A new regulation for payment services: PSD2
PSD2 went into effect at the beginning of the year. PSD2 should, contrary to its earlier version, lead to an increase in innovation and competition within the EU. What does that mean for the payments market and particularly for banks? We'll cover the most important matters in this blog post.
What is PSD2?
PSD2, or Payment Services Directive 2, is a European regulation for payment services, a revised version of PSD1. The purpose of PSD1 was to create a uniform payments market in the EU. PSD2 is tasked with paving the way for more innovation and competition by pushing through some important changes. Shops, banks, and their customers and clients are especially involved in the process.
PSD2 in action
PSD2 went into effect on 19 February 2019. The section of PSD2 that creates additional security for online credit card payments will take effect on 14 September 2019. According to DNB, the central bank of the Netherlands, money matters will become more organised and safe for consumers. That will look like this: if a client has accounts with multiple banks, that person will have access to an overview of all their bank accounts in one clear summary. You can give payment apps and online shops consent to initiate payments directly from your account.
Why was PSD2 put into place?
The implementation of PSD1 in 2007 brought Europe one step closer to an even playing field in the payments market. The goal of PSD2 is to strengthen that uniformity by encouraging more innovation and competition in the banking sector. Additionally, consumers must receive better protection and the security of payments must be improved. Based on that premise, four important changes were introduced.
An outline of the changes
These are the four most significant changes:
1. Third parties will have access to a consumer’s payment account if the consumer grants their bank consent to do so.
2. It is no longer permitted to add a surcharge for payments with debit cards and credit cards. For alternative payment methods like Afterpay and acceptgiro, surcharges are still allowed, although they must not exceed the cost incurred by the merchant in accepting that payment method. Credit cards for the business market, like American Express and Diners Club, are not banned from applying a surcharge.
3. You will no longer be liable in the event of theft or loss of your debit card or credit card.
4. Payment security will be improved by two-step verification, for example. That could happen by using an ID-check in combination with facial recognition software to verify authenticity.
What does PSD2 mean for banks?
As mentioned earlier, banks need to grant licence holders and payment service providers access to their payment system. That access must be provided objectively, equally, and without discrimination. Banks are required to participate in payment orders and information requests from third parties. The access may not be rescinded due to, for example, a poor relationship between a bank and a third party. Banks simply cannot treat third parties differently.
Additionally, banks need to take great care in protecting the privacy of consumers. Without explicit consent, access must not be granted to sensitive personal information.
There are great risks involved in breaching a client’s privacy:
- Parties offering new payment services must comply with the GDPR law. Violation of those regulations can lead to large fines, depending on the judgement of the Dutch Data Protection Authority (Dutch DPA). These penalties can be as high as €20,000,000 or 4% of global revenue.
- When banks violate their duty of non-discrimination by treating third parties differently, there are significant consequences. The Dutch DPA will pursue those matters.
The PSD2 highlights that banks must be much stricter in monitoring the safety and security of their clients. A solid solution is what’s needed.
The solution of two-step verification
Two-step verification is a way to improve the security of payments. One solution is to secure online payments through an added step. By sending a client a SecureIDLink in combination with an ID-Selfie, the client can be identified through facial recognition and an ID Check. In that scenario, an ID document is sent along with a selfie (shown side by side) for a visual check. All this takes place in a safe environment that is compliant with the GDPR requirements.