Explaining PSD2 without TLAs is tough!

Explaining PSD2 without TLAs is tough. Image: Freepik
Written by Anne Boden

Anne Boden unravels the complex terms and impenetrable language of financial services, particularly where it involves Payment Services Directive 2 (PSD2).

The European Parliament recently voted to pass the Payment Services 2 Directive (PSD2). In a rather timely fashion, we had just published a paper on this subject, so have reproduced it here. (If you would like a copy of the original, please email [email protected]) I would like to thank all of the Starling team, as it was genuinely a group effort on tackling this content, but particular thanks to Mark Hipperson, Julian Sawyer, Sarah Williams-Gardener and Terry McParlane.

For those who experienced the roller coaster that was Europe’s implementation of the Payment Services Directive (PSD1), here comes PSD2, and before the initiatives outlined in PSD1 have been fully dealt with. We won’t lower ourselves to jokes about bad movie sequels, so let’s move on. The driving force behind both directives is the harmonisation of the payments landscape to level the playing field between countries and between payments providers, with the end goal of increasing competitiveness and thereby giving the consumer better value.

Financial services is sometimes accused of being a dark art
Let’s pause there. Financial services is sometimes, understandably, accused of being a dark art, with complex terms and an impenetrable language all of its own. At Starling, we always strive to explain what it means for a customer when technology or regulation evolves – the good, the bad and sometimes the ugly – so bear with us through this.

This subject, of all that we have covered recently, probably needs the most explanation. Even those in the industry are still trying to wrap their heads around all of the implications. We want to focus on two (of the many) changes in the new directive and what they mean for all impacted – the banks and other financial institutions, merchants (ie retailers and other payments beneficiaries), and most importantly, customers. We’ve tried to define terms as we go, but have also included a glossary on this page, with some examples of what companies might fall into which bucket to help bring it to life.

The common themes of both directives are about opening up the market to new types of organisation and defining common standards that encourage interoperability. For example, PSD1 introduced the concept of a Payment Institution, which is a firm in the payment industry that’s regulated, but not to the higher banking standard. Examples most will have heard of are large payments bodies such as PayPal or WorldPay, but it also allowed hundreds of smaller players to compete. It also introduced the Single Euro Payment Area (SEPA), which is the set of standards for low value euro payments in the eurozone. The idea was that if there was one standard for payment transactions and more players in the mix, then those poor consumers in Spain where payments are expensive would benefit from increased competition from The Netherlands, which would drive prices down. It has been a long road and SEPA has still not been fully deployed, with many deferred end dates along the way.

However, here we’re talking about PSD2, which probably has much more relevance for consumers. The directive has a wide scope, but we would like to focus on how PSD2 capitalises on the accessibility of APIs, and explain why there’s so much nervousness and excitement in the market. PSD2 is a great example of TLA (three-letter acronym) speak at its very best. So, here goes:

Today, maybe you’re shopping on Amazon, you decide what to buy and complete your purchase using your debit card. The merchant (Amazon) will have an acquirer (eg First Data or WorldPay) who will then contact the customer’s card scheme (eg MasterCard or Visa), who will then pull the payment, debiting the customer’s bank account (eg Lloyds Bank). (See Diagram 1.)

Illustration courtesy of Starling Bank.

Diagram 1

Now fast-forward to when PSD2 has been implemented. You’re shopping again on Amazon, but instead of entering your debit or credit card details, you’re asked whether you want to give the retailer access to your bank account, again at Lloyds. You agree and it takes you to the Lloyds internet banking site, where you give your permission. This is similar to the way you allow applications to access your Facebook or Twitter account today. You don’t give your bank logon details to Amazon, or vice versa, the retailer your logon details to your bank account. You simply give permission to Amazon to execute payments on your behalf via your Lloyds bank account. (See Diagram 2.)

Illustration courtesy of Starling Bank.

Diagram 2

The next time you go shopping on Amazon, you won’t need to give permission again; the permission should stay active until such time as you revoke it, for whatever reason.

Here’s the technical bit. In this scenario, the directive allows for one firm to manage the payment initiation, known as the Payment Initiation Service Provider (PISP), in this instance Amazon, and another to manage the account, which is known as the catchy Account Servicing Payment Service Provider (ASPSP), Lloyds. This Access to Accounts (XS2A) (see what they did there, X-ess-to-A!), is probably the biggest technological innovation in retail banking since the internet. The merchant or retailer and the bank will communicate to each other using an open Application Programme Interface (API) for which the European Banking Authority (EBA) have been given the responsibility for defining the Regulatory Technical Standards (RTS). This basically means the standards that all APIs will need to comply with (ie what data is transferred, what the security protocols are, what happens when things go wrong, and so on).

