Since the entry into force of PSD2, the balance will tend towards those who take advantage of the resources offered by this Directive. FinTech solutions will increase their presence in the market in order to guarantee digital innovation.
By January 2018, all EU Member States had implemented the new "Payment Service Directive" (PSD2) on digital payments, issued by the European Union and the European Council, into their national legislation. The same legislation, in terms of authentication security, will have to be implemented by Member States by September 2019.
The objective of the legislation is to introduce new digital services (complementary to current payment services) to the market, trying to standardize and facilitate digital payments, ensuring maximum security and transparency for customers. The parties involved in the legislation are all those who offer a payment service: banks, insurance companies and "Third Party Providers" (TPP), services that do not always coincide with banking institutions (like Amazon, Google, Apple, Facebook). This document aims to give a general overview of the new European legislation PSD2, clarifying the current and future context that will be impacted, the actors involved and the scenarios that will possibly arise.
The continuous technological evolution and the increased use by customers of technological tools (tablets, smartphones, wearables) lead to a change in the habits of consumers, who now frequently make digital payments. As a consequence, it has become necessary to promote and regulate the digital payments market. The new European Directive on payment services has the objective of promoting an efficient and competitive digital payments market, while at the same time strengthening customer security in the use of electronic payments. In this scenario, new players called "Third Party Providers" will be present in the market, in addition to the main and traditional market players. The regulation of the market and its actors is dictated by the "Regulatory Technical Standards" (RTS), while the processing of sensitive data, regardless of the purpose of processing, is regulated by the "General Data Protection Regulation" (GDPR), which also defines how data must be processed and transmitted according to its sensitivity.
One of the objectives of the PSD2 is to expand the payment market by regulating new methods and new actors such as Third Party Providers (TPP), non-banking actors that are classified as:
PISP - “Payment Initiation Service Providers”
AISP - “Account Information Services Providers”
CISP - “Card Issuer Service Provider”
Another aim is to increase the security in digital payments. This goal can be achieved by:
Secure standards in the information exchange between TPP and banks
Strengthening of the authentication process
In this newly emerged context, banks must decide whether to aspire to be leaders by modernizing their methods and products, or to simply be compliant with the minimum requirements of the new regulations.
The new legislation aims to establish a collaboration between "traditional" financial institutions and "new" financial institutions. In this context, if the end user authorizes the TPP to use their personal information, banks must allow the TPP access to data and bank account information. The result is an open collaboration between banks and third parties, and the implementation of high security standards, through the verification of identity at the time of authentication and the uniqueness of the transaction.
In order to ensure standardization in communication between banks and third parties, the PSD2 introduces a summary document, the Regulatory Technical Standards (RTS), defining rules both for those who make use of Strong Customer Authentication (SCA), and for those who decide not to use the SCA. This document also defines the rules to be followed in terms of security for the end user.
The directive opens the possibility for TPPs to autonomously take charge of the user authentication process, subject to the consent of the banks. The identity of the user must however be validated through two or more authentication tools, such as: PIN, token, fingerprint or SCA. These authentication tools must comply with the rules defined in the GDPR, a document that regulates the processing of sensitive data and the care with which such data is transmitted. With the entry into force of the new directive, it is possible for new applications, created by Third Party Providers, to access users' account movements, expenses and so on, once the client's consent has been received.
One of the main themes introduced by the PSD2, although not of immediate impact (it will enter into force with the RTS in September 2019), is certainly the secure authentication system, the so-called "Strong Customer Authentication" (SCA).
The term SCA means a method of "strong authentication" that will be applied every time the user accesses a payment account online, carries out a payment transaction, or performs any remote payment transaction from which a risk of fraud or other abuse may arise.
The SCA is an important and mandatory topic in the new legislation as it focuses on improving security in digital payments.
The secure authentication system is based on the use of at least two of the factors defined below:
Knowledge: something known by the user only, such as passwords, PINs, security questions etc.
Possession: something kept by the owner only, such as the cell phone, a token, a card etc.
Inherence: some characteristic of the user, such as a fingerprint, facial recognition, iris scanning, etc.
All these elements are independent of each other, to avoid any form of abuse and unreliability. The use of at least two out of the three elements leads to the generation of a single-use authentication code, which must be available to the user when needed.
In the RTS it is also defined that the authentication code is specific to the amount of the operation being carried out, and that both the customer and the beneficiary are promptly informed.
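The following is an added illustration, not code from the original document, of the "dynamic linking" just described: the single-use code is computed over the exact amount and beneficiary, so a code obtained for one payment cannot be reused for a tampered or repeated one. The key handling, message layout and sample IBANs are constructed assumptions for this example, not a real issuer's scheme.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed illustration of RTS-style dynamic linking: the authentication
# code is bound to (nonce, amount, payee). Key handling and the message layout
# are assumptions for this example, not a real issuer's scheme.

def _link_message(nonce, amount, payee_iban):
    # Canonical encoding: amount with two decimals and a separator that cannot
    # occur in an IBAN or a decimal amount, so fields cannot shift into each other.
    return b"|".join([nonce, f"{amount:.2f}".encode(), payee_iban.encode()])

def issue_auth_code(session_key, amount, payee_iban):
    """Issuer side: generate a fresh nonce and the code linked to this payment."""
    nonce = secrets.token_bytes(16)                      # single-use value
    msg = _link_message(nonce, amount, payee_iban)
    return nonce, hmac.new(session_key, msg, hashlib.sha256).digest()

def verify_auth_code(session_key, nonce, amount, payee_iban, code, used_nonces):
    """Issuer side: accept the code only for the same amount and payee, and
    only once (the nonce is consumed on success)."""
    if nonce in used_nonces:
        return False                                     # replayed code
    expected = hmac.new(session_key, _link_message(nonce, amount, payee_iban),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, code):          # amount or payee changed
        return False
    used_nonces.add(nonce)
    return True

def demo():
    """Walk through the legitimate case and the three failure modes."""
    key = secrets.token_bytes(32)                        # constructed session key
    payee = "IT60X0542811101000000123456"                # constructed sample IBAN
    other = "DE89370400440532013000"                     # constructed sample IBAN
    used = set()
    nonce, code = issue_auth_code(key, Decimal("120.00"), payee)
    return {
        "amount_changed": verify_auth_code(key, nonce, Decimal("1200.00"), payee, code, used),
        "payee_changed": verify_auth_code(key, nonce, Decimal("120.00"), other, code, used),
        "legitimate": verify_auth_code(key, nonce, Decimal("120.00"), payee, code, used),
        "replayed": verify_auth_code(key, nonce, Decimal("120.00"), payee, code, used),
    }
```

Only the unmodified payment is accepted, and only on its first presentation.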
In a first phase the SCA will be required only for two types of payment:
Online payments (such as transfers)
Payments within the European Union (it is the case where the user's card issuing institution and payment service provider are based in Europe)
As mentioned above, the Strong Customer Authentication service will be mandatory by 2019 but the EBA (European Banking Authority) in the RTS also defines particular cases for which the use of the SCA is not envisaged. The cases for which it is possible not to adopt the SCA are the following:
Beneficiaries included in the whitelist: users will have the possibility to insert in a "whitelist" (both for payments by card and by bank transfer) the beneficiaries that they consider safe and reliable. The secure authentication system is hence required only once, in the whitelist creation phase, and each time the whitelist is changed, while for subsequent payments the SCA will no longer be requested.
Recurring payments: the SCA is not required for recurring and continuous payments of the same amount and to the same beneficiary, with the exclusion of the first operation and/or in case of modification of the amount and/or beneficiary.
Low amount transactions: transactions with contactless cards that do not exceed € 50, or such that the total of payments made since the last application of the SCA does not exceed € 150.
Secure business transactions: an exemption is available for payments made with company cards, where security is achieved by means other than authentication.
Consultation of the account: accesses to the consultation of the user account (AISP) are exempt. Authentication is in any case mandatory on first access.
Low amount payments: payments via remote channel (PISP) with a maximum amount of € 10 and a cumulative amount of € 100.
Wire transfers: bank transfers made by the user between different current accounts within the same bank, or to current accounts at different banking institutions but registered to the same person.
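As an added worked example (not part of the original document), the exemptions above can be expressed as a decision routine that an issuer's risk engine might apply per transaction. The thresholds are the ones stated above; the per-user state model (running totals that restart whenever SCA is applied) and the transaction field names are assumptions made for this example, and the corporate-card exemption is left out because it depends on controls outside this logic.

```python
from decimal import Decimal
# Constructed decision helper for the SCA exemptions listed above. Thresholds are
# those in the text; the per-user state (counters that restart whenever SCA is
# applied) and the transaction field names are assumptions made for this example.
CONTACTLESS_SINGLE, CONTACTLESS_CUMULATIVE = Decimal("50"), Decimal("150")
REMOTE_SINGLE, REMOTE_CUMULATIVE = Decimal("10"), Decimal("100")

class UserState:
    def __init__(self):
        self.whitelist = set()            # trusted beneficiaries, edited only under SCA
        self.contactless_since_sca = Decimal("0")
        self.remote_since_sca = Decimal("0")
        self.aisp_first_access_done = False
        self.seen_recurring = set()       # (payee, amount) pairs already authenticated

def add_trusted_beneficiary(state, payee):
    """Creating or changing the whitelist always goes through SCA."""
    state.whitelist.add(payee)
    return True                           # SCA required for this change

def sca_required(tx, state):
    """Return (required, reason); updates the cumulative counters as a side effect."""
    kind = tx["kind"]
    if kind == "aisp_access":             # account consultation via an AISP
        if state.aisp_first_access_done:
            return False, "account consultation exempt"
        state.aisp_first_access_done = True
        return True, "first AISP access"
    amount = Decimal(tx["amount"])
    if kind == "own_account_transfer":
        return False, "transfer between accounts of the same holder"
    if tx.get("payee") in state.whitelist:
        return False, "whitelisted beneficiary"
    if tx.get("recurring"):
        key = (tx["payee"], amount)
        if key in state.seen_recurring:
            return False, "recurring payment, same amount and payee"
        state.seen_recurring.add(key)     # first operation or modified terms
        return True, "first or modified recurring payment"
    if kind in ("contactless", "remote"):
        single, total = ((CONTACTLESS_SINGLE, CONTACTLESS_CUMULATIVE) if kind == "contactless"
                         else (REMOTE_SINGLE, REMOTE_CUMULATIVE))
        spent = getattr(state, kind + "_since_sca")
        if amount <= single and spent + amount <= total:
            setattr(state, kind + "_since_sca", spent + amount)
            return False, "low-value %s payment" % kind
        setattr(state, kind + "_since_sca", Decimal("0"))  # SCA applied: total restarts
        return True, "%s threshold exceeded" % kind
    return True, "no exemption applies"
```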
As already mentioned in the previous chapters, to regulate behavior in the new "digital" context, the European Commission has issued technical standards, the "Regulatory Technical Standards" (RTS), which all players operating on the market will have to adopt. The RTS define the technical and security rules to be followed in order to apply the new PSD2 in terms of:
New collaborations with TPPs and therefore information management and data access
SCA, "strong" authentication, and rules for exemption
Technical requirements for the development and management of the legislation
Security requirements to protect the confidentiality and integrity of user data
Verification of security standards by a third party, with documentation to report to the EBA
Monitoring and traceability of payment transactions, with a periodic report to the EBA
Structure of the information to be notified to the EBA
Other topics that are covered within the RTS, are:
The criteria for assessing the relevance of incidents
Monetary amount of the insurance
Complaint procedures
Information regarding authorization to payment institutions
Application of a European communication standard ISO27001
One of the main innovations introduced in the RTS, in terms of partnerships and communications between banks and other players, is that no single communication standard is imposed; instead, the institutions must undertake to make available:
Useful interfaces to enable AISPs and PISPs
The necessary technical documents
Infrastructure
Possible changes
PISP and AISP instead undertake to make their applications customized for the specific player they face, guaranteeing the same information and services (with the appropriate security rules regarding payment data).
Since the entry into force of the PSD2 on 13 January 2018, all Member States of the European Union have been called to comply with the new directive on digital payments. The content of the directive was certainly not easy to implement, due to the many technological innovations and levels of security imposed. The PSD2 can be considered a complex but at the same time challenging directive, having the aim of exploiting the large amount of user data, leading to better knowledge of and attention to customers. All this translates into greater attention to the end customer and in particular to greater security and transparency, with the possibility for financial institutions to innovate and increase the services and products offered, in order to acquire new market shares. For end customers, this translates instead into lower costs for payments and other online operations, with the possibility of having more services and technologically advanced products.