Europe’s Revised Payment Service Directive (PSD2) has yet to come into effect, and some of its guidelines remain in consultation. The EU is also gearing up for additional, overlapping regulations that could confuse financial services players regarding how (and when) to become PSD2-compliant. That doesn’t mean banks and other financial service providers should delay implementing changes to comply with PSD2, though, according to Deutsche Bank.
The German financial institution (FI) recently released a white paper urging banks and account servicing payment service providers (ASPSPs) to implement PSD2-related changes and reforms within their institution. It acknowledges several hurdles FIs continue to face in that effort.
Its paper, “Are You PSD2-Ready?” released in conjunction with payments consultancy PPI AG, highlighted speed bumps likely to arise as banks hustle to become PSD2 compliant when the Jan. 12, 2018, deadline for implementation passes. One of those challenges is ongoing discussions over some guidelines within the regulation, Deutsche Bank noted, particularly those pertaining to fraud reporting and security.
“However, it would not be wise to refrain entirely from planning and preparing their implementation,” the bank added.
Separate regulations coinciding with PSD2 could also challenge FIs’ process of implementing the new rules, analysts warned.
Among them are the Regulatory Technical Standards (RTS) on Strong Consumer Authentication (SCA) and Common and Secure Communication (CSC), which will not see an implementation date until the first half of 2019 at the earliest. That gap in implementation time could lead FIs to delay compliance with their SCA obligations but, because many aspects of PSD2 are closely tied to the incoming SCA rules, banks should ensure they’re ready for both regulations to come into force.
It won’t be easy, though.
“Industry bodies have noted that the effective dates of PSD2 itself, and the RTS on SCA and CSC, are not merely out of step, but that there is a genuine — and problematic — implementation gap,” the paper stated. “The only way to obviate these difficulties is to start implementing the third-party interface and strong customer authentication as soon as is possible.”
There could also be challenges ahead for FIs with the upcoming implementation of the General Data Protection Regulation (GDPR), which comes into force in May 2018, Deutsche Bank noted. PSD2 and the GDPR are overlapping regulations, both pertaining to data protection and emphasis on consumer ownership of data.
“However, there is initially likely to be an imperfect fit,” Deutsche Bank said.
Both regulations require different types of consent from data owners, and differ in how to handle third-party providers when they change or expand how they use data. There are also differences in how the regulations address who is liable for data breaches and what constitutes sensitive payment data, among other factors.
Proper Preparation
Understanding these challenges ahead will be critical to ensuring FIs are not just in compliance with PSD2, but are also ready to comply with the RTS for SCA and SCS, as well as the GDPR. While there are uncertainties ahead, Deutsche Bank global head of cash products and cash management Shahrokh Moinian is urging banks and ASPSPs to move forward with PSD2 implementation plans.
“Given the benefits to corporates, there is no reason why ASPSPs shouldn’t conclude their IT projects and deploy PSD2-related changes — including those outlined in the new Guidelines — as planned, prior to the January start-date,” Moinian said in a statement. “With respect to compliance with their third-party interface obligations, [and] we would also advise ASPSPs not to wait until late in 2018 or early 2019 to get going. They will not only miss out on some first-mover opportunities, but they may find themselves wholly underprepared for change.”
The message of Deutsche Bank’s report is clear. There are challenges ahead for the financial services industry when it comes to implementing PSD2, and balancing the directive with other incoming rules that address overlapping topics, like data protection.
But, PSD2 can dramatically improve the financial services space, Moinian added, and service providers have to be ready to adhere to the new rules to participate in that improvement.
“We rest on the cusp of a payments revolution,” the executive said. “The financial institutions that will thrive will be those that exploit the power of APIs, initially to provide third-party providers with access to their customers’ accounts as part of PSD2, but more broadly thereafter to create innovative and convenient products and services tailored to users’ changing requirements.”