PSD2 SCA requirements: Striking the right balance
As a fintech player, we really appreciate the benefits that the Payments Services Directive (PSD1) and its revised version (PSD22) have brought to the payments ecosystem. Both pieces of legislation enable payment institutions like Payvision and other non-banking players to provide payment services that go hand-in-hand with innovation and consumer choice. If we think about PSD2, transparency and newly regulated services immediately come to mind, as well as enhanced competition that stems from a wider variety of business models and payment methods.
The expansion of payment services is naturally fueled by technology, which also works as a compliance tool, supporting the way we do business through Regtech solutions. However, even though technology is the driving force, that doesn’t mean it can solve everything. Next to all the benefits of PSD2, we also have unintended consequences that especially have an impact on fintechs. That’s why we need to play our part and bring forward the challenges our industry is confronted with. We see this as one of our key contributions to help PSD2 become a success.
One pressing point relates to the Strong Customer Authentication (SCA) requirements laid out in a European Commission Delegated Regulation (CDR3). This secondary legislation, which aims to increase security and consumer protection, stands out because of the impact it will have, particularly on those smaller, innovative players whose resources and setup make compliance a remarkable challenge.
It’s not only a matter of being compliant on time, but rather of how the rules are drafted and are likely to be applied across the different EU Member States. This can be tackled by taking some of the following steps to make such rules work for and along with the industry:
Applying the requirements in a harmonized way across the EU.
Providing the current rules with greater clarity. The efforts of the European Banking Authority (EBA) in responding to questions from the industry through their online Q&A facility and their recently issued Opinion4 are a big help. However, there are still open topics due to the complex nature of PSD2. The challenge here is not only for providers, but also for local competent authorities, who currently run the risk of exercising their supervisory powers inconsistently.
Engaging with local supervisors so that the rules are enforced with a risk-based approach, considering the size of the companies and the risk they pose to the system. Translated into real terms, this means a pragmatic and proportionate approach that has all the goals in mind: safety, competition and, consequently, consumer choice and innovation.
Pursuing a level playing field. How? Within the context of the rules governing the exemptions to SCA, this landscape should allow acquirers and issuers to have a proportional involvement in implementing the requirements. For instance, under the current conditions, issuers always have a final say and can require acquirers to perform SCA, even if their exemption request is legitimate. We see a more balanced landscape as one that’s fairer and which would increase the likelihood of a successful implementation.
The payments ecosystem needs the above milestones in order to make use of PSD2 not only as a legal instrument, but also as a business enabler. Otherwise, the current framework will have a detrimental effect on consumer experience, and eventually on conversion levels due to an increase in abandoned transactions.
Enhancing security is a must. However, making SCA requirements and PSD2 an actual success means providers need to preserve long-term customer trust in electronic payments. To that end, they should be empowered with tools to strike a balance between security and business convenience. That can only be achieved with a realistic regulatory approach that properly measures the complete impact of these new rules.
1DIRECTIVE 2007/64/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of November 13, 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC.
2DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of November 25, 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
3COMMISSION DELEGATED REGULATION (EU) 2018/389 of November 27, 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
4Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2 (https://eba.europa.eu/documents/10180/2622242/EBA+Opinion+on+SCA+elements+under+PSD2+.pdf)
About the author
Ignacio González-Páramo is Payvision’s Vice President of Regulatory Affairs. In this role, he’s responsible for public affairs, regulation and advisory compliance. Ignacio handles external engagement and represents Payvision publicly as a Payments Institution before competent authorities, policy making bodies, and trade associations such as the European Payment Institutions Federation (EPIF), where he sits on the Executive Board.
Payvision is a global payment processor that’s driven by a passion for technology and simplifying payments. With one single, secure platform, we power transactions for businesses across the globe. We know our way around the latest techniques in artificial intelligence, omnichannel strategies and advanced fraud prevention. The dedication to our clients shows – this is where we truly make a difference. By enabling an intuitive and flawless customer experience on all channels, we bring a unique beat to payments.
In 2018, ING bought a 75% stake in Payvision, allowing us to offer an unstoppable combo of the fintech and banking worlds put together. This partnership means cutting-edge innovations and a startup mindset backed by ING’s expertise and global network. Learn more about how Payvision takes the hassle out of payments at payvision.com.