What will PSD2 do for the mobile phone user?
In June the GSMA wrote on how banks can adapt to meet PSD2. Passing into European law this year (with roll-out due for completion in 2018) the Payment System Directive 2 is designed to close the gaps left by the original directive set in 2007. The objective of the directive is to make electronic payments safer and more convenient whilst promoting payment innovation through the creation of new lightly regulated financial services roles. Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) will transform the way users access their bank accounts during digital commerce, making it possible for consumers to consent to these service providers having limited access to their account. This is likely to change quite a few things in the way people bank and shop. Here are a few examples.
The freedom to “delegate” bank account access is the first major shift that users will see. Under PSD2 an account holder will be able to allow a licenced PISP or AISP access to their bank account for the purposes of initiating a payment or evaluating the user’s ability to pay. Online commerce is likely to become simpler through such rules, as they will allow all banked consumers to buy online using just their bank account, removing the reliance on debit or credit card ownership. This represents a leap forward for consumer and merchant alike, since direct bank transfers can typically clear in two hours or less, with some services offering instant settlement. For merchants wanting to ease cash flow this is a benefit and a service for which they may be willing to offer incentives. Are we heading back to the good old days when merchants offered “discounts for cash”? We may well be, but the power to delegate bank account access is set to trigger major changes in the way digital commerce is conducted. The appearance of new innovative payment services that rely on the powers conveyed by PSD2 is highly likely, as is a reaction from traditional card schemes whose profitability may well be curtailed by PSD2’s cap on interchange fees and merchant surcharging. Either way the consumer will benefit.
With increased openness come issues that relate to “security”. To address these, PSD2 is demanding the use of strong authentication. The European Banking Association (EBA) has been tasked with defining a standard that achieves this, and first drafts are out for review now. From the application designer’s perspective, traditional authentication systems that employ one-time passwords (OTP) or static personal identification numbers (PINs) may be deemed unfit for use within future digital commerce applications as the banks and other service providers latch on to the EBA’s regulatory technical standard. The EBA is asking for two-factor authentication, where the user has to be in possession of two things, for instance a password and an access token, to prove their identity. Mobile phone based services like the operator-centric Mobile Connect authentication product set will become more prevalent in the future digital market, as may the use of biometrics. From the consumer’s point of view, authenticating themselves in the future may require more complex underlying solutions or even a need for them to subscribe to an identity service. Complexity, however, should not be interpreted as harder for the user. In today’s world, where most smartphones are equipped with biometric sensors, it is very likely that the overall user authentication experience will become simpler and more consistent across different services. It is also highly likely that the mobile phone will play a much greater role in future user authentication frameworks.
Not all the impacts of PSD2 will come from easier access to bank accounts or added security. PSD2 has tightened the rules on Direct Carrier Billing (DCB). Consumers accustomed to buying digital content via their mobile phone and charging it to their phone bill will see their options curtailed. Under PSD2 single DCB transactions will be capped to a maximum of €50 per transaction with a maximum monthly limit of €300. PSD2 continues to allow Electronic Money Institutions (EMIs) to extend the reach of DCB from digital content to the purchase of physical goods.
Not all the impacts of PSD2 have been discussed here, however: most of them will depend on the imagination of service providers, who are set to integrate payments more tightly into their digital services, delivering the innovation that the EU intended to encourage.