
ACI Blog

Time for Review: What Is Next in the EU Retail Payment Services Legislation?

On October 27, I attended the CEPS ECRI event on “Time for review: EU retail payment services legislation,” which covered the achievements of Directive 2015/2366/EU (PSD2) and the next European policy steps in this regard. The panel was composed of Ms. Céu Pereira, Payments Team Leader, Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), European Commission, Ms. Amelia Ruiz Heras, Manager Solution Consulting for Banks & Intermediaries Europe, ACI Worldwide, Mr. Roeland van der Stappen, VISA and Mr. Abel Bagaméry, OTP Bank. Discussions were moderated by Mr. Willem Pieter de Groen, CEPS ECRI.

Following are some notable highlights from this interesting debate:

Ms. Céu Pereira, DG FISMA, European Commission (EC) explained that the Retail Payments Strategy (RPS) was adopted one year ago and that the EC is now considering the legislative and non-legislative initiatives linked to it and will try to address the fragmentation and concentration issues that the RPS has identified as challenges in the European retail payments market. She mentioned how the EC will also leverage new opportunities such as the full roll-out of instant payments and digital ID solutions. As for the PSD2 review, PSD2 has allowed the deployment of open banking business models, and it is now necessary to launch its review and check whether it is still fit for purpose. The EC will, in the context of the review of PSD2, look at the new risks linked to new business models and how these can impact the security of payments, and the level playing field in the market, for example in terms of possible barriers to innovation or barriers for firms that are providing initiation of payments and account information services. It will also look at consumer protection, for example in terms of how open banking can benefit consumers. Moreover, the EC will assess whether, in the face of the Regulation on markets in crypto-assets (MiCA) and the Regulation on digital operational resilience for the financial sector (DORA), the PSD2 still achieves its objectives or whether it is necessary to review the PSD2 for open banking to develop its full potential and to pave the way for an Open Finance framework – a project on which the EC will work in parallel with the PSD2 review.

Ms. Amelia Ruiz Heras, ACI Worldwide, explained that in her role at ACI, she needs to find payment solutions for European banks and has therefore been observing how banks have been implementing open banking and PSD2, opening their platforms and exposing their services via open application programming interfaces (APIs) for third parties to serve consumers initiating payments and providing account information services. This has created a fundamental shift, facilitating the sharing of data between different members of the payments ecosystem. At ACI, the customer’s needs are at the centre of any consideration, and customers shall be empowered and given control over their data. The implementation of open APIs has for many banks been the beginning of a digitalisation journey, which will help them beyond open banking to be ready for the open finance framework to come. So, in ACI’s view, compliance with PSD2 has for some banks been the catalyst for an innovation and modernisation journey.  

Mr. Abel Bagaméry, OTP Bank, explained that OTP Bank’s experience in Hungary, as far as the impact of PSD2 is concerned, is based on the following three areas, which really had an impact on people’s lives: the Strong Customer Authentication (SCA) implementation in eCommerce, the instant payment scheme and the open banking experience. The SCA implementation was a difficult challenge for the banks in Hungary to meet, but they met it and implemented it around 11 months ago with the final SCA limits, whereas some other countries started with higher limit amounts (meaning less disruption) and were gradually decreasing the amounts to the final values. As for instant payments, they went live on March 2 last year and any transfer that is less than 30,000 EUR is to be processed via instant payments rails as of that moment. Moreover, as of January this year, all merchants in Hungary, including small and medium-sized enterprises (SMEs), have to offer electronic means of payment, and it is consequently possible to have small shops allowing instant payments to be used, for example, via the use of a QR code. As for open banking, OTP now offers its mobile applications to customers of other banks, using the open APIs to access account information.

Mr. Roeland van der Stappen, VISA explained that PSD2 was about the reduction of fraud via SCA. He added that VISA is always keen to use data to have a risk-based approach to authentication, but they also think there is a need for SCA optimisation, which will mean applying SCA only when necessary, so that legitimate transactions are not declined when a second factor of authentication is requested, and also to allow a lower abandonment rate. In VISA’s view, SCA optimisation will mean that issuers shall use the data they receive from EMV 3D-Secure to feed into their risk models and fine-tune their approval and also, looking ahead, that SCA shall move away from the use of static authentication factors such as passwords to increase the use of biometrics and behavioural biometrics. Moreover, as the pandemic has increased the adoption of digital payments, VISA has noticed that contactless payments have become a new normal and have shown the lowest level of fraud of all card payment types. VISA would therefore welcome in the review of PSD2 that the limits for SCA, as far as contactless payments are concerned, are reviewed as has been the case in the UK recently. As for open banking, VISA believes that – as a payments technology provider – a lot of the capabilities they have on the core side for fraud prevention and security are transferable to non-card payments flows, and can be looked at as being focused on the secure movement of data rather than of money. Moreover, for open banking to really deliver on its potential, VISA believes it is necessary to promote the use of premium APIs and explore new use cases – the SEPA Account Access Scheme is certainly a step in the right direction, while informed consumer consent is also key.

Ms. Amelia Ruiz Heras, ACI Worldwide explained, in response to a question from the public about what needed to be done for customers to be in control of their data, that standards like the ones being developed by the Berlin Group would be very important in this respect in her view.

Ms. Céu Pereira, DG FISMA, European Commission explained, also in response to a question from the public about access to the market of payments for banks and non-banks, that the current review of the Settlement Finality Directive will make it possible to further consider the question of a level playing field between banks and non-banks, providing them with equal opportunities.

Ms. Amelia Ruiz Heras, ACI Worldwide explained, in response to a question from the public about open banking and the remaining obstacles to its full deployment, that solutions that are provided by the market must be useful for the end customer in order for customers to use them. Moreover, standardisation is also a key element to achieving a true single market, which really only exists if interoperability is ensured.

Ms. Céu Pereira, DG FISMA, European Commission concluded, reacting to a question from the public about concentration in the market of payments, by saying that in the RPS the EC has concluded that there is a need for more competition in the eCommerce space, as well as in terms of solutions available at the point of sale. The full rollout of instant payments, which is also one of the objectives of the RPS, shall enable the possibility to have more competition in the market, allowing the combination of open banking with instant payments and also allowing the development of real pan-EU solutions by the market. The EC will have an initiative on instant payments in its Work Programme this year, but this initiative is likely not of a legislative nature. The EC will publish a study about the PSD2 review, which will collect the necessary evidence and will be accompanied by a public consultation, and send a call for advice to the European Banking Authority (EBA) for certain areas of the PSD2 review.

Following this extremely interesting debate, we now wait for the EC PSD2-related study and public consultation to be published, and for the EC Instant Payments non-legislative initiative to be published as well. We understand that the latter shall be out in the coming month.   

Monica is founder and managing director of Trust EU Affairs and can be reached at [email protected]

Founder & Managing Director, Trust EU Affairs

Based in Brussels for the past 18 years, Monica is the founder and managing director of TrustEuAffairs. She has been a member of the Society of European Affairs Professionals (SEAP) since 2004, and served as a member of the SEAP Board from 2012 to 2015. Monica is a member of the Europol Virtual Currencies Taskforce and also a member of the European Commission Payment Systems Market Expert Group (PSMEG). Monica has been Senior Manager for EU Regulatory Affairs in the Legal Department of Visa Europe for more than ten years, responsible for relations with the European Commission, Parliament and Council, as well as with various national regulators. Before joining Visa Europe she worked as a consultant for Andersen, Deloitte & Touche and the OECD in Paris, as well as the Council of Europe in Strasbourg, dealing with a variety of financial services matters. Monica can be reached at: [email protected]