OFA position on the Review of the Revised Payment Services Directive (PSD2)
The OFA welcomes the European Commission’s review of the Payment Services Directive 2 (PSD2). PSD2 introduced groundbreaking rights for consumers and businesses to access their transaction data and payments through trusted third parties, using secure, open Application Programming Interfaces (APIs). It led to significant investment and innovation benefiting consumers and businesses across the EU.
But with only payment accounts included in the scope of PSD2, this is just the beginning of a transformation of the financial services industry towards open finance.
The review of PSD2, coupled with the open finance framework, has the potential to further empower consumers and businesses by enabling them to use more of their financial data and account functions via trusted third parties.
OFA believes the key focus areas for the PSD2 review should be:
1. API Harmonisation And Supervision For Open Banking
PSD2 has led to the creation of multiple organisations tasked with developing standards for APIs to meet the PSD2 requirements for ‘dedicated interfaces’. But account providers have flexibility in how they implement their own APIs against these standards, leading to fragmentation in how APIs perform. This results in inconsistent and poor experiences for consumers and businesses.
The review of PSD2 should consider:
- Further harmonisation of the implementation of APIs across account providers. This should include developing a framework for API availability and performance metrics and minimum standard requirements.
- Further coordination of API implementation, by NCAs, the EBA, or through the establishment of an EU-mandated open finance body.
- Facilitating more dialogue and cooperation between existing standards bodies so that new standards are aligned and converge over time rather than become more fragmented.
In addition, OFA is strongly supportive of many of the EBA’s proposals on PSD2. The following proposals in particular would greatly improve the quality of dedicated interfaces:
- Require all account providers to provide a dedicated interface for TPPs and remove the requirement for a fallback mechanism. APIs provide a significantly better and more secure user experience than modified consumer interfaces. Most bank APIs have now matured to a point that fallback mechanisms are no longer necessary.
- Require account providers to share with PISPs information on the execution of a payment as soon as this becomes available to the account provider. This additional functionality would significantly boost the attractiveness to businesses of open banking payments as a method of payment acceptance. This is particularly the case for businesses that provide goods and services to buyers at the time of sale who would benefit from knowing payment had been executed at the time of releasing goods.
- Require account providers to share with AISPs and PISPs the name of the PSU/account holder and of the person initiating the payment. This will enable additional use cases for identity and verification services.
2. User Experience – Balancing Security With Convenience
Strong customer authentication (SCA) is a key security measure that will directly address ongoing consumer harm from unauthorised payments.
OFA supports the requirement for both Account Information Service (AIS) and Payment Initiation Service (PIS) transactions to be strongly authenticated via redirection to a user’s account provider. This redirection is good for consumer trust (only giving credentials to a trusted account provider), and can encourage take-up of open banking.
However, there are ongoing issues with SCA in open banking journeys:
- 90-day re-authentication requirements for AIS – This requirement leads many consumers – even those that are highly engaged – to stop using open banking. Many businesses report ‘drop-off’ rates above 50%. We welcome changes announced by the EBA to extend the timeframe from 90 to 180 days. However, re-authenticating at 180 days will continue to cause friction and impede the faster rollout of open banking services in Europe. Consideration should be given to allowing a long-lived consent following an initial SCA, with AISPs periodically re-confirming the consent with the user.
- Poor authentication journeys – when users are redirected to their account provider to authenticate, they are subject to different user journeys, depending on what account provider they use. These journeys can sometimes be seamless, e.g. when biometric authentication is used. They can also be several steps long, and dissuade users from using open banking. More focus is needed on ensuring the security of SCA is balanced with convenience for users. Poor user experience is a key challenge to increased adoption of open banking services.
3. Unlocking Instant Payments
PSD2 supported open banking providers to initiate bank transfers, reducing reliance on cards and manual bank transfers, introducing cheaper and more convenient payment methods.
Open banking elevates SEPA Instant from a bank transfer option available only through online banking, to an alternative payment method in fast-moving sectors like e-commerce or investment.
But there are blockers to open banking payments realising the potential of SEPA Instant:
- Coverage – in some member states, coverage of SEPA Instant is as low as 5%, and averages at 60% across the EU. Open banking works well when it can be used to initiate instant payments; slower SEPA credit is holding back user experience of open banking where Instant is not available.
- Cross border obstacles – IBAN discrimination continues to be a problem. In the case of open banking, it means that instant payments either cannot be initiated cross border or that banks create discriminatory, unnecessary steps which discourage the user, leading to abandoned or cancelled payments.
The review of PSD2 should result in a payments framework that complements incoming legislation on instant payments and promotes frictionless instant open banking payments across the EU.
4. Scope And Definitions For Open Banking Providers
The creation of two new payment services under PSD2 – AIS and PIS – has been instrumental in supporting market entry of a new class of innovative payment and data companies.
But there are some unforeseen issues and limitations resulting from the PSD2 text:
- The scope of what constitutes a payments account is subject to interpretation – credit cards are classed as payment accounts in some member states, but not others. This means the scope of data that AISPs can access is limited in certain member states, creating additional friction and complexity for end users.
- Inclusion of AIS and PIS under anti-money laundering (AML) legislation – there should be more proportional requirements for Account Information Services Providers (AISPs) and Payment Initiation Service Providers (PISPs) where there is no fund handling involved, to avoid the imposition of cumbersome AML requirements.
- The definition of “account information services” is narrow. There are many additional use cases of account data that may be provided by an AISP, or by a business partnering with an AISP, without ‘consolidated information’ being provided back to the user. For example, AISPs can provide useful services such as account verification, without presenting that data back to the user in a ‘consolidated’ format. The review of PSD2 should ensure that consumers and businesses are empowered to re-use their transaction data in a wide range of scenarios. More clarity is also needed to avoid GDPR being used as a reason for not allowing data sharing that could benefit consumers and businesses.
The review of PSD2 should address these limitations in the legal text.
5. Address De-Risking To Improve Access To Payment Accounts
Many open banking providers also combine their services with provision of payment accounts. This is where some of the most innovative services are emerging in payments in the EU. However, payment firms rely on indirect access to payment systems, through banks (payment account providers). Many banks have moved away from providing accounts to payment firms. It is becoming increasingly difficult for payment firms to obtain payment account services – risking their business models and service provision.
In PSD3, the requirements within Article 36, on Access to accounts maintained with a credit institution, should be further specified and strengthened to guarantee PSPs’ access to bank accounts on a proportionate, objective and non-discriminatory basis. This would ensure that credit institutions are not using AML concerns as an excuse to off-board or refuse to serve PSPs without reviewing the controls/policies in place. Furthermore, no discrimination against PSPs registered in specific Member States should take place.
We suggest that NCAs should more actively supervise compliance with Article 36 and identify and address cases of undue de-risking. We support a common reporting template for credit institutions rejecting an application to open an account. We also suggest that NCAs should support a specific process to receive complaints from Payment Institutions whose applications for payment account services are not being treated in accordance with Article 36.
Copyright OFA 2022