Europe’s new payments regulation promises much, including free transactions. But do banks need to be forced to do what’s in the best interests of customers and shareholders?
The European Union’s revised payment-services directive (PSD2) changes rules governing payments and is intended to, and inevitably will, impact the roles and economics of players across the payments-value chain. Some fear, and some hope, PSD2 will roil the EU’s payments market.
The European Parliament on Oct. 8, 2015, rubber-stamped the European Commission’s (EC’s) revised payments directive, passing it by a whopping 578 votes in favor to 29 nays, with 52 abstentions. On Nov. 25, the European Council approved it. PSD2, which supersedes the original 2007 payments directive, will start to take effect in January.
Banks historically dominated EU payments. But, in the network space, European banks have been ceding share since Mastercard Inc.’s watershed initial public offering in 2006. The original payments directive facilitated nonbanks competing in a range of other payments sectors. It provided a payments-institution licensing regime for money remitters, nonbank card issuers, acquirers, and mobile-network operators offering payments to compete across the EU.
In a recent article, Bird & Bird LLP partner Scott McInnes observed PSD1 “introduced a first wave of competition into the EU payments sector.” It also provided the legal framework for EC and European Central Bank regulation and initiatives aimed at harmonizing credit and debit automated clearing house and card payments across the EU.
Concluding PSD1 didn’t finish the job, the EC put banks and networks in its cross hairs and took another shot with PSD2.
Its purpose is to increase payments competition, innovation, and security. The EC envisions a constellation of new and nontraditional competitors for dominant retail-payment card networks such as Visa, Mastercard and Cartes Bancaires, and new services built off marketwide access to bank payments accounts and data.
The new directive is informed by EC regulators’ thinly veiled hostility to traditional card networks, desire to squeeze retail banks’ profits, prescribe how risk is managed, and set acceptable risk levels.
Account Access
Three core provisions impact payments providers. First, starting in January, at their customers’ request, payment-account providers—typically banks—must permit a new type of licensed third-party provider, a Payment Initiation Service Provider (PISP), to initiate payments against their accounts, in principle for free.
Second, on request, payment-account providers must share payment-account data, including transaction data, with newly licensed Account Information Service Providers (AISPs). Last, PSD2 prescribes strong customer authentication (SCA), defined as two-factor authentication, for payments. That will be required in 2019.
Retail Goliaths, tech colossi, digital-wallet providers, fintechs, and an EU species of infomediary may attempt to take advantage of PSD2.
Galérie Lafayette, Auchan, Harrods, Tesco, Sainsbury’s, and Carrefour have sophisticated retail credit card, loyalty, reward, and promotional programs. They have trusted brands and the wherewithal to offer incentives to persuade consumers to authorize payments against their accounts and retrieval of (transaction) data, with which they can more intelligently market to them. In fact, there may be no merchant on the planet better positioned to exploit PSD2 than Amazon.com Inc.
Tech titans such as Apple, Facebook, and Google use, and have further ambitions in, payments to enrich and increase consumer engagement on their platforms. That inevitably will diminish bank visibility, and in extremis will relegate banks to being backend utilities. PSD2 can only facilitate their efforts.
Chinese fintech dragons Alipay and WeChat Pay are primarily focused on building merchant acceptance in the EU. If and when they seek European consumers, PSD2 may grease the skids for funding and building an ecosystem of financial and nonfinancial services.
Two-stage wallets like PayPal, open wallets Android Pay, Apple Pay, and Samsung Pay, and the gamut of in-app wallets could tap PSD2 payments and use consumers’ payment history to enhance service delivered over their platforms. It’ll be easier to add and manage multiple PSD2-enabled apps and wallets on smart phones than it is with their analogs in leather wallets.
As for the ballyhooed wave of fintechs, time will tell. London startup TrueLayer co-founder Franceso Simoneschi trumpets the bullish case, telling TechCrunch: “We believe that PSD2 will be a once-in-a-lifetime opportunity for startups to displace incumbent banks and financial-services providers.” TrueLayer aims to arm challengers with a universal application programming interface to access bank infrastructure.
Siren Song
The siren song of pan-European and global payments standards has long been appealing, but for the foreseeable future, payment processors and hubs will have to deal with a messy and changing patchwork of connections. And there’s a network effect. The more connections a processor has, the more compelling its offer.
But, while handicapped by plodding and risk-averse cultures incubated under heavy regulation, banks enjoy consumers’ trust and relationships, and generally deliver an adequate to rich suite of services. Would-be bank slayers will need to provide compelling value to consumers to induce them in any numbers to authorize payment initiation and data sharing, and to directly or indirectly monetize it.
