Since open banking came to life the environment has greatly evolved. The services moved from the real world to digital and the payments industry had to adapt too. The first legislation related to open banking was passed in 2007 which seems like decades ago. Read on if you want open banking explained simply and learn some more details about the payment market changes since the first Payment Services Directive (PSD).
The three key changes that unfolded since the PSD are - increased levels of digital payment fraud within the EU and EEA, the acceleration of Application Programming Interfaces (APIs) and the development of new financial business models that fell out of scope.
The increased levels of digital payment fraud within the EU and EEA were portrayed by the European Central Bank (ECB). ECB conducted a research between 2011-2016 and found out that online fraud had increased by 66%. This means that when there was a transaction made online (card not present) there was a major possibility that something might go wrong. Consequently, overall fraud within the EU and EEA increased 35% and continued to rise.
The acceleration of APIs meant that there appeared ways to make payments and financial data more open and secure. In other words, API enabled separate systems, usually owned and managed by separate businesses, to interact with each other while safeguarding the data. The key users of API’s were the fintechs and companies like Google, Stripe or Amazon.
The development of new financial business models that fell out of regulation scope caused concern in the payment industry. Hence, the PSD was developed to suit the situation at that time and did not include regulations to new business concepts and evolving payment mechanisms. Therefore, the majority of new services fell out of scope and were left unregulated. The need for improved regulations constantly grew and finally, PSD2 came out which structured and gave standards to the innovative payment market.
The EU and EEA had open banking explained and put into practice over the years, with some arising issues that got solved on the way.
The open banking definition is as follows - The Revised Payment Services Directive (PSD2) aims to regulate payment services in the European Union (EU) and the European Economic Area (EEA) by providing a collection of laws and legislations. It was first passed in 2015 and underwent further improvements until the latest version which came to effect on 14 September 2019.
The PSD2 regulation has four main goals:
PSD2 brought changes to all levels of payment market participants and it was important to ensure compliance. Even though the changes brought will be felt by everyone it is crucial for online sellers and payment providers to understand the requirements. The first change is Strong Customer Authentication (SCA). SCA means Two-factor Authentication (2FA) and it is required by the European Banking Authority (EBA). SCA and 2FA are there to secure online payments and reduce the possibility of fraud.
The second change is the licensing. All companies that provide payment services within the EU and EEA must obtain a payment license, gain authorisation and register with EBA. The third change is legacy banks opening bank data to Third Party Providers (TPPs). This step empowers new providers to enter the market and increase the competition which should also lead to better customer service and reduced service prices. The two main new types of TPPs are Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
AISPs are there to consolidate information across banks and provide efficient banking account management to consumers. Whereas PISPs are there to initiate payments from consumer’s accounts. In both cases, TPPs can perform their services only after gaining consent (via SCA) from the end-user.
The SCA plays an important role under the open banking definition and PSD2. It must be enforced on all payer-initiated transactions when both involved parties, payer and receiver, are within the EU and EEA. In cases where one party is outside the EEA, like the US, SCA is not required. For instance, if a buyer from the EU purchases an item from a business based in the US that also uses US bank services, then SCA is not enforced. These types of payments are called one leg out.
In general, PSD2 creates two types of impact - direct and indirect. The direct impact will affect all countries within the EEA and their payment providers. If put in numbers it should total around 300 million online consumers. The UK is not the exception and PSD2 is implemented there too despite Brexit.
The SCA implementation was expected to cause disturbances within the payment market as it did in India after the 3D secure came to effect. In the case of India, it was reported that some e-commerce vendors lost up to 25% of their sales due to an additional step in the purchasing process. However, the EU seemed to deal with the changes more effectively.
Furthermore, PSD2 will influence online businesses outside the EEA if they provide payment services within the area. These businesses will also be obliged to acquire a license for their services.
The indirect impact should be felt in the businesses that are outside the EEA, yet have subsidiaries or branches inside it.
According to the PSD2, it is a mandatory regulation and it must be enforced in the member states of the EU and EEA. As open banking explained above, payment providers and legacy banks have no other choice or they will have to face consequences. If a business fails to comply and does not require SCA it could face a drop in sales due to rejected payments. If a bank commences payment initiation, but the consumer does not authorise it then it gets rejected and the purchasing process fails.
However, in cases where a payment provider performs the same violation, it could face serious consequences. The first one, less serious is the loss of payment traffic as payment initiations do not get authorisation. The second, more severe, is imposed by the national regulators. Nevertheless, the consequences may vary depending on the country and its stage of PSD2 implementation. It could receive some kind of fine or in the worst-case scenarios a payment provider could get its license revoked.
We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.
By providing your email, you accept