How to Remain PSD2 Compliant in the Modern Banking Era
In today’s fast-changing digital payments space, how can you ensure that you stay compliant with new rules and regulations for payment data sharing and processing? Real-time payments, Open Banking, PSD2, SCA - there are a lot of factors impacting the Financial Services sector. In this blog, we look at how to remain PSD2 compliant in this modern banking era.
The post-PSD2 era of Open Banking
The New Payment Services Directive (or PSD2) was introduced to the sector by the EU in 2016, with businesses given until late 2019* to comply with new rules around payment data sharing, processing, and authorisation. The “New Directive” set out to bring more transparency to the rules, bring existing regulations up to speed and make them fit for purpose for the modern payments space. It has ushered in a new era of data sharing that is enabling TPPs to access the payment data that’s crucial for offering innovative services to consumers.
The Open Banking era is also about building a relationship between banks and TPPs where responsible and secure payment data sharing can occur, seamlessly via APIs, to modernise and harmonise the payments ecosystem to empower FinTech innovators and make real-time payments a reality.
Incumbent players have to up their game and embrace the latest technologies while giving TPPs access to their banking data. But PSD2’s requirements of ASPSPs and PSPs alike have been necessary to meet the changing demands of consumers, to move Banking forward and to deliver a better and safer payments experience.
*Grace periods for some elements of PSD2 have been granted - more on this and how to remain PSD2 compliant later in the blog!
Key themes and objectives of the New Directive and Open Banking
Here are just some of the main themes and objectives of PSD2 and the Open Banking concept:
- The harmonisation of the EU payments market
- Introducing new players to the value chain (PISPs and AISPs)
- Creating a closer relationship between banks and TPPs
- Greater transparency for data sharing, consent and authorisation
- The establishment of a Central Electronic Register for authorised payment institutions, held at the European Banking Authority (EBA)
- Updating exemptions to accommodate new technologies, consumer behaviours, and service offerings
- The common use of APIs to enable TPPs secure access to bank data to create independent financial services
- Changes to the rules over surcharges
- Clear SLAs for responding to complaints, reporting incidents and resolving issues
- Holding TPPs to account over investigating potentially fraudulent activities
- Offering consumers new ways to manage their finances and make use of their money
- Ultimately, delivering a better payments experience for consumers
How to stay PSD2 compliant
So, staying PSD2 compliant revolves predominantly around two key areas: Access to Account (XS2A) and Strong Customer Authentication (SCA). These form the harmonisation of the payments market that PSD2 set out to achieve.
With the FinTech space changing the payments landscape significantly in recent years and the Open Banking era of innovative financial apps and mobile banking solutions, it was vital for new rules and responsibilities to be introduced, both for the new breed of financial service providers and for banks and financial institutions to modernise their processes and infrastructure. ASPSPs and TPPs have new responsibilities under PSD2 to ensure transparency, secure sharing and processing of data, and clear consent and authorisation. For more details on these key responsibilities and how to stay PSD2 compliant, get our PSD2 Compliance Checklist, or scroll down the blog for more information about it.
Using APIs is essentially how XS2A requirements are being met by banks and financial institutions, to grant TPPs access to the banking data that they require to offer their services to customers securely.
SCA is about ensuring that all electronic payment transactions are authenticated using at least two of the following three independent authentication factors:
- Knowledge - something only the user knows, such as a password or PIN
- Possession - something only the user possesses, such as a mobile phone, ID card or token
- Inherence - something the user is, i.e. biometrics such as fingerprint or facial recognition
Under the mandate of SCA, a customer’s identity must be verified using at least two of these elements. There are exemptions, such as for low-value and low-risk transactions, which are outlined in the New Directive.
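As an added illustration (not code from the original post or from Apply Financial), the following Python snippet shows the rule the SCA section describes: a transaction passes only when the presented credentials span at least two distinct factor categories, with two credentials from the same category (a password plus a PIN, for instance) counting as one. The credential names, the `low_value_limit_eur` threshold and the `low_risk` flag are constructed placeholders for this example; the real exemption thresholds and risk-analysis rules are set out in the Directive and its technical standards, not here.

```python
"""Illustrative SCA policy check (added example, not from the original page).

A transaction is allowed when the presented credentials cover at least two
of the three PSD2 factor categories, unless a low-value or low-risk exemption
applies. Credential names and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


# Constructed mapping from credential type to the factor category it belongs to.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "bound_device_signature": Factor.POSSESSION,
    "hardware_token_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_match": Factor.INHERENCE,
}


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    low_risk: bool = False  # outcome of the PSP's own risk analysis (assumed input)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class UnknownCredential(ValueError):
    """Raised for a credential type with no known factor category (fail closed)."""


def factor_categories(credentials: Iterable[str]) -> frozenset:
    """Return the distinct factor categories covered by the presented credentials."""
    categories = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise UnknownCredential(cred)
        categories.add(CREDENTIAL_FACTOR[cred])
    return frozenset(categories)


def evaluate_sca(tx: Transaction, credentials: Iterable[str],
                 low_value_limit_eur: float) -> Decision:
    """Decide whether the transaction may proceed under the two-factor rule.

    low_value_limit_eur is a caller-supplied placeholder, not the regulatory figure.
    """
    categories = factor_categories(credentials)
    if len(categories) >= 2:
        covered = ", ".join(sorted(c.value for c in categories))
        return Decision(True, f"SCA satisfied: {covered}")
    if tx.amount_eur <= low_value_limit_eur:
        return Decision(True, "exempt: low-value transaction")
    if tx.low_risk:
        return Decision(True, "exempt: low-risk transaction")
    if not categories:
        return Decision(False, "no credentials presented")
    only = next(iter(categories)).value
    return Decision(False, f"only the {only} category presented; "
                           "credentials from the same category are one factor")


def main() -> None:
    tx = Transaction(amount_eur=250.0)
    limit = 30.0  # constructed placeholder threshold for the example
    print(evaluate_sca(tx, ["password", "pin"], limit))          # denied: both knowledge
    print(evaluate_sca(tx, ["password", "fingerprint"], limit))  # allowed: two categories
    print(evaluate_sca(Transaction(10.0), ["password"], limit))   # allowed: low-value exemption


if __name__ == "__main__":
    main()
```

The point worth taking from the example is the independence check: counting credentials is not enough, because a password and a PIN both belong to the knowledge category and together satisfy only one factor. Unknown credential types are rejected rather than silently ignored, so a misconfigured integration fails closed.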
Grace periods for meeting SCA requirements
One key sticking point for organisations is SCA, as many European countries are still in a grace period for meeting its requirements. The new SCA compliance deadline for most EU countries is 31st December 2020. The UK has until 14th March 2021 - get more details on the FCA’s Strong Customer Authentication page.
With so many factors to consider and a continually evolving payments space, staying PSD2 compliant is no easy task. Our PSD2 Compliance Checklist should help you!
PSD2 Compliance Checklist
The Open Banking era has created an environment with so many possibilities and introduced new innovative players into the market. But it has also presented challenges for banks and payment service providers alike.
We’ve put together a PSD2 Compliance Checklist which offers handy information and advice about the key responsibilities for businesses when it comes to payment data sharing and authorisation. Download the checklist today to help you stay PSD2 compliant!
Apply Financial is a SaaS company based in London, offering payment validation and data management services to help businesses improve straight-through processing and eliminate costly payment errors. Over 700 financial institutions, banks and payment service providers use our Validate software solutions, which cover over 180 countries and 220 payment jurisdictions.