PSD2 is the second payment services directive from the European Commission. Here is what you need to know before it becomes effective in January 2018.
1) Safe and transparent payments
The new rules aim to improve consumer protection and generally make payments safer. For consumers in general it means that the liability for certain types of non-authorised payments is reduced from €150 to €50 among other things. Legislators also seek to improve transparency, which is why a ban on surcharging for some payment instruments is introduced. Additionally, PSD2 imposes strict security requirements meaning that strong consumer authentication will become de facto standard whenever a payment is initiated or an account is accessed.
2) Improve internal market and competition
At the same time, the new regulation is meant to create a better-integrated internal market for electronic payments. Extending the scope of the first payment services directive, so-called one-legged transactions will be covered by the rules. That means transactions in and out of EU member states as long as either the sender or the recipient is based in an EU member state. Additionally, legislators want to open up the payment market to new players leading to increased competition. Specifically, PSD2 introduces two new types of players: Account information service providers (AISP) and Payment initiation service providers (PISP). The Account information service providers are a type of third party providers that may access the account information of a customer and thus be in a position to provide the customer with an overview across different banks. Payment initiation service providers may initiate payments on behalf of customers.
3) APIs at the center
Up until now, the Account information service providers and the Payment initiation service providers have not necessarily been able to access the customer account information or initiate payments. With the implementation of PSD2, however, banks like Danske Bank will be required to allow access through APIs (Application Programme Interface) upon customer accept. This is widely seen as the potentially most wide-reaching consequence of PSD2. It is worth mentioning that the API requirement will await the new Regulatory Technical Standards (RTS), which are not yet approved at a European level, and which will be followed by an 18 month deadline for implementation. Thus, it is not likely to take effect until September 2019. The same deadline will apply for the requirements regarding strong customer authentication.