PSD2 requirements affecting payment card issuers
Card issuers need to keep their ear to the ground when it comes to news on the regulatory and compliance front. Recent developments of note include, for instance, opportunities of artificial intelligence in detecting fraud, risk-based authentication, and 3DS 2.2 (enabling, for example, exemptions for SCA like personal whitelisting and decoupled authentication). Furthermore, open banking is one of the trends increasingly affecting issuers.
With over a year from PSD2 coming into effect, regulatory compliance requirements are affecting financial institutions like card account holders, aside from traditional banking players. The directive was set to strengthen consumer rights for transaction data and to increase safety and user friendliness of e-payments payments. Along with all payment accounts, also accounts linked to payment instruments (such as debit and credit cards) are included in the scope of PSD2. Through 2020, National Competent Authorities (NCAs) have increased their supervision of card account providers, requiring PSD2 compliance for issuer-processor operations.
What does PSD2 compliance mean for card issuers?
PSD2 has already started to influence the European payments market, and rules for establishing safer and more innovative payment services will come into effect on 31 December 2020.
PSD2 describes the external parties, labeled Third Party Providers (TPPs), involved in the open banking ecosystem and sets out expectations for each.
These new roles in the payment value chain are:
- AISP: Account Information Service Providers, who tap into customer account information to provide various online financial services.
- PISP: Payment Initiation Service Providers, who authorize a payment transaction on behalf of customers and integrate with online banking services to initiate and process outgoing transactions.
One of the main requirements within PSD2 is Strong Customer Authentication (SCA). It is to reduce the fraud, and for issuers and merchant within the European Economic Area (EEA) to validate the consumer for all electronic payments. Authentication must use any two of the following methods, which must be independent of one another:
- Information
Something that only consumer himself/herself knows = password, PIN code
- Physical object
Any object that is used only by the consumer = mobile device
- Feature
Physical feature of the consumer = biometric fingerprint, facial recognition
The transitions towards new requirements has not been easy for all the countries within the EU, and some are still in the process of becoming compliant. The requirements introduced in the EU directive are already being strongly enforced in the Nordics by Finnish, Swedish and Norwegian laws. In Denmark, however, the implementation has been postponed by 18 months due to infrastructural complications. According to the Danish FSA, card issuers and acquirers have until 14th March of 2021 to become compliant with PSD2 requirements.
Some EU countries, such as Belgium and the Netherlands, already use SCAs for electronic remote payment transactions, for instance, card payments or a credit transfer from an online bank. But there are still a few countries where some payment service providers use SCA optionally.
This is a brief overview of the current PSD2 requirements that apply to payment card issuers. We will be back in January with more in-depth insights into how these rules affect card issuers in practice and what can be done to ensure full compliance with PSD2. We will also include a real case study of our Nordic customer successfully navigating the complex world of PSD2 compliance with Enfuce’s help.