PSD2: What You Need to Know in 2019
A year after European Union member states were required to implement the Payments Service Directive 2 (PSD2), additional 2019 deadlines have already been scheduled for merchants and financial institutions (FIs). If being proactive was imperative for FIs in 2018, it is even more crucial this year as deadlines for both testing and complying with PSD2’s Regulatory Technical Standard (RTS) quickly approach.
A PSD2 Recap: How We Got Here
PSD2 aims to address security concerns related to Europe’s move to a digital economy. It establishes requirements for enhanced security via strong customer authentication (SCA) and aims to increase consumer rights overall.
One intended outcome is to give customers the freedom to utilise qualified third parties — known as Account Information Service Providers (AISPs) or Payment Initiation Service Providers (PISPs) — to manage their finances. AISPs and PISPs would allow customers to do everything from viewing their account information across multiple banks to making payments — all within one platform. PSD2 was formalized last year and all EU members needed to transpose it into local legislation by January 13, 2018.
Critical Dates and What to Look For
Just as January 2018 was an important month in the PSD2 timeline, March and September of 2019 bring their own critical dates:
- March 14: All Account Servicing Payment Service Providers (ASPSPs) — any institution that provides and maintains payments accounts — will need to provide a testing facility and make technical specifications available.
- September 14: SCA and all requirements specified in RTS Articles will need to become effective.
While it is still too soon to make predictions, 2019 will start revealing important insight regarding PSD2 implementation.
For one, despite the fact that PSD2 was supposed to be formalized into EU member states’ legislation in 2018, there were some slow adopters who missed this deadline. What will the impact be on the state level of being proactive with PSD2 compliance? And, how will the rest of the world react to the European initiative? What influence will PSD2 have on discussions within other countries regarding their own banking and data policies?
We may already have some clues.
Is the United States next?
With the plethora of data breaches that have occurred in the United States in recent years, PSD2 is of special interest. Already, some legislators are paying close attention to PSD2 and GDPR (with GDPR regulating the usage, security, and privacy of data that PSD2 would use).
Although a US equivalent of the legislation has yet to be formalised or planned, Congressman Will Hurd (R-TX) recently spoke on the concept of GDPR to attendees in San Francisco at the Aspen Cyber Summit.
“One of the things we will be looking at is GDPR. Is it working? Is it not working? Is it something we may be moving to?” asked Hurd, who is also chairman of the Information Technology Subcommittee of the House Committee on Oversight and Government Reform.
A year ago, the answer would have not been ‘no,’ but ‘hell, no.’ I think more people are open to that now because of some of the breaches. I think a component of the privacy conversation in the 116th Congress is going to be, is GDPR working, and how is that impacting the United States? - Rep. Hurd (R-TX)
Although it appears to only be an idea for US policymakers at the moment, it is apparent that other countries are looking to the EU this year to see how regulations are securing citizens’ data. After 2019, we may start to see other countries looking into implementing similar policies depending on PSD2 and GDPR’s impact.
PSD2, Security, and the Consumer Experience
One of the most impactful aspects of PSD2’s implementation will be on consumer experience. SCA’s deadline in September is one of the driving forces behind the regulation — requiring additional security checks for online transactions. SCA requires customers to prove their identities using two out of the following three options:
- Something you know: Provide unique information only that customer will know. E.g., password, response to a security question, or PIN
- Something you have: Have access to a device only associated with the customer. E.g., Two-factor identification via mobile phone
- Something you are: Show physical proof. E.g., biometrics, such as a fingerprint or facial recognition
While SCA security measures are beneficial for both consumers and institutions, merchants and FI’s will be challenged to implement them without negatively impacting customer experience. Consumers prioritise flexibility, speed, and overall experience just as highly as, if not higher, than security.
So, how do institutions provide a frictionless experience when SCA can directly cause friction?
One answer: Machine learning.
How Machine Learning Can Provide a Win-Win Scenario
With new authentication requirements, changes to how data can and will be shared, and new technical standards with PSD2, it is imperative for institutions to find a solution that can scale to meet their needs as well as intelligently detect and prevent fraud. There are also exemptions to SCA for Payment Service Providers (PSPs) who are utilising machine learning or other advanced analytics to reduce their fraud rates to certain levels that are well-defined. This is where companies like Feedzai can be invaluable to institutions attempting to walk the line between security and agile customer experiences.
For example, in order to proactively meet the needs of PSD2, a leading bank in the UK trusted Feedzai with its company’s PSD2 roadmap. There were a few key reasons for this:
- The most advanced machine learning capabilities, both from a technology and an infrastructure perspective. Feedzai’s real time data agnostic decision engine, can create and maintain behavioral profiles for data entities in huge volumes and with more granularity than any other system.
- Simply put, Feedzai is the best at training, testing and deploying many different models on the fly.
- The platform is architected for scale and flexibility, providing the ability to add new applications as needed.
Companies like Feedzai can help merchants and FI’s adapt to the changes PSD2 will bring without negatively impacting business or the customer experience. Although PSD2’s impact is still unknown, Feedzai’s unmatched machine learning capabilities, scalability, and adaptability are paving the way for companies to view PSD2 as an opportunity rather than a roadblock.
To learn more about how Feedzai supports digitally-focused banks, check out our Ebook here.