Impact of PSD2 on financial services industry

As the dust settles from the release of the final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), details are starting to sink in, and established banks, emerging fintechs and others are just beginning to understand what these new regulations mean for them and how they must prepare for the challenges and opportunities that lie ahead.

How will these new regulations affect those in the financial industry?

Banks

The onus for authentication and payment is on banks. Payment Initiation Services Providers (PISPs) have the right to rely on the authentication procedures provided by the bank unless there is some substantiated reason for the bank to object.

This authentication must include real-time fraud detection and prevention. The final RTS calls for SCA on higher-risk transactions and many lower-risk transactions — parking meters, tollbooths, recurring subscriptions — to use risk-based authentication (RBA). Consumers may appreciate the added level of protection but, in general, RBA has been shown to increase transaction volume up to 4 percent for banks and merchants. Banks will want to enable SCA and RBA that afford as little friction as possible.

Given this specific role and the potential for disintermediation and customer loss, banks will need to leverage their reach and team with third-party processors (TPPs) to roll out new applications of their own. For most institutions, this will require a realignment of strategy, culture, skill sets and infrastructure.

This is also an opportunity for banks to build on existing margins by streamlining their internal processes through open infrastructures.

Fintechs

PSD2 will further accelerate innovation in the fintech sector by arming new entrants with the tools they need to offer compelling new apps and services.

However, all that open access comes with a cost. Largely unregulated until now, providers will now face more regulatory scrutiny. For example, they will no longer be allowed to engage in screen scraping, which is susceptible to man-in-the-middle attacks and other forms of fraud.

While customer account information is now open, access to it is narrowly defined. What’s more, they will potentially face market saturation, making it harder to gain a foothold.

To maximize the benefits of PSD2, providers will likely gravitate toward collaborating with more well-known and trusted banks, embracing “coopetition” if not full cooperation or even outright capitulation to partner mandates.

Payments and Commerce

For payment service providers (PSPs), the RTS puts them in new territory. With authentication squarely in the banks hands, PSPs are forced to cede to them to facilitate transactions. Should there be complaints made to PSPs or retailers, the banks can decline the authentication all together.

Merchants are allowed to maintain recurring (Card-on-File) charges to registered users, as well as payee-initiated payment methods, such as direct debit.

Cross-border payments represent an area where PSPs may have dodged a bullet. Previous versions of the standards stipulated both sides of a transaction needing to use SCA. Now, as long as the EU-based PSP has it, transactions can go through. The catch is that fraudulent transactions will no doubt reflect on the PSP, which could cause future transactions to be rejected by banks.

Conclusion

It’s worth noting that the RTS must still be ratified by the European Commission. That means the standards may still be amended before final approval. But once that happens, they will become law as early as November 2018.

As anyone undergoing a massive transformation effort will tell you, the days are long but the months are mercilessly short.

So, for those in the financial industry, its time to get started.

Creating Value and Managing Risk in the World of PSD2

To find out more about PSD2 and its impact on financial institutions, read our latest whitepaper; this whitepaper, Creating Value and Managing Risk in the World of PSD2 was developed by Aite Group, a leading independent researcher, in cooperation with ThreatMetrix, which provides insight into the key provisions of the revised Payment Service Directive (PSD2) legislation and its impact on market practices. Download this whitepaper today!

About Alisdair Faulkner

Alisdair Faulkner is a technology entrepreneur and brings nearly two decades of industry experience to his role leading product management and strategy for ThreatMetrix. He is a noted industry expert in online fraud, cybercrime, identity theft, information security and networking technology and holds several patents in security, fraud and networking. Prior to ThreatMetrix he was founder and Chief Products Officer at NetPriva (now part of Riverbed).

About ThreatMetrix

ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,500 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.