What Is the Revised Payment Services Directive (PSD2)?
The Revised Payment Services Directive (PSD2) is a European electronic payment services regulation intended to make electronic and online payments more secure throughout the European Union. Initially proposed in 2013 and officially taking full effect on September 4, 2019, the PSD2 amendment introduced changes in the European financial landscape that arguably set the foundation for open banking in Europe by providing third-party payment providers access to bank infrastructure and account holder data. Although the directive doesn’t apply to Canadian financial institutions directly, it provides federal regulators with a notable real-world regulatory framework for payment services that they can observe as our industry shifts toward consumer-directed finance.
PSD2’s Predecessor Was Aimed at Developing a Single Payment Market in the European Union
As you may suspect, PSD2 is an amendment to an earlier regulation, a 2008 regulatory predecessor known as the Payment Services Directive (PSD). The earlier form of the regulation was primarily aimed at developing a single payment market in the European Union. At the time, it worked to unify the payments market by regulating both payment services and payment service providers. Following its inception, though, numerous innovations were made in the payment industry. While payment service providers began offering new ways to make online payments, both consumers and merchants began to explore new financial services and financial service applications. The innovation in the market and the adoption of new mobile and online financial technologies created concerns around consumer protection and security, and new opportunities arose for third-party service providers.
As a result, the European Union introduced a number of new changes to the regulation with the ultimate goal of promoting innovation, reinforcing consumer protection, and increasing competition in the banking industry between banks and emerging third-party service providers. The result is the PSD2.
PSD2 Requires Banks to Provide Consumer Data to AISPs & PISPs
With the consent of their clients, European banks are now required to provide consumer account information to two types of third-party service providers: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). The regulatory element that makes this provision mandatory is known as PSD2 Access to Account—also known as XS2A. While the PSD2 XS2A regulatory component mandates that financial institutions must provide authorized AISPs and PISPs controlled and secure access to customer accounts, it also stresses that financial institutions must block and prevent XS2A access to unauthorized and malicious entities until the identity and regulatory authorization of the third-party service provider is validated. That validation is done through Public Key Infrastructure and digital certificates.
AISPs and PISPs provide two fundamental services through open banking, leveraging technology and a framework that allows them to request data and payments from banks and financial institutions. How is data accessed? It’s accessed through what the industry often refers to as “digital pipes,” a set of open application programming interfaces (APIs).
What Are Account Information Service Providers (AISPs)?
Account Information Service Providers are regulated companies that are authorized to access and process consumer account data from a client’s financial institution on behalf of a client. That access to data requires explicit client consent, and under PSD2 AISPs must be clear to consumers about what data they will be accessing, what the data will be used for, and for what length of time they will use that data. AISPs must also be clear about what partners or companies they will be sharing account data with so consumers are fully informed on how their information will be used. By accessing, collecting, and processing account data, AISPs are often referred to as having “read-only” access to account data, using the financial data they obtain in order to offer customers entirely new financial services.
What kind of services is possible through the help of AISPs? The data that AISPs collect can be used to help customers better manage their finances. This includes applications that leverage financial data to build personal budgeting applications, financial management tools that help customers track wealth and spending habits, and data aggregation applications that allow clients to view and analyze their account information in meaningful ways that can help them make more informed decisions about their finances.
What Are Payment Initiation Service Providers (PISPs)?
Where AISPs are authorized to access and analyze account data, PISPs take on a different role in Europe’s open banking system, having the authority to make actual payments on behalf of their customers. Leveraging a bank’s application programming interfaces (APIs), PISPs interact with a bank’s infrastructure in order to initiate online payments and transfers, effectively moving money in and out of customer accounts. With the ability to initiate and process payments, PISPs are often referred to as having “read-write” access to account data.
By requiring financial institutions to share account data with AISPs and PISPs, PSD2 gives consumers the opportunity to explore new emerging services and financial applications that can provide a cohesive view of a customer’s financial situation by connecting accounts at different banks and financial institutions and providing the tools to analyze financial data. With the help of open APIs and PSD2’s Strong Customer Authentication (SCA) requirements, consumers can use PISPs in order to make more secure online purchases and even view account balances at the point of purchase online. More importantly, they can feel safe about it. The PSD2’s addition of SCA introduces strict additional authentication processes based on three factors, including personal passwords or PINs, physical devices, and biometric data—two of which are used to verify identity during online payment processing.
https://gocardless.com/guides/posts/what-is-payment-service-provider/ (Retrieved February 1, 2021)
https://www.bbva.com/en/everything-need-know-psd2/ Retrieved February 4, 2021)
https://www.zoho.com/books/guides/what-is-the-revised-payment-service-directive-psd2.html (Retrieved February 4, 2021)
https://en.wikipedia.org/wiki/Payment_Services_Directive (Retrieved February 4, 2021)
https://www.finextra.com/blogposting/16647/open-banking-aisps-and-pisps-explained#:~:text=Account%20Information%20Service%20Providers%20(AISPs,institutions%20with%20their%20explicit%20consent (Retrieved February 10, 2021)
https://www.yodlee.com/open-banking/open-banking-differing-implementations-will-stifle-the-dream#:~:text=The%20FCA%20handbook%20stipulates%20that,be%20defined%20as%20an%20AISP.&text=Although%20not%20consumer%2Dfacing%2C%20aggregators,customer%20data%20behind%20the%20scenes (Retrieved February 10, 2021)
https://www.openbankingeurope.eu/media/1176/preta-obe-mg-001-002-psd2-xs2a-tpp-user-management-guide.pdf (Retrieved February 17, 2021)
Comments are closed.