Deep Dive: PSD2 And FCA Exemptions

PSD2 requires every player in the EU that handles payments to make adjustments to ensure faster and more transparent transactions. The directive opens customer account data to licensed third-party providers, with the customer's consent, instead of leaving banks free to silo it or share it at will, and it imposes new customer-authentication requirements on FIs.

The directive also aims to cut the number of intermediaries involved in an online transaction: a third-party provider can initiate a payment straight from the customer's bank account to a merchant's, without routing it through a card scheme or acquirer. That shortens the chain, but it also means that customer authentication and data security matter more than ever, because the bank now receives payment instructions from a party it did not onboard as its own customer. Identity data (name, account details, device information) travels with most of these payment messages, and third-party providers can make the flow smoother by handling the authentication step well. For banks or processors that are not yet compliant, the same openness raises the risk of fraud. FIs, payment services and consumers alike need to rethink their role in completing an online payment.

FIs across Europe are racing to upgrade their payment systems to accommodate PSD2, and the region’s regulatory agencies are expanding on the directive to make online transactions more transparent. The FCA, for instance, is outlining PSD2’s rules and exemptions, creating an important pathway for FIs as they set up new payment ecosystems.

What PSD2 means for online payments and authentication

PSD2 is a new way to treat data that removes banks as the sole keepers of the payment information that accompanies consumers' financial histories. Giving third-party providers access to this data will affect the speed of transactions and the roles of the banks involved in them, which could have a profound influence on the way that open banking develops in the EU.

Under PSD2, third-party AISPs will be able to give users a clear view of their payment histories by using the account information that banks previously kept to themselves. Third-party PISPs will be able to initiate payments directly from a customer's payment account with the customer's consent. The customer is still authenticated, but by the account-servicing bank under the directive's strong customer authentication rules, so the merchant no longer needs to collect card details or route the payment through a card provider and acquirer.

This regulation pushes banks' roles to the side, creating a much stronger sense of give-and-take between consumers and third-party providers. Banks remain critical for PSD2-compliant transactions, though, as they hold the accounts and provide most of the data that makes those transactions possible. Moreover, all of this depends on knowing that the consumer in question actually requested the transaction, which puts the need for robust, well-defined authentication methods at the forefront. This is where regulatory agencies like the FCA come in.

FCA exemptions and online authentication

One of the prime tenets of PSD2 is enabling faster online payments, but the directive also makes consumers more active participants when it comes to their online data.

To assist businesses and consumers in this aspect, the FCA released guidance on the process, including the exemptions from PSD2's authentication requirements. The FCA set out how payment providers are expected to meet the Regulatory Technical Standards on strong customer authentication and secure communication, which apply to every player in an online transaction and emphasize transparent, secured communication between them.

Additionally, the FCA outlined what strong customer authentication (SCA) requires: two-factor authentication, the method most often used to verify that customers are who they say they are. Under PSD2, liability for an unauthorised transaction falls on the payment provider that failed to apply or accept SCA, so providers have a direct financial reason to get authentication right. To authenticate a user, a provider must verify at least two elements from different categories: something only the user knows (a PIN or password), something only the user possesses (a card, phone or hardware token), or something the user is (a biometric identifier such as a fingerprint). Two elements from the same category, such as a PIN plus a password, do not count. The chosen factors must also be independent of each other, meaning that compromising one does not compromise the other, and for remote payments the authentication code must be dynamically linked to the amount and payee of that specific transaction.

Exemptions from these authentication requirements include low-value contactless payments at the point of sale, a popular payment method in the U.K., where PSD2 already applies. The exemption is capped per transaction and is subject to cumulative limits on the value and number of contactless payments made since the card was last strongly authenticated, after which the issuer must require SCA again. Card-not-present purchases are handled differently: there, the messaging protocol known as EMV 3-D Secure (3DS) lets the cardholder be authenticated by the card issuer during checkout, which is how SCA is applied to online card payments. The protocol carries consumer identity and device data along the 3-D Secure flow, and the issuer uses it to decide whether to challenge the customer or to apply a risk-based exemption. Merchants and PSPs can also use third-party identity verification providers to check that identity data, helping them stay within PSD2's authentication requirements.
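The two rules described above, the two-independent-factor requirement and the cumulative limits on the low-value exemption, are easy to get wrong in code, so here is an added worked example (it is not code from the article, the FCA or any card scheme). It models the SCA factor check and the contactless and remote low-value exemptions as an issuer-side decision routine. The per-transaction and cumulative amounts are the values in the Regulatory Technical Standards on SCA (contactless: EUR 50 per payment, EUR 150 or five payments cumulative; remote: EUR 30, EUR 100 or five); the data model, function names and the choice to enforce both cumulative limits at once (stricter than the RTS, which lets an issuer rely on either) are assumptions made for this illustration.

```python
"""Added example: PSD2 strong customer authentication (SCA) decision logic.

Not from the article or any regulator. Thresholds are the RTS on SCA
values; the data model and the policy choices below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three SCA element categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # only the user knows it: PIN, password
    POSSESSION = "possession"  # only the user has it: card, phone, token
    INHERENCE = "inherence"    # the user is it: fingerprint, face


def sca_satisfied(verified: list[tuple[Factor, str]]) -> bool:
    """True if at least two elements from *different* categories were verified.

    `verified` lists (category, authenticator id) pairs that passed.
    PIN + password (two knowledge elements) does not count, and one
    authenticator claimed under two categories (an SMS code listed as
    both knowledge and possession) is counted once only.
    """
    seen_ids: set[str] = set()
    categories: set[Factor] = set()
    for category, auth_id in verified:
        if auth_id in seen_ids:
            continue  # same authenticator, second category: ignore
        seen_ids.add(auth_id)
        categories.add(category)
    return len(categories) >= 2


# Limits in EUR from the RTS on SCA (Art. 11 contactless, Art. 16 remote).
LIMITS = {
    "contactless": {"per_txn": 50.0, "cumulative": 150.0, "count": 5},
    "remote":      {"per_txn": 30.0, "cumulative": 100.0, "count": 5},
}


@dataclass
class CardState:
    """Counters an issuer keeps per card and channel since the last SCA."""
    cumulative: dict[str, float] = field(
        default_factory=lambda: {c: 0.0 for c in LIMITS})
    count: dict[str, int] = field(
        default_factory=lambda: {c: 0 for c in LIMITS})


def requires_sca(channel: str, amount: float, state: CardState) -> bool:
    """Decide whether this payment must be strongly authenticated.

    Assumption: the current payment is included in the cumulative check
    and both cumulative limits must hold (stricter than the RTS 'or').
    Side effect: an exempted payment advances the counters; a payment
    that triggers SCA resets them, starting a fresh exemption cycle.
    """
    lim = LIMITS[channel]
    within_amount = amount <= lim["per_txn"]
    within_cumulative = state.cumulative[channel] + amount <= lim["cumulative"]
    within_count = state.count[channel] + 1 <= lim["count"]
    if within_amount and within_cumulative and within_count:
        state.cumulative[channel] += amount
        state.count[channel] += 1
        return False
    # SCA applied now: the clock restarts at this transaction.
    state.cumulative[channel] = 0.0
    state.count[channel] = 0
    return True


def simulate(channel: str, amounts: list[float]) -> list[bool]:
    """Run a sequence of payments on a fresh card; True means SCA required."""
    state = CardState()
    return [requires_sca(channel, a, state) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: four EUR 40 taps, the fourth would push the
    # cumulative total to 160, so it is challenged and the cycle resets.
    print(simulate("contactless", [40, 40, 40, 40, 40, 60]))
    print(sca_satisfied([(Factor.KNOWLEDGE, "pin"), (Factor.POSSESSION, "card-1")]))
```

The side effect on `CardState` is the part worth copying: a real issuer must reset the counters only when SCA actually succeeded for that card on that channel, otherwise a fraudster who never passes a challenge would keep getting low-value exemptions.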

What PSD2 means for cross-border payments 

Enabling these authentication methods isn't easy, especially as payment players in the EU are still working out where they fit into this new, open banking ecosystem.

The goal of PSD2 is to create more transparent online payments, where data is easily shared between banks, third-party providers and retailers to facilitate safe and secure money movement. PSD2’s role in this open banking ecosystem is sure to be essential, although it’s too early to determine the scope of the directive’s impact — that’s going to depend on how well banks and payment providers adapt.