By 13 January 2018, the PSD2 will be law in all EU member states. But what does that mean for APMs? The answer, says PPRO’s Ralf Ohlhausen, is actually really straightforward.
With just over six months before all member states must incorporate the Revised Payment Services Directive (PSD2) into law, there seems to be some confusion about what the new directive means for alternative payment methods. There needn’t be. The answer is simple.
PSD2 defines what it calls Payment Initiation Service Providers (PISPs). A PISP is a service which can initiate a payment by itself at the request of an end user. Imagine, for instance, a service that you select at an e-commerce store’s checkout and which allows you to transfer money from your online bank account to the merchant – paying for the goods you wish to purchase – without requiring any action from you apart from providing your credentials to authorize it.
Under PSD2, such a service would be defined as a PISP, i.e. initiating payments “on behalf of the user”. To continue operating once the directive is in law, the service provider must register with its home state’s financial regulator. The regulator will check its data and transaction security measures and any other obligations and, assuming all is in order, issue the company with a licence. Being licensed by one EU member state allows the company to operate in all member states. If it operates in accordance with the law, it can continue to trade with — at least in theory — no disruption.
So all APMs are covered by PSD2?
Not at all. Firstly, many APMs do not use bank transfers at all, and of those that do, most are not payment initiators themselves. Services such as iDEAL, giropay, MyBank and many others do not collect user credentials and are not acting “on behalf of the user”.
They are what is known as ‘redirect services’. The customer chooses the service at checkout and is automatically redirected to their bank’s online login page. When they log in using their credentials, the transaction has been auto-populated for them, but they still have to go through a number of different screens – similar to a non-automated bank transfer they would make by themselves.
Hence, these services offer an extra layer of convenience, but users have to initiate the payment themselves. Therefore, they do not qualify as PISPs under the terms of PSD2 and such companies do not have to obtain a licence from their national regulator. They can continue to operate as they do today.
So why the confusion?
The PSD2 has thrown the industry something of a curveball. Originally, the expectation was that the new directive would clarify and regularise the status of existing and future PISPs. In return for accepting regulatory oversight and for agreeing to certain conditions, notably identifying themselves to the banks as part of the transaction handshake, PISPs would be able to carry on much as before.
However, the process of drafting the PSD2’s Regulatory Technical Standards (RTS) has thrown this assumption into doubt. To the industry’s surprise, the original draft of the RTS contained elements that would not have allowed PISPs to continue their business model.
Most notably, it specified that banks could simply deny PISPs the use of the online banking interface they provide to their customers. Instead, banks could provide a separate, dedicated interface just for their new competitors. The fintech industry was not happy with this solution, because it makes the viability of their business model dependent on the banks keeping that “competitor-interface” on a par with their customer-interface, which of course would not really be in the banks’ own interest.
As a result, there has been a lot of debate and back and forth about the terms and definitions within the RTS. The good news is that the European Commission has now changed some of the content of the RTS to make them less harmful to the needs of EU consumers and fintech providers. However, there is still a lot to be desired.
The bad news is that the back and forth around PSD2 and this RTS — which is, in any case, already an alphabet soup of new acronyms to be understood and memorised — has probably gone a long way to confusing the market. At least on the point covered by this article — which companies are and are not PISPs — this confusion is unnecessary.
If, as part of its business model, a payment service acts on behalf of end users and handles confidential customer data, it’s a PISP and needs to register with its national financial regulator in order to continue trading. Exactly what this registration and subsequent licensing will entail depends on how a company’s national legislature transposes the PSD2 into that country’s law.