
On January 12, 2016, the revised Payment Services Directive (PSD2) came into force in the European Union (EU). When the original Payment Services Directive (PSD1) was issued in 2007, the purpose of the directive was to create a single market for payments within the European Union by providing a legal platform with comprehensive rules and guidelines that advocate efficiency, innovation and reduced costs. At the time, the payments industry included banks, credit institutions, e-money issuers, payment system providers, and money transfer businesses.

PSD1 predated the rise of financial technology (fintech), which resulted in a grey regulatory landscape for many payment-related fintechs, inadvertently creating an unequal playing field. The objective of PSD2 was to create a level playing field for all payment services with security and consumer privacy at the forefront.

In a previous blog post, we covered many of the key aspects of PSD2. Now that PSD2 is in effect, how will it impact fintech in Europe and other fintech companies servicing the European market?

New Payment Services Covered Under PSD2

Under the updated regulations of PSD2, two types of third-party payment service providers (TPPs) have been introduced.

Payment Initiation Service Provider (PISP)
PISPs play an important role for online payments, as they provide the bridge between the customer and the merchant. Once PSD2 is fully implemented, consumers can pay directly from their bank account to an eCommerce business without the need to provide any banking or credit card information.

Instead, the PISP will initiate a secure direct connection to the bank or credit card issuer via an application programming interface (API) that asks the customer to log in using their credentials. By logging in, the customer is giving their consent to transfer funds from their account to the merchant.

This process will be similar to what already happens with payment service providers like PayPal, and the authorization process is much like what we are already accustomed to when we use our Facebook or Google accounts to connect to a different online service. No account information is stored by the PISP or merchant, and the PISP is only permitted to provide a yes/no response to confirm whether or not the customer has sufficient funds to pay for the transaction.

Account Information Service Provider (AISP)
The AISP model is one that is already actively in use in North America. Services like Intuit’s Mint, which provide users with an overall view of activity on all of their financial services, are classic examples of AISPs.

Unlike in North America, AISPs operating in the European Union thus far have had limited adoption and success. This is due mostly to the practice of “screen scraping” that is used to collect data from the various financial services accounts. “Screen scraping” requires the customer to provide the login information for all of their financial services accounts to the AISP, which violates the terms and conditions of the financial services companies.

It remains unclear at this point exactly how this will be addressed in the case of the European Union, but the Regulatory Technical Standards that will define the requirements to protect customers’ security credentials are presently being discussed. The European Banking Authority has been assigned the task of delivering the new standards by January 2017.

PSD2 and Open Banking

Another significant change that will result from PSD2 is the requirement for the incumbent financial institutions, such as banks, to share customer data with PISPs and AISPs with the customer’s permission. This presents an excellent opportunity for fintech companies, especially due to the expected availability of open APIs that will allow fintech platforms to connect with banks to provide new innovative services.

The British government has thrown its support behind PSD2 and Open API standards in the hopes of providing consumers with more secure and affordable financial services that are easier to use. In a report released by the UK Treasury in November 2015, the government committed itself to working with regulators to promote providing consumers with easier access to data that will allow them to find the deals for financial services. One of the examples given in the report includes using price comparison websites to access data on behalf of consumers using secure APIs.

Support for open-source APIs in financial services is not limited to the UK. In Germany, Fidor Bank – a digital bank founded in 2009 – has been a long-time proponent of open APIs. The country is also home to the Open Bank Project, which provides its own open-source “API for banks” that uses secure enterprise-ready technology and supports OAuth, the same protocol enabling logins on third-party websites using credentials from Facebook, Google, and LinkedIn.

There may very well also be a ripple effect from PSD2 that extends well beyond the EU. As the European fintech industry will likely see large gains as a result, other countries in other regions, such as the U.S., are expected to push for open APIs for banking in order to avoid being left behind.

“Over the next two years as EU countries roll out new legislation and regulations that conform to PSD2, the number of opportunities available for fintech companies will continue to grow,” said Jon Jones, President of Trulioo. “PSD2 not only levels the playing field for fintech companies seeking to compete with traditional banks, but there is also great potential for more innovative products and services to be made available to consumers with more open and secure access to financial data.”

Should other markets follow Europe’s Directive to standardize regulations in payments with privacy and security at top of mind?