In this month’s update, we look at (1) the recent release of an Opinion from the European Banking Authority regarding banks that are putting up obstacles to PSD2/SCA implementation and (2) a lack of clarity in the PSD2 regulations about B2B transactions. I also provide some commentary on where we are in terms of PSD2 implementation as an industry and a society, and a vocabulary list at the end of the post, because, as we know, the jargon and acronyms build up quickly in the PSD2 topic. :)
I saw a webinar description with the following quote, which is one of the more optimistic I’ve seen regarding PSD2/SCA implementation since the January 2021 deadline: “This year marks the start of a change in the goal posts. With the influx of richer datasets, PSD2 is quickly shifting away from a pure compliance play and moving into its strategic mission of driving better customer experience and trust.” Its inspirational tone certainly caught my attention. So where is Europe in the rollout of the Second Payment Services Directive? I think we are at the stage of listing and describing the problems and gaps in the regulations. We’re drawing a circle around the things that need to be fixed and added. To an extent, this was to be expected: how can we expect regulators to think of every single necessary piece of regulation, given an evolving technological landscape? The general lack of guidance provided by the European Banking Authority after the deadline leads me to believe that regulators are depending on the stakeholders to organize their own comment period and speak out, even though the deadline for implementation has passed.
In this month’s PSD2 update, I present a few of the potholes that need to be filled, so to speak.
The European Banking Authority speaks: ASPSPs (banks) must remove obstacles!
Back in June 2020, the European Banking Authority (EBA) published an official Opinion on obstacles to the implementation of PSD2 and SCA, specifically calling out practices by account servicing payment service providers (ASPSPs) that are obstacles to account access under Directive (EU) 2015/2366 (PSD2) and Article 32(3) of the EBA’s Regulatory Technical Standards (RTS). The EBA specified that it expects national competent authorities (NCAs) to take the necessary actions to ensure that ASPSPs (the banks) comply with PSD2 and the RTS and remove any identified obstacle within the shortest possible time and without unnecessary delays. (By the way, I added a vocabulary list at the end of this post, because I can sense that the jargon and acronyms are building up rather quickly.)
The EBA stated that it continues to observe that some ASPSPs across the EU have still not removed obstacles and are preventing the competition-enhancing objective of PSD2 from materialising in full. The purpose of the recent Opinion is to ensure that the relevant legal requirements are applied consistently across the EU by removing identified obstacles in a timely manner. The EBA expects NCAs (national competent authorities) to take, by 30 April 2021, supervisory actions requiring non-compliant ASPSPs to become compliant with the applicable law, and to set a deadline for the removal of these obstacles. The EBA recommends that NCAs follow a risk-based approach in meting out the supervisory actions, which I think means to tread carefully and dot your i’s and cross your t’s. The supervisory actions may include, but are not limited to, issuing an instruction or warning to the non-compliant ASPSP or requiring an amendment to the ASPSP’s rules, procedures and/or systems. Penalties can include, but are not limited to, the revocation of exemptions from the contingency mechanism under the RTS on SCA already granted to ASPSPs and/or the imposition of fines. The former sounds more severe than the latter, that’s for sure.
So, removal of ASPSP obstacles is on the to-do list. :) Step by step… If we remove several major obstacles and fill in some gaps in the regulations, then we’ll be well on our way to PSD2 bliss (driving better customer experience and trust).
A gap in the PSD2 regs: consumer vs. corporate environments
Adflex has done a great job of contributing some helpful critiques of the current PSD2 regulations, especially with regard to how SCA rules apply to corporate or B2B environments, which operate a little differently than consumer or B2C environments. There is a lot at stake, including whether the precious SCA exemptions apply in certain cases. It appears that the PSD2 regulators devised the regs on the assumption that there are some pretty clear delineations between the two worlds; this has proven not to be the case...
