Europe has rewritten its laws governing online commerce in an effort to protect against fraud and encourage the development of new online fintech products.
The European Banking Authority has been revising the Payment Services Directive for the last seven years, and the final phase of implementation for the new version (known as PSD2) will be complete on December 31, 2020. Beginning on New Year’s Day 2021, online shoppers in the EU will need to go through an identification process to complete purchases.
The original PSD
Prior to the early 2000s, payments were almost exclusively the domain of banks, just as they had been since paper checks appeared as a form of payment or money transfer. More recently, however, nonbank payment processors — like Stripe and PayPal — have become major players in the field.
Several developments ushered in this change: the increasing sophistication of the internet, the widespread use of credit and debit cards, and free travel and trade between European countries (which was the original goal of the EU).
These new nonbank entities offered services tailored to the new capabilities for making electronic payments — regardless of the location of the payer’s bank or the ultimate destination of the payment.
PSD2 gives anyone in the EU with a bank account the authority to allow third-party access to their payment accounts — with their express consent. Since nobody will give a third party access to their bank account unless they are confident their money is safe, PSD2 mandates “strong customer authentication” (SCA) and “open APIs” (application programming interfaces) to grant access.
To make these transactions seamless, PSD2 regulations recognize two new types of third-party providers (TPPs). A payment initiation service provider (PISP) that has complied with the strong customer authentication requirements will initiate payments at the request of customers. The providers that hold the accounts will execute the actual payments.
The second new financial services entity is an account information service provider (AISP). The AISP will, after complying with the open API protocols, provide multiparty consolidated transaction reporting services.
A summary PSD2 timeline
Development of PSD2 has been slow, even by the standards of EU rulemaking. The process began in 2007 when the EU adopted the first Payment Services Directive. In practical terms, this simply served as an official acknowledgment that the EU needed to update its regulations to account for innovations in payment processing.
It wasn’t until 2013 that the European Commission proposed a written PSD2 to bolster consumer protection, encourage competition and innovation in the payments sector, and mandate tighter security to increase consumer confidence in using new payment methods for e-commerce transactions.
Here’s a more detailed PSD2 timeline.
2007: The first Payment Services Directive
The original Payment Services Directive (PSD) came into effect in 2007. The goal was to create a unified payment market in the European Union. PSD served as a good start toward promoting a competitive, innovative, and efficient payments market in the EU.
2013: Recognizing the need for PSD2
The original PSD was developed before the widespread adoption of smartphones, so it didn’t regulate the mobile commerce market or the growing number of nonbank fintech companies that began processing payments and transferring money. It also couldn’t anticipate consumers becoming increasingly comfortable making purchases through their phones or laptops — or the demand that would create for new kinds of payment services.
In July 2013, the European Commission introduced a proposal for a second Payment Services Directive (PSD2).
January 2016: The first stage of PSD2 began in January 2016 when EU member states agreed to write PSD2 into their national laws by January 13, 2018. This began the process of creating a continent-wide open banking regulatory structure.
June 2017: A harmonized European API
A major breakthrough came in June 2017 when the Berlin Group NextGenPSD2 Task Force announced it had created “an open, common and harmonised European API (Application Programming Interface) standard to enable Third Party Providers (TPPs) to access bank accounts under the revised Payment Services Directive (PSD2).”
In less technical terms, the harmonized API made it much simpler for payment processors (third-party providers) to gain a purchaser’s permission to take money from their designated account and transfer the payment to the seller’s designated account.
November 2017: Strong Customer Authentication (SCA)
On November 27, 2017, the European Commission adopted regulatory technical standards for anti-fraud measures at the point of purchase and in the payment processing that follows. The stringent standard for verifying the identity of the person making an electronic payment and protecting their personal and financial data is known as “strong customer authentication” (SCA).
Complying with SCA standards requires the complex 3D Secure 2.0 process. For most purchases, the seller will have to verify the customer’s identity with a combination of at least two independent elements — such as a card or mobile phone and a password or a biometric feature, like fingerprints.
While this is an unquestionably strong anti-fraud measure, there is one significant drawback (at least until the market adapts) — the added friction in the checkout process will likely increase cart abandonment, the scourge of online commerce.
The European Commission adopted a second set of technical standards for two new fintech categories geared toward processing payments once verification is complete. The goal is to create opportunities for innovative fintech services tailored to online commerce.
The final set of technical standards focuses on account information service providers (AISP), which analyze and consolidate customer data and account information for use by banks and third-party providers. These standards are meant to facilitate the growth of digital banking throughout the EU.
Compliance with PSD2 is daunting for the typical e-commerce platform. The easiest PSD2 compliance solution for most online sellers will be to work with a PSD2-compliant payment service provider (PSP) that offers a hosted checkout service. This transfers the compliance hassle to the third-party processor, but it also adds another cost to doing business.
January 2018: All EU member states passed PSD2 domestic banking regulations. This set a deadline to complete the process of building SCA compliance solutions so retailers can obtain customer authorization to access their accounts or banking data, and building the networks for banks and TPPs to securely exchange funds and data.
December 31, 2020: PSD2 goes live
The European Commission has set and extended the deadline for PSD2 compliance a number of times, but New Year’s Day 2021 is final. PSD2 will officially be the law governing e-commerce in Europe beginning then. All online stores — and the banks and payment processors necessary for them to conduct business — must be in full compliance with PSD2 on the first day of 2021. The one exception is the Brexit-bound U.K. Financial regulators there have delayed PSD2 compliance until March 2021 for online banking and September 14, 2021 for online shopping.
At this point, though, all the players should be ready. In 2021, an online sale in the EU can be denied if the purchaser’s identity isn’t verified according to SCA. Most observers believe it will take some time for customers, e-commerce businesses, and the fintech industry that processes payments to adjust. In the longer term, PSD2 will open the entire EU to seamless online commerce and electronic banks, creating new opportunities for merchants and fintech entrepreneurs.