By Neil Smith, Head of Issuer Sales & Partnerships, EMEA and APAC at Verifi
The words “transformational” and “revolutionary” are often overused, but the advent of PSD2 is a rare example of a new financial regulation that will have a profound and widespread impact across Europe’s financial services industry.
Building on the groundwork of the first Payment Services Directive (PSD), PSD2 requires banks to open themselves up to other financial services providers by giving third parties access to their payments infrastructure and customer data.
By September 2019, all companies within the EU must comply with the new regulations, which aim to bring enhanced integration and efficiency to the European payments market, increase competition, make payments safer and more secure, and increase protection for consumers. The new regulations will also lower fees for payment services while encouraging more frictionless payment methods, such as mobile, voice, and fixed internet payment services.
While frictionless payments and greater choice are obvious benefits to customers, fighting fraud is the most urgent issue facing issuers and merchants. In the UK alone, almost three-quarters of a billion pounds were lost to financial fraud across payment cards, remote banking, and cheques in 2018, according to UK Finance.
More specifically, the Home Office and its National Audit Office found that between 2011 and 2016 there were 1.4 million incidents of card-not-present (CNP) fraud. The Home Office has said that by 2019 it “wanted to see a very significant reduction” in CNP fraud, even though it has not been able to quantify what reduction will meet its expectations because “it depends on the solutions.”
Can PSD2 be the solution that the Home Office is waiting for? Broadly speaking, the answer is yes. Customer security is one of the cornerstones of PSD2, requiring merchants to implement strong customer authentication (SCA), such as two factor authentication (2FA) to verify transactions.
“Implemented correctly, PSD2 will transform customers’ relationships with their money, creating a raft of new services”
What impact will PSD2 have on merchants?
Merchants will now be able to take online or mobile payments by drawing directly from a customer’s bank account. Since merchants will be able to securely access the customer’s bank account for payment, complex authentication processes at checkout might no longer exist nor be easily circumvented by fraudsters.
Both Visa and Mastercard are strongly encouraging banks and merchants to implement 3-D Secure 2.0, which allows biometric authentication and meets requirements of PSD2. In 2019, Mastercard will dictate that merchants must use biometric authentication, known as Mastercard Identity Check. In fact, both Mastercard and Visa will mandate 3DS 2.0 on a market-by-market basis, which will force merchants to support 3DS 2.0.
The time for processing customer complaints has also been cut from eight weeks to 15 business days, so we can expect increased pressure on the chargeback process.
What impact will PSD2 have on issuers?
PSD2 introduces opportunities for new payment initiation service providers (PISPs) to bring products to market. With PISPs, customers have the option to make payments direct from their bank accounts, rather than using a credit or debit card as an intermediary. This means that they lose the protection that their card schemes afford them, so PSD2 provides protections to tip the scales in their favour, including:
- Legislation around the unconditional refund right which applies under SEPA Core Direct Debit scheme
- With regards to pre-authorisation of card payments, when the final amount is unknown in advance, the payee will only be able to ‘ring-fence’ funds on the payer’s account when the cardholder has approved the exact amount to be blocked
- Payment Service Providers must introduce dispute resolution procedures and will be required to respond to payment complaints within 15 business days of receipt
- Member States are required to designate competent authorities to ensure and monitor compliance within PSD2 – this is the FCA in the UK
Retailers also will not be able to enforce a contract term requiring payment of a banned surcharge. In fact, they must repay it. This could well lead to customers initiating chargebacks for the excess amounts via their card issuer. Can we then expect an increase in chargebacks? As the Home Office insinuates, only time will tell.
Impact on acquirers
For remote electronic card payments, acquirers can avoid using SCA if their fraud rate (unauthorised transactions/total transactions) is below certain thresholds. For transactions up to €100, frictionless flow is allowed if the acquirers fraud rate is less than 0.13%; for amounts up to €250, the acquirer’s fraud rate must be less than 0.06%; while for transactions up to €500 require a fraud rate that is less than 0.01%
These are certainly stringent requirements, and achieving such low rates of fraud can be a challenge for many acquirers that lack the purchase details needed to legitimise the transaction. Therefore, acquirers cannot easily discern “friendly” fraud from “true” fraud. Since only “true” fraud will be used to determine fraud rate, distinguishing “friendly” fraud from “true” fraud will be essential practice, since higher fraud rates will likely result in an increase in SCA demand and decrease the conversion rate for merchants.
If the acquirer uses a Transaction Risk Assessment (TRA) exemption, they have not attempted to validate with the issuer, but instead have opted to conduct their own risk analysis on whether the transaction was performed by the cardholder. As such, if the transaction is disputed, the liability is with the acquirer since they have not asked the issuer for this additional level of validation.
Is the industry ready for PSD2?
Card brands such as Mastercard, Visa and American Express have already made great strides towards implementing PSD2. Mastercard has already set out concrete plans, for what it calls a “world, not only beyond cash, but beyond cards as well” with Mastercard Send, an account-to-account transfer service that does not use its traditional card processing system.
But card issuers are only one side of the coin. Given the rapidly approaching PSD2 deadline, the entire payments industry needs to urgently double down on its efforts to improve education and collaboration. From the issuers’ side, it is very important to implement all the exemptions to help customers smooth their transactions.
Implemented correctly, PSD2 will transform customers’ relationships with their money, creating a raft of new services from personalised financial dashboards, lifestyle payment apps, and uniquely tailored financial products and services for each customer.
The payments industry cannot afford to let this unique opportunity slip from their grasp. Educating all parties about the revolutionary potential benefits of PSD2 is key, from the ability to share customer data with authorised third parties (subject to customers’ explicit consent), to delivering more robust safeguards against fraud, which costs us all.