On December 23, 2015, Directive 2015/2366 of the European Parliament and Council, known as the PSD2 directive, was approved, providing a new regulatory framework for the use of mobile payments, tools from non-banking institutions and enhanced security. What do these changes mean compared to the first PSD and how do they affect companies?
What is PSD2 and why does it matter?
PSD2 is the abbreviated name given to the second version of the Payment Services Directive (PSD), whose purpose is to "provide the legal basis for further progress in the development of a more integrated internal market for electronic payments in the European Union."
This directive creates a regulatory framework that each country must use to legislate its own internal regulations. The result is unified key guidelines to make "international payments (within the EU) as easy, efficient and secure as payments made within a single country."
They do not appear in the document, but it is clear that API tools are the perfect vehicle for enforcing this directive and its local transpositions in each country. With the opening of TPPs (Third-Party Payment Service Providers, as we will see below), APIs become basic tools for implementing the secure management of information.
1. The regulation considers mobile and online payments
The first PSD directive dates back to 2007, when smartphones were first sold. By 2015, the universe of banking services had changed and companies were demanding more tools, as noted in the 2012 green book "Towards an integrated European market for card, internet and mobile payments." Hence the need to include mobile and online payments in PSD2.
This has enabled companies to make payments without being anchored to a physical location, and has posed a challenge for banks, by forcing them to adapt their IT systems to security requirements and to the possibility of including third parties while guaranteeing security.
2. The inclusion of TPPs
One of the most significant legislative changes was the inclusion in PSD2 of third-party payment service providers (TPP) in the provision of banking and related services. Although the directive is clear in terms of security and lays out guarantees for customers, it also allows working with third-party, and not just internal, APIs.
This decision opens the door to the integration of more open, powerful and reliable banking services, since when the use of a tool is widespread, it is easier to find critical flaws and solve them. Outsourcing services can be viewed as the ability to include the program or routine of a third party into a two-party process.
This translates into more tools for those companies that want to use them. The change is similar to opening an app market to external developers, rather than restricting it to the phone manufacturer. The possibilities multiply exponentially, since thanks to this key point of PSD2, there are now more parties that are interested in having this service be used, and to make it secure and high quality.
At the same time, the security and verification requirements have led banks to work to build open and secure platforms, such as BBVA API _ Market, meeting points between companies, third parties and customers who are looking for strategic alliances and long-term partnerships that are beneficial to all involved.
3. What happens to payment integration and account information services?
The payment initiation service (PIS) allows third parties (service providers) to use online banking to make online payments. Similarly, the account information service (AIS) collects and stores information from a user's various bank accounts – always with their express consent – in a single location, providing said user with a better understanding of their financial situation.
It is not difficult to understand why APIs have been so useful in these two business segments, which are now integrated under the same TPP umbrella. However, in addition to grouping PIS and AIS, PSD2 also allows customers to pay third parties directly from their banking app.
In other words, a user can transfer their information to third parties if they wish and it's convenient for them. This possibility, which was previously unregulated, now has all the European guarantees that banks like BBVA are implementing on their end, resulting in the consolidation of more robust and secure systems.
4. The arrival of new players on the banking scene
Until not too long ago, the payment service providers (PSP) were the banking, credit and payment institutions themselves. With the opening of PSD and PSD2, and the arrival of third parties, we are now seeing the inclusion of aggregators (AISP or Account Information Service Providers) and payment initiators (PISP, Payment Initiation Service Providers), among other players.
This enhanced diversity in the provision of banking services has attracted talent to the sector, as well as new companies that are interested in becoming an efficient link in the B2B chain. This also requires more from traditional entities, however, since they have to provide the basic structure – a scaffold or frame – around which TPPs can design and deploy their services.
5. PSD2: more stringent security requirements
Alongside all these changes are greater calls for security from customers. It's consistent: if third parties are given access to the data that the user of the system wishes to provide, protecting said data can't be optional. Thus, PSD2 provides for Strong Customer Authentication (SCA).
This is implemented through elements such as two-factor authentication before making a transfer, as well as in any other banking application that includes TPPs or APIs. Although there are, of course, direct systems that also use this strong authentication.
Internally, entities such as BBVA have had to deploy a series of tools for this strong customer authentication, which are usually categorized as knowledge, something the customer knows, such as a PIN; possession, something the customer has, like a smartphone; and inherence, something the customer is, such as a fingerprint.
Images | Luis Villasmil, Halacious, George Prentzas