The PSD2 Review – Too Big Too Early?
When you think that everything about PSD2 has been said, we decided to organise a session on the European Commission's review of PSD2. We invited Saar Carre, Head of Daily Banking and Payments of Febelfin and Diederik Bruggink, Head of Payments and Innovation of the European Savings Bank Group (ESBG), to help us understand how that process works.
With those insights, we had an open discussion on what is currently going well and what is wrong with PSD2. With the audience's input, the session ended up being very interactive, with insights from attendees and our special guests.
The PSD2 Review Process
Mainly payments experts joined, people that work on topics like PSD2 in their day-to-day job and yet, the majority wasn't aware of how the PSD2 review process works or how to influence the results.
I can reassure you that once you understand the process, you won't be surprised why so few people know how to share their opinions. To me, it symbolises the Ivory Tower, called the European Commission, from where this kind of evaluation is being made.
Diederik and Saar explained that the evaluation by the European Commission is based on 3 parallel streams, which were initially supposed to have been finished by January 2021:
- a request for advice to EBA (European Banking Authority). The EBA asked for feedback from the National Competent Authorities (125 pages of suggestions, according to Saar);
- feedback from a team of dedicated consultants who answer a list of concrete questions, for which these consultants organised workshops, interviews and online polls;
- a public consultation to ask market participants to provide input.
Febelfin influenced the review on all three levels. They had discussions with the National Bank, which communicated their input to EBA; they were asked for interviews with the consultants and responded to the public consultation like also their member banks did.
Despite the initial timing of January 21, on 5 September 2022, the Commission hasn’t published a public feedback yet. However, Diederik expects a report soon assessing whether PSD2 is fit for purpose or not.
Would the answer be that it isn't, part of the report should explain how to solve that. This solution could be a legislative proposal, or the conclusion may be that it is OK for now, keeping in mind a few minor corrections.
Why the PSD2 Review was Delayed
As I said: the review has a 1,5-year delay. The first reason that Diederik shared is the implementation of PSD2: "The Directive was established at a European level, and subsequently had to be transposed into national law by each Member State. Only then is PSD2 applicable, and can it be enforced. Although Member States had two years to implement PSD2, some required up to four years to implement it."
Next to that, some aspects of the Directive, like RTS (Regulatory Technical Standards) and SCA (Strong Customer Authentication), were delegated to EBA. Diederik referred to this as Level 2 PSD2.
After those implementations, EBA followed up on this with more opinions and guidelines. Saar counted 13 clarifications banks needed to adopt since the publication of PSD2.
Conflicting legislations created confusion and delays. Take the example of GDPR. Despite new guidelines issued by the Data Protection Board on the interplay between PSD2 and GDPR, some elements remain open for discussion.
With the public consultation of the European Commission on OFF, the Open Finance Framework, the review of PSD2 could no longer be delayed, which brings us to one of the main frustrations of the banking industry.
Saar: "Now the APIs of the banks are mostly what they should be, following all the all the opinion papers, clarifications, guidelines, one could argue if this review, at least for Belgium, and for many other countries, doesn't come too quickly."
Diederik agreed by adding: "The dust is still settling about what a good API is and isn't. The banks and TPPs are increasingly coming together to discuss and resolve the remaining issues. So, taking the temperature right now is a bit too early."
Results of the PSD2 Review
Looking at the review, Diederik explained we cannot ignore that fraud levels have gone down. In that respect, Diederik believes PSD2 had a positive impact. On the other hand, Saar felt that more could be done to reduce fraud.
She explained: "Today we work in an ecosystem; everything is becoming increasingly digital. Everything is going online. We believe that other players in the ecosystem, like telcos, and merchants, also have their part to play in the fight against false elements. So one of our main points is that we should bring this whole ecosystem together and that every element in the chain should have their proper responsibilities to fight fraud."
PSD2 had less success in terms of transparency, according to Diederik: "Nowadays, customers are, by law, overwhelmed by lots of information about the products, the fees they are being charged and the costs associated with the various products. Maybe that should be more to the point instead of having to disclose whatever is to be disclosed to consumers, to avoid being confused."
Another point of attention is the liabilities by banks in the process of payments initiated by third-party providers (TPPs). Banks are always the first point of contact for consumers, whether it is the TPP to be blamed for an erroneous transaction of the customers.
Someone in the audience replied that it is unfortunate that banks cannot provide a list of third parties that were granted permission to access their current account, including the option to manage these consents. It would drastically increase transparency, according to them.
Both Saar and Diederik replied that this is also something banks have asked for from the beginning. Unfortunately, the Commission disagreed with the banks, fearing it would hamper access to accounts. Third parties can access consented accounts three times a day, for 90 days today and soon for 180 days. This contradicts a bit with the obligation for banks to have a mandatory SCA every time consumers want access to their bank accounts online.
Forget PSD3, Embrace SPAA
When I asked Saar how to define PSD3, she countered the idea by saying that we should clearly distinguish between payment-related topics and the rest. Most of the elements in discussing a PSD3 aren't about payments. Initiatives like the Data Act and the OFF will open new opportunities, and today it is simply too early to think about a new Payments Services Direction.
In parallel with the PSD2 review, the industry is putting hope on SPAA to set a new basis for a more balanced discussion between banks and third parties. I raised a poll in my LinkedIn Group Innovation In Payments, and out of the 64 votes, 84% voted that they are insufficiently aware of what SPAA means.
SPAA stands for Sepa Payments Account Access. SPAA is an initiative from the ERPB (European Retail Payments Board) that brought together all stakeholders (banks, merchants, consumers, fintech companies) to develop a new scheme for TPPs to get access to richer data, new types of data, more accounts… through APIs.
The EPC (European Payments Council) has published a draft rulebook that is now open for public consultation. Building on the PSD2 infrastructure, the idea is to offer premium APIs so banks can be fairly compensated for the richer services they provide to TPPs.
I was excited to see so much interest in this topic. Clearly, the discussion is not over yet. Throughout the years, banks accepted that they needed to share data, which led to higher quality APIs. They even seem more willing now to co-create a new scheme to provide premium APIs.
On the other hand, there is still work to be done to ensure PSD2 achieves its goals in a way that every stakeholder is satisfied. More on that in other sessions of The Banking Scene Afterwork, I assume.