PSD2 | Are firms ready?
Two months from today, on 13 January, the revised Payment Services Directive (PSD2)[1] will come into effect across the European Union (EU). To understand how prepared the industry is for this deadline, Deloitte surveyed over 70 firms across 18 European countries, between August and September, to gather their views.
The majority of firms, particularly within the banking sector, are broadly ready to comply with the conduct of business requirements which apply from January. However, there are significant variations in firms’ preparedness to respond to the longer term strategic opportunities and disruption PSD2 may bring to the payments and retail banking sector, with many firms still in the early stages of formulating their strategic responses.
A closer look at the compliance challenges
Our survey showed that, to date, the vast majority of firms’ human and financial resources have been devoted to responding to PSD2 from a compliance standpoint in order to meet regulatory deadlines. As a result, 75% of the firms we interviewed feel broadly confident about their readiness to comply with the PSD2 primary legislation requirements which become enforceable in January.
Looking further ahead to the implementation of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), many firms noted that regulatory uncertainty, and in particular the absence of a finalised RTS, is creating challenges in the definition of their broader compliance programmes. Indeed, the results highlighted that firms’ most important challenges and concerns relate to the development of Third Party Access to Accounts and Strong Customer Authentication (SCA)[2] solutions, and it is in this area where some key challenges still need to be addressed.
In terms of developing Third Party Access solutions, a clear majority of 58% of respondents cited the development and implementation of robust and compliant security solutions to authenticate customers and Third Parties, and the lack of a common and specified standard of communication to do so, as their biggest implementation challenge. Consistent with this, our results highlight strong industry demand for collaboration, with 69% of respondents currently collaborating with other firms or participating in a standard setting body to develop common communication standards for their market. Collaboration under PSD2 presents a number of potential benefits that are highly attractive to firms including reduced implementation time and costs for individual firms, and increased market interoperability. These should, in turn, facilitate the development, adoption and proliferation of PSD2-enabled products and services which firms may wish to develop as part of their strategic response. Furthermore, a common and secure communication standard may partially assuage some of the issues around customer consent verification and TPP identification; as we concluded before, the UK Open Banking APIs will provide a useful model on which to proceed.
With respect to the strong authentication requirements, firms are relatively confident about their ability to implement SCA from a technical perspective. However, 31% of respondents cited maintaining a good user experience while implementing these requirements as their top concern. Delivering a seamless and user-friendly customer journey could allow Payment Services Providers (PSPs) to differentiate themselves and gain competitive advantage in the market. Doing so will require effective management of PSD2 exemptions, advanced fraud prevention capabilities, cutting-edge customer data analytics, and clear communications to help customers understand why they are asked for SCA in some cases and not in others.
Taking advantage of the strategic opportunity
From a strategic perspective, 59% of firms see PSD2, on balance, to be an opportunity for their business. Many firms plan to proactively embrace PSD2 and use it to drive their digital transformation, whilst remaining mindful of the threats it can pose to their business models.
That said, relatively few respondents have so far developed a clearly defined strategic response. Only around a quarter of firms have secured and assigned formal budgets and resources to develop their strategic plans, or feel ready and confident about their state of strategic preparedness.
This may in part be explained by the need to prioritise compliance over strategy. However, our survey indicated that the majority of respondents believe that PSD2 will only result in significant competitive change over the next 2-3 years, lending additional support to the delays in strategy formulation. On balance, we tend to agree; the delay in the RTS on SCA and CSC presents a structural challenge to quicker competitive change, as TPPs will not be able to access and rely upon Application Programming Interface (API) connectivity solutions for approximately two years from now.
A further insight arising from the survey is that the majority of firms believe that the firms best positioned to succeed in a post-PSD2 world are the largest incumbent banks and established FinTechs, despite one of the key aims of PSD2 being to increase competition in the market. This is due to the strength of their financial resources, brand, trust and wide existing customer base. FinTech start-ups are seen as more likely to pivot towards B2B business models, partnering with banks to access their customer pools, given high customer acquisition costs and the investment needed to build sufficient scale to become commercially viable. However, it is worth noting that a significant minority of respondents believe that if Google, Apple, Facebook, and Amazon (GAFA) decide to enter the payments market this would be a “game changer” for the industry. In reality, it remains to be seen whether these tech giants have the appetite to fall within reach of the Financial Services regulators, but if they did, they could cause significant disruption for large and small traditional market participants.
To conclude, now is the right time for firms to start bridging the gap between their strategic aspirations and their strategic plans. Although competitive forces may not be strong initially, they are likely to gain pace rapidly, and firms which have not effectively positioned and differentiated themselves in the market may be left behind.
For further reading on this topic please visit:
- PSD2 and GDPR - friends or foes?
- PSD2 RTS on authentication and communication – EU Commission proposes amendments
- PSD2 – EBA dials up flexibility to achieve a more balanced approach
- PSD2 RTS on authentication and communication | The devil is in the (lack of) details
[1] Under PSD2, TPPs will be able to connect, with customers’ consent, directly to the customers’ bank details and use the banks’ infrastructure to facilitate payment initiation or account information services. “Access to Account” (XS2A), as it is known, is one of the most significant changes, both strategically and operationally.
[2] PSD2 SCA is authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.