Back in 2009, the original structure of the Payment Services Directive (PSD) helped EU member states to speed up transactions. It provided a consistent set of guidelines that could be followed by banks and financial institutions, providing transparency, certainty and speed of payment across the European Economic Area (EEA).
This enabled consumers and corporates to clearly understand payment transaction execution times, as well as setting out clear rules on charging, liability and refund rights. As a result, payments within the EEA (in the euro or EEA domestic currencies) are now harmonised and consumers have largely the same rights wherever in the EEA the transaction occurs.
Now, the market is changing again. Recently, there has been an unprecedented level of interest in the payments market, as those within the payments industry seek to balance their investment budget, while addressing the requirements of innovation and regulation.
At a country level, administrators and regulators alike are supporting innovative ideas. For example, Singapore and Australia are both looking to develop new real-time consumer and small business payment systems. In the UK, Paym (a new industry-wide mobile payments system) has just been launched, allowing payments to be made using nothing more than mobile phone numbers. Virtual currencies continue to make the headlines and numerous new entrants are rumoured to be about to take the payments world by storm.
Meanwhile, from a regulatory perspective, sanctions and anti-money-laundering concerns are still considered newsworthy. The UK government is establishing a new UK payment systems regulator, which aims to ensure that the industry is competitive, meets the needs of user groups and supports the economy now and in the future. And, perhaps most significantly, in Europe the finishing touches are being put to the second iteration of the Payment Services Directive (PSD2).
The UK government is establishing a new UK payment systems regulator, which aims to ensure that the industry is competitive
Since 2009, some key areas of the payments market – including cards, the internet and mobile payments – have remained fragmented across national borders. In addition, newer forms of payments have revealed gaps and inconsistencies in the current legal framework. It is these that the PSD2 attempts to address.
As technology gathers pace, the period from initial idea to implementation is becoming shorter. At the same time, the volume of payments regulation is increasing. As the industry prepares itself for the PSD2, an extension to the scope of regulated payment institutions is expected to provoke further competition in the payments market, as it moves beyond bricks-and-mortar trade towards e-commerce, with the potential for new businesses to enter into the payments market and compete with the banks.
The PSD2 is also likely to represent a converging of regulation and innovation for the benefit of consumers. As a result, it’s a considerable opportunity for forward-looking institutions that can sell the benefits, as well as complying with the rules – although there remain lingering concerns over whether the PSD2 could also herald a weakening or reduction of security and payment safety.
It’s clear that any advances come at a price. Existing platforms and processes may need to be overhauled and tightened, so there may be associated operational costs. Clients are likely to begin asking questions about the products and services that will be available, and those institutions willing to invest early are likely to be able to offer a more immediate and informed response.
Any widening of the scope of regulations to facilitate connectivity at a corporate level will need to be balanced, with a focus on developing security, access controls, reconciliation and transaction management capabilities during any initial acclimatisation. Overcoming these challenges will require an in-depth review of the risks involved. Safety continues to be of paramount importance in relation to the payments industry and reconciling such risks, while reassuring clients, is critical.
There are those who argue that any broadening of the regulations will, by default, result in increased risk. It may be that any significant change to regulations will result in an initial period during which mitigants are set out to resolve risks and issues, and best practice in the new environment is established.
There are some core changes in the PSD’s scope that are set to offer new and existing entrants an opportunity to transform the propositions that they offer their clients. For example, the inclusion of third-party providers (TPPs) as payment service providers (PSPs) is a core part of the PSD2. TPPs will compete with banks and other card acquirers for online merchants.
Another key change relates to one-leg out payments (payments where either the payer’s or payee’s PSP is outside the EEA). Such payments are currently out of scope, but it is proposed that the PSD2 will bring them into regulation. The goal of the one-leg out provisions is to provide end-to-end transparency over charges and delivery terms for these cross-border payments (and has similarities with section 1073 of the Dodd-Frank Wall Street Reform Act in the US). For consumers and corporates, this will mean that they will be advised upfront how much the fees for the payments will be and when the beneficiary will receive the funds. This requirement, in turn, will impact overseas banks, with all the banks in the EEA demanding certainty on these cross-border payments, where previously there may not have been any. It also brings into question the continuation of any bespoke guaranteed OUR services that may currently be offered. (Note: OUR is a SWIFT payment instruction. It means: You pay all transfer charges. We receive all your payment.)
In addition, the PSD2 will herald strong customer authentication. This is a more secure authentication concept that goes beyond two-factor authentication (knowledge and possession) and involves at least two of three elements – knowledge (for example, security questions), possession (such as a mobile device) and inherence (such as fingerprint or retina data). The impact of this on consumers, corporates and TPPs is currently being discussed, but will undoubtedly require changes to systems, processes and the way in which clients interact with their provider.
The PSD2 will introduce a defined complaint regime for payments. That is, they must be resolved within 15 business days, with a further 30 (or 15 days, dependent on how legislation is finalised) allowed in exceptional circumstances. Within certain member states, however, there may be a wide divergence of existing processes. Various other changes include a requirement for PSPs to establish a framework to manage operational risks – including security risks related to the payment services they provide.
It’s clear that the PSD2 will both offer opportunities and pose some, possibly significant, risks to banks and financial institutions that wish to take advantage of a fresh approach through new regulations and the more immediate relationships that will be possible.
Customer communications regarding the impending changes in regulation and services will be vitally important. As with any change to regulations, clients will be looking for clear marketing collateral and helpful support. Ensuring the whole journey is transparent and secure is just one way in which forward-looking banks and PSPs can gain competitive advantage.
As with all EU directives, the PSD2 will require agreement from both the European Parliament and Council. Once this process is complete, two years will be allowed for member states to enact it into national law. For the PSD2 implementation, this is expected to be H1 2017. It is essential that banks and other financial institutions start work as early as possible, since the changes to the systems and processes involved are likely to be wide-ranging.
Bringing in such an expansive and wide-reaching change smoothly and accurately will be a challenge. But through our engagement with EU policymakers, we remain hopeful of a positive outcome. Any improvement in consumer security would help to increase trust in payments and this, in turn, would support greater payments harmonisation in Europe and beyond.
Mark Curran is payments technical services director, global payments, at Lloyds Banking Group