PSD2 delayed: What does this mean for you?
For years, the UK and EU have shared the objective of creating a level playing field for new market entrants in the financial services and payments industries while ensuring the proper protection of consumers’ data.
To achieve this, the EU introduced a regulation in 2010 called the European Directive on payment services (PSD) to regulate payment services and payment service providers throughout the EU and EEA.
Cue, PSD2
You may have heard of PSD2, the latest directive imposed by the European Union.
If you have not: PSD2 came into effect in January 2016 and, not long after, EU member states were given 2 years to transpose it into national law.
This updated directive’s aims were to:
- contribute to a more integrated and efficient European payments market
- level the playing field for payment service providers (including new players)
- make payments safer and more secure
- protect consumers
- encourage lower prices for payments
Open banking
PSD2’s broader scope includes regulation of the latest digital phenomenon, open banking. Open banking has levelled the playing field for many authorised third-party providers (TPPs) by allowing them to access customer payment accounts, but only with the customer’s permission.
Mobile apps such as Yolt allow customers to view all of their bank account balances in one central app and to transfer money.
Under PSD2, banks and other financial institutions are required to grant TPPs access to customer payment accounts if the customer requests it.
However, only authorised payment services providers (PSPs) will have access to customer accounts, and they must meet strict guidelines to protect consumer data.
Secure payments
PSD2 will also affect the way consumers are protected when purchasing goods online and in person.
When paying by contactless, consumers will soon be required to enter their PIN when they have used this method five consecutive times, or if they hit a daily value limit. This protects them against fraudulent use of their card.
This is not the only method PSD2 uses to promote Strong Customer Authentication (SCA).
Under PSD2, consumers will be required to undergo two-factor authentication (2FA) before a payment is made.
Consumers will be asked to provide any two of the following:
- Something inherent (a biometric feature such as a fingerprint, face or iris pattern) which is linked to the consumer’s card.
- Something owned (this could be a one-time passcode, or OTP).
- Something known (this could be a PIN, password, or card numbers).
PSD2 delay
The Financial Conduct Authority (FCA) has been working with industry to delay the enforcement of PSD2. As a result, UK retailers have been granted an 18-month extension to update their payment systems and processes to comply with the new requirements.
The FCA is not against the implementation of PSD2, but wants the directive to be correctly implemented.
This 18-month extension gives merchants and financial institutions the time to prepare and ensure it is implemented correctly.
How does this affect you?
PSD2 affects all merchants and consumers within the European Economic Area, whether payments are made in person or online.
The FCA has proposed that both strong customer authentication (SCA) and common and secure open standards of communication take effect on the same timeline as the EU, even in the case of a no-deal Brexit, so no matter the outcome, merchants will have to comply.