The second Payment Services Directive is regulation that affects all payment service providers. It aims to improve customer protection, incentivise competition, and create a more efficient payment framework within the EU.
As we are now seeing a divergence in the regulatory approaches between the FCA and the European Banking Authority (EBA) – along with the FCA deadline for the e-commerce implementation of SCA-RTS having passed – now is a good time to revisit PSD2's regulatory requirements. It is important to identify the issues that firms are experiencing since SCA became a requirement in September 2019.
The EBA and the FCA require payment service providers (PSPs) to document, test and evaluate their compliance with the SCA technical standards that govern remote account access and payment authorisation. To ensure that the appropriate controls, oversight and governance procedures are in place, firms will need to review their overall security measures and confirm they are ready for enhanced SCA.
Supporting this payment method also requires strong customer authentication solutions in which the authorisation is dynamically linked to each payment. Providers should incorporate transaction monitoring that identifies unusual payment patterns and keeps customers protected against fraud. Together, these measures allow customers to identify third-party PSPs securely and provide a better, more seamless user experience when making payments.
The intent of SCA is to establish customer protection tools that take advantage of enhanced security methods against payment fraud. Two-factor authentication (2FA) and secure communication requirements should be put in place to reduce fraud and allow an open network of transaction and account services to flourish to benefit the user experience.
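Dynamic linking, as the SCA technical standards define it, means the authentication code generated for a payment is bound to that payment's amount and payee, so the code cannot be reused for a different transaction. The following is an added illustration of that check, written for this page; it is not code from the author or any PSP. It assumes a device-bound secret provisioned to the payer's app (the possession factor), a constructed sample device id and payee account, and an HMAC over a length-prefixed encoding of the payment details. Single-use nonces are tracked so a captured code cannot be replayed.

```python
"""Illustrative SCA dynamic-linking check (constructed example, not production code)."""
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed: a device-bound secret provisioned to the payer's app (possession factor).
# A real PSP would keep such keys in an HSM-backed store keyed by device id.
DEVICE_SECRETS = {"device-123": bytes.fromhex("00112233445566778899aabbccddeeff")}

# Constructed in-memory record of consumed nonces; a deployment would persist this.
_used_nonces: set[str] = set()


def canonical_payment(amount: Decimal, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the details the authentication code must be linked to.

    The verifier must rebuild exactly the bytes the device authenticated, and the
    encoding must be unambiguous so that field boundaries cannot be shifted,
    hence each field is length-prefixed.
    """
    out = b""
    for field in (f"{amount:.2f}", currency, payee, nonce):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def issue_auth_code(device_id: str, amount: Decimal, currency: str, payee: str, nonce: str) -> str:
    """Code the payer's device would produce after showing the user amount and payee."""
    secret = DEVICE_SECRETS[device_id]
    mac = hmac.new(secret, canonical_payment(amount, currency, payee, nonce), hashlib.sha256).digest()
    # Truncated for display; a real deployment sizes the code to its risk model.
    return mac[:4].hex()


def verify_auth_code(device_id: str, amount: Decimal, currency: str, payee: str, nonce: str, code: str) -> bool:
    """PSP-side check: the code must match the details being executed and the nonce must be fresh."""
    if nonce in _used_nonces:
        return False  # replay of an already-consumed authorisation
    expected = issue_auth_code(device_id, amount, currency, payee, nonce)
    if not hmac.compare_digest(expected, code):
        return False  # amount, payee or currency differ from what the user authenticated
    _used_nonces.add(nonce)
    return True


def demo() -> dict:
    """Show that tampering with amount or payee, or replaying, is rejected."""
    nonce = secrets.token_hex(8)
    code = issue_auth_code("device-123", Decimal("100.00"), "GBP", "payee-account-A", nonce)
    return {
        # Attacker alters the amount in transit after the user approved 100.00.
        "amount_changed": verify_auth_code("device-123", Decimal("1000.00"), "GBP", "payee-account-A", nonce, code),
        # Attacker redirects the payment to a different account.
        "payee_changed": verify_auth_code("device-123", Decimal("100.00"), "GBP", "payee-account-B", nonce, code),
        # The genuine payment passes.
        "original": verify_auth_code("device-123", Decimal("100.00"), "GBP", "payee-account-A", nonce, code),
        # The same code presented again is rejected.
        "replayed": verify_auth_code("device-123", Decimal("100.00"), "GBP", "payee-account-A", nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer would check in a real implementation is the same one the demo exercises: the verifier recomputes the code from the details it is about to execute, not from details echoed back by the client, and the amount and payee shown to the user are exactly the ones fed into the code.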
On their own, these requirements are relatively straightforward, but the recent changes introduced by the FCA have moved the overall payment landscape on. As a result, some traditional and new payment providers have struggled with the interpretation and implementation of technical measures that comply with SCA. Firms have also had to contend with the mandatory requirement to audit their SCA implementation and, should the regulator require it, provide an audit report setting out the firm's compliance, including the security of the measures in place.
Complying with these requirements is important in avoiding reputational damage and regulatory intervention. Developing clear authentication protocols, backed by operational and security risk assessment, will satisfy the regulatory requirements and mitigate potential risk. But having conducted a number of SCA and transaction risk analysis (TRA) implementation reviews, we have found that some common challenges come to light. These include:
Whether weaknesses arise by oversight or by misinterpretation, firms that process tens of thousands of payments a day, mindful of the FCA's business plan to make payments safer, cannot afford to let any weakness in their authentication protocols persist.
This is why it is important that firms are up to date with the regulatory requirements and review their systems to ensure that they are meeting best practice.
As with any large regulatory and infrastructural change, the cost of compliance can be high. The mandatory requirements add to already costly operational considerations, and additional resources or specific technologies may be required to monitor controls on an ongoing basis. This brings an extra element of operational and IT risk to the equation, meaning that firms will have to carry out a thorough review of their systems and business operations to integrate PSD2 effectively into their organisation.
You need to maximise the potential for growth by embracing the changes. Notably, there are now more opportunities to increase your market share by leveraging payment initiation and account information aggregation. By getting it right the first time, firms can improve their customer assurance and get ahead on developing progressive systems to embrace payment services.
For leading advice on PSD2 and upcoming regulatory updates for payment service providers, please contact Paul Olukoya.