Revolutions are usually unplanned and unregulated. They happen organically, and hit you suddenly when you least expect them.
But this time, it’s different. The latest revolution is planned, regulated and just around the corner. And it will usher in a new era of Digital Banking in Europe.
The regulator is none other than the European Union itself, and its mission is threefold: to make it more convenient to pay online, to enable greater choice in how to do this, and to protect you when you do.
How? Through the revised Payment Services Directive (known as PSD2), an EU directive that came into force in 2016 and will be transposed into national laws by the beginning of next year. Companies will then have to comply with the relevant technical standards by the end of 2018 or the beginning of 2019.
The directive affects banks, of course – but it also has a wider scope. FinTechs and Third-Party Providers (TPPs) will also see their activities regulated, to fuel competition in the financial sector.
And that’s where the revolution comes in. Because PSD2 is not a simple, single piece of legislation: It’s a milestone in the digitalization of financial services and ePayment. New technology and authentication mechanisms have changed payment processes for businesses and consumers, and almost every financial transaction can now be executed digitally. Financial institutions need to adapt, and PSD2 creates an environment that fosters the innovation required for the digital revolution.
New challengers: Third-party providers
The biggest change that PSD2 will bring about in the banking and payment ecosystem is to open the door to new kinds of competitors, by recognizing so-called Third-Party Payment Service Providers (TP PSPs), or Third-Party Providers (TPPs). These new players in the financial world – which currently have to navigate different laws in different countries – will be able, within the EU and with the consumer’s consent, to access accounts held at other financial institutions, and use the information to offer tailored services. They could be entirely new startups looking to carve their own niche in the finance world, or they could be existing technology companies looking to expand their consumer offering, such as Google, Facebook or Apple.
PSD2 distinguishes two main types of TPPs:
- Account Information Service Providers (AISPs), who could, for example, analyze a customer’s global spending in accounts held at different banks, and provide tips on where to place money or spend it more efficiently.
- Payment Initiation Service Providers (PISPs), who could, for example, pay a customer’s bills or make P2P transfers. They initiate the payment through a “software bridge” between the merchant’s website and the bank’s online banking platform. The PISP typically appears as a payment option on the merchant’s website.
TPPs can potentially flourish because, under PSD2, banks are obliged to give them access to account information. This meets the first two aims of PSD2: to make it more convenient to pay online (more competition should foster more innovation, meeting consumer demand for greater convenience), and to enable greater choice in how to do so.
The third aim is to protect consumers who pay online. Here again, banks and TPPs have obligations. First, they need to provide what is known as “Strong Customer Authentication” to secure access to accounts – which means using a combination of at least two independent factors from among something the customer has (e.g. a bank card), something the customer knows (e.g. a PIN), and something the customer is (e.g. a biometric feature). Second, they must have safeguards that are “compatible with the risk of payment.” Specifically, PSD2 requires payment service providers to conduct transaction and risk monitoring so that they can identify, assess, and manage the risks associated with payment and access to accounts. They can also assess the weight of the risk and balance safety with convenience.
Competition and cooperation
Google, Amazon, Facebook and Apple (GAFA) – as well as other Internet giants – have already made their move and started offering different financial services that compete more or less with traditional banking institutions. They see the opportunity to expand beyond their existing customer base into new fields: from cashless payment of bus tickets to ensuring the financial security of large business deals. Meanwhile, start-ups and small service providers see their chance to revolutionize the market – especially in the area of banking and payment applications.
In this environment, how can banks and other financial institutions remain competitive? One key advantage is their trustworthiness. Consumers will not adopt technology if they cannot trust the people behind it – and they tend to trust banks, especially when the customer relationship has existed for a long time. Another advantage is their know-how. The security norms requested by PSD2 are high, so those who are not used to the strict compliance rules of the financial world will struggle to follow.
But, despite these advantages, banks still need to find more ways to insert their services into users’ smartphones and shopping habits.
Since PSD2 aims to be technologically neutral, the law neither describes nor standardizes the open interfaces that will allow access to account information. This means that there is no single standard, so organizations need the right partners with enough experience in compliance and security to define these interfaces. For this market to be successful, certifications and standardization become crucial – as does cooperation.
The future of banking will be through digital channels – which are mobile, secure, and user-friendly. But with PSD2 and the General Data Protection Regulation (GDPR), many changes in IT and IT security are coming to European financial institutions.
The financial sector is very sensitive to data security and compliance rules. This is precisely where the huge advantage of traditional financial institutions lies – because this sensitivity will not change in the age of digital integration.
But the way organizations deal with two issues will decide how far they can benefit from the development:
- First, how can they compete against new actors such as GAFA and other emerging digital innovators?
- Second, can they meet the usability and security expectations of both the EU and their customers?
To tackle both questions, financial institutions need to find the right technology partners: those that help them create user-friendly offers that comply with regulations and are secure.
The choice is important, because the clock is ticking. This time, the revolution has been announced beforehand. In less than a year PSD2 will become legally binding – and it will change the rules of the game in the financial services industry.
Howard Berg, Senior VP and Managing Director, Gemalto UK