How banks can meet PSD2 requirements
Traditionally, banks have never been too fond of introducing major changes to their business models.
Sure, they stumble onto new ideas from time to time, like the case was with ATMs or contactless payments. However, the fundamentals of banking have virtually remained intact for decades.
Focused primarily on online transactions, PSD2 (Second Revised Payment Service Directive) is a new regulation designed with hopes of instigating a more uniform, transparent, and open EU payment market.
Among other things, this directive is an attempt by the European Union to foster competition and innovation in banking while improving security. PSD2 promises — or, depending on who you ask, threatens — to transform the way we move and use money.
Back on 16 November 2016, when PSD2 was originally passed by the European Union, the implementation deadline of 13 January 2018 appeared to be very far away. However, two years passed in a heartbeat, and PSD2 is now implemented into national laws and regulations of EU member states.
It should be noted that PSD2 is actually a complementing version of the first Payment Services Directive (PSD), a law that was adopted in 2007. While PSD primarily tried to establish safer payment services across the EU, PSD2 widens the directive’s scope by insisting on new services and players, as well as raises the bar in terms of security.
Unlike its predecessor, PSD2 completely focuses on electronic payments, a manner of transacting that’s more cost-efficient than cash and will inevitably be the backbone of economic growth in the future.
What is PSD2 (Second Revised Payment Service Directive)?
If we were to use a single sentence to explain what the main goal of PSD2 is, we’d say that the new directive is uncompromisingly trying to eliminate banks’ monopoly over customer account information and payment services. Since both of these fields were under the exclusive supervision of the banks themselves, such a radical detachment has already proved to be a particularly exasperating one — at least for bankers.
So, how does the new directive plan to fundamentally separate banks from their long-lasting administration of customer information and transaction initiations?
Well, quite literally, it seems.
According to PSD2, banks must allow third-party providers to essentially play the roles of “middlemen,” one in charge of providing access to customer account data and the other of initiating payments. This means that bank customers, both individuals, and businesses, can use third-party providers to manage all vital aspects of their finances.
In order to work, these freshly introduced service providers must have total access to all the necessary customer information, which PSD2 ensures by insisting on open API implementation across the financial sector. Banks are forced to expose their APIs at least in scope which will allow third parties to get balances from accounts and execute payments. While opening APIs to a further extent is not mandatory, it’s projected that the banks ready to provide greater access will be in a better position to implement new regulations and reap more benefits of PSD2 compliance.
By standardizing regulations in such a fashion, PSD2 ensures enhanced transparency and fair competition, breaks down the entry barriers for new payment services, and raises security by having more entities be in charge of protecting the data.
Is PSD2 limited to the EU?
PSD2 applies to payment services within the European Union and, as such, is primarily enforceable within member states. However, the directive also includes transactions with third countries when the payment service provider is located within the EU borders. These are what the directive refers to as “one-leg transactions.”
The reason for having the directive be somewhat of an international character? Making cross-border European payment services safer for individuals and businesses in member states.
While the country may no longer be a part of the EU, United Kingdom is also subject to the new directive. Their Open Banking law was implemented as a part of the 2017 Payment Services Regulations and is enforceable by the Financial Conduct Authority (FCA).
A brand new banking infrastructure
For customers, the bottom line of PSD2 is that they should be able to use social media platforms or messaging apps to pay their bills, make P2P transfers and analyze or even plan out their spendings and retirement funds.
This new infrastructure introduced by PSD2 fundamentally changes the payments value chain. It also introduces many game-changing shifts by altering what business models are profitable and raising customer expectations within the EU and EEA.
Two new players introduced by PSD2 — PISP and AISP companies
The PSD2 infrastructure insists on two new types of firms in the financial landscape: PISP (Payment Initiation Service Providers) and AISP (Account Information Service Providers).
Payment Initiation Service Provides are firms responsible for initiating a payment process on behalf of the user.
When customers decide to pay their bills online or to purchase services on the Web, the initiator company can request the payment from the bank through the API, drastically streamlining the payment procedure in the process.
On the other hand, Account Information Service Providers provide access to the account information of bank customers, consolidating the consumer’s financial information in one place.
Entities falling under the AISP category analyze user’s spending behavior or aggregate account information and should be able to gather data from several banks into one overview. All of that is achieved through the bank’s open APIs as well.
Although logic might dictate otherwise, the introduction of PISP and AISP actually poses a substantial economic challenge for banks. It is estimated that, by 2020, 9% of retail payments revenues will be lost to PISP services only. Combine that with the fact banks are expected to invest heavily in new security standards and the opening of APIs, and you’ll start getting a clearer picture of just how taxing PSD2 truly is to banks.
Raising security levels within the banking sector
PSD2 introduced enhanced security measures all payment service providers, including banks, must implement. From the moment the directive took effect, strong customer authentication (SCA) for electronic payment transactions became the industry’s standard.
Consequently, customers are no longer allowed to authenticate using only a static password. Instead, the new verification system must be based on a combination of things users know (such as passwords or PINs), things they have (like a card or an authentication-code-generating device), and things they are (like the use of a fingerprint scan or voice recognition).
