Come next year, FIs will need to share consumer data with FinTechs and merchants courtesy of PSD2. In the latest PYMNTS Digital Identity Tracker™, powered by Socure, Euro Banking Association Secretary General Thomas Egner shares the ways in which FIs must protect this newly shared data and what’s coming next. Plus, the latest headlines from around the Digital Identity space and a ranking of 121 providers.
Change is coming to the European banking scene. At the end of the year, a new regulation called the second Payment Services Directive (PSD2) will officially take effect, requiring banks, credit unions, financial institutions and FinTech companies across the continent to change the way they conduct business.
The most important measure of PSD2 requires banks and other financial institutions to share data with companies they may consider competitors. Under the new rule, financial institutions will need to give FinTechs, retail merchants and other companies access to consumer financial data to complete a transaction, or may need to display information from a range of bank accounts on one screen.
With the arrival of PSD2 approaching, PYMNTS recently caught up with Thomas Egner, secretary general of the Euro Banking Association, to discuss the conditions that led to the regulation, what will change because of it and what’s coming next.
From PSD1 to PSD2
PSD2 is not the last word in data sharing, and, as its name implies, it’s also not the first. This latest measure follows the first Payment Services Directive, which was passed by the EU and took effect in late 2007.
The earlier regulation was designed to increase competition in the European financial services market. The goal was to make it easier for nonbanks — companies such as FinTechs — to participate and build businesses in the financial sector. It also gave customers more rights over how their information could be shared between different companies.
Specifically, the PSD1 regulations gave more electronic banking and financial institutions the ability to provide payment services, promoted the rise of FinTechs and laid out a more specific set of digital finance parameters. Additionally, they required financial institutions to provide real-time information to other financial service providers upon customer request.
Egner, who is based in Germany, explained that while the first iteration of the Payment Services Directive was successful, the time had come for an update. The update comes nearly a decade after the first regulation took effect.
“You already had part of this in PSD1, but it was a much smaller piece than what PSD2 covers,” Egner said.
PSD2 — which was passed in 2015 and will take effect at the start of 2018 — aims to further bolster the capabilities of FinTechs and other nonbank financial service providers.
“Now, in PSD2, if the customer asks for it, a bank will have to provide access to a third party,” said Egner. “It forces some players in the market to open up their information to other parties, and that is really a very new element.”
According to Egner, this new element will require banks to allow merchants to retrieve account data, with a customer’s permission, in order for that customer to make a payment. This will allow consumers to make payments without being redirected to a service like PayPal or Visa Checkout.
But, as Egner noted, the bill isn’t without controversy. There is debate surrounding whether screen scraping, a practice in which FinTechs use software to access bank accounts through a customer’s credentials, will be outlawed under the new regulation. Most FinTechs are against banning this practice because a ban would limit the services they can provide to customers. Banks, on the other hand, would like to see it outlawed, restricting FinTechs to accessing the requested data only through APIs.
This controversy speaks to larger security concerns surrounding the regulation. Regardless of how FinTechs access customers’ financial data, that data is going to be open to more players and shared more often than before, creating privacy and security issues. To prevent that, Egner said, the regulation will further require banks and FinTechs to change their practices to include more stringent protections for client information.
Most notably, the regulation does not allow most FinTechs or other companies to store account data held by other banks after accessing it, Egner said.
“Of course, with this kind of data, the worry is that it could be downloaded, or could be used for purposes other than payment information services,” he said. “But PSD2 is very concrete on this point. PSD2 says, if you accessed something, you’re not allowed to store the data.”
It also requires financial service providers to immediately disclose security breaches to consumers, and obliges the providers to use at least two of three security protections when transferring and protecting information. These include the use of a knowledge-based credential, such as a password or PIN; a customer’s physical identification device, such as a dongle or debit/credit card; or the use of a biometric verification device like a fingerprint or iris scanner.
With the sequel regulation not yet in effect, there could already be a PSD3 on the horizon. Egner said he wasn’t certain what the next regulation would be called, but he was confident that PSD2 would likely be updated before too long.
As for what could be included in a potential PSD3, a lot is still up in the air, according to Egner.
“I can say there will probably be a PSD3, because we’ve heard there will be revisions. What this PSD3 will cover, I don’t know,” he said. “PSD2 only covers payment accounts at the interest of the customer but, of course, [the space is] much larger than only looking at payment accounts. So, the market for this is much bigger than just what PSD2 achieved.”
The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying — and granting permission to — individuals to access, purchase, transact or otherwise confirm their identity.