Measuring the mixed impact of PSD2 legislation 18 months on

14 September 2019 was touted as the big bang date for payment methods. What is the upshot?

The revolution never happened. Strong customer authentication (SCA), a flagship measure of PSD2, has been postponed. Now’s the time to review the measures of the European directive and its impact. The question comes to mind, is PSD2 too ambitious for the member states?

What exactly are the flagship measures of PSD2? What conclusions can we draw today?

The regulations in PSD2 have changed the payment ecosystem. The directive has generated a myriad of stakeholders, including some fintech companies. 14 September 2019 brought in two new types of players: AISPs (Account Information Service Provider) and PISPs (Payment Initiation Service Provider).

This new legal sector is helping to redraw the map, challenging the established order. Banks no longer have a monopoly on user accounts. Today, fintech companies have acquired true legitimacy. They are subject to the same rules and restrictions as the traditional players, and with sustainable status.

PSD2 has become a reference text cited universally by stakeholders in the payment world. Some see this directive as an opportunity. Coercively imposed by regulators, PSD2 is reshuffling the cards in the terms of the market.

For many, however, the problem lies in interpreting the text, which lacks precedent.

Why hasn’t strong authentication been enforced yet?

14 September 2019 was optimistically announced as a pivotal date for the payment ecosystem. At that point, the French Observatory for the Security of Payment Methods (OSMP), in compliance with the European Banking Authority (EBA), announced its national migration plan, delaying the enforcement of certain regulatory provisions of PSD2; in particular, the postponement of strong authentication – the measure most visible to the consumer. Then, a few days before its official implementation, the other countries of the European Union did an about-face.

The purpose of this technical provision was to strengthen consumer protection. In other words, account access and transactions would be verified using at least two of the following items:

• one that only the user knows (e.g., password);

• one that only the user owns (e.g., phone number, SIM card);

• one that identifies the user (e.g., biometrics, facial recognition).

This measure was considered a major upset for the payments ecosystem, and many stakeholders did not calculate its impact or magnitude. According to a study by 451 Research, an IT industry analyst company, Europe would lose EUR 57 billion of economic activity in the first year once strong authentication comes into force – at a cost that is financial and technical, not to mention human. The banking authority was caught off guard by questions from professionals who were not ready for this change.

What about the consequences of such mixed legislation? What impact would it have on the consumer?

While strong authentication offers better verification of the users identity, it would once again cause hardware and software issues for online purchasing. This PSD2 update will negatively affect the user experience (UX). It could even be a threat to the one-click model, while double authentication will upset the seamless experience that has always been a priority in the payment world.

In the coming months, the challenge will be to teach payment stakeholders to respond effectively to the postponed measure as well as re-educate consumers about the new constraints ensuring their protection.

Before the practical application of PSD2, we will have to wait for the OSMP to implement its migration plan. Consumers will be affected by the new enhanced authentication solutions introduced by December 2020 and, by March 2021, stakeholders will have to deal with the newly enforced DSP2 regulations.

About Nans Lorenzini

Nans is in charge of risk, compliance, and permanent control at Limonetik. He held a Master 2 degree in International Fiscal Law specialising in tax, business, and commerce at the University of Toulouse Capitole. His career has led him to work in law firms but also for the Pierre Fabre Laboratory. Today, its function leads him to take a close interest in the evolution of the European regulations with the various regulators.

About Limonetik

Limonetik is a payments aggregator whose services are dedicated to Acquirer, Gateways, Tier 1 marketplaces and international merchants. The company offers B2B & B2C personalized payments solutions ranging from processing to collecting of +125 payment methods worldwide, directly or in white label. Limonetik accompanies the international presence of its customers; especially regarding real-time local payments and for both digital commerce or in store via POS terminals. Limonetik is the guarantee of regulation compliance.