Previously we’ve established what the PSD2 mandate is, what it will offer European citizens, and why it was introduced. Now we are taking a more in-depth look at its regulatory framework and examining the legal requirements that banks and merchants will be expected to meet.
The new PSD2 regulations are built on three main pillars: security, transparency and technological standards.
What does it mean to be transparent? In terms of PSD2, transparency means first and foremost recognising and respecting the increased rights of the user located within the EU and their increased control of their banking data.
PSD2 security involves the introduction of SCA (Strong Customer Authentication) requirements with the aim of reducing the risk of fraud. To prove their identity and thus have access to their data or to their accounts, users must carry out at least two independent verification actions.
What do we mean by Strong Customer Authentication (SCA)?
The SCA introduced with the PSD2 will have a great impact on the ways in which merchants can request payments from their customers. The new two-factor identity authentication method will make the checkout process slightly longer, but safer.
To make a payment, it will be necessary to provide at least two forms of identification from among the following:
- Something you know: an element that only the user knows, such as a PIN or a password
- Something you have: something that only the customer possesses, such as a smartphone or a payment card
- Something you are: something unique that characterizes the individual user, like a fingerprint.
In the first draft of the PSD2 this two-factor process had to be applied to all transactions. However, some exceptions have been granted, listed in the Regulatory Technical Standards. One example is contactless payments made in person, for single transactions up to a value of €50, with a cumulative value of €150 or a maximum of 5 transactions. The exemptions also include online payments with single transactions that do not exceed €30, up to a maximum value of €100 or 5 transactions.
Consumers will also be able to save merchants they use frequently, or authorise recurring payments of a fixed amount to the same beneficiary, so that future transactions do not require additional security checks.
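The two-factor rule and the low-value exemptions described above, as an added example that is not part of the original article or any provider's code. The factor names, `ExemptionCounter` and the function names are this example's own, and it assumes that the counters reset after a successful SCA and that both the cumulative-value and the transaction-count limits are enforced.

```python
from dataclasses import dataclass
from decimal import Decimal

# Factor categories from the list above; the factor names are illustrative.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "smartphone": "possession", "payment_card": "possession",
    "fingerprint": "inherence",
}

# Limits as quoted in the article: (single cap, cumulative cap, max count).
LIMITS = {
    "contactless": (Decimal("50"), Decimal("150"), 5),
    "online": (Decimal("30"), Decimal("100"), 5),
}

@dataclass
class ExemptionCounter:
    """Exempt spending per card since the last SCA (hypothetical structure)."""
    total: Decimal = Decimal("0")
    count: int = 0

def is_strong(factors):
    """Two factors only count if they come from different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def sca_required(channel, amount, counter):
    """True if the payment falls outside the low-value exemption."""
    single_cap, cumulative_cap, max_count = LIMITS[channel]
    amount = Decimal(amount)
    if (amount > single_cap
            or counter.total + amount > cumulative_cap
            or counter.count + 1 > max_count):
        return True
    counter.total += amount  # exempt payments still consume the allowance
    counter.count += 1
    return False

def authorise(channel, amount, counter, factors=()):
    """Return 'exempt', 'authenticated' or 'challenge' for one payment."""
    if not sca_required(channel, amount, counter):
        return "exempt"
    if is_strong(factors):
        counter.total, counter.count = Decimal("0"), 0  # assumed reset after SCA
        return "authenticated"
    return "challenge"
```

A PIN plus a password is rejected here because both are "something you know", which is the failure mode a naive "count the factors" check misses.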
We refer here to the technological standards with which third parties (Third Party Providers - TPP), including Oval, must comply in order to obtain authorization from banking institutions to read the information in customers' current accounts and to initiate transactions.
These new rules force banks to allow users to share their financial information with third-party providers, if the users request it. As a result, the exit barriers for moving from one bank to another are lowered, and consumers can use alternative financial services, such as Oval, that are not provided by traditional banks.
The objective of the three pillars of the PSD2 directive is precisely to push the European banking system towards the acceptance of the principles of open banking - bringing banks, traditionally operating in a closed and obsolete system, to be part of a new and competitive environment.
As we have seen, PSD2 will bring significant benefits and improvements to users' rights within the financial sector.
In terms of transparency, the terms and conditions must be clear and immediate, giving consumers the opportunity to make informed choices. Even in the event of a dispute, the timing will be limited: the PSD2 requires financial service providers to resolve disputes in an appropriate and timely manner. For example, providers will have to respond within a maximum of 15 days if the customer does not have alternative funds available.
As part of the new regulation on appeals, the PSD2 indicates how critical episodes should be reported: whether we are talking about complaints from users, or problems with the system or other related issues. Financial service providers (such as Oval) will therefore have to meet established time limits to report incidents to the relevant authorities.
Another fundamental part of the PSD2 is the provision of funds. The PSD2 requires card issuers to make funds available to customers at the same time as the amount deposited is estimated. For example, in some sectors such as car rentals or hotels, you are often required to deposit a sum to confirm a booking. In these cases, the amount is set aside or blocked in the client's account before the final confirmation, which will trigger the withdrawal of the entire sum.
When the reservation is definitively confirmed, the operator must inform the client, who must authorize the withdrawal of the entire sum.
The final part of the PSD2 also regulates the prohibition of surcharges on certain card transactions, integrating the already existing IFR (Interchange Fee Regulation) issued in June 2015. The products involved are credit cards, debit cards and prepaid cards.
Commercial cards are not necessarily subject to the same rules. The member states of the European Union have the power to legislate on commercial cards: France, Italy and Sweden are among the countries that have chosen not to allow surcharges. Britain, on the other hand, has chosen to authorize surcharges on commercial cards, along with Germany and the Netherlands.
The PSD2 was designed to have a positive impact on all payment service users, in particular on the end customer. What shape, you may ask, will this positive impact take?
The right to "reimbursement in eight weeks", already recognized by the SEPA Direct Debit Scheme, is now enshrined in European law by the PSD2. Furthermore, retailers will no longer be able to overcharge customers.
A user of a payment service may terminate a contract in the event that a free service begins to incur a fee, after a period of 6 months instead of 12. In addition, more stringent regulations will apply in other areas of interest, such as the activation and processing of electronic payments (in particular online payments) and the protection of consumer financial data.