2. Payments Services Directive 2
• Original Payment Service Directive 2007/64/EC adopted December 2007
• Since its adoption:
  • The retail payments market has experienced significant technical innovation
  • Rapid growth in the number of electronic and mobile payments
  • Emergence of new types of payment services in the market place
• Market developments have given rise to significant challenges from a regulatory perspective
  • Significant areas of the payments market (e.g. internet/mobile payments) remain fragmented along national borders
  • Many innovative payment products or services do not fall within the scope of the Directive
  • Elements excluded from the original scope, such as certain payment-related activities, have proved in some cases to be too ambiguous, too general or simply outdated
  • Resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas
  • Proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services
• The European Parliament believes there is a large positive potential which needs to be more consistently explored
5. PSD2 – Impacts & Implications
Business as Usual Development
Liability for Payments
• Enhanced Consumer Rights
• “No questions asked” Refund Right for Direct Debits
• Allocation of Liability Between Payment Parties
• Unauthorised / Incorrectly Executed Transactions
• Disclosure of Payment Info
• Data Protection by Design/Default
Access to Accounts
• Access to Accounts
• Objective, Non-Discriminatory/Proportionate
• PISP, AISP & ASPSP
• ECB to Draft Regulatory Technical Standards (API)
• Common/secure open standards
• ID/auth, notification and information
Transparency of Payments & Charges
• Central Register of Companies Providing Payment Services
• Transparent Charging Principles
• Framework Contracts & Single Payments
• Full Disclosure of Charges
• Prohibition of Surcharging
Customer Authentication
• Introduction of strict security requirements for initiation & processing of payments
• Strong Customer Authentication procedure
• Dynamic linking
• Use of Multi-Factor Authentication
• Protect the Confidentiality and Integrity of Personalised Security Credentials
PSD2
Regulatory Oversight
Impact on systems, processes & documentation
Development, testing, auditing & reporting
6. PSD2 – Access to Accounts
• Access to Accounts will drive disruption (innovation) in payments
  • An accelerator for technology-driven disruption of incumbent banks by flexible and innovative service providers
  • Open the market to new entrants (Challengers, FinTechs etc.)
  • Drive new business opportunities (existing & new market entrants and a combination thereof)
  • Drive new business models and services
• What is Access to Accounts
  • It is an environment in which participants can share customer data with each other in a secure, automated fashion, when explicit consent has been granted
• EBA Discussion Paper (pre consultation & RTS)
  • “The requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers (ASPSP), PIS providers, AIS providers, payers, payees and other payment service providers”
• This all needs to be overlaid with the “Call for evidence on data sharing and open data in banking” published by HM Treasury
9. PSD2 – Strong Customer Authentication
• EBA Discussion Paper (pre consultation & RTS) – Strong Customer Authentication
• Article 97(1) & (3) strong customer authentication applies to:
  • Access to payment accounts online
  • Initiation of any electronic payment transaction
  • Any action through a remote channel that may imply a risk of payment fraud or other abuses, including online or mobile payments
• Article 97(2) provides that, with regard to the initiation of electronic remote payment transactions, PSPs shall apply strong customer authentication, which includes elements that dynamically link the transaction to a specific amount and a specific payee
• Article 4(29) ‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials
• PSD2 defines authentication as any procedure which allows the PSPs to verify the identity of a PSU or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials (PSC)
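An added illustration of the dynamic linking described for Article 97(2), not part of the original slides and not a scheme prescribed by PSD2 or the RTS: an authentication code computed as an HMAC over the amount and payee, so that changing either after the payer has approved invalidates the code. The device key, the per-transaction nonce, the field encoding and the sample account identifiers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_message(amount: str, currency: str, payee: str, nonce: bytes) -> bytes:
    """Encode the payment fields unambiguously before they are authenticated."""
    value = Decimal(amount)
    cents = value.quantize(Decimal("0.01"))
    if value <= 0 or cents != value:
        raise ValueError("amount must be positive with at most two decimals")
    fields = [
        format(cents, "f").encode(),               # "10.5" and "10.50" encode alike
        currency.upper().encode(),
        payee.replace(" ", "").upper().encode(),   # payee account identifier
        nonce,                                     # per-transaction challenge (assumed)
    ]
    # Length prefixes stop bytes sliding from one field into the next.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def authentication_code(key: bytes, amount: str, currency: str, payee: str, nonce: bytes) -> str:
    """Code generated on the payer's device, which holds `key` (possession element)."""
    msg = canonical_message(amount, currency, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, code: str, amount: str, currency: str, payee: str, nonce: bytes) -> bool:
    """PSP side: recompute over the transaction that is about to be executed."""
    expected = authentication_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    payee = "GB00TEST00000000000001"  # constructed, not a real account
    code = authentication_code(key, "10.50", "EUR", payee, nonce)
    print("as approved:   ", verify(key, code, "10.50", "EUR", payee, nonce))
    print("amount changed:", verify(key, code, "1010.50", "EUR", payee, nonce))
    print("payee changed: ", verify(key, code, "10.50", "EUR", "GB00TEST00000000000002", nonce))
```

The check only binds what the PSP verifies against: it must recompute the code over the amount and payee it will actually execute, not over values echoed back by the channel that submitted the code.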
10. PSD2 – Strong Customer Authentication
• Article 4(30) provides that strong customer authentication means:
  • Knowledge (something only the user knows)
  • Possession (something only the user possesses)
  • Inherence (something the user is)
  • That are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
• Article 98.3 specifies that exemptions for strong customer authentication shall be based on the following criteria:
  • Level of risk involved in the service provided
  • Amount and/or the recurrence of the transaction
  • Payment channel used for the execution of the transaction
• Things are not yet clear, and many issues remain to be worked through before Strong Customer Authentication is clarified and understood
12. PSD2 - Summary
• PSD2 published in the OJEU and entered into force on 12 January 2016
• Transposition into National Law January 2018
• RTS transposition October 2018 onwards
• Programme of work to achieve compliance:
  • Systems, processes and documentation
  • Development, testing, auditing and reporting
• Access to Accounts
  • Need to take into consideration HMT Open Banking initiative
• Regulation driving innovation
  • Open the market to new entrants (Challengers, FinTechs etc.)
  • Drive new business opportunities (existing & new market entrants and a combination thereof)
  • Drive new business models and services
White Paper published on PSD2 and Open Banking: www.thehumanchain.com
Brendan Jones
The Human Chain Limited
Magdalen Centre
The Oxford Science Park
Oxford
OX4 4GA
United Kingdom
Mob: +44 7785 388 867
Tel: +44 1865 784 386
Fax: +44 1865 784 387
E-mail: brendan.jones@thehumanchain.com
Web: www.thehumanchain.com
www.digitalservicestoolkit.com
14. how can we help - what we do
technology consultancy
business consultancy
digital service realisation
test and learn, PoC and demo toolkit
DST