PSD2, the regulation that will replace the current Payment Services Directive, has passed another milestone in its slow march towards legislation, having now entered the “trialogue” process. Adoption into European law in 2015 and transposition into national law by 2016 is possible. Given the magnitude of the changes that it reflects, there has been surprisingly little discussion of PSD2 in the payments community.

Why The Change?

One of the main drivers for the legislation is that “the retail payments market has experienced significant technical innovations…and the emergence of new types of payments services”. This refers to companies such as Sofort and Trustly who provide “overlay” services that sit between the consumer and their bank. When paying for an e-commerce transaction these services appear as a payment option. If chosen, the consumer enters their banking credentials into the service provider’s payment page, and the service provider uses these to log in to the consumer’s online bank an initiate a payment on behalf of the consumer.

Another Blow For Banks

From a bank’s point of view this is disastrous. Not only have they been disintermediated from the payment process – the consumer sees the service provider’s branding, not the bank’s – but the consumer has also breached their terms of service by sharing the security credentials with a third party. If a problem occurs it is not clear who the consumer should contact – service provide or bank – or what liabilities each party carries. To add insult to injury, the service provider is getting a “free ride” on the underlying account management and payment processing capabilities that the banks have paid to build and operate.

In Germany the banks tried to prevent Sofort from doing this, by technical means and by legislation; but the German Federal Antitrust Office intervened on the basis that the banks were hindering competition and stifling innovation. Now PSD2 is being drafted to bring these payment initiation services under the legislative umbrella.

So What Does This Really Mean?

The key question is, what will the effect of this legislation be, on banks and on payment initiation service providers? Service providers will have to be authorised and registered with their local “competent authority”, and organisations that are not so registered will be forbidden from providing payment initiation services. When a registered service provider requests access to a bank’s payment accounts, the bank is obliged to grant access in a non-discriminatory manner, and must process payment requests from the service provider “without any discrimination, in particular in terms of timing, priority or charges” compared with payment initiated directly by the payer.

Finally, the legislation envisages technical interface and security standards that banks and service providers must both use. The definition of these standards has been delegated to the European Banking Authority, but it is unlikely that it will produce detailed, prescriptive specifications, leaving the way open for a mass of incompatible bilateral interfaces.

And What Are The Consequences?

Will the legislation achieve its goals of ensuring “a high level of consumer protection… across the whole of the Union” and creating “a downward trend in costs and prices for payment services users and more choice and transparency of payment services”? Or will it stifle innovation, encourage phishing, and drive up prices by imposing a new cost on banks with no corresponding revenue stream?

In either case, PSD2 is not driving the change, it is reacting to the digital disruption of payments that is already well underway. Banks cannot afford to wait and see what the legislation says – they need to start thinking – and acting – now to ensure they are not relegated to “plumbing” in the new payments world.