PSD2

Two months from today, on 13 January, the revised Payment Services Directive (PSD2)1 will come into effect across the European Union (EU). To understand how prepared the industry is for this deadline Deloitte surveyed over 70 firms across 18 European countries, between August and September, to gather their views.

The majority of firms, particularly within the banking sector, are broadly ready to comply with the conduct of business requirements which apply from January. However, there are significant variations in firms’ preparedness to respond to the longer term strategic opportunities and disruption PSD2 may bring to the payments and retail banking sector, with many firms still in the early stages of formulating their strategic responses.

A closer look at the compliance challenges

Our survey showed that, to date, the vast majority of firms’ human and financial resources have been devoted to responding to PSD2 from a compliance standpoint in order to meet regulatory deadlines. As a result, 75% of the firms we interviewed feel broadly confident about their readiness to comply with the PSD2 primary legislation requirements which become enforceable in January.

Looking further ahead to the implementation of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), many firms noted that regulatory uncertainty and in particular the absence of a finalised RTS is creating challenges in the definition of their broader compliance programmes. Indeed, the results highlighted that firms’ most important challenges and concerns relate to the development of Third Party Access to Accounts and Strong Customer Authentication (SCA)2 solutions, and it is in this area where some key challenges still need to be addressed.

In terms of developing Third Party Access solutions, a clear majority of 58% of respondents cited the development and implementation of robust and compliant security solutions to authenticate customers and Third Parties, and the lack of a common and specified standard of communication to do so, as their biggest implementation challenge. Consistent with this, our results highlight strong industry demand for collaboration, with 69% of respondents currently collaborating with other firms or participating in a standard setting body to develop common communication standards for their market. Collaboration under PSD2 presents a number of potential benefits that are highly attractive to firms including reduced implementation time and costs for individual firms, and increased market interoperability. These should, in turn, facilitate the development, adoption and proliferation of PSD2-enabled products and services which firms may wish to develop as part of their strategic response. Furthermore, a common and secure communication standard may partially assuage some of the issues around customer consent verification and TPP identification; as we concluded before, the UK Open Banking APIs will provide a useful model on which to proceed.

With respect to the strong authentication requirements, firms are relatively confident about their ability to implement SCA from a technical perspective. However, 31% respondents cited maintaining a good user experience while implementing these requirements as their top concern. Delivering a seamless and user-friendly customer journey could allow Payment Services Providers (PSPs) to differentiate themselves and gain competitive advantage in the market. Doing so will require effective management of PSD2 exemptions, advanced fraud prevention capabilities, cutting-edge customer data analytics, and clear communications to help customers understand why they are asked for SCA in some cases and not in others.

Taking advantage of the strategic opportunity

From a strategic perspective, 59% of firms see PSD2, on balance, to be an opportunity for their business. Many firms plan to proactively embrace PSD2 and use it to drive their digital transformation, whilst remaining mindful of the threats it can pose to their business models.

That said, relatively few respondents have so far developed a clearly defined strategic response. Only around a quarter of firms have secured and assigned formal budgets and resources to develop their strategic plans, or feel ready and confident about their state of strategic preparedness.

This may in part be explained by the need to prioritise compliance over strategy. However, our survey indicated that the majority of respondents believe that PSD2 will only result in significant competitive change over the next 2-3 years, lending additional support to the delays in strategy formulation. On balance, we tend to agree; the delay in the RTS on SCA and CSC presents a structural challenge to quicker competitive change, as TPPs will not be able to access and rely upon Application Programming Interfaces (APIs) connectivity solutions for approximately two years from now.

A further insight arising from the survey is that the majority of firms believe that the firms best positioned to succeed in a post-PSD2 world are the largest incumbent banks and established FinTechs, despite one of the key aims of PSD2 being to increase competition in the market. This is due to the strength of their financial resources, brand, trust and wide existing customer base. FinTech start-ups are seen as more likely to pivot towards B2B business models, partnering with banks to access their customers pools, given high customer acquisition costs and the investment needed to build sufficient scale to become commercially viable. However, it is worth noting that a significant minority of respondents believe that if Google, Apple, Facebook, and Amazon (GAFA) decide to enter the payments market this would be a “game changer” for the industry. In reality, it remains to be seen whether these tech giants have the appetite to fall within reach of the Financial Services regulators, but if they did, they could cause significant disruption for large and small traditional market participants.

To conclude, now is the right time for firms to start bridging the gap between their strategic aspirations and their strategic plans. Although competitive forces may be not be strong initially, they are likely to gain pace rapidly, and firms which have not effectively positioned and differentiated themselves in the market may be left behind.

For further reading on this topic please visit:

________________________________________________________________________________________________

1Under PSD2, TPPs will be able to connect, with customers’ consent, directly to the customers’ bank details and use the banks’ infrastructure to facilitate payment initiation or account information services. “Access to Account” (XS2A), as it is known, is one of the most significant changes, both strategically and operationally.

2PSD2 SCA is authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

 

Stephen Ley

Stephen Ley - Partner, Risk Advisory

Stephen leads the UK Payment Practice and co-leads the EMEA payment practice. He has more than 20 years experience in assurance and advisory services, specialising in providing technology risk and control services to the banking and payments industry. Stephen works with all parts of the payment eco-system including schemes, processes, acquirers, issuers, regulators, banks, payment institutions and market infrastructures.

Email | LinkedIn

Adam


Adam Scott - Senior Manager, Risk Advisory

Adam is a Senior Manager within Deloitte’s UK payment practice. He has more than 10 years’ experience in providing assurance and advisory services to the Financial Services industry, and focuses on Payments, IT & Operational Risk, and Change & Project Management. Adam has extensive experience of delivering and leading business and technology risk projects as well and regulatory assessments across many parts of the payment ecosystem.

Email | LinkedIn

Valeria Gallo_Professional_Picture

Valeria Gallo - Manager, EMEA Centre for Regulatory Strategy

Valeria is a Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.

Email | LinkedIn

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.