As the January 12, 2018 implementation deadline looms, some of the directive’s guidelines are still being discussed. Additionally, overlapping regulations may cause confusion amongst those in financial services as to when and how to comply with the directive. These compliance forces come together to create a complex and confusing decision-making environment for those in financial services.
Despite this, Deutsche Bank encourages financial service providers and banks to push on and not delay in implementing PSD2 compliance.
In their white paper with PPI AG, a payments consultancy, “Are You PSD2 Ready?” the German bank acknowledges the compliance obstacles regarding ongoing guidelines discussions. For example, the guidelines regarding fraud reporting and security are of particular interest.
Concerning other, separate, regulations that could get in the way of implementation, the paper mentioned some of these will not need to be implemented until the first half of 2019, at the earliest occasion. Among these regulations are the Regulatory Technical Standards (RTS) on Strong Consumer Authentication (SCA) and Common and Secure Communication (CSC). This gap may cause some financial institutions to delay SCA implementation, but they shouldn’t because “The only way to obviate these difficulties is to start implementing the third-party interface and strong customer authentication as soon as is possible.”
Another set of regulations that could cause problems is the General Data Protection Regulation (GDPR), which overlaps with PSD2 regarding data protection and emphasis on wanting consumers to have proprietorship over their own data. This goes into effect in May 2018. However, GDPR and PSD2 differ in what types of consent they mandate regarding data owners and who is liable for data breaches, for example.
Shahrokh Moinian, Deutsche Bank’s Global Head of Cash Products, Cash Management, in an opening statement to the paper, encouraged account servicing payment service providers (ASPSPs) to broker no delay in implementation, writing:
“With respect to compliance with their SCA and CSC (third party interface) obligations, we would also advise ASPSPs not to wait until late in 2018 or early 2019 to get going. Indeed, there are some significant provisions in PSD2 that are either dependent on or closely bound up with compliance to these obligations.” He adds that those who choose to delay, “will not only miss out on some first-mover opportunities, but they may find themselves wholly underprepared for change.”