Despite the IT complexity and cost to implement the changes, you’ll also notice that all the middle men are gone
So what? As far as customers are concerned, how is there any difference between storing your debit card details with merchants you use regularly, and giving permission for your bank and said merchant to swap data to facilitate quicker payments? Basically, there’s none in experience if you’re already a reasonably sophisticated online shopper. For the businesses involved, though, this is a big change. Despite the IT complexity and cost to implement the changes, you’ll also notice that all the middle men are gone. The acquirers and the card schemes are disintermediated, and subsequently lose a significant revenue stream. Now there could be a customer benefit in this if the merchant passes on the cost benefit. But will they, or will they take the margin? And what happens if banks decide they want another revenue stream to supplement others they are losing, and start charging merchants, like an interchange cost? There are lots of elements still to be worked through before implementation of this can even begin.

Now we move on to the second big part of the directive: the AISP, which is the Account Information Service Provider. While the PISP initiates payments across the ASPSP, the AISP consolidates information across multiple ASPSPs. OMG? Seriously? Put simply, an AISP gives a name to something that does already exist – take for example in the US – and can consolidate a customer’s bank account details from several different banks.

So, imagine in the UK in a few years, you log on to a Money Supermarket app and see your Barclays, Lloyds and Santander accounts, all into one place. Yet again, access to this would be granted using XS2A standards set by the EBA and you wouldn’t have to give your login passwords to Money Supermarket. (See Diagrams 3 & 4.)

Illustration by Starling Bank.

Diagram 3

Illustration by Starling Bank.

Diagram 4

Why Money Supermarket as the example? Well, among lots of other players, the product comparison sites will almost certainly sniff a real commercial opportunity here to enter this space from a cross-product, cross-bank, cross-sell point of view: the more customer data they have, the better they will be positioned to take over the role of the bank in aggressively cross-selling.

These account aggregators, or hub services, have existed in the US for many years. They weren’t successful in coming to the UK because, currently, the data transfer can’t be facilitated via an encrypted token, so previously, customers would have had to give away their passwords to the hub service, and in doing so would break their terms and conditions with their banks and muddy the water in case of fraudulent use of their account. As far as we’re aware, First Direct is the only brand that has proceeded and given customers the choice to do this anyway, one assumes while flagging the associated risks. With PSD2, all banks, building societies and other financial entities (such as prepaid cards, credit card providers, mortgage brokers) would be obliged to support this, this time using passwords, and not asking customers to compromise passwords.

There’s an obvious consumer advantage here, in being able to see all of your financial world in a single view, though it is yet to be determined whether the standards will be set at a high level (eg balance, or complete transactional warts and all).

Pros and cons for all players in PSD2

Pros and cons for consumers
 Ability to consolidate all accounts in one place with continued protection under their product terms and conditions.

 The choice of the most convenient internet or app interface to check their bank account details.

 Direct integration of their bank account with merchant acquiring sites is convenient and practical.

 Lack of clarity of responsibility between PISPs (merchants) and the ASPSPs (banks) in the event of loss.

Pros and cons for merchants
 Reduced costs compared to card interchange.

 Immediate settlement into merchant’s account.

 Even greater direct relationship with the customer.
Pros and cons for banks

 Ability to position themselves as an AISP.

 Significant costs to change systems.

 Loss of screen time in front of consumer.

The question we would ask: is there really enough customer upside, when the existing banks will spend years and billions of pounds implementing these standards, when they could be focusing on other things? For me, the only group to win out of this are the merchants, and the raft of new players who could enter the fray as an AISP to attempt to take over the cross-sell position of power currently occupied by the big banks.

How many of you would be comfortable allowing that new-kid-on-the-block-retailer to access your bank account?
Starling’s advantage as a new entrant is that we’re already building a bank with the capability to deliver all of these requirements within this directive, with the highest level of security and confidence. We realised a while ago that many people now ‘log in using Facebook’ or ‘allow access to my LinkedIn profile to apply for a job’ and are taking advantage of these (among other API potentials). What we want to ensure is that customers always understand what permissions they’re granting, how the data will be used, and the level of security around it. How many of you would be comfortable allowing that new-kid-on-the-block-retailer to access your bank account?

The important part of Starling being a fully-fledged bank, is the higher regulatory standards we will be held to. As it turns out, we will actually be a PISP, an AISP and, of course, an ASPSP. We will allow our customers to execute payments across other banks accounts, consolidate their banks accounts and actually give them a bank account! Being a bank allows us to do all three, and do it well, to the highest level of security.

Most importantly, we will add a level of value to customers, giving them power over their data, to help them manage their money better – be that by helping them ‘jam jar’ their spending and their saving, or tagging their transactions with geolocation and other information. We at Starling are building a bank truly fit for an XS2A world. For those of you who want to know more, you can find the 191-page PSD2 Directive here. Happy reading!

– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. You can read the original article here.

About the author

Anne Boden

Anne Boden is CEO and founder of Starling Bank, recently named by The Sunday Times as one of the top 25 fintech startups in the world. Previously, Anne was COO of Allied Irish Banks, and head of EMEA, global transaction banking across 34 countries for RBS and ABN Amro. She began her career at Lloyds Bank, moved on to Standard Chartered Bank and then UBS in Zurich. In June 2010, Treasury and Risk Magazine named her as one of the 10 most influential figures in global finance.

Leave a Comment