The European payments industry is coming to the end of the Payment Services Directive 2 implementation – or is it? Deadlines are looming, but not everyone is ready. Joy Macknight identifies the remaining hurdles and how the industry is responding. 

The main goals of the second iteration of the EU’s Payment Services Directive (PSD2) are commendable. The directive intends to improve customer security – and consequently reduce fraud – through the implementation of strong customer authentication (SCA) for online purchases. It also aims to increase competition and drive innovation by opening up the payments market to new players, or third-party providers (TPPs), mainly through application programming interfaces (APIs).

But getting the EU’s complex and heterogeneous payments industry to line up in an orderly fashion has proved a Herculean feat and been four years in the making. PSD2 was first published in November 2015, entered into force early the following year and then member states had until January 13, 2018 to transpose it into national law.

Yet 18 months on and a ‘hard’ deadline of September 14, 2019 – for implementing SCA across the industry and for banks to make at least one secure communication interface available for TPPs – appears to be slipping, because multiple stakeholders are simply not ready.

Standards slip

Part of the problem, according to Pritesh Kotecha, senior vice-president for Europe, the Middle East and Africa (EMEA) at global software and managed services provider SmartStream, is that the final regulatory technical standards (RTS) came out two months after PSD2 came into effect and the UK had launched Open Banking. The lack of clarity justified banks taking a cautious approach, “evaluating and managing the regulation versus looking for the opportunities”, adds Mr Kotecha.

Ad van der Poel, head of product management for EMEA, global transaction services, at Bank of America Merrill Lynch (BAML), says: “Some banks decided to wait until the [PSD2] specifications were clearer; however others, like us, were compliant by January 2018. We used the draft specs at the time, and we looked at what was happening in the market from a standardisation perspective.” In recent months, BAML has been upgrading its file format based on the RTS. “Those changes were very straightforward,” adds Mr van der Poel.

A more problematic issue is that many European banks have viewed PSD2 as more of a threat than an opportunity. “While there is [now] an acceleration of activity, there was some initial reluctance as the business case is far from clear for many players,” says Francesco Burelli, digital and payment specialist at consultancy Arkwright. “With few exceptions, such as business finance management for small businesses, the opportunities and attractiveness of PSD2-related propositions are far from being universally clear or attractive to the ultimate users – contributing to lack of any mass cross-industry movement or demand.”

Mr Kotecha reports a shift in some banks’ attitudes in 2019, driven by the realisation that the winners in the payments space will be those that create a deep, seamless, in-stream social experience, as seen in Asia with WeChat and Alipay. “Banks realise that they can’t create that embedded upstream, downstream, 360-degree customer experience on their own. So they are developing APIs and forming partnerships [with specialist TPPs] at a rate of knots to create that killer customer experience, while still complying with risk and financial regulation,” he says.

However, a lack of readiness could put the whole TPP ecosystem at risk if the regulators adhere to the September deadline, warns Tomas Prochazka, vice-president of product at open banking platform Tink. “If the PSD2 services don’t work in the way they should, they will threaten existing TPPs, which have been pioneering the future of financial services,” he says. “If the existing TPPs go under, then there will be a massive gap and it will take years to rebuild to the point where these TPPs are today.”

Convenience versus risk

It is therefore unsurprising that the industry breathed a collective sigh of relief in June 2019 when the European Banking Authority (EBA) gave the green light to national competent authorities (NCAs) to grant extensions for SCA implementation beyond September 14. The UK’s Financial Conduct Authority (FCA) was the first to announce plans to give more time to the e-commerce industry, while other NCAs, including the Central Bank of Ireland and the Bank of Italy, were close behind.

Under PSD2, SCA is based on the use of two or more elements: knowledge, or something only the user knows; possession, which is something only the user has; and inherence, defined as something the user is. SCA is to be applied to all remote electronic payments but there are exemptions, such as recurring payments or purchases under €30.

The concern is that adding another step, or friction, into the online check-out process will lead to 'cart abandonment', or consumers cancelling their purchases. Jerry Norton, head of strategy for the financial services business at IT consulting firm CGI, says: “Many people are worried about consumer acceptance, as consumers want everything to be ultimately secure but also super convenient. The balance between convenience and risk is difficult to achieve – that is the main issue.”

Research released in June by payments infrastructure company Stripe suggests that Europe could lose up to €57bn in economic activity in the first 12 months after SCA takes effect. It reported that preparedness remained low: only 40% of businesses aware of SCA said they felt prepared to address its requirements.

Jonathan Williams, principal consultant of independent advisory firm Mk2 Consulting, and co-author of recently published British Standards Institution specifications on digital identification and SCA, says that SCA is a tale of two industries: interbank and cards. “The interbank industry has been doing SCA for years, such as one-time passwords, but the card industry has been relying on static data, such as card details or the card verification code,” he says. The card industry’s initial solution – EMV 3D Secure – proved unsuccessful, as it added unexpected friction to the customer experience.

However, the latest version of 3D Secure (2.2) is emerging as a popular SCA-compliant way to accept payments online, according to Stripe’s research. Mark Nelsen, senior vice-president of risk and authentication products at Visa, says it also helps to solve the exemptions allowed under SCA. “These exemptions, if applied properly, can play a key role in keeping commerce seamless,” he says. “The latest version of 3D Secure is designed specifically for the European market that allows for all these exemption requests to be communicated between the merchant and the bank.”

Yet Stripe’s research also found that one in four online businesses are not yet familiar with the latest version. “It is going to be a challenge to reach everyone due to the number of players in this space,” says Mr Nelsen. As such, Visa has been lobbying the regulators for a grace period of at least an extra 18 months. In July, the European Association of Payment Service Providers for Merchants also called for a minimum 18-month delay in the introduction of SCA, to avoid significant disruption to online business interests.