B2B vs. B2C. B2B transactions can be much more complex than B2C transactions, so complying with SCA rules is currently a gray-area challenge. Often, prices fluctuate far more than they would on a traditional B2C eCommerce platform. Dynamic pricing and disparities between a quote and final pricing lead to uncertainty over how and when SCA procedures should occur. For example, a repair service provider might provide an estimate, secure a sale, and then adjust the price as needed. Or, customized pricing agreements between buyer and supplier may see costs fluctuating depending on inventory and demand. So what happens when the initial amount is different from the final amount? It turns out that the current regs contain quite strict rules: the amount that is authenticated must be equal to or less than the amount authorized.
Timing. There is also confusion around whether merchants should initiate SCA procedures at the time a purchase is made, when an order is fulfilled, or when payment occurs. In B2B transactions, these activities can potentially occur weeks apart from each other. Also, what if a B2B merchant accepts credit card details over the phone and enters that information into their own web portal? When should B2B merchants initiate SCA procedures in such a case? Another clarification from the EBA may be in order.
Exemptions. Another major area of uncertainty is the SCA’s language surrounding exemptions. While the legislation leaves room for exemptions, it does not specify when B2B transactions might qualify for them. There is ambiguity between a consumer and a corporate environment, and there are difficulties in providing a commercial card transaction within a “secure” environment, as the SCA requires.
But how is a corporate environment defined? The U.K.’s Financial Conduct Authority has defined it as a transaction that’s taken in a closed loop between businesses and not open to consumers. But, as Adflex has pointed out, a lot of sites now, especially since the pandemic, are open to both corporations and consumers. Adflex’s CEO is quoted as saying “I think it’s going to take another year before we really know what’s happening.”
The other thing I’ve heard from folks in the payments universe is “No one knows what is going on.”
In other words, it’s a process.
The gaps, errors and mistakes will be identified and described and ironed out. In a year we’ll be well on our way to PSD2 nirvana, which is “shifting away from a pure compliance play and moving into its strategic mission of driving better customer experience and trust” (thanks Ekata).
There’s a lot of work to be done.
But the regs are clear and consistent on the need to keep fraud rates low, and the good news is that it is something your company can control. Keep your fraud rates low! Partner with a Machine Learning-based fraud prevention solution like oh, I don’t know, maybe NETHONE, and let us worry about the account takeovers, false positives, chargebacks, remote desktopping scams, acceptance rates, etc. Payment service providers (PSPs) will continue to bear the weight of compliance headaches, but we can help them too, as we’ve already demonstrated in some of the historically highest fraud-risk geographies in the world.
PSD2 jargon terms
API: Application Programming Interface. The API must allow Third Party Payment Service Providers to provide payment initiation or account information services without difficulties.
ASPSP: Account Servicing Payment Service Providers provide and maintain payment accounts for payment service users (PSUs). Traditionally, ASPSPs are banks and similar institutions. Under Open Banking, ASPSPs publish Read/Write APIs. These enable consumers to share their account transaction data with third-party providers; in turn, third-party providers can initiate payments on their behalf. Under PSD2, all ASPSPs in Europe are required to participate in open banking and provide access to the data.
CSC: Common and Secure Communication (CSC) seeks to promote competition and innovation among payment service providers by introducing TPPs (see below).
TPP: Third Party Payment Service Providers are entities that do not hold payment accounts for their customers but can provide the following services:
AISP: Account Information Service Provider – a one-stop shop for all of your payment accounts, irrespective of where they are held
PISP: Payment Initiation Service Provider – entities that can make payments on your behalf
NCA: National Competent Authorities are not only responsible for supervision but also for registering and authorising providers and publishing registers that will be used both by Qualified Trust Service Providers (QTSPs) to make decisions on issuing certificates and by financial institutions to check whether other parties are authorised.
RTS: The Regulatory Technical Standards define how access to the customer’s account is handled between ASPSPs, AISPs and PISPs: customer consent, a secure communication channel to access the payment account, and secure screen scraping, all the while complying with GDPR (General Data Protection Regulation).
SCA: Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.