PSD2 has already had a significant impact on the payments industry but how does it affect the way firms implement AML compliance?
The Payment Services Directive 2 (PSD2) was adopted by the European Commission in 2015, replacing the original Payment Services Directive of 2007. Like its predecessor, PSD2 affects the regulation of payment services in the EU and EEA; it is intended to increase competition in the industry by allowing non-banks to participate and harmonize compliance standards for payment providers.
While it has been hailed as a revolution for the industry, PSD2 has also brought new compliance challenges, including AML/CFT concerns. With that in mind, it’s important that financial institutions understand how the directive works and how to comply with PSD2 regulations.
What is PSD2?
PSD2 came into legal effect on 13 January 2018, expanding the scope of the original directive in a number of ways. Most notably PSD2’s legislative reach was extended to online payments; it enhanced protections for online consumers and opened up the possibility of greater participation by online merchants in the payment services industry.
In more detail, PSD2 builds on previous legislation and impacts three areas of the payment services industry:
- Consumer rights: PSD2 expands customer rights, introducing a greater degree of transparency in payments, and new rules for surcharges, currency conversion, and the way complaints are handled.
- Security: PSD2 introduced the Strong Customer Authentication criteria (SCA) which includes a two-factor ID requirement, amongst other security measures.
- Third-party access: One of its most significant legislative effects, PSD2 enables third-party access to account information held by banks.
Online Impact: The enabling of third-party access to account information effectively breaks a monopoly previously held by banks and opens the payment industry up to online merchants, like Amazon and Google, who may expand their own payment services.
With customer authorization, these third-party companies may now retrieve account data from banks directly when they need to process a payment, without having to go through an intermediary service provider. That new access to customer bank accounts is managed by open APIs (developed and released by the banks themselves) which effectively enable third-parties to build a new market of financial services products on top of the existing infrastructure that banks have in place.
The enabling of third-party access is also known as Open Banking and is obviously closely connected to the security and compliance regulations that PSD2 introduced. The need to deal with money laundering and the financing of terrorism should be a priority concern for any legislation which expands participation in the payment services industry, and this is reflected in the enhanced regulatory requirements necessary for PSD2 compliance.
Secure Customer Authentication: SCA is the primary PSD2 AML and CFT mechanism, and essentially introduces a much stronger process of customer identification, known as ‘two-factor identification’, for almost all electronic payments. Under the two-factor verification process, electronic payments must be verified by at least two of the following three identifiers:
- Knowledge: Customers can provide some token of knowledge, which could be a PIN number or password.
- Possession: Customers may identify themselves with a physical payment object, which could be a payment card or a mobile phone (in the context of mobile wallet payments).
- Biometric: Customers can verify their payment with biometric data which might manifest as a fingerprint or voice ID.
Risk-Based: Merchants can apply a risk-based approach to PSD2 compliance. While certain lower risk transactions may be exempted from the two-factor verification process, higher risk transactions must be verified. Exemptions from the two-factor verification process are:
- Single contactless face-to-face payments under €50, up to a cumulative value of over €150, or up to five separate transactions.
- Single online transactions less than €30, up to a cumulative value of €100, or five separate transactions.
- Corporate payments made as ‘secure virtual payments’ via virtual cards or B2B cards and initiated by the business rather than an individual consumer.
PISPs and AISPs: Third-party service providers enabled by PSD2 to interact with banks (via APIs) are known as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). PISPs ‘push’ payments from customer bank accounts to merchants, while Account Information Service Providers (AISPs), aggregate personal financial data (which may come from multiple accounts). It is important to remember that these new categories of service provider will also be subject to risk-based AML compliance requirements, ranging from two-factor SCA customer identification to sanctions checks.
PSD2 compliance should be a priority for all payment industry players, but aspects of the directive are still being legislated by the EU and will not be implemented until late 2019. Staying ahead of PSD2 regulation and ensuring ongoing compliance requires institutional flexibility and a proactive approach to integrating technology within a compliance solution.