A primer and overview of Open Banking, also known as Payment Service Directive 2 or PSD2, which went into effect in the UK on 13 January 2018. Produced by Digital Ventures, the Fintech arm of Siam Commercial Bank. Credit to Nat Wittayatanaseth for the research.
3. Executive Summary
Objectives
• Improve rules for electronic payments: It takes into account emerging
and innovative payment services, i.e. internet and mobile payments.
• Level the playing field for new financial service providers: Third party
providers can access customers’ account data or initiate payment
transactions.
Key additions
• Standardize and promote online transactions and payment services
• Strong Customer Authentication (SCA) for online payment
• Enhance consumer rights
• Expand the scope of regulated payment transactions
The revised Payment Services Directive (PSD2) will make banks in the European Economic Area (EEA) open up their Application
Programming Interfaces (APIs) to provide third parties with access to customer account information.
4. What?
PSD2 is one of the initiatives intended to create an efficient and integrated market for payment services in the EEA.
SEPA
• Objective: To create an efficient and integrated market for cross-border payment services. Payments are processed under the same conditions.
• Key players: Banks
• Where: EEA* + Switzerland
• When: Effective by 2009
PSD1
• Objective: To provide a legal framework for payment services**.
• Key players: Payment institutions: Non-bank institutions that provide payment services.
• Where: EEA
• When: Effective by 1 Nov 2009
PSD2
• Objective: It improves rules for electronic payments, taking into account emerging and innovative payment services.
• Key players: Third party providers (TPP): Those who can access account information or initiate payment transaction.
• Where: EEA + Switzerland
• When: Effective by 13 January 2018
*EEA = 28 EU members, Iceland, Liechtenstein, Norway
**Payment services = Service relating to payment account (current account, e-money, credit card account, current account mortgage); card issuing; merchant acquiring; remittances; mobile-based payment services.
5. When?
Timeline
• 2007: PSD1 comes into force
• Jul 2013: A review of PSD1 proposed by European Commission
• 2014: PSD2 prepared by the European Commission
• Oct 2015: PSD2 adopted by the European Parliament
• Jan 2016: PSD2 is introduced by regulators to financial institutions
• Feb 2017: A draft of Regulatory Technical Standards (RTS) was submitted by the EBA*
• Jan 2018: Member States introduce into national legislation
• 2019: PSD2 is fully enforced across the EEA
*EBA = The European Banking Authority
6. How?
PSD2’s 4 key additions
• Standardize and promote online transactions
• Strong Customer Authentication
• Enhance consumer rights
• Expand the scope of regulated transactions
7. #1 Standardize and promote online transactions
Banks need to open up their APIs to allow Payment Initiation Service Providers (PISPs) to initiate payment transactions with customer
consent.
Payment Initiation Service Provider (PISP)
Check balance: Receives information from the payer's bank
on the availability of funds (a yes/no answer) on the account
before payment initiation with the payer’s consent.
No intermediaries: Funds are transferred directly from an
issuer bank to merchant bank, bypassing card network.
Requirement: Must be authorized; have a minimum of
€50,000 in initial capital (or higher depending on types of
service); and hold a professional indemnity insurance (PII).
Sample of startups that will be affected:
• Sofort offers real-time online banking payment service in Germany.
• iDEAL is an e-commerce payment system in the Netherlands that allows customers to buy on the Internet using direct online transfers from their bank account.
[Figure: Present flow vs. future flow. Steps shown: 1. Initiate payment & give consent; 2. Check balance & authenticate as required by issuer bank; 3. Payment]
8. #1 Standardize and promote online transactions
An AISP may retrieve balance and transaction data from the payment accounts that the customer has authorized it to
retrieve data from.
Account Information Service Provider (AISP)
Aggregate data: Provides an aggregated view of past
transactions that have already occurred and presents it in one
place. An AISP cannot transfer funds out of a payment account.
Limited information access: Receives information
explicitly consented to by the payer and only to the extent it
is necessary for the service.
Requirement: Must be registered; hold a professional
indemnity insurance (PII).
Sample of startups that will be affected:
• Money Dashboard is a personal financial management service in the UK. Users can view all of their online financial accounts in one place.
• AtomBank is a digital-only bank in the UK that provides banking services through a smartphone app.
[Figure: Present flow vs. future flow. Labels shown: API; Aggregate data; Data]
9. #2 Strong Customer Authentication (SCA)
PSD2 introduces a requirement for strong or 2-factor customer authentication (2FA).
• Knowledge: Something only the user knows (e.g. password, PIN)
• Inherence: Something only the user is (e.g. a fingerprint or voice)
• Possession: Something only the user holds (e.g. a card, a token)
2 out of 3 elements must be satisfied.
[Figure: Sample application of SCA]
More detail on 2FA in Appendix
Note: TAN = A “transaction authentication number” used by some online banking services as a form of single-use one-time
password to authorize financial transactions
10. #3 Enhance consumer rights
• Reduced liability: In case of unauthorized payments (stolen card), payers’ liability is capped at €50, reduced from €150.
• Right of recourse: If payment service providers (banks) fail to provide SCA, they should compensate the other payment service providers. Sample case: Non-execution, defective or late execution of payment transactions.
• Multilateral interchange fees (MIF): MIF charged on issuing banks on consumer debit cards is limited to 0.2%, credit cards to 0.3%. Ban retailers from imposing surcharges on customers for the use of cards (impacting about 95% of payment cards).
More detail in Appendix
11. #4 Expand the scope of transactions
PSD2 extends the scope to payments in non-EEA currencies, and to where only one payment service provider is located in the EEA.
Note: PSD2 starts impacting a PSP when funds are credited to a clearing account of one of its entities domiciled
in the EU, and the required information becomes available to this entity (for inbound payments); or until the
clearing account is debited (for outbound payments).
• Two-Leg-Principle: All payments in EEA-currencies carried out within the EEA. Example: Italy to Germany (€ to €).
• Foreign currency transactions (New): Payments in any currencies, where all participant PSPs are located within the EEA. Example: Italy to Germany ($ to $).
• One-Leg-Principle (New): Payments in every currency, where only one of the PSPs is within the EEA. Example: Italy to USA (€ to $).
[Figure: Value dating and availability of funds under Two-Leg-Principle]
12. #4 Expand the scope of transactions
Value dating and availability of funds for foreign currency transactions
13. #4 Expand the scope of transactions
Credit: Value date and availability of funds when the payer’s bank is outside the EEA
under One-Leg-Principle
Debit: Value date when the payee’s bank is outside the EEA
under One-Leg-Principle
14. Impact: Re-distribute payment value chain
Taking the UK as a case study, the average Merchant Service Charge (MSC) is 0.68% of the transaction value for debit
cards.
With PISP, the PISP itself will be the only intermediary to which this MSC is to be distributed. Therefore, the new fee is
likely to be between 0.2%-0.68% (below current MSC level).
15. Impact: Experience-driven payment evolution
PISPs are being purchased to streamline the payment flow, e.g., Braintree, Stripe.
Incumbents will need to adopt new technology for SCA.
Visa, Mastercard and American Express are working with Apple on establishing Apple’s mobile payment application.
[Figure: Physical (in store) merchants; Online merchants; Polymorphic payments (online + in store)]
16. Impact: MIF regulation depresses issuers’ revenue
[Chart: Effective interchange rates for select European markets (2014 vs 2016). Source: ACI Universal Worldwide]
[Chart: Estimated annual interchange revenue drop for issuers (2013 to 2017). Source: ACI Universal Worldwide]
17. Impact: MIF regulation raises card usage
Low interchange fees are associated with a higher usage of cards
EU survey shows that:
• Credit interchange caps hurt issuers (around €2bn reduction in annual revenue)
• Issuers cut back consumer loyalty programs and cash back offers
• Some have introduced card fees
• The UK, the largest credit card market, has been most impacted
• Conversely, large merchants received a significant revenue transfer, adding to their profitability
• SMEs have not seen pass-through
19. Key provisions under PSD2
Transactions & Services
• PSD1: Card payments, direct debits and credit transfers in the EU/EEA at national and cross-border level. Cash deposits and withdrawals. M-payments and e-payments. Money remittances.
• PSD2: Card payments, direct debits and credit transfers in the EU/EEA + Switzerland at national and cross-border level. Cash deposits and withdrawals. M-payments and e-payments. Money remittances. PISP & AISP.
Amounts Transferred & received
• PSD1: Charges should not be deducted from the amount transferred for payments in member state currencies. Full payment amount should be transferred. Charges can be deducted from the payment amount received by the payee, with prior agreement. Actual payment received and charges deducted should be provided in the confirmation to the payee.
• PSD2: Same
Execution Time
• PSD1: Process payments by D+1 max. from 2009 (D = point in time of receipt). Up to D+3 until 2012 only if there is an agreement between payment service provider and ordering customer. D+1 for paper-initiated transactions. D+4 possible for certain intra-Community payments.
• PSD2: Process payments by D+1 max. (D = point in time of receipt). D+1 for paper-initiated transactions. D+4 for certain intra-Union payments.
Value Date
• PSD1: For the payer/ordering customer – Debit Value Date is date of receipt of payment order. If the payment is received on a non-working day, then value applied will be next Business Day. Rule is applicable for payments in member state currencies. For payee/beneficiary – Credit Value date is the date of receipt of funds in the Payee’s bank account. This applies to payments in member state currencies.
• PSD2: For the payer/ordering customer – Debit Value Date is date of receipt of payment order. If the payment is received on a non-working day, then value applied will be next Business Day. Rule is applicable for payments in any currency. For payee/beneficiary – Credit Value date is the date of receipt of funds in the Payee’s bank account. This applies to payments in any currency involving no currency conversion and payments in member state currencies involving a currency conversion.
Information
• PSD1: Stipulates minimum information requirements from payment service provider to customer.
• PSD2: Stipulates minimum information requirements from payment service provider to customer. Also makes it mandatory to disclose the terms and conditions upfront (execution time, exchange rate and end-to-end charges) to the payer before execution of the payment and execute upon receiving consent.
20. What are APIs?
Application Programming Interfaces (APIs)
An API is a software-to-software interface that allows web-based
applications to communicate with each other and share data.
Technically, they are sets of protocols that define how one application
interacts with another.
They can be viewed as messengers taking a request and returning the
response, e.g. the ‘share buttons’ on social media sites.
“partner API” model
• By providing APIs to partners, i.e. creditors,
brokerage firms, clearing houses, custodian banks,
etc, partners can sign up for services and access
information on customer accounts.
“open and licensed API” model
• By making an API available to the public, banks
have the opportunity to compete for new
business by enabling potential customers to
compare products/services available in the market.
21. Liability for transaction errors
Payment Initiation service providers (PISP)
• PISP is liable for submitting payment order to ASPSP (i.e. bank).
Account servicing PSP (ASPSP)
• If the PISP can show that the payer’s ASPSP correctly received the payment order, the ASPSP is responsible for ensuring the money is transferred correctly.
• Where defective payments occur, the payer’s ASPSPs shall refund payers.
• Where the payer’s ASPSP fails to require SCA, the payer’s ASPSPs shall refund payers.
Payer
• If payers act fraudulently or with gross negligence
• If unauthorized payments are caused by the loss or misappropriation of a 'payment instrument', i.e. stolen/lost card/mobile device.
Payee
• If the payee’s ASPSP fails to require SCA, it shall refund any losses caused to the payer.
22. Strong Customer Authentication (SCA)
2-Factor Authentication is a way of authenticating yourself by combining Something You Know, Something You Have, and/or
Something You Are
Common Practice
• The traditional way of signing into an application is by using a User-Id and a Password (something you know or a ‘single factor authentication’).
The Problem
• Can be relatively easily hacked.
The Solution
• 2-factor authentication is introduced.
• Something you know (user-id and password)
• Something you have (a one time code)
• Something you are (fingerprints)
Source: EBA
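An added example (not part of the original slides) of the "2 out of 3 elements" rule from the SCA slide and this appendix: verified factors must span two different categories, so a password plus a PIN still counts as only one element. The method names, the `Factor` type and the sample attempts are assumptions made for illustration.

```python
from dataclasses import dataclass

# Categories follow the slide: knowledge, possession, inherence.
# The method-to-category mapping is an assumption made for this example.
CATEGORY_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "card": "possession",
    "otp_token": "possession",
    "fingerprint": "inherence",
    "voice": "inherence",
}

@dataclass(frozen=True)
class Factor:
    method: str     # key of CATEGORY_OF
    verified: bool  # outcome of that method's own verification step

def satisfied_categories(factors):
    """Return the SCA categories backed by at least one verified factor."""
    categories = set()
    for factor in factors:
        if factor.method not in CATEGORY_OF:
            # Fail closed: an unclassified method never counts towards SCA.
            raise ValueError(f"unknown authentication method: {factor.method}")
        if factor.verified:
            categories.add(CATEGORY_OF[factor.method])
    return categories

def sca_satisfied(factors, required=2):
    """True only when verified factors span `required` distinct categories."""
    return len(satisfied_categories(factors)) >= required

# Constructed sample attempts (not taken from the slides).
ATTEMPTS = {
    "password only": [Factor("password", True)],
    "password + PIN": [Factor("password", True), Factor("pin", True)],
    "password + OTP token": [Factor("password", True), Factor("otp_token", True)],
    "card + failed fingerprint": [Factor("card", True), Factor("fingerprint", False)],
    "card + fingerprint": [Factor("card", True), Factor("fingerprint", True)],
}

def evaluate_all():
    return {name: sca_satisfied(factors) for name, factors in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:28s} -> {'SCA met' if ok else 'SCA NOT met'}")
```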
23. Current landscape for card fees
Merchant Service Charge (MSC) includes interchange fee, acquiring fee, and payment scheme/network fee.
Issuing bank keeps interchange fee, acquiring bank keeps acquiring fee, and card network (Visa/Mastercard) keeps payment scheme/network fee.
Merchant receives the amount of purchase after MSC fee.
1. Purchase with a card (€100)
2. Merchant submits transaction for authorization
3. Issuing bank approves & keeps 0.2% interchange fee (€0.2)
4. Issuing bank transfers €99.8 (€100 - €0.2) to acquiring bank through card network
5. Card network keeps 0.24% payment scheme fee and transfers €99.56 (€99.8 - €0.24)
6. Acquiring bank keeps 0.24% acquiring fee and transfers €99.32 (€99.56 - €0.24)
7. Merchant is paid €99.56 (€100 - €0.68 MSC)
8. Bills cardholder €100
9. Cardholder pays issuing bank €100
24. MIF regulation
Current problem
• Despite previous regulations, the European cards market
remains fragmented and interchange fees vary widely
(0.3%-1.8%).
• Interchange fees are agreed between the acquiring payment
service provider and the issuing payment service provider for
each sales transaction made.
Solution
• MIF was introduced to cap interchange fees, hence,
lowering costs for retailers and consumers and intensifying
competition.
Key rules
• Limit MIF for transactions: debit cards at 0.2%; credit cards
at 0.3%.
• Ban surcharges: Ban retailers from imposing surcharges on
customers for the use of these types of cards.
Benefits
• Acquiring banks and PSPs have higher margins (no regulation on
having to pass through lower fees to merchants).
• Merchants may accept more cards if total merchant servicing
fees (MSC) are lower.
• Merchants may negotiate a better deal (lower acquiring fee) with
acquirer banks
Source: Sia Partners
Note: MSC fee includes interchange fee, acquiring fee, and payment scheme/network fee (ranked by magnitude).