Despite the ‘digitalisation’ theme of PSD2, PSP businesses will now have to provide monthly account statements on paper or a “durable medium”
Hopefully, it hasn’t escaped anyone’s notice that the Second Payment Services Directive (PSD2) is now in effect throughout the EU. It is even incorporated into UK domestic law, as part of the Payment Services Regulations 2017.
Thus far, the industry has been focused firmly on the implications of PSD2 for Open Banking. This is a principle whereby third-party providers are able – provided they have the permission of the account holder – to access the customer account data held by the major banks, in order to enable better services for users.
For many commentators, the security implications of opening up account data are a top concern, but open banking poses many more challenges than this. A detailed inspection of the small print of both PSD2 and the FCA’s new guidelines for payment service providers shows that the legislation has repercussions far beyond security that are not so well understood by many in the financial services sector. The complexities are so vast that compliance officers may even be scratching their heads in bewilderment. Here are a few things you need to be aware of.
1. The new breeds of payment service provider
There are now two new classes of payment service providers under PSD2. In addition to standard banks and building societies, PSD2 recognises account information service providers (AISPs) and payment initiation service providers (PISPs). The latter offer services such as bill payment and peer-to-peer transfers, by initiating “a payment from the user account to the merchant account by creating a software bridge”. The former, meanwhile, provide aggregated bank account information and analysis services.
2. PSD2 applies far beyond the boundaries of the EU
PSD2 applies to non-EU transactions where one leg is carried out by a PSP outside Europe, in addition to those taking place on EU soil.
So, no matter where your business’s head office is, if you are processing all or even part of a transaction within the EU, you must make sure your organisation is fully compliant with PSD2.
3. Card surcharges are no more
These have now been scrapped under PSD2 – meaning no more hidden fees, something that consumers will no doubt be toasting.
However, businesses should take note that only charges on consumer cards have been abolished. Corporate cards will continue to be subjected to surcharges for the foreseeable future.
4. PSD2 has stricter interpretations of “commercial agent” and “limited network” exemptions
This is particularly important for digital marketplaces that handle or control client money, which may have previously depended on the exemptions to circumvent any issues around being a licensed payment services provider.
5. A new definition of “payment account”
This is now defined as an “account held by one or more payment service users, which is used to conduct payment transactions”. It also encompasses accounts that combine savings with mortgage and payment facilities, as well as savings and current accounts, as long as they are used to make payment transactions.
Confusingly, this is different from the definition in the FCA Payment Account Regulations 2015, which does not include some savings or credit-card accounts.
6. PSPs need to provide monthly account statements
This seems a little old-fashioned, especially since PSD2 is all about bringing banking into the 21st Century. Nevertheless, according to the FCA’s approach document, PSPs must now “provide” monthly statements to their customers on a “durable medium” like paper.
The legislation gives these terms specific definitions. “Provide” now means proactively pushing out information on a regular basis, while “durable medium” is “any instrument which enables the payment service user to store information addressed personally to them in a way accessible for future reference”. This includes anything from CDs and DVDs, to paper printouts, or even websites.
7. Organisations must notify customers of security incidents as soon as possible
According to the FCA, all major operational and security alerts must be communicated to customers within hours of them taking place. Crucially, social media may not count as a notification.
This is an interesting turn of events for challenger banks, many of which have been praised by consumers in the past for their customer engagement on Twitter and other forms of social media. Going forward, they’ll need to do far more to remain compliant with legislation.
8. All existing eMoney and payment services businesses need to be re-authorised
A significant number of firms have yet to hand in their application forms – putting a lot of pressure on the FCA, which may not be able to process them all on time. To ensure their company is able to continue to operate, compliance officers should make sure that their applications for reauthorisation are submitted as soon as possible.
Ready to face the future
PSD2 marks a new age in financial services. It poses risks and challenges for established financial institutions, like banks and building societies, but it offers a wealth of opportunities for challengers to transform the sector, offering consumers greater choice and more control over their hard-earned cash.
In order to enjoy all the advantages that the new directive has to offer, companies and their compliance officers need to ensure they read and understand the fine print. By studying the legislation now, they can take steps to make sure their organisations capitalise on the competitive advantages that PSD2 can help provide.
Written by Myles Stephenson, chief executive at Modulr