The new regulation concerning the European financial landscape, PSD2, will be one of the most influential reformations the financial industry has seen in the past few years. The EC has decided to make the PSD2’s regulatory technical standards applicable around September 2019, giving payment market players the opportunity to upgrade their security systems.
Nationwide implementation of the directive is planned for January 13th, 2018; however, a few countries, including the Netherlands, will not be able to make the deadline. This means that Dutch banks won’t be obliged to share consumer data (which would happen with the consent of the consumer) and that third parties are not able to apply for PISP or AISP licenses. Nevertheless, some Dutch banks are already anticipating the innovation-stimulating regulation and, as a result, are aligning their businesses in advance.
PSD2 comes with certain specific requirements that market players need to meet in order to comply with it. To enforce these requirements, PSD2 empowers the European Commission to adopt regulatory technical standards (RTS) based on a draft submitted by the European Banking Authority (EBA). After making some limited substantive amendments to the RTS, the EC has decided to make the RTS applicable 18 months after the date of entry into force of PSD2, resulting in an application date somewhere around September 2019.
The security measures described in the RTS stem from two key objectives of PSD2, namely ensuring consumer protection and enhancing competition and a level playing field. To stimulate competition and innovation in the retail payment market, the RTS includes standards for payment initiation service providers (PISPs) and account information service providers (AISPs).
In general, the RTS focuses on strong customer authentication (SCA). The EC assures that PSD2 will better protect consumers when making electronic payments or transactions. SCA means that users must authenticate with two out of three possible factor categories: something they know (e.g. a password), something they own (e.g. a mobile phone) and something they are (e.g. a fingerprint). Banks and other payment service providers are responsible for providing the infrastructure around these authentication methods, as well as for improving fraud management. The RTS also caters for the security of corporate payments, which are often carried out in batches.
Until recently, the exact specifics of how third parties will be able to access consumers’ financial information remained unclear. Banks wanted to grant access to the data through APIs only. With these specific interfaces, banks allow third parties to develop custom software solutions that interoperate with the banks’ systems. Fintechs, on the other hand, want to access a higher quantity of data by means of screen scraping. Screen scraping is a way of gathering personal data through the customer interface, using the customer’s own security credentials.
The RTS makes clear that no data processing can happen without the express consent of the consumer in question. Once the consumer agrees to share his or her personal data, payment service providers can only access and process the data needed for the provision of the services the consumer has agreed to. Payment service providers are required to inform their customers about the data processing method. Under these new rules, third parties will not be able to gather data through screen scraping.
As mentioned before, the period between PSD2’s date of entry into force and the application date of the RTS is 18 months. This transition period enables payment market players to upgrade their security systems. This implies that the strong customer authentication methods and secure communication requirements specified directly in the RTS will apply around September 2019, so that until the RTS applies, screen scraping remains possible only under certain circumstances.
By Michael Brooijmans, Research Analyst at Holland FinTech