February 2022 – Open banking is changing the way people use banking services in the modern world. Europe prides itself on being the cradle of the open banking revolution, with the EU’s Payment Services Directive[1] (PSD2) being one of the first regulatory initiatives to open up bank-held account data. PSD2 has been in force now for more than four years and has already reshaped the European payments sector. The ongoing review of PSD2 brings an opportunity to assess the current status of open banking in Europe as well as the impact of the directive on the sector.
Open banking is the practice of enabling secure interoperability in the banking industry by allowing third-party providers (TPPs) to access payment transactions and other data from banks and other payment services providers. Through the use of application programming interfaces (APIs), open banking allows the networking of payment accounts and data across financial institutions. TPPs such as fintechs and e-commerce businesses can access the data and utilise it to build custom services. This ultimately provides customers with a range of new services for managing their finances.
Revised Payment Services Directive (PSD2)
The arrival of open banking in Europe would not be possible without PSD2, a regulatory initiative that aims to increase competition and innovation in payment services. The PSD2 directive was adopted in 2015 and EU member states had until January 2018 to transpose it into national law.
At the beginning of 2022 – more than four years after the directive went live – there is no doubt that PSD2 has had a significant impact on the European payments industry, as well as the entire banking sector. Yet, some people may argue that open banking in Europe has not succeeded as much as was expected, and that the payments market has not yet fully utilised the opportunities brought by the opening up of bank-held account data.
The review of PSD2, which is currently underway,[2] brings an opportunity to analyse the current state of open banking in Europe and the actual impacts of the directive, as well as to identify what the barriers are to a more open financial system.
Objectives of PSD2
In 2015, EU legislators introduced PSD2 with a view to:
- contribute to a more integrated and efficient European payments market,
- level the playing field for payment service providers (including new players),
- make payments more secure, and
- enhance consumer protection.[3]
There are indications that some of these objectives are already materialising. First and foremost, with PSD2 TPPs have gained access to payment accounts held with banks and other payment services providers. This regulatory intervention alone has the potential to promote competition in the payments industry and create new innovative solutions and, consequently, to reshape the European banking sector.
In terms of competition, a 2020 study[4] shows that the payments-oriented fintech sector in Europe has grown significantly after the implementation of PSD2. There are now more than 300 businesses in the EEA that are authorised to provide account information (AIS) or payment initiation services (PIS) –payment services, which were practically non-existent before the introduction of PSD2.
In 2021, Strong Customer Authentication (SCA) became mandatory for online payments in the EEA. This requirement ensures that online payments are subject to multi-factor authentication in order to increase the level of security when making online purchases. This, along with other security requirements under PSD2, such as security incidents reporting,[5] increases the security of payment transactions and protection against the risk of fraud.
Another benefit to consumers is the surcharging ban. Before PSD2 came into effect, some merchants charged their customers additional fees for payments via debit or credit cards – this practice is known as “surcharging”. PSD2 has banned additional charges[6] for payments with most debit and credit cards.[7] This has only accelerated a shift towards payment cards and a decline in the use of cash.
Regulatory and technical issues
Although it appears that the above-mentioned objectives of PSD2 have been achieved, TPPs still face many regulatory obstacles when entering the payment services market.
Given that PSD2 was introduced in the form of an EU directive and needed to be transposed into national legislation, certain nuances have arisen between the interpretations of PSD2 policies by the individual member states and financial institutions. These interpretation differences present complications, in particular to TPPs that are active in multiple countries and need to address these nuances on a country-by-country basis.
For instance, PSD2 provides that TPPs are allowed to access “payment accounts” held with other payment services providers. According to PSD2, a payment account is an account that is used for the execution of payment transactions.[8] Regular bank accounts in which the user can deposit and withdraw money, as well as execute transactions, are thus regarded as payment accounts. Accounts that do not fit in this definition (e.g., mortgage accounts) fall outside the scope of PSD2. When it comes to credit cards, however, the assessment is less clear. Most credit card accounts presumably do not fall under the “payment account” definition, as the users cannot deposit funds in those accounts. On the other hand, the users are allowed to withdraw money from the account and make payment transactions. The answer thus depends on the specific features of the financial product and the banking legislation in the particular state. Consequently, TPPs providing services in multiple EEA countries may access credit card account data in one country, whereas banks in another country do not make this data accessible.
Furthermore, as open banking under PSD2 is limited to payment accounts, other financial products such as wealth management services or consumer lending are not within the scope of the directive. Financial institutions offering such products are not required to (and in practice usually do not) provide access to such customer data to TPPs. Making this data available to TPPs would create interesting opportunities to customers beyond the area of payments and support innovations in sectors such as trading and investments or wealth management.
