An evolving payments landscape
The way consumers interact with business is changing rapidly. For example, a 2016 Malta Communication Authority study[i] suggests that around 70% of consumers make purchases online. This has also brought with it a change in the way consumers make payments with cards and e-wallets being used for these online purchases.
This relatively poor take-up for non-cash transactions does not seem to stem from a lack of payment options. Malta has transposed all payments-related EU Directives and banks have taken on board technological advances with the recent introduction of contactless cards in the local market. The premise is that new technology will usher with it a new era of mobile and smart watch payments that is seen as the next generation of cash free transfer of money. This could possibly entice consumers to move away from cash.
The EU asserts that the 79% cash-based transaction in the Euro area is still high and is looking to encourage further innovation in the area of electronic payments as part of its 2020 Digital Strategy. With this aim in mind, 2015 saw the adoption of a new Directive on Payment Services (PSD 2)[iii]. The Directive, which should be transposed into local law in January 2018, is seen as a fundamental piece of payments-related legislation in Europe.
PSD 2 has arisen as a result of a review of the original Payment Services Directive issued back in 2002. It requires payment service providers (PSPs) to make a signiﬁcant number of changes to existing operations aimed towards:
- making it easier and safer to use internet payment services;
- better protecting consumers against fraud, abuse, and payment problems;
- promoting innovative mobile and internet payment services;
- strengthening consumer rights; and,
- strengthening the role of the European Banking Authority (EBA).
PSD 2 is part of a legislative package that also includes a regulation on multi-lateral interchange fees. Together, these will limit the transaction fees for consumer debit and credit cards and ban retailers from imposing surcharges on customers for the use of these types of cards.
Regulators will also require existing and prospective payment institutions to provide a security policy document. This needs to be supported by a detailed risk assessment, which describes the measures taken to protect customers from fraud and illegal use of sensitive and personal data. The security aspect is critical given that consumers and companies will be able to grant access to third parties with whom banks will interface.
The provision of consent by consumers for use of their data and the security requirements around sensitive data alluded to within PSD 2 should be viewed in conjunction with the requirements under the General Data Protection Regulation (GDPR) coming into force in May 2018. The GDPR sets clear standards on data security, privacy and the type of consent that needs to be obtained before obtaining and processing consumer data.
It will be challenging for the payments industry to ensure compliance with both PSD 2 and the GDPR, as certain requirements under PSD 2 appear to conflict with what GDPR sets out to achieve. For example, PSD 2 is intended to lead to improved accessibility of customer data to authorised third parties so as to open up the market, whereas the GDPR has data minimisation at its heart.
The opening up of banking systems will enable consumers to use payment initiation services providers (PISPs) and account information services (AISPs) where their payment accounts are accessible online. This will make internet and mobile payments easier whilst helping customers to manage their accounts and make better comparison between deals.
Similarly to banks, PISPs and AISPs will have a number of data-related challenges. GDPR not only stipulates general requirements to protect personal data, but also provides specific requirements about the way consent is obtained and how the controller should document that consent was in fact obtained.
According to the GDPR, a controller is the entity that determines the purpose and means for processing personal data. This can lead to more than one entity being considered joint data controllers. Under PSD 2, both the bank and PISP or AISP can be considered as controllers, as they are both able to determine what will happen with their customer’s personal data, and how. For example, an AISP can determine the way in which it wants to analyse transactional data within the consent provided by its clients. If the AISP wants to expand or change the purposes of personal data held, it would need to obtain consent from the client for these new or expanded purposes.
It is clear that both PSD 2 and GDPR are not just a matter for Legal and Compliance Departments. These rules will have substantial organisational implications for both banks and PSPs. The impact will be felt on a wide variety of product and services as well as the operations of regulated firms. Operational changes could include updates to online banking services, new reporting requirements and revised customer terms and conditions.
The extension under PSD 2, to include all currencies and one-legged transactions, brings more transactions and currency accounts into scope. In addition, where the customer’s payment account is accessible online, PSPs and banks will need to be able to interface with any PISP or AISP, on a pan-European basis. This clearly increases data-related challenges for organisations.
Both PSD 2 and GDPR will impact the payments industry at a time when the sector is going through a period of signiﬁcant change. PSPs need to consider these laws alongside other market changes, industry and regulatory developments (such as the proposals for an open banking standard) and digital transformation. This can only mean bigger challenges as well as opportunities for operators in the payments industry.