Three months after publication of the final text for the second iteration of Europe’s Payment Services Directive (PSD2), the brouhaha over Article 29, commonly known as Access to Accounts or XS2A, continues unabated – but is it the big issue in PSD2 or just a red herring?
I’m not going to go into the details of XS2A (read a great explanation here) but in essence it requires banks to set up secure API layers so that third-party PSPs can directly introduce payment and balance requests into the bank of the debtor, and in doing so cut out payment middle men such as card brands. It’s going to be a huge technological shift for sure, which has the fintech companies rubbing their hands, consultants’ hearts racing and banks running scared at having to open their investment purses again. Essentially the creaky old 80’s (and older) systems running in many banks will likely need to be replaced as the necessity to deal with XS2A comes in 2 years’ time (the transposition timeline for the directive).
However, 29 is but one article out of a directive filled with delights – one hundred and seventeen of them to be precise, coupled with an additional one hundred and thirteen pieces of preamble and definitions in the ‘whereas’ section. All in all, it’s a hugely significant piece of legislation that will change the payment industry in ways not yet conceived.
Take a few gems from the preamble for example – paragraph 66 tells Member States that merchant surcharging for card transactions is bad and should be stopped or limited to direct compensation for the transaction cost, which in most markets is a variable percentage rather than the fixed 15 cents charged by my local petrol station. Paragraph 84 gives us ‘it is essential for payment service users to know the real costs and charges of payment services’, which is something that few banks know or understand themselves (corrections welcomed!). And finally, paragraph 21 gives us ‘the definition of payment services should be technologically neutral’, which means that no matter how you move the money, if you’re moving money then this one’s for you!
Perhaps the biggest and most frequently ignored Article in the PSD2 is Article 2. Line 1 of this article states ‘This Directive applies to payment services provided within the Union’. Punkt, fullstop, nevermind the buzzcocks. Enter deeply breathing consultants in non-Euro countries. Yes, whereas SEPA and PSD1 were more specifically targeted at getting the Eurozone harmonized, PSD2 is saying that this time, we all get to play. It goes on to tell us that regardless of currency, if a transaction starts or finishes in a Member State then the bulk of this directive applies. One of the biggest fudges in SEPA was the failure to deal with precisely these types of transactions – there were a number of working groups on the topic of how to deal with ‘leg-in’ and ‘leg-out’ transactions, none of which came to a conclusion as earlier legislation failed to deliver guidance. But now it’s certain – if your transaction toe or the end of its pinky finger is in Europe, then the rules apply.
However, with no harmonized interbank payment methods, beyond SWIFT, capable of managing multiple currencies across the Union, how practical a reality is this? Indeed, if a Swedish bank is mandated to provide D+1 credit transfers to anywhere in the Union and provide knowledge of all costs up front to the customer including exchange rates, how is this possible if the likely engine will be a Euro payment via SCT that will require two currency conversions to arrive at a Hungarian customer bank account?
Articles 97 and 98 finally give us something that has been in the pipeline for nearly 10 years, and should have been settled long ago – mandatory strong authentication for account access transactions, online payments and any remote channel access. Harmonised through specifications to be delivered by the new European Banking Authority, this has been a long time coming and should be a point of shame to any Financial Institution that hasn’t done it already. What it will require though is a new attitude from consumers – not only to demand secure transactions, but to realise that the cost of security is to be sometimes stopped from making a payment or for payments to be a little more complex than simply giving up your card details. Some banks will have a lot of work to do to make this a reality, and more than that, they need to start declining transactions that are not performed securely instead of playing dumb and waiting for complaints.
With all of this, and XS2A, PSD2 has delivered us all a box of delights that will keep the payments industry changing for the next few years, but perhaps a larger issue than all of this will be the new reporting requirements added into a number of articles across the directive. With many banks still running disparate systems requiring manual reporting and few able to access the information required to meet their new obligations, PSD2 will likely become a driver for changes in the way that banks handle data. There has been noise in the industry for a few years that banks needed to capitalize on big data to provide a better offer for their clients, but underinvestment in this area has led to few actually doing so. With the new requirements for reporting driving a data rethink, will PSD2 usher in the era of big data at last, or is someone already working on building a bank reporting hub to connect the aging systems?