Ready, Steady, PSD2: Are Businesses Ready for Payments Regulations?
January 2018 saw the introduction of PSD2, with September 2019 as the final deadline by which all businesses must be PSD2 compliant. The regulation's aim of 'open banking' is a worthwhile goal, but the steps required to reach it pose challenges to business practices involving payments and security. It is expected that the market for PSD2 solutions could reach a value of over $20 billion by 2025, especially once other countries begin taking the lead and passing similar legislation.
How Secure is Secure?
Security is among PSD2's primary objectives, and where the regulation overlaps with GDPR's data privacy requirements, businesses can be found lacking, mostly due to an overall lax approach to security or simply not implementing required measures in time. Data center security is coming under increased scrutiny, and it has been shown that cloud service providers are a much better choice than companies hosting their own data centers. This is largely because these providers do most of the heavy lifting themselves with regard to PSD2 security compliance.
And What About Plastic?
While some have been prophesying the "death" of credit cards in the digital revolution - or at least their relegation to the level of checks - there is a strong belief that credit cards have a long life ahead of them.
The implementation of cutting-edge technology will certainly keep them at the head of the race: Mastercard has already begun testing cards with fingerprint scanners, while Visa has made a push to implement chip cards and in doing so reduced counterfeit fraud in the US by a staggering 75%.
The SCA Hurdle
However, the implementation of SCA - strong customer authentication necessary for security in the three-way exchange of data between customers, banks and third-party payment providers - may prove a difficult hurdle to overcome.
SCA requires confirmation of the user's device, use of a PIN or password, and biometric verification, and reports indicate that many companies are struggling with implementing it.
The most pressing issue is that SCA can disrupt a customer's otherwise frictionless experience, which in turn can lead to customer dissatisfaction and even service abandonment.
A Good Reputation Makes Good Business
The only way of avoiding mandatory SCA for a transaction is to request an exemption. Exemptions can be based on the value of the transaction: PSD2 provides exemptions for those under €30 for e-commerce, and up to €50 for contactless.
They can also be based on the transaction ecosystem, such as trusted beneficiaries or unattended terminals, or on low fraud rates: if the PSP's fraud rate for remote payments is between one and six basis points, for transactions up to €500.
With regard to the 'open' part of 'open banking', there are initiatives already in place that involve payment service providers and merchants sharing information to reduce some of these problems.
The basic idea is to create a sort of reputation score that would be applied to transactions, which would then be used to satisfy SCA requirements (for example, detecting that the device in question is the one the customer has used numerous times for all kinds of online transactions).
- To request exemptions based on the value of the transaction (PSD2 provides exemptions for those under €30)
- Low fraud rates (if the merchant's fraud rate for remote payments is between one and six basis points).
The advent of third-party providers is also forcing traditional banks to adapt fast and implement new services and offerings to both retain current customers and attract new ones.
One of the emerging business models is for banks to serve as "platform aggregators": provide an open platform that would allow various partners to use the bank's API to integrate their services and products into the bank's own offering. In doing so, banks turn their competitors into partners, to mutual benefit.
Emerging License Market
There has been a marked increase in fintechs looking to take advantage of open banking and serve as payments intermediaries.
These companies seek out e-money licenses from EU issuers, with most making their bids to Lithuania and Luxembourg. Of the two, the Lithuanian one is faster to acquire and more user-friendly, and has been acquired by the likes of Google.
The Luxembourg license, however, is one that fintechs aspire to, since it is considered the most prestigious.
The latest international business to have acquired the Luxembourg license is Alipay, and the license has also been of interest to banks such as Revolut, which hope to mitigate issues that will be raised by Brexit.