Consumers’ bank payments data are a treasure trove. While big data are all the rage, classic payments data—a complete transcript of how much customers spent, when, and on what, are to die for. During the dotcom era, infomediaries such as Lumeria tried to enable consumers to monetize the enormous value of their archipelago of electronic data, distributed across financial institutions, phone companies, retailers, utilities, et al. It was a powerful and very pro-consumer concept, which, unfortunately, never achieved takeoff velocity. Perhaps PSD2 will usher in a wave of euro-infomediaries.
American payment processors have a stake in PSD2. Total System Services (TSYS), which thus far in Europe processes but doesn’t acquire, Elavon, Chase Paymentech, Stripe, Square, Intuit, First Data, Global Payments, and EVO Payments, are a critical part of Europe’s payments ecosystem.
They’re attempting to deliver additional services to merchants to reduce attrition and stem or even reverse fee erosion. They can add PSD2 payments to services offered for which they’d charge fees. Data is more interesting and a basis for enhancing their merchants’ target marketing and promotional campaigns.
Challenges
As with any new system, there will be challenges. To be commercially viable, PSD2 processors and data harvesters will need to access perhaps hundreds of bank APIs (assuming that “screen scraping” is no long allowed—a matter still under discussion at this writing).
And, they or their clients must convince consumers to participate. Consumers and merchants are conservative in their payment habits. New systems must be compellingly better than those they seek to displace. Existing retail-payment systems work well and are a habit. Moreover, their acceptance networks are a powerful bulwark against the EC’s pined-for stampede of disruptors.
The EC’s static SCA rules may reduce fraud but will also increase abandonment rates and reduce the growth of e-commerce. Uber and like in-app payments are frictionless. It’s hard to see how two-factor authentication won’t degrade the experience.
PSD2 charged the European Banking Authority (EBA) with specifying SCA’s technical standards. While the EBA is notionally independent, the EC controls its purse strings, subject to final approvals by the European Parliament and the European Council.
SCA requires that payers provide two of three different elements: something only the user knows, something only the user possesses, and something only the user is.
No one in the payments industry would argue against robust fraud management. However, Bird & Bird’s McInnes says strong customer authentication was mandated in the context where there’s “supposedly too much fraud for online payments (in particular card-based online payments).”
But who should decide what’s too much and how to manage it, the EU administrative state or participants in the market, participants with skin in the game?
Market-risk management is inherently dynamic, adjusting the available technology to changing threats and consumer, merchant, and bank tolerances for fraud, balanced against convenience and ease of transacting.
Publicly, PSD2 was widely hailed as a boon for competition, innovation, security, and for banks, if only they embrace open banking. It’s not wise for private-sector actors to publicly question directives or guidance from on high in Brussels.
A Blessing?
Open-banking evangelists argue banks sharing data and providing free payments will be a blessing. While access for approved vendors might enhance banks’ value proposition and economics, being forced to permit third parties to make PSD2 payments for free and to share their customers’ payments data isn’t good for banks.
Quite the contrary. The state doesn’t have to force profit-seeking firms to do what’s in their and their shareholders’ interests.
PSD2 is a taking, devaluing retail-banking relationships. If successful, it will diminish the value of banks’ assets, change how the market operates, and cap the price of PSD2 payments and data sharing at zero. The EC’s strong customer-authentication diktat will cut payments growth and consequently revenue.
There are already PSD2-flavored payment services in the market, such as Pay by Bank in the United Kingdom, Ideal in the Netherlands, and Sofort in Germany. All the parties, however, are consensual. Mint and Yodlee have PSD-flavored services, generally screen-scraping to retrieve data from multiple financial institutions and giving consumers integrated financial dashboards.
Are there lessons for the U.S.?
The Consumer Financial Protection Bureau likes PSD2’s thrust. At Money2020 last year, CFPB director Richard Cordray made crystal clear he’d like to force banks at consumers’ request to share their transaction data with third parties, à la PSD2, saying, according to his prepared remarks: “We believe consumers should be able to access this information and give their permission for third-party companies to access this information as well.”
While its authority to force banks to do this is dubious, lack of legal authority has not stopped the CFPB in the past.
Just as PSD1 played out slowly, so will PSD2. To the extent PSD2 moves the market, the principal beneficiaries are likely to be payment concentrators, giants such as Google, Amazon, Facebook and Apple, and mammoth processors.
At a minimum, American processors need to support it, particularly those serving or cultivating sectors able to exploit PSD2. Ultimately, the market, not Brussels overlords, will determine what payment systems reign and how PSD2 plays out.
—Eric Grover is principal at Intrepid Ventures, Minden, Nev. Reach him at Eric.Grover@IntrepidVentures.com.