Although much has been said already about the revised Payment Service Directive (aka PSD2) within the payments and e-commerce industry, it is still a topic where the debate is constant.
The PSD2 local implementation period expired last January. However, stemming from that Directive there are Level 2 legal instruments that are still not applicable and whose corresponding requirements are often unclear for most stakeholders.
The Commission Delegated Regulation (CDR) on Strong Customer Authentication (SCA) and Secure Communication Channels (SCC) stands out for the large impact it will have for the entire payments value chain. Its final version was published in the Official Journal of the European Union on March 13, 2018. To mitigate its lack of clarity, three months later, the European Banking Authority (EBA) issued an Opinion and created a Q&A tool, where industry stakeholders could raise requests for further clarification. Below you will find insights on some of the most controversial PSD2 requirements focusing on security, so please read on.
Most of the requirements refer to the exemptions to the mandatory two-factor authentication (2FA), primarily based on the amount, the channel, the party initiating the transaction (payer vs payee), the customer created whitelists and, more importantly, the combined fraud level of the service providers applying for the exemption (known as Transaction Risk Analysis, or TRA). From these requirements, the TRA and the exemption for recurring transactions deserve a specific mention. The current scope of the latter only covers recurring payments to the same payee and amount, extent that is widely challenged by the industry, as it would exclude common scenarios such as utility and phone bills.
Another set of requirements refers to SCC. Through the CDR, PSD2 mandates banks to open their systems to third-party providers (TPPs) for account information, payment initiation and confirmation of funds via access interfaces such as Application Programming Interfaces (APIs). SCC requirements establish the rules governing the interaction between the Account Servicing PSPs (known as the ASPSPs -the ones providing bank account facilities) and TPPs, who initiate a payment on behalf of a payer and that have so far rendered this service using the customer virtual banking interface (what is also known as screen scraping). Under the new requirements, ASPSPs can establish a dedicated interface for TPPs where these can only access the limited amount of information they need to perform the service. Such an interface will have to meet certain requirements that will be drafted by the EBA on future Guidelines. In the event ASPSPs fail to meet these requirements, they will have to offer a fall-back option that allows TPPs to render their services via the customer interface.
The battle within payments
Both SCA and SCC requirements depict a battle that has been taking place for years within the payments ecosystem. A battle between traditional players and the massive amount of new FinTech players that, understandably, aim to get their share of the innovation pie, which is mostly driven by them. This leads to increased competition within the industry and lower pricing. The ongoing battle within payments stimulates competition and each operator’s ambition to come up with better and more innovative solutions that are better equipped to meet the changing needs of merchants and end consumers. It will be interesting to see what this fascinating world of payments will look like in time and how all players keep up with the pace of modern consumers.
It currently seems that the battle will rage on for some time. Policy makers and authorities have to liaise more and more with the different stakeholders to understand the different viewpoints and needs so their regulatory oversight has a balanced combination of increased competition, safety and consumer protection.
 COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
 EBA-Op-2018-04: Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC.
 EBA/CP/2018/09 (dated 13 June): Consultation paper on Draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC).