PSD2, otherwise known as the Second Payment Services Directive, is an EU Directive that applies to all member states and to anyone in the European Economic Area (EEA). It is designed to strengthen regulation of payment service providers (PSPs) and the protection of their consumers.
The majority of PSD2 came into effect in January 2018, but the Regulatory Technical Standards (RTS) did not. These are coming into effect throughout 2019, with the first deadline on March 14th and the second on September 14th.
The March deadline was the date by which PSPs and other non-bank financial entities had to have an open API available for testing, 6 months ahead of the September 14th deadline for the RTS to come into full effect.
Between now and September 14th, third-party providers will be rigorously testing, and building against, these open APIs in readiness for open banking to become a fully regulated reality under PSD2.
With that in mind, here are 4 essential things you need to keep in mind if you are subject to PSD2.
If you still don’t have an open API in place, make this your top priority
Building and rolling out a fully compliant, test-ready API is a mammoth task to begin at this stage, but there are still options for you.
These options include a range of off-the-shelf solutions that meet all the criteria for PSD2 and the RTS, but selecting the most appropriate one can seem daunting. Our experts at JT can consult with you to find the best solution in the least amount of time.
Make sure you have appropriate support in place for your API
This includes having all the supporting documentation readily available and a dedicated individual or team that can assist third-party providers with testing their integrations.
Open banking is firmly on the horizon which means that startups and established FinTech companies will be furiously competing to be the most innovative, or provide the most seamless customer experience. This means they will be pushing the limits of your API and it is in your interests to work with them on this as much as possible.
Strong Customer Authentication is a critical element of the RTS
Strong customer authentication (SCA) requires multi-factor authentication for payments, using at least two of the following: something the customer knows (such as a PIN or password), something the customer has (a smartphone and app, or other hardware) and some form of biometric identifier (typically a fingerprint, but it could also be facial recognition).
This form of authentication will be required for any online transaction initiated by the customer from September 14th onward, including card payments and bank transfers, where the merchant business and the customer’s bank are both located within the EEA. It will also apply to any ‘in-person’ transactions within the EEA that do not currently require any authentication, so predominantly contactless payments.
SCA will not apply to merchant-initiated transactions; this includes direct debits, standing orders and recurring card payments. Payments that meet the criteria for requiring SCA will be rejected if the bank does not have SCA in place, which will have a deeply detrimental knock-on effect on the customer experience.
Being ready for SCA well before the 14th of September is going to be a critical condition for success under PSD2. Make sure you have the right expertise in your team to ensure your authentication measures are thoroughly tested and fit for purpose in advance of the deadline.
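As an added illustration (not code from this article or from JT), the two decisions above can be written down as rules: does this transaction need SCA at all, and do the factors presented actually come from two distinct categories? The factor-to-category mapping and the abbreviated EEA country list are assumptions made for the example; a real implementation would use the full EEA list and the bank's own factor catalogue.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed mapping of authentication methods to the three SCA categories the
# text names: knowledge, possession, inherence. Two methods from the SAME
# category (e.g. password + PIN) do not satisfy SCA.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "app_push": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

# Constructed, abbreviated subset of EEA countries for the example only.
EEA = frozenset({"DE", "FR", "IE", "NL", "ES", "IT", "NO", "IS", "LI"})


@dataclass(frozen=True)
class Transaction:
    channel: str              # "online" or "in_person"
    initiated_by: str         # "customer" or "merchant"
    merchant_country: str     # ISO 3166-1 alpha-2 code
    bank_country: str         # country of the customer's bank
    already_authenticated: bool = True  # in-person: e.g. chip-and-PIN already applied


def sca_required(tx: Transaction) -> bool:
    """Apply the applicability rules as the text states them."""
    if tx.initiated_by == "merchant":
        # Direct debits, standing orders, recurring card payments are exempt.
        return False
    both_in_eea = tx.merchant_country in EEA and tx.bank_country in EEA
    if tx.channel == "online":
        return both_in_eea
    if tx.channel == "in_person":
        # Only in-person payments that currently need no authentication
        # (predominantly contactless) pick up a new SCA obligation.
        return both_in_eea and not tx.already_authenticated
    raise ValueError(f"unknown channel: {tx.channel}")


def factors_satisfy_sca(factors: Iterable[str]) -> bool:
    """True only if the presented factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}  # KeyError on unknown method
    return len(categories) >= 2
```

The independence check is the part most often got wrong in practice: a password plus a memorable question is still a single "knowledge" factor.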
Make sure your customers are able to access their account information via third-party providers at all times
Banks will be required to abide by certain communication standards in order to ensure that customers can access their account information via third-party providers at all times.
The EU has not defined exactly which standard will be enforced, leaving this part in the hands of the market to find a solution that works for everyone.
Some of the prerequisites that have been defined include the need for a dedicated channel through which banks and third-party providers can identify each other and communicate securely whenever customer data is accessed.
Again, this is a task that will require specialist knowledge and experience of working to international standards. And again, JT can provide essential expertise in these areas.
So there you have it, just some of the most essential things to consider between now and the arrival of PSD2 in full force this coming September. These are only the tip of the proverbial iceberg though, and you’ll want to engage the services of an experienced diver to explore every area of that iceberg and be fully compliant with PSD2 and RTS.
Fortunately, JT have plenty of oxygen tanks to go round!