How PSD2 will affect payments for banks and business

Nic Feare examines the changes that the Revised Directive on Payment Services (PSD2) will make to banking and business

When officials first proposed the creation of the revised Payment Services Directive (PSD2) nearly five years ago, their goal was to revolutionise the way that financial companies operate in Europe. In particular, the new rules aim to establish a secure and innovative payments infrastructure across the European Union.

At the time, commissioner Jonathan Hill claimed that the legislation was "a step towards a digital single market". He said it would benefit consumers and businesses, as well as help the economy grow. Since then, certain aspects of PSD2 have come into force. However, organisations have been most vexed by the introduction of strong customer authentication and secure communication.

But PSD2, most of which came into force earlier this month, won't just affect banks and financial organisations - it seeks to transform the way all organisations take and make payments. With this in mind, what practical changes have been made? And while the directive is all about positive change, could it potentially inconvenience organisations?

Transforming financial services

The main aim of the directive has been to increase competition and drive innovation through open banking, but the introduction of strong customer authentication and other additional checks is intended to boost security in the sector.

Matthew Cox, managing director of fraud, cyber and financial crime at analytics software firm FICO, expects transactions and general banking to remain largely the same but explains that the directive will introduce a number of new changes.

He said: "We will see the introduction of Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), whereby third-party companies - and that includes non-financial businesses - can have direct access to process payments and summarised consumer account information.

"In order to secure these channels, banks will use local registers and additional checks to ensure the companies are who they say they are. Additionally, banks and card issuers will want to keep their losses low to maintain their flexibility as to when they should invoke strong customer authentication (SCA)."

Those issues around security and authentication were partly the reason for warnings issued earlier this month over contactless and online payments.

But it's not just financial organisations that will be affected by PSD2, says Cox. "While changes within financial institutions are a large part of the changes wrought by PSD2, retailers will also be affected, as will payment processors. IT companies may see this as a commercial opportunity to become either an AISP or PISP."

For consumers, it means they'll have to authenticate themselves more often than before. He adds: "This will create additional friction within the 'payment journey'. Companies will need to invest in the best authentication technology to limit the impact of this on consumers in the long run, which will in turn increase their competitiveness."

The rise of open banking

Another goal of PSD2 is to make banking easier and more understandable. Patrick Callaghan, enterprise architect at DataStax, says that it will mean an increase in requests for data from the banks by customers and by third parties who work on behalf of them.

"For traditional banks running on older platforms like mainframes, this additional load was a huge problem, as the core banking apps simply aren't designed to cope with real-time data requests that happen when you run at web-scale. Supporting this has meant re-organising applications and looking either at how to offload these kinds of transactions to a caching layer or migrating away from mainframe-based services," Callaghan told Computing.

In many ways, traditional banks are playing catch-up with new and more innovative competitors. Callaghan added: "New challenger banks have not had this problem. They were able to use newer open-source options, like Apache Cassandra, that can scale-up to cope with the huge volumes of transactions that are taking place.

"The traditional banks are moving to those same applications and services too. Banks today don't just compete with each other - they have to compete with the other applications that customers use on their phones. Open Banking has helped all banks look at their experiences and infrastructure to achieve the right results."

Karl Foster, legal director at law firm Blake Morgan, believes that the financial services industry will benefit greatly from improved security. "In 2016, the European Central Bank (ECB) calculated the total cost of card payment fraud in Europe as €1.8 billion, with the UK suffering from one of the highest rates of fraud," Foster said.

He continued: "Improving systems to safeguard consumer personal data and implementing appropriate steps to confirm transactions are being completed by genuine customers are key strategies in fraud defence.

"Improving security and safety for consumers will contribute to the optimisation of the consumer experience, launching the industry a step further towards achieving goals set out under PSD2 and providing consumers with an end-to-end experience. It will also assist the industry in complying with anti-money laundering legislation."

A double-edged sword

While PSD2 is all about giving customers and businesses access to better services and deals, CallSign CMO Sarah Whipp says the path to achieve this goal is fairly complicated.

"One specific aspect of the regulation - strong customer authentication or SCA - has been created to reduce online payment fraud by requiring a strong authentication process whenever a payment is initiated, or remote account access is requested," she told Computing.

She continued: "But regulators have identified that a number of customers were massively unprepared for its introduction on September 14.

"As a result, the FCA has not only granted retail merchants an extension, but it also provided additional guidance around the inherence element, which now includes behavioural biometrics such as keystroke dynamics, typing and swiping patterns, and the angle at which a phone user holds their device."

Whipp claims that although SCA has been designed to protect consumers, it may even cause an increase in alternate scams such as APP fraud. She explains: "The rise in third-party payment providers (TPPs) fuelled by open banking who utilise screen scraping, complicates the authentication landscape.

"Ultimately, if a consumer hands over information about their various accounts to one TPP, and that provider then gets compromised, all of that individual's accounts are at risk - you are only as strong as your weakest link."

She says that for financial institutions to prevent their customers being targeted by fraudsters, they must be able to see the full picture.

"Intelligence from both telcos and email providers will provide a clearer picture of whether a customer has received a stream of calls from a random number, a number which has also been targeting other customers - by piecing that together with behavioural insights, banks can build up a more complete view of fraudulent activity and stop it in its tracks."

The aims of PSD2 seem legitimate: lawmakers want to create a financial services industry that is more open, aligned with the times and accessible for consumers. But just like any other major regulatory change, PSD2 will no doubt bring challenges that organisations will have to overcome and adjust to, long after its introduction.