The European Commission's proposed update to the Payment Services Directive will allow third parties to penetrate banks' security firewalls, which is leaving banks understandably nervous.

What is happening?

PSD2 is the revised version of the Payment Services Directive (PSD), the legal framework for a single payments market in Europe. Broadly, the PSD aims to eradicate the differences between national and cross-border payments in Europe and open up competition in the payments industry.

The European Commission (EC) published a proposal for PSD2 in July 2013, which would repeal and replace the first PSD. PSD2 was announced as part of a package that includes regulation on interchange fees – which are paid by a merchant’s bank to a cardholder’s bank when a payment card is used – and both parts of the package have to be adopted together.

PSD2 and the interchange regulation both have massive implications, says Gareth Lodge, a senior analyst at Celent. The combined package is a “one plus one equals three punch to the banking industry”, he says.

How is PSD2 different from PSD1?

PSD2 has the same goals as the original version and is viewed as tidying up PSD1 and closing some of the loopholes.

Francesco Burelli, a partner at consultancy Value Partners, says at a macro level: “This is part of a cultural shift in regulatory reform from the EC,” which includes smoothing national differences in implementing the regulation when it is transposed into a country’s law. “PSD2 takes away the ability of member states to use the option to interpret and adapt some of the content of the titles of the previous version of the PSD,” adds Mr Burelli.

The PSD2 proposal also takes into account the rapid change and innovation in the payments industry. “PSD2, in comparison to its predecessor, appears to be enforcing a much more integrated market for payments across all channels, including the internet and mobile devices,” says Mr Burelli. 

There are also other differences. “The scope of PSD2 is extended, both in regards to the geographical scope as well as the currencies being covered,” adds Mr Burelli.“The scope of PSD2 has been extended such that transparency and information requirements, which only applied previously to transactions executed wholly within the EU, now apply to payment transactions involving third countries in any currency, as long as one of the payment service providers is located within the EU.” 

Banks will have an increased workload with more transactions falling under the reach of PSD2, but there are other areas that are causing more concern. Dermot Turing, a partner at law firm Clifford Chance, says that it is the proposals around payment initiation services that are the most challenging. 

What’s the problem?

Payment initiation services have emerged from the innovation and competition that has developed in the European payments market, particularly in the area of e-commerce. If a shopper is online, for example, they can click a payment brand at the checkout stage. That payment service could be a third party that is able to initiate payment from the consumer’s regular account. These third-party payment service providers have not been regulated in the same way as other providers and PSD2 brings them into the scope of regulation.

Reg rage - exasperation

Under PSD2, says Mr Turing, “banks will have to allow third-party services to come into an account and initiate payment transactions”. Allowing this access, he explains, 
is potentially problematic because it enables a third party to circumvent a bank’s security firewall. “Banks are really nervous about this. The concept of allowing anybody other than the consumer to penetrate the security firewall has been greeted with hostility. And consumer associations are not particularly thrilled about it,” says Mr Turing.

Another bone of contention is what happens if something goes wrong when a third party is involved in initiating a transaction. Under the draft proposals, says Mr Turing, the bank would be liable, would have to reimburse the consumer and investigate the matter afterwards. Amendments that have since been proposed take the opposite approach and state that the third party should be liable.

There have been calls for greater clarification on the definition of who this regulation applies to. In theory, the access to account information could include entities such as credit agencies.

Mr Lodge says that the proposal outlines access without defining what that third party can and cannot do. A consumer can give their details and permission to access their account, but this is problematic for banks as under separate regulation – such as anti-money laundering – banks are responsible for knowing who is accessing the accounts. Mr Lodge says there have been discussions about creating a common set of rules and standards for access to the accounts, but banks are concerned they will have to invest massively in something they are not convinced will work.

What happens next?

PSD2 and the interchange regulation need to be adopted by the European Parliament and Council of Ministers and then enshrined in local law. At the time it published the proposals, the EC said it was aiming to reach agreement by March or April 2014, i.e. before the European parliamentary elections in May. Given the complexities of the proposals observers say that is unlikely to happen and nothing will be agreed until the end of this year at the earliest.  

PLEASE ENTER YOUR DETAILS TO WATCH THIS VIDEO

All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker



For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Join our community

The Banker on Twitter