visual of strong customer authentication (SCA) required under PSD2 in EU

PSD2 regulation went into effect at the end of last year. The regulation aims to introduce more competition into the European Union’s (EU) financial services ecosystem by making it easier for new players, including FinTechs and challenger institutions to access data and offer products of their own.

Six months after its launch, how has PSD2 changed the EU’s financial services landscape? Let’s review.

A Brief PSD2 History

PSD2, also known as the Second Payment Services Directive or the Revised Payment Services Directive, addresses a perceived monopoly that had taken hold across Europe in the banking and payment card sectors. Regulations passed after the 2008 financial downturn require banks to meet minimum liquidity requirements to operate in the EU. These requirements created hurdles for many smaller players. Major card schemes, meanwhile, secured tremendous power to set and charge merchants interchange fees. Higher costs resulted that were ultimately passed on to consumers.

PSD2 compliance has two key components: Open Banking and Strong Customer Authentication (SCA). The Open Banking requirement of PSD2 requires banks to make their customer account data more easily available to Third-Party Payment Services Providers (TPPs) through application programming interfaces (APIs). The SCA component intends to implement fraud prevention early and make payments more trustworthy. This is achieved by implementing minimum authentication methods for account access and payments. This can include passwords, PINs, biometric data, or two-factor authentication (2FA).

The SCA requirement went into effect across the European Economic Area (EEA) on December 31, 2020. In the U.K., however, the Financial Conduct Authority (FCA) pushed the enforcement deadline to March 14, 2022.

PSD2 Expectations & Realities

When PSD2 was initially conceived, there were several predictions about how the regulation would ultimately shape the EU’s financial services market. Here are a few observations on the impact PSD2 regulation is having six months after its initial launch.

Customers are still attached to traditional banks

PSD2 was expected to lower the barrier to entry for smaller players, thereby making it easier for FinTechs to expand in the market.

So far, there have been some successes on that front. According to the latest data from the U.K.’s Open Banking Implementation Entity (OBIE) – the agency responsible for overseeing the U.K.’s open banking technology implementation – open banking payments rose to over 4 million in 2020 from 320,000 in 2018.  

While this is an impressive surge in a two-year period, the activity does not indicate a massive shift away from traditional banks. Consider this: the 4 million figure cited earlier is on par with what a single large bank would process in a day. This indicates that while FinTechs and new players are clearly gaining ground under PSD2, so far EU consumers are more likely to trust traditional banks with their finances. 

FinTechs’ solutions are often used as an extra utility service, but not a primary banking mechanism. Some customers see Fintech products as helpful for specific situations, like using a solution when traveling abroad to get a 0% commission on taxes. But they’re not ready to use that same FinTech service for their everyday banking.

The EU FinTech market is still stabilizing

One possible reason consumers are not rapidly adopting FinTech services is that not every FinTech succeeds. 

Some will entice consumers by rolling out attractive products like high-yield savings accounts only to later align with broader market offerings. Others might get bought out or fold entirely. 

This uncertainty gives consumers a reason to pause before moving their money to the newcomer. Early leaders in the FinTech movement might not be around later. Look at companies like MySpace and Napster. They are no longer around even though they once dominated the social media and music streaming sectors, respectively. Many consumers are aware of these risks and are waiting to see how the FinTech market stabilizes.

Digital banking is taking off

There’s little doubt that the adoption of mobile technology has surged in recent years. However, this was the trend even without PSD2 or Open Banking initiatives. As noted in Feedzai’s Financial Crime Report, the pandemic helped accelerate the shift to digital. The report found 75% of consumers planned to maintain the digital banking habits they picked up during the pandemic. It also found 45% of consumers across all age groups use online and mobile channels for their banking “most” or “all of the time.” 

In other words, PSD2 doesn’t deserve full credit for the shift to mobile banking. Many traditional FIs had already started investing in digital banking services to address usability and accessibility concerns. 

What to Expect Next from PSD2

Based on these observations, several PSD2-related predictions have not yet come to fruition. However, it’s important to have realistic expectations for an initiative of this scale. Especially at such an early stage. Here are a few things to bear in mind.

PSD2 is still in early stages

Based on these observations, PDS2 appears to be off to a slow start six months into its official launch. However, Open Banking is a long-term process. This means it’s too soon to fully evaluate PSD2. 

Consider the EMV chip market by comparison. EMV-enabled chip card technology first debuted in the EU in 1993. Seventeen years later they were introduced in the United States. But the technology still faced barriers to adoption, which is why the EMV-enabled credit card technology is only now reaching near-universal adoption. 

Measuring the state of the PSD2 regulation six months into the initiative is a narrow lens to consider. Instead, banks and merchants should consider how the EU financial services market will impact the payments market in the next five to 10 years. 

Start building digital trust now

One of the key components of Open Banking and PSD2 is to benefit consumers. Keeping financial services secure from fraud is an essential part of this goal. But it’s not enough to know who the fraudsters are. It’s equally important – if not more so – to know who the legitimate, trustworthy customers are too. 

Regulators have set minimum SCA security requirements for banks and FinTechs to meet. SCA methods can include PINs, knowledge-based questions, 2FA, multi-factor authentication, or biometrics like fingerprints or facial recognition. These customer protection methods enable banks to trust that the transactions are authentic. They also help consumers trust banks and merchants more by adding an acceptable level of friction into the user experience.

Become future-focused

PSD2’s SCA component aims to build digital trust with customers by making fraud prevention a core part of authentication. It pays to start building that level of trust now. But remember that fraud tactics will change in a few years’ time. Whatever SCA method you invest in should be flexible enough to change as consumers’ – and fraudsters’ – habits change. It doesn’t make sense to focus on SCA investments for today’s fraud patterns because they will inevitably change in a few years.

For example, if a bank or FinTech expands their omnichannel portfolio they will need to bring in new payment technology. SCA investments will prove to be costly misfires if they aren’t flexible enough to accommodate new banking channels. 

Establish a baseline of trust

It’s unclear which payment methods will gain ground under PDS2. We’re already seeing movement on social payments via platforms like Facebook and WhatsApp. Internet of Things (IoT) developments will enable more payments to take place through virtual assistants like Amazon Alexa. Whichever ones take off, however, it will be important for banks to establish what genuine customer behaviors look like on those channels. 

As new payment solutions emerge, banks will need to understand normal customer behaviors and be able to identify anomalous behaviors. Banks and FinTechs will need to understand how consumers normally behave, whether they make payments in-person, online, or through voice-enabled devices. At the same time, it’s just as important to understand that both normal and anomalous patterns will change again over the years. Solutions implemented today must be capable of addressing tomorrow’s needs as well. 

PSD2 is only six months old. While it’s too early to assess the initiative’s long-term impact, banks and FinTechs can take steps to make sure they are prepared for the changes it will usher in eventually. Building strong customer experiences and trust, investing in SCA solutions, and understanding “normal” patterns now will go a long way toward the shifts PSD2 and Open banking will ultimately bring.  

As fraud increases, customer behaviors change, and a more competitive open banking market becomes reality. Download our eBook, PSD2 & Strong Customer Authentication: A Collection of Resources for Banks, to learn how to reduce customer friction while satisfying SCA and more.