The EU’s revised Payment Services Directive – PSD2 – is probably one of the most ambitious and impactful pieces of legislation ever to be enforced in the European financial industry.
Not surprisingly, the implementation across Europe comes with a high degree of complexity and offers many challenges. Some of these challenges have to do with the introduction of new roles in the industry, others are due to the obligations and liabilities attached to some of these new roles. The remaining challenges result from the rather tricky new encounters between some of the players, notably the so-called Third Party Providers (TPPs) and the European Financial Institutions (i.e. Credit Institutions (banks), Payment Service Providers (PSPs) and Electronic Money Institutions (EMIs)), which, in PSD2 terms, are referred to as Account Servicing Payment Service Providers (ASPSPs).
The crux of the matter is that PSD2 allows a TPP to gain access to an ASPSP’s customers’ payment accounts – provided customer consent has been given. However, if something goes wrong, liability typically lies with the ASPSP. For instance, if it turns out that account access is given to a TPP who isn’t who it claims to be, and fraudulent transactions take place, the ASPSP would be liable.
PSD2 was adopted by the EU Parliament as early as October 2015 and entered into force in January 2016. The European Banking Authority (EBA) initiated discussions on the Regulatory Technical Standards (RTS) in December 2015. These continued into 2016, with the final draft of the RTS for Strong Customer Authentication and Common and Secure Communication (RTS for SCA and CSC) being released in February 2017 and approved by the EU in September the same year. Apart from some delays in the implementation of SCA, all regulatory requirements put in place by PSD2 are now in effect. This means that the financial services market has moved beyond a general compliance race to a much more diverse situation where TPPs are now starting to deploy and grow their services on a much wider scale.
Around the time of the EBA market consultation on the draft standards in 2016, the founders of Konsentus started to wonder how the new directive would eventually cater for a completely new situation when – somewhere down the road – presumably thousands of new TPPs would knock on the doors of the c. 6,000 European banks asking for access to accounts – as granted to them by the new directive