The Second Payment Services Directive (PSD2) – A Primer

Posted: Mar 22, 2017
Categories: Regulations
Comments: 2
Author: Tom Davis

European Union opening up banking services to fintech providers.

The European Union (EU) is making sweeping changes to open banking services to fintech providers, by mandating access to account holders’ data (with the account holder’s consent) and enabling payments that bypass the traditional card rails. This potential game-changer, PSD2, would let consumers pay their bills through a provider such as Facebook or Google, and will force credit unions and banks to change the way they do business.

PSD2 (the second Payment Services Directive; the first, adopted in 2007, was transposed into national law in 2009) was formally adopted as Directive (EU) 2015/2366 in November 2015 and came into force in January 2016, with member states required to transpose it into national law by 13 January 2018. It is a lengthy directive by EU lawmakers, consisting of 117 articles, intended to make payments faster, safer, more transparent, and consistent across all 28 member states, and to encourage new market entrants. New entrants fall into two categories: payment initiation service providers (PISPs) and account information service providers (AISPs).

What does PSD2 mandate?

Among the 117 articles in the directive, two game-changing concepts stand out: Access to Accounts (XS2A), and support for Account Information Service Providers. XS2A means banks are required to create and publish APIs so that licensed third-party providers, including merchants acting as PISPs, can access a customer’s bank account with the account holder’s explicit permission. For example, Amazon - a PISP in this context - currently accepts a debit card through a merchant acquirer and, using the Mastercard or Visa rails, “pulls” money from the bank account. With PSD2, Amazon can instead present a button that requests access to the customer’s bank account. The customer does not hand Amazon the bank user name and credentials; the customer authenticates at the bank itself, much as one uses Facebook credentials to log in to another website without giving that website the Facebook password. The next time that customer shops, Amazon remembers the connection, until the account holder revokes permission. No contractual relationship is required between the bank and the PISP. The intent of XS2A is to provide competition to the traditional four-party card acceptance model. One interesting aspect of the mandate is that the bank’s API must allow a third party to confirm the availability of funds for a specific amount; the answer is a simple yes or no, so the third party learns whether a transaction is covered without learning the account balance.

Whereas a PISP initiates payments, an AISP consolidates information. Mint is the most widely known example of the kind of service an AISP provides: financial information from many accounts in a single view. Under PSD2, the Mint user would not hand Mint the login credentials for their various bank and retirement accounts, but would instead use the XS2A mechanism to grant permission at each bank for that bank to supply the account information to Mint via direct API access. Since many consumers are rightly reluctant to hand their credentials to a third party, the AISP model is intended to bring more fintech providers into this space, with potentially new smart-shopper and comparison-type services.
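To make the delegated-access pattern behind both PISP and AISP access concrete, here is an added toy model. It is not code from the original post, and PSD2 itself does not prescribe this protocol (the later technical standards leave the API design to the market); the Bank, Merchant and Grant classes, the scope names, the sample customer and the in-process “consent” call standing in for a browser redirect are all assumptions. What it shows are the properties described above: the customer authenticates only to the bank, the third party receives an opaque token bound to its own identity and to agreed scopes, confirmation of funds is a yes/no answer, and the account holder can revoke the grant at any time.

```python
"""Toy model of PSD2-style access to accounts (XS2A) with revocable consent.

Assumed design, not the directive's: the bank (account servicing PSP) issues a
third party (PISP or AISP) an opaque, scoped, TPP-bound grant; the third party
never sees the customer's bank credentials.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One customer consent: which TPP may do what on which account."""
    tpp_id: str
    account: str
    scopes: frozenset
    revoked: bool = False


class Bank:
    """Hypothetical account servicing PSP holding credentials, balances and grants."""

    def __init__(self):
        self._creds = {}    # user -> (salt, pbkdf2 hash); the TPP never sees these
        self._owner = {}    # account -> user
        self._balance = {}  # account -> cents
        self._grants = {}   # sha256(token) -> Grant; raw tokens are never stored

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def open_account(self, user, password, account, balance_cents):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._hash(password, salt))
        self._owner[account] = user
        self._balance[account] = balance_cents

    def _login(self, user, password):
        # The customer authenticates at the bank; constant-time compare of the hash.
        salt, stored = self._creds.get(user, (b"", b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            raise PermissionError("bad credentials")

    def authorize(self, user, password, tpp_id, account, scopes):
        """Consent step (stands in for the redirect-to-bank login). Returns the
        opaque token the bank hands to the named TPP; only its hash is kept."""
        self._login(user, password)
        if self._owner.get(account) != user:
            raise PermissionError("not the account holder")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._grants[key] = Grant(tpp_id, account, frozenset(scopes))
        return token

    def revoke(self, user, password, tpp_id):
        """Account holder withdraws consent: every grant to that TPP stops working."""
        self._login(user, password)
        for g in self._grants.values():
            if g.tpp_id == tpp_id and self._owner[g.account] == user:
                g.revoked = True

    def _grant_for(self, token, tpp_id, scope):
        g = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        # Token must exist, be unrevoked, belong to the calling TPP and carry the scope.
        if g is None or g.revoked or g.tpp_id != tpp_id or scope not in g.scopes:
            raise PermissionError("access denied")
        return g

    def confirm_funds(self, token, tpp_id, amount_cents):
        """Yes/no only: the TPP learns whether the amount is covered, not the balance."""
        g = self._grant_for(token, tpp_id, "funds_check")
        return self._balance[g.account] >= amount_cents

    def initiate_payment(self, token, tpp_id, amount_cents, payee):
        g = self._grant_for(token, tpp_id, "payment_init")
        if self._balance[g.account] < amount_cents:
            raise ValueError("insufficient funds")
        self._balance[g.account] -= amount_cents
        return f"paid {amount_cents} to {payee} from {g.account}"

    def balance(self, user, password, account):
        self._login(user, password)  # balance is for the account holder, not the TPP
        return self._balance[account]


class Merchant:
    """Hypothetical PISP: stores only the bank-issued token per customer, never credentials."""

    def __init__(self, tpp_id, bank):
        self.tpp_id, self.bank, self.tokens = tpp_id, bank, {}

    def link_account(self, customer_ref, token):
        self.tokens[customer_ref] = token

    def checkout(self, customer_ref, amount_cents):
        token = self.tokens[customer_ref]
        if not self.bank.confirm_funds(token, self.tpp_id, amount_cents):
            return "declined: insufficient funds"
        return self.bank.initiate_payment(token, self.tpp_id, amount_cents, self.tpp_id)


def run_demo():
    """Consent, payment, yes/no funds check, token misuse by another TPP, revocation."""
    bank = Bank()
    bank.open_account("alice", "correct horse battery", "DE00-1", 10_000)  # constructed sample
    shop = Merchant("shop.example", bank)
    # Consent happens at the bank; only the resulting token reaches the merchant.
    token = bank.authorize("alice", "correct horse battery", "shop.example", "DE00-1",
                           {"funds_check", "payment_init"})
    shop.link_account("cust-42", token)
    results = {"first": shop.checkout("cust-42", 2_500),
               "too_big": shop.checkout("cust-42", 50_000),
               "balance": bank.balance("alice", "correct horse battery", "DE00-1")}
    try:  # a different TPP replaying the token is refused: grants are bound to a TPP id
        bank.confirm_funds(token, "evil.example", 1)
        results["replay"] = "allowed"
    except PermissionError:
        results["replay"] = "denied"
    bank.revoke("alice", "correct horse battery", "shop.example")
    try:  # revocation by the account holder ends the merchant's access at once
        shop.checkout("cust-42", 100)
        results["after_revoke"] = "allowed"
    except PermissionError:
        results["after_revoke"] = "denied"
    results["merchant_holds_password"] = "correct horse battery" in repr(shop.tokens)
    return results
```

Calling `run_demo()` walks the whole life cycle: the first checkout succeeds, the oversized one is declined by the yes/no check without revealing the balance, a second provider presenting the same token is refused, and after revocation the merchant's stored token is worthless. A production design would add token expiry, transaction-level authorisation for each payment, and mutual TLS or signed requests to identify the third party, none of which this sketch models.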

There are many other provisions in PSD2. One notable requirement is strong customer authentication (SCA): a payment must be authenticated with two or more independent elements drawn from something the customer knows, something the customer possesses, and something the customer is, designed so that compromising one element does not compromise the others. The liability rule backs this up: where the payer’s payment service provider does not require SCA, the payer bears no loss from an unauthorised transaction (unless the payer acted fraudulently), so the loss falls on the provider.

Mobile operator direct billing, charity donations, electronic tickets, prepaid cards, public transport payments, and a few other categories are specifically excluded from PSD2.

Do you think that PSD2 will have its desired effect – to grow and encourage innovation by mandating open APIs and making third-party payment processing possible? Post your thoughts below.

Tom Davis

Tom is President & CEO of Trellance. He joined Trellance in 2004 and today wears many hats as highly respected executive and tireless evangelist on new payment technologies and innovations and how they will positively impact the success and growth of credit unions.

2 comments on article "The Second Payment Services Directive (PSD2) – A Primer"

Glen Sarvady, 3/28/2017 4:52 PM

GREAT recap, Tom! John Best and I held court on the topic earlier this week, our podcast makes a nice companion piece to your writeup:

At a high level it's hard to argue with the PSD2's intent (unless you're an FI looking to protect the "family jewels") but it's also a classic case of "the devil's in the details." There are loads of unanswered questions re: consent, security, privacy, etc. that won't be fleshed out until we move from the drawing board to the real world marketplace.

Lou Grilli, 3/29/2017 9:55 AM

I just wanted to add some clarification as to the timeline for PSD2. The article above states that PSD2 came “into force” in January 2016. This is EU terminology meaning that the EU adopted the directive in its final form, and from that point, member states have two years to incorporate the directives into local laws. The stronger authentication directive has a different timeline, 8 months later, but seems like it may get pushed back. I don’t think we’ll see much innovation in 2017, since it is a year of planning and preparation, especially for the AISPs (the banks). 2018 will be the first of the fintechs being able to take advantage of the open APIs.
