[This post begins a series of blogs which will examine in detail the effect of the EU’s new payment service directive (aka PSD2) from both a technical regulatory and business opportunity perspective. It was originally posted on our sister site Digital Baobab.]
Attending recent seminars on PSD2 brought home just how much industry uncertainty still exists around the directive. This is not surprising. For despite the fact that member states have two years to implement it, much of the detail remains to be defined.
This job has largely been left to the European Banking Authority (EBA), who have been mandated to define the necessary guidelines and regulatory technical standards (aka RTS – although they won’t be defining anything ‘technical’ as technologists might understand that term), which are subject to their own timelines. In fact, the EBA’s own role in defining PSD2 is worth a post in itself, something we’ll be publishing in the coming days.
The EBA currently have an industry discussion paper out on strong customer authentication and secure communication, issued on the 8th of December. This will be the most contentious and politically sensitive of the RTSs to be defined and has been exercising the minds of compliance departments across the banking industry. The deadline for responses is the 8th Feb (i.e. this coming Monday) and opportunities for industry lobbying to shape this thereafter will be slim, so those who wish to influence its outcome should speak now or forever hold their peace. The EBA will assuredly have their work cut out to incorporate the slew of responses coming their way, and whether they meet their own deadline of Q2 this year for a draft RTS on this topic remains to be seen.
Some of the current confusion around PSD2 can also be attributed to how the EU legislative process works, so those timelines are worth clarifying. The revised payments services directive (PSD2) was first proposed by the European Commission in June 2013, adopted by the Parliament in October 2015 and entered into the Official Journal (OJ) of the EU on 23rd December of that year (making it legally binding in all member states). Its ‘entry into force’ (EU jargon for ‘effective from’) was the 12 January 2016 (20 days after publication in the OJ), giving all member states two years to transpose it into national law.
All clear and simple, right? Well, yes, except with one major caveat. And that is that all RTS’s to be defined by the EBA have their own timelines. These by and large fall within the two years’ deadline national legislatures have to implement PSD2 – that is to say the 12th Jan 2018.
Except for one – the big one. The RTS on strong authentication and secure communication (which we mention above) is subject to a separate timeline. It is intended that this will come into force some 18 months after being adopted by the EU Commission. Given that the earliest foreseen adoption date is Jan 2017, this implies the earliest date this RTS can come into force is September 2018, some 8 months after the deadline for PSD2. The EBA readily admits that, given its sensitive nature, this date could be pushed out into the calendar year of 2019. To help give some clarity around these timelines we’ve drawn up a ‘PSD2 Timeline’ infographic that some might find useful.
Given that it is this RTS that underpins much of how PSD2 will operate, can we effectively have an industry operating under PSD2 until that last remaining RTS comes into force? Could some banks refuse to cooperate with trusted third parties and payment service providers until this final RTS is in place? We believe so. But the more forward-thinking will have long since been operating under an open API environment, leaving the defensive laggards to serve as the utility banks of the future.
Next up in this series we will be taking a closer look at some of the more pertinent articles in the directive as they relate to banking and payments, plus an examination of the role of the EBA in defining the technical standards that will underpin PSD2. We feel that this technical understanding of the directive is crucial before one can apply it to the new business models that will disrupt the industry over the coming years.