The new customer authentication standard is based on the use of two or more of these factors.
It should be noted that, although this still needs to be somewhat ironed out in practical terms, the authentication procedure remains partially in the banks’ sphere of competence. Banking establishments need to offer new authentication methods if they haven’t done so already, while the recently introduced third parties have the right to rely on the bank’s authentication of the user.
Solving the unfortunate PSD2 riddle
PSD2 is an extensive directive by every account, so it’s no wonder that it includes a range of less revolutionary innovations, such as a limit on costs for card payments and better consumer protection against fraud.
But, at its core, the Second Revised Payment Service Directive introduces three new essential novelties the banking sector needs to account for: third-party firms in charge of accessing customer information, entities capable of initiating payments, and severe improvements in terms of authentication protocols.
In order to keep their business up and running, banks need to be innovative and seek out prudent solutions which will help them retain customers. Fortunately for bankers, there’s already a plethora of choices out there as AISP/PISP software companies left and right are competing to provide the most viable solution to the PSD2 problem stacked against financial institutions.
However, the process of implementing these new entities has already proved itself a challenging feat. Being sufficiently prepared to welcome new players can make or break the bank’s chances of surviving these radical changes.
Running on a Hyperledger Fabric blockchain framework, Blinking is a multi-factor identity-management system that offers an exemplary basis for the introduction of AISP and PISP firms to a bank’s infrastructure.
Blinking facilitates storing of personal user information within special profiles of data, profiles which are kept safe on a private blockchain and are controlled by users themselves. Unless a contractual obligation of some sort gets in the way, customers are always the ones in charge of granting/revoking access to their data, editing their information, and potentially deleting it.
Furthermore, since the user is the only one able to directly control and use the profile, Blinking offers something we’ve never really had before — irrefutable digital identities.
Needless to say, this opens up a lot of doors that would otherwise remain closed. Suddenly, there’s no more need for proving one’s identity online — individuals are free to use Blinking to book hotels, reserve airline tickets, purchase services, pay their bills, etc.
And all of that is achieved with just a few clicks on their desktop or mobile devices.
How Blinking can help banks meet the PSD2 requirements
By empowering customers with direct control over their own data, Blinking becomes a valuable intermediary-like entity for banks planning to add AISP and PISP layers to their infrastructure.
Regardless of which AISP or PISP firm customers decide to go with, Blinking is capable of drastically improving user experience by allowing customers to manage all vital aspects of their information. Users can easily transport their data from one service provider to another, control who has access to their information and for what purpose, edit or delete the data if need be, etc.
This not only makes meeting the newly established PSD2 norms a lot easier but increases customer satisfaction as well- which is certainly vital now as banks are expected to see a noticeable loss in client interactions.
Putting data management flexibility aside, another reason why Blinking is such an asset for AISP and PISP service implementation is a key requirement found on the PSD2 top-priority checklist — a strong multi-factor authentication protocol.
Blinking features a versatile authentication solution that can accommodate a few different authentication methods. It combines two biometric scans (fingertip and face scans) and password protection. Together, a biometrics scan and password, as a combination of something the user is and something the user knows, offer the highest security level currently available to us — precisely what the Second Revised Payment Service Directive expects from banks.
To make matters even better, thanks to the adaptive blockchain system upon which it was built, Blinking can be adjusted in accordance to each individual bank’s specific requirements.
Other PSD2-related benefits of implementing Blinking
Besides offering an adaptable core capable of helping banks align with the prerequisites of the recent directive, there are also some other PSD2-related benefits of implementing Blinking that should be kept in mind.
As a long-term solution developed on a technology of the future, Blinking is not a “quick bandage” applied to the problem in hand. It’s a piece of software that’ll be as reliable and beneficial in ten years as it is today, as well as something banks will be able to rely upon even after the current PSD2 storm blows over.
Thanks to its blockchain-based environment, Blinking raises the all-around level of security for banks. It’s not limited to just improving the safety of user verifications but provides an environment where data safety is of primary concern and not just an additional afterthought.
Finally, Blinking is completely compliant with GDPR, another recent regulation that should definitely be on bankers’ radars. As legislation primarily concerned with protecting personal information, GDPR shares a lot of common ground with PSD2 — and Blinking is a viable solution for handling both of them.
Fair or not, PSD2 is here to stay
We’re inevitably going to see a lot of changes in banking in the near future as the sector is currently constrained by two difficult obstacles personified in the shapes of GDPR and PSD2.
Fortunately, Blinking stands ready to answer the call and squeeze itself in between a rock and a hard place, where banks currently find themselves.
With Blinking in place, a bank becomes fully prepared to embrace AISP and PISP without worrying about how the new players will fit with the current state of things.
Blinking facilitates top-of-the-line authentication procedures and abilities that contribute to quality online payment protocols and end-user-friendly overviews of finances. It also provides banks with a variety of smaller modifications which, when added up, improve ordinary routines of banking and take them to a whole different level.
In many ways, Blinking is a miniature glimpse into how we’ll be handling data in the future and, as such, is an ideal first step bank can take towards falling within the PSD2-compliant category and becoming better equipped for a world that’s continuously moving more and more online.