The lobbying has paid off. In August, the FCA announced an 18-month extension; other NCAs are expected to follow suit to ensure a harmonised implementation.

The end of screen scraping?

The TPP space is another area where SCA will have a severe impact, as many TPPs rely on direct access, or 'screen scraping'. Today, TPPs can receive a customer’s credentials once and then use them to continuously access the customer’s account data to track spending patterns and so on. However, under SCA rules, a user must use two-factor authentication when logging onto online banking.

If TPPs do not have other communication methods in place, such as APIs, then they will need the two factors every time they want to refresh the customer’s data. “This will be a problem for most TPPs because their business models have evolved around the ability to get continuous access to a customer’s account data; for example, to notify them when they are spending too much, or if their balance is going to turn negative,” says Mr Prochazka. As such, TPPs have also been lobbying for an extension to the SCA deadline.

Currently, direct access is still permitted in some instances: for example, when the API does not exist, either because the bank has not built it or because it is delayed, or when it is incomplete or not functioning properly. Mr Prochazka points out that the burden is on the TPPs to prove that they are facing obstacles.

Secure interfaces

SCA is one issue, but Mr Prochazka highlights the other major challenge facing TPPs: accessing consistent, accurate and quality bank APIs. European banks were required to set up publicly available 'testing sandboxes' by March 14, 2019, so that TPPs would have six months to test bank APIs, and by June 14 all banks were supposed to have their production APIs ready for consumption.

In the run-up to the June deadline, Tink tested more than 100 sandbox environments and production APIs across 12 markets. It concluded that the APIs available were far from ready, lacking the quality and maturity needed. “It is rare that the APIs actually do what they are supposed to,” says Mr Prochazka. He reports that, on average, Tink has had to exchange more than 100 e-mails with a bank to integrate its APIs. “In theory, we should be able to read the documentation without needing to communicate with the bank. But we have WhatsApp groups, conference calls and e-mails with the banks just to make the API work,” he adds.

In his estimate, it will take a minimum of six months even for the best-in-class bank APIs to get to a point where a TPP could build a business-critical function. For average banks, he predicts 12 to 18 months or longer.

Despite these technical issues, Europe has been successful in harmonising API standards, according to Wijnand Machielse, secretariat of Berlin Group, a pan-European payments interoperability standards and harmonisation initiative. The group’s NextGenPSD2 has already been implemented by more than 3000 banks and most were ready on or before June 14.

Mr Machielse rebuts the idea that the banks were holding back the process. He says: “The TPPs were late in trying to work in the testing environment. In March, most banks were ready with test sandboxes but there was hardly any traffic coming in from TPPs.” However, there has been some progress and Mr Machielse points to the “gentlemen’s agreement” between the banks and TPPs, published on July 26, where the TPPs have agreed to intensify testing and provide feedback on bank interfaces.

On the bank side, ING, for one, will be ready for PSD2 with a mature proposition, according to Evelien Witlox, global director of payments and cards. She explains that PSD2, and open banking, is a fundamental building block in the bank’s platform strategy. “We have chosen to make PSD2 a platform solution, so we don’t bother our clients or TPPs with the complexity that different client groups and countries can have,” she says. “Through our developer portal, TPPs can use our APIs to reach all our clients and products in more than 10 European markets where we are present.”

A few banks are already exploring new revenue streams, according to Mr Kotecha. In addition to the standard PSD2 API, which they must provide free of charge, some banks are beginning to create premium APIs, based on a subscription model. “The latter can provide far greater and deeper historical data, real-time feeds and greater accuracy and reliability for TPPs,” he says. “The model is sustainable because it gives banks a new, recurring revenue stream and will fuel an exponential adoption by TPPs. It is a model that is already prevalent in the social media world, with the likes of Twitter premium APIs.”

Will there be a PSD3?

Before even thinking about next steps, the regulators will allow time for PSD2 to bed in, according to Hamish Thomas, Europe, the Middle East, India and Africa payments leader and UK advisory banking technology leader at EY. “As firms’ compliance implementation activities tail off, we will see the increasing emergence of new products and services; the EBA and various competent authorities will be looking with interest at how the market evolves. Scrutiny of, and ongoing interest in, activity in the payments space by the regulator will continue. However, it is unlikely that in the short term it will manifest in a PSD3, requiring the same level of heavy lifting across the ecosystem.”

Likewise, Mr van der Poel does not think that there is a need to go all the way to PSD3, though he expects a refinement of the current PSD2 to ensure there is consistency in the market. He returns to the reasons PSD2 is being implemented: to improve the market for the consumer, to increase competitiveness and support innovation. “These elements need to be addressed to achieve the actual goals of PSD2,” he says.

While not convinced about the need for PSD3, Ms Witlox thinks the industry needs to consider open banking in the broader sense. Patrick Langeveld, innovation driver for open banking at ING, adds: “With PSD2, we are only looking at payment accounts, while there are more accounts and services that can provide a fuller financial picture. Customers want insights into their payment accounts, savings accounts, credit cards, mortgages, and even investments. These are the areas banks will need to look at next.” He points to Australia’s recent adoption of Consumer Data Rights, which will regulate more products than solely payments.

Mr Williams, on the other hand, believes that PSD3 must happen at some point because PSD2 will not achieve everything that it is meant to – plus it has not tackled the issues of cryptocurrency transactions. “We need to think about how we do those from a payment services perspective,” he says.
