What is PSD2 and How Does it Affect Third-Party Compliance?
Payment services are a critical part of today’s digital commerce ecosystem, but they are also vulnerable to fraud and other types of wrongdoing. As a result, there’s more pressure on the industry to secure its practices, backed by regulatory requirements set by the government. In the EU, this has taken the form of Payment Services Directive 2 (PSD2), a new regulation designed both to provide increased fraud protection and to encourage innovation and competition within the industry. Implementing this new regulation is therefore expected to ultimately enable business growth for Fintech companies and other third parties.
Also known as the Revised Payment Services Directive, PSD2 was released in 2015, replacing a 2007 version of the regulation. It is overseen by the European Commission and applies to payment services in all EU countries and the European Economic Area (EEA). Furthermore, while the original text of PSD2 was released in 2015, it did not go into full effect until September 2019, with additional extensions on Strong Customer Authentication (SCA) protocols through the end of 2020.
What Does PSD2 Require?
In addition to amending an out-of-date financial and technological regulation dating back to 2007, PSD2 contains several core regulatory goals. Included in the regulation are guidelines for payment services modernization, enhanced security, better consumer protections and efforts to level the playing field for Fintech brands. These combined initiatives aspire to advance the EU towards the completion of what the European Commission terms the Digital Single Market, a lofty goal and one that presents significant challenges to financial institutions.
Under PSD2, financial services providers must take steps towards enhanced digital security. This includes not just banks, but also e-wallets, prepaid card providers, neobanks and other payment services groups that communicate with third-party providers—essentially any organization that manages financial transactions. These service providers are required to take the following steps to strengthen their digital security:
Provide at least one secure channel for third-party communications.
Financial services providers have several options in this regard. They may offer an API or a Modified Customer Interface (MCI) and must provide a sandbox environment at least six months before the channel goes live; third-party providers must be notified of any changes to the channel three months before they are launched. It is, however, easier to launch an API in compliance with PSD2.
Verify third parties using their eIDAS certificates.
Third parties are central to PSD2. This is because it both regulates groups like Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) and encourages open, competitive banking with new Fintech. Third parties must be verified using Identification, Authentication and Trust Services (eIDAS) certificates. This ensures that the third parties are trusted financial bodies and are not unintentionally facilitating fraudulent transactions.
Ensure Strong Customer Authentication (SCA).
Among the various aspects of PSD2, the SCA requirements were the only ones to receive an extension due to implementation challenges, but it’s important for financial services providers to recognize that SCA requirements don’t need to add friction to the payment process. Rather, these added verification steps can help enhance customer trust, reduce the number of transactions that go on to be declined, and generally fuel industry innovation. By leveraging existing technologies, financial services providers can ensure that these new requirements are not unnecessarily cumbersome for users.
A Boon for Consumers
As financial services providers work to ensure PSD2 compliance, it’s important to recognize that this isn’t just about technical issues. While enhanced security, innovation and competition are lofty aims, one of the major goals of PSD2 is to improve consumer rights and protections in the payment process. Among these improvements, the regulation reduced consumer liability for unauthorized payments and implemented no-questions-asked refunds for direct debits in euros.
While financial penalties may not suffice to motivate some organizations to complete the PSD2 compliance process, especially when it’s viewed as jumping through regulatory hoops, most will be motivated when the proposition is about consumer trust and loyalty. If financial services providers fail to complete these steps expeditiously, they risk losing customers to more competitive groups with strong consumer protections.
Compliance Struggles Slow Rollout
If financial services providers were presumed to have completed the transition to PSD2 standards last year with a slight extension on SCA requirements, why is this still a pressing issue? The fact is, many providers struggled to roll out all of the new features by the September 2019 compliance date, and only 15% of organizations had complete API functionality as of that time. Indeed, as of August 2019, not a single EU financial institution met compliance requirements, and the PSD2 deadline was extended to December 31, 2020. Clearly, financial services providers need more support, but how?
At Panorays, we specialize in addressing cybersecurity gaps between key service providers and their third parties, with a strong emphasis on regulatory compliance. That’s why, if your organization is still struggling with PSD2 compliance, Panorays’ third-party security management tool can help you. We connect the dots by emphasizing visibility. Based on your organization’s specific regulatory requirements, we evaluate your third-party relationships and provide actionable security insights. And when problems arise, Panorays is prepared. Our continuous monitoring catches problems promptly and supplies immediate, actionable solutions to ensure that you and your third parties are always working hand-in-hand.
How Panorays Can Help
If your organization is struggling to complete the PSD2 compliance process, or you’re concerned that changes by your third-party providers could compromise your regulatory standing, you need big picture support—and that means you need Panorays. With Panorays, you can feel confident that your third parties are upholding the standards you expect and that you’ll never miss a policy change.
In today’s financial services ecosystem, complete compliance with new regulations isn’t just a goal; it’s a requirement, both legally and for preserving your organization’s reputation. It is also a challenge, but luckily you do not have to figure it out alone. Panorays is here to help you navigate the PSD2 process. Contact us to schedule a demo and learn how our third-party security platform can protect you and your customers.