Another issue that TPPs face is that the access to payment accounts by TPPs is limited by the so-called “90-day re-authentication rule”. Banks or other payment services providers maintaining a payment account are required to perform a Strong Customer Authentication (SCA) of the user either upon each access to the account, or at least every 90 days. Furthermore, it is not possible to authenticate the user for all accounts aggregated by an account information service (AIS) in one go. Instead, users are required to authenticate themselves for each account separately, and usually at different times, because the 90-day re-authentication period is not synchronised. This requirement creates unnecessary friction in the customer journey of AIS applications. The good news is that EBA proposes to extend this 90-day rule to a 180-day minimum,[9] which may have a positive effect on the user experience of many AIS applications.
The lack of new pan-European payment solutions can also be conceived as an unfulfilled opportunity of PSD2. The European payments sector is still heavily dependent on card payments and global card schemes,[10] and the EU’s financial sovereignty would benefit from innovative payment solutions enabling frictionless payments across the whole EEA. Although account-to-account payments present a promising alternative to card payments – not only from the perspective of pricing but potentially from transaction speed as well, payment initiation services (PIS) have not yet become a common payment method in Europe. Perhaps a regulatory requirement for pan-European instant payments in all EU member state currencies might change this. A new revised version of the Payment Services Directive could then provide the necessary regulatory framework for this purpose. Currently we can observe a drive to real-time payments globally, with preparations also underway for FedNow instant payments in the United States, and Europe should not be left behind in this respect.
Conclusion
The introduction of open banking in Europe, enabled by PSD2, has already shown a positive impact on competition in payment services and the banking sector generally, enhanced consumer protection and supported the creation of new payment solutions. Yet, TPPs such as fintechs, e-commerce businesses and other start-up companies still face regulatory hurdles when entering the payments market. A regulatory requirement to open up not only payment account data, but also data concerning other financial products such as wealth management services or consumer lending, is another opportunity to foster innovation in financial services and to create new solutions beyond the area of payments. It remains to be seen whether the review of the EU’s payment services legislation will result in a transition from open banking to open finance.
For more information please contact Jakub Šťastný, Associate at Kinstellar and PhD student at Charles University, at .
___________________________________
[1] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market
[2] On 20 October 2021, the European Commission requested advice from the European Banking Authority (EBA) on a number of specific topics related to the application and impact of PSD2. The objective of the call for advice is to gather evidence on the application and impact of PSD2, including any benefits and challenges that may have arisen in the areas such as scope of the directive, licensing requirements, Strong Customer Authentication (SCA) and access to bank accounts by TPPs
European Commission. (2021, November). Call for advice to the European Banking Authority (EBA) regarding the review of Directive (EU) 2015/2366 (PSD2) (fisma.b.3(2021)6927974) https://ec.europa.eu/info/sites/default/files/business_economy_euro/banking_and_finance/documents/211018-payment-services-calls-advice-eba_en.pdf
[3] European Central Bank. (2018, October 5). The revised Payment Services Directive (PSD2). Retrieved February 22, 2022, from https://www.ecb.europa.eu/paym/intro/mip-online/2018/html/1803_revisedpsd.en.html
[4] Polasik, M., Huterska, A., Iftikhar, R., & Mikula, T. (2020). The impact of Payment Services Directive 2 on the PayTech sector development in Europe. Journal of Economic Behavior & Organization, 178, 385–401
[5] Article 96 of PSD2
[6] Article 62(4) of PSD2
[7] Although this ban only applies to payment card transactions in so-called four-party schemes and does not apply to payment card transactions in three-party schemes, the ban on surcharging in the EU is almost universal, as the vast majority of payment cards in the EU are issued under four-party schemes.
[8] Article 4(12) of PSD2
[9] European Banking Authority. (2021, October 28). EBA consults on the amendment to its technical standards on strong customer authentication and secure communication in relation to the 90-day exemption for account access. Retrieved February 22, 2022, from https://www.eba.europa.eu/eba-consults-amendment-its-technical-standards-strong-customer-authentication-and-secure
[10] European Central Bank. (2019, April 17). Card payments in Europe – current landscape and future prospects: a Eurosystem perspective. Retrieved February 22, 2022, from https://www.ecb.europa.eu/pub/pubbydate/2019/html/ecb.cardpaymentsineu_currentlandscapeandfutureprospects201904%7E30d4de2fc4.en.html