PSD2 is the acronym for Payment Services Directive 2. This regulation has completely transformed the way online payments are carried out. What's more, it's very likely that when using your bank you've received a notice about this standard in the last year. Both the most digital FinTech and eCommerce platforms must adapt their payment methods to comply with the provisions of this European directive.
Together with eIDAS (electronic IDentification, Authentication, and trust Services) and AML6 (Sixth Anti-money Laundering Directive) PSD2 further advances the European Union's objective of creating a secure reference framework in which to operate with agility and guarantees in a market of more than 500 million potential consumers. Although many businesses may think that the approval of this type of standard is a brake on their activity, the reality is just the opposite: this harmonization is resulting in astonishing ease for businesses to develop and deploy in Europe in days without large investments thanks to a secure online framework.
PSD2 is a European directive on payment services over the Internet and in online environments that applies in the member countries of the European Union and in the United Kingdom. It is the second regulation to be implemented in this sense since the previous one - PSD - already defined a series of rules for online payments to be made under secure and consolidated standards.
This second law advances what its predecessor already started, including the concept of Strong Authentication (SCA). This concept is really important, as it is the main novelty of the new regulation. The first directive was launched in 2007 and the second one started the procedures for its approval and development in 2013, being a revision of its little sister.
Rather than talking about changes, we can talk about extensions. The main new features include the new role of TTPs (Third Party Payment Service Providers), the regulation of payment initiation services (PIS) and the definition of standards for account information services (AIS). With this, the financial and banking sector speak the same language throughout Europe and the UK to proceed with their operations, which facilitates intermediation, the creation of new businesses and the ease of developing new verticals.
Now, sensitive customer information is collected and stored in a single form and in a single place, allowing the emergence of financial aggregators. Similarly, this standard has led to the birth and expansion of the so-called wallet cards.
Now, a customer can make a payment to a third party from one bank's application to a different bank without the need for any complex obstacles. This is possible thanks to the PIS and the services provided by TTPs.
The way companies will comply with PSD2 is mainly through API integrations. This model, easily integrated thanks to the best RPA (Robot Process Automation) solutions, automates compliance with the PSD2 directive without blocking the IT and technology departments of companies or high costs.
The main advantages of the standard include the expansion of security for companies, eliminating AML risks beyond what specific standards such as 6AMLD or AML5 were already providing, as well as the possibility of unleashing innovation in terms of payment methods. This will enable FinTech and WealthTech to offer new types of products and services. Likewise, having less risk will accelerate business growth and avoid the costs associated with these problems.
Also, and for eCommerce, establishing reliable payment gateways will increase your online sales given the increased user confidence in your platforms.
Many people wonder whether PSD2 is a directive or a regulation, and what it really means. This law is not optional, it is mandatory for all entities operating in European countries. Put this way, it might seem like something that generates friction for companies to adopt, however, this transformation of certain processes brings more benefits and advantages than the cost of implementing these changes.
A directive is not a recommendation, but a reference framework for each member country to transpose those standards into their own legal framework, developing a specific law or updating the one they already have about that subject and social and economic area. And yes, we can say that the terms PSD2 Directive and PSD2 Regulation are synonymous with each other. All countries have already done the same, so the objectives of the standard are already taking effect and are mandatory.
Now! PSD2 came into force in January 2018. However, the EU and the UK gave companies until 1 January 2021 to adapt to the regulation. From this date, all companies that are not performing their activities according to the standards set by the second European payments directive will be exposed to serious sanctions by the authorities.
The technical standards of the regulation were defined by the EBA - European Banking Authority - and can be freely consulted on their websites. On the other hand, the specifics on access, login and SCA took place in mid-September 2019, so companies have already had to adapt.
PSD2's star new feature focuses on how users who have already passed a customer onboarding process - known as Know Your Customer (KYC) in this industry - authenticate themselves to access their contracted products and services, their management dashboard and perform transactions based on their customer personas.
However, we can say without a doubt that the adoption of SCA standards has been unambitious. While the vast majority of banks have put in place all the necessary controls to comply with this, all of them have provided temporary or "rudimentary" solutions that are not meeting the agility and user experience needs of today's users.
It all comes down to one term: Multi-Factor Authentication (MFA). This means that in order to be considered secure access to a client platform, access must be granted under security standards that require at least two factors of authentication (2FA). Furthermore, these factors must be absolutely secure and created under the strictest order.
In this sense, facial biometrics is revolutionizing the industry as it is one of the most convenient and common ways for users to access their mobile devices. The best customer onboarding solutions create a unique facial biometric pattern for the user when they first register and validate them during the purchase process. This should be able to be used to generate one of the authentication factors within the SCA strategy required by PSD2.
Now, banks are betting on one-time SMS tokens (OTPs), and PINs, and even many are still using coordinate cards. This is a delay not only in terms of security but also for the user. Authenticate for the signature of transactions with the same validity as a KYC of the highest level and seal it with electronic signature is the bet for the future to apply PSD2.