In the last two years, Europe’s banking industry has seen one of its biggest technology revolutions ever. The Second Payment Services Directive (PSD2) has brought a new era in financial services that has reshaped the need for customer authentication and secure connectivity, and made it a higher priority than ever. Financial companies are now being held to a whole new standard for managing the security and privacy of their customers’ data, and the next steps they take in complying with PSD2 this year will have ramifications for their business operations for years to come.
Syniverse has been playing a big role in providing PSD2 services to help ensure companies’ compliance with this new financial landscape, and we increasingly receive a number of common questions about PSD2’s requirements, challenges, and opportunities. To help shed some light on where we are with PSD2 and what’s ahead, in this post and in posts over the next few weeks, I’ll address some of these questions. To start, let’s first explain what PSD2 is and whether it’s been delayed.
What’s the significance of PSD2 in a nutshell?
Specifically, PSD2 is, for the first time, allowing bank customers to make use of third-party providers to manage their finances and assist with financial services. Under this regulation, payment service providers like banks are not only required to provide API access to third-party companies but are also responsible for implementing secure customer authentication for a range of mandated situations. Consequently, banks must be able to ensure that they properly authenticate access to customer data to meet new EU regulatory requirements.
What’s the timetable for PSD2 and how has it changed?
Recently, the implementation deadline of Sept. 14 drove banks and payment service providers to rush to update both their infrastructure and customer experiences for account access, payment processing and strong customer authentication. However, this summer, the European Banking Authority announced that this deadline could be extended for some parties.
The small print is always important, and the announcement included plenty of these types of provisions:
- It’s the responsibility of the national regulator to decide whether to provide the extension. This has resulted in 19 countries announcing delays.
- The extension is time-limited, and in the U.K., the Financial Conduct Authority (FCA) has provided an 18-month extension, to March 15, 2021.
- The extension applies to the strong customer authentication requirement specifically, not the whole of PSD2.
- The extension applies to enforcement rather than compliance, subject to monitoring. This makes it clear that the regulation won’t change, as this is now EU law, but that flexibility is given to help the industry, specifically those indirectly affected by PSD2, such as merchants, to complete their migration.
As a result, the timetable and process for migration to PSD2 have become even more extended and complex, and some financial companies may still have a long road ahead of them depending on how they plan their migration.
Why was there a delay?
While banks have pressed ahead with the implementation, it’s taking longer for the rest of the payments ecosystem to adapt. There are two key reasons for this:
- The diverse range of authentication methods being implemented by different banks.
- The lack of clarity in the original directive, which required additional detail, such as that provided by the final guidance for strong customer authentication, which was only issued in June 2019, at the same time as the extension.
Separately, a number of merchants and payment processors have expressed concern about the impact of PSD2 and strong customer authentication on genuine transactions. In fact, the financial services technology company Stripe has published research that estimates that €57 billion ($73.3 billion) of purchases are at risk.
What does the delay mean?
Banks and payment service providers still need to support PSD2 and strong customer authentication requirements for account access and payment initiation. Merchants and the rest of the payment ecosystem need to complete their migration to support the new authentication requirements, but without the need to rush with solutions that haven’t been properly tested. At the same time, the delay also provides a great opportunity for the payment ecosystem to work together to ensure their strong customer authentication solutions properly address usability as well as security.
In my next post, I’ll discuss the integral part that text messaging plays in PSD2 and more on Syniverse’s role with these text messaging processes.
Mike Bradford joined Syniverse in 2010 and has developed a number of new products for Syniverse’s mobile authentication, digital identity, fraud prevention, and mobile payment solutions. He has more than 30 years of experience in mobile, which has included contributions to ETSI standards, GSMA award shortlists and industry guidelines for in-app payments. Before joining Syniverse, in 2010, Mike worked across a range of organizations and industries, including T-Mobile, Neustar, BAE Defence, and NATS, and technologies including stealth, air traffic control, mobile video, and instant messaging. He holds a bachelor’s degree in electronic engineering and a master’s degree in radio frequency communications, and he is a member of the Institute of Engineering and Technology.