How the new EU payments regulation will help prevent fraud
Scott McInnes, partner at international law firm Bird & Bird, discusses how the Second Payments Services Directive (PSD2) will affect companies and what requirements industry players need to know.
In recent years, the payments industry has been under a lot of scrutiny in Europe. The EU’s desire to improve consumer protection, boost innovation and foster greater competition has led to a new wave of legislation in the sector including PSD2.
This new directive will be one of the most disruptive laws in the payments industry when it is enacted early next year. The new rules will have a significant impact on online companies, banks and payment service providers (PSPs), so these businesses need to be aware of the new requirements and the exemptions the directive brings, and plan accordingly.
What is PSD2?
PSD2 is the revision of an existing EU directive from 2007, called the Payment Services Directive (PSD or PSD1), which introduced a new wave of competition into the rapidly changing EU payments landscape. The payments industry, which had historically been dominated and controlled by traditional banks, is now open to new, non-bank competitors called ‘payment institutions’.
However, as PSD2 is an EU directive, it needs to be implemented in the national law of each EU member state. The deadline for these measures to be live is January 2018, with two exceptions: the provisions on strong customer authentication (SCA), which are expected to go live in the EU member states towards the middle of 2019, and the technical aspects of how banks are expected to give third party providers (TPPs) access to the payment account. These two sets of provisions, on SCA and on TPPs, are currently under much debate in Europe.
How will the changing landscape and the new directive affect banks across the EU?
Customers are after secure click-and-pay experiences and merchants are looking for new payment methods for online retail. This, combined with the new breed of fast-moving fintech firms challenging established banks with innovative services, means that you have a market demanding updated regulation.
What will the new directive introduce?
The main aim of the PSD2 is to facilitate the use of innovative means of payment while simultaneously protecting customers against fraud. There are two rulings which are prominent here: access to payment accounts (XS2A); and the aforementioned SCA.
The XS2A ruling will ensure that banks open up customer payment accounts to TPPs so that they will be able to access payment account information, initiate payments and/or get confirmation of availability of funds on a specific account in order to allow a card payment.
Financial institutions that hold payment accounts (e.g. current accounts, credit card accounts) are required to grant access to the account, free of charge, to TPPs.
When it comes to the SCA provisions, all PSPs will have to apply multi-factor authentication to all electronic transactions initiated by the payer, that is, card payments and credit transfers (but not direct debits).
One issue that arises is that multi-factor authentication adds friction to the payment experience. This leads to customer abandonment, a big concern for online merchants. SCA is characterised by the combination of two (out of three) factors, referred to as “something only you know” (e.g. a password or a PIN), “something only you have” (e.g. your card in a face-to-face context, your phone for a remote payment) and “something only you are” (e.g. your fingerprint). The two factors must come from different categories: two passwords, for example, do not count as strong authentication.
But the regulatory technical standards (RTS) proposed by the European Banking Authority (EBA) allow providers to be exempted from SCA, in particular if they implement risk-based authentication (RBA, referred to in the draft RTS as “transaction risk analysis” or TRA) and that analysis rates the transaction as low risk. To qualify for this exemption, PSPs should have transaction monitoring in place that operates in real time and checks each transaction for anomalies against, for example, the payer's spending patterns and payment transaction history. Fraud detection and transaction monitoring systems that can help businesses meet these standards already exist, so it is important that they are applied where needed.
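The following is an added example, not code from the article, from Bird & Bird, or from the EBA's RTS. It sketches what the two pieces described above look like in practice: a check that presented authentication factors actually span two of the three SCA categories, and a real-time transaction risk analysis that scores a payment against the payer's own history (typical spend, known payees, known countries, velocity) to decide whether SCA can be skipped. The anomaly rules, weights, the exemption ceiling and the sample history are constructed assumptions for illustration; they are not the thresholds or fraud-rate references in the draft RTS.

```python
"""Risk-based authentication (transaction risk analysis) decision logic.

Added example. The categories, rules, weights, ceiling and sample history
below are constructed assumptions, not the values in the EBA draft RTS.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# The three SCA factor categories; two *different* categories are required.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


def satisfies_sca(factors):
    """True if the presented factors cover at least two distinct categories
    (e.g. PIN + phone). Two knowledge factors are one category only."""
    return len({f for f in factors if f in CATEGORIES}) >= 2


@dataclass
class Transaction:
    payer: str
    payee: str
    amount_eur: float
    country: str
    at: datetime


@dataclass
class Decision:
    require_sca: bool
    score: int
    reasons: list = field(default_factory=list)


# Constructed thresholds (assumptions for this example only).
EXEMPTION_CEILING_EUR = 500.0   # never exempt above this amount
LOW_RISK_MAX_SCORE = 2          # a score at or below this is "low risk"
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX = 5                # prior payments within the window


def assess(txn, history):
    """Score one transaction against the payer's earlier transactions and
    decide whether SCA must be applied. Each anomaly adds to the score; a
    low total lets the PSP rely on the TRA exemption for this payment."""
    reasons, score = [], 0
    prior = [h for h in history if h.payer == txn.payer and h.at < txn.at]

    if txn.amount_eur > EXEMPTION_CEILING_EUR:
        return Decision(True, 99, ["amount above exemption ceiling"])

    if not prior:
        # No baseline to compare against: treat as high risk.
        return Decision(True, 3, ["no transaction history for payer"])

    typical = median(h.amount_eur for h in prior)
    if txn.amount_eur > 3 * typical:
        score += 2
        reasons.append("amount far above typical spend")
    if txn.payee not in {h.payee for h in prior}:
        score += 1
        reasons.append("first payment to this payee")
    if txn.country not in {h.country for h in prior}:
        score += 2
        reasons.append("country never seen for this payer")
    recent = [h for h in prior if txn.at - h.at <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        score += 2
        reasons.append("transaction velocity too high")

    return Decision(score > LOW_RISK_MAX_SCORE, score, reasons)


def sample_history():
    """Constructed history for one payer: routine grocery payments in DE."""
    base = datetime(2017, 6, 1, 12, 0)
    amounts = [40.0, 50.0, 45.0, 60.0, 55.0]
    return [Transaction("alice", "grocer", a, "DE", base + timedelta(days=i))
            for i, a in enumerate(amounts)]


if __name__ == "__main__":
    hist = sample_history()
    now = datetime(2017, 6, 10, 9, 30)
    for t in (Transaction("alice", "grocer", 48.0, "DE", now),
              Transaction("alice", "new-shop", 200.0, "FR", now),
              Transaction("alice", "grocer", 600.0, "DE", now)):
        d = assess(t, hist)
        print(f"{t.payee:9} {t.amount_eur:6.2f} {t.country} -> "
              f"SCA={'yes' if d.require_sca else 'no '} score={d.score} {d.reasons}")
```

A production system would feed the same decision with many more signals (device fingerprint, merchant fraud rate, session behaviour) and would log every exemption decision with its reasons, since the PSP carries liability for a fraudulent payment it chose not to authenticate.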