# PSD2: What Is It? Innovation Through Regulation.
So I'm super excited to speak about payments, FinTech and authentication today at the Consumer Payments Primer. As is usual for me, I was going on and on about PSD2 to a friend over the weekend... then realized after a few minutes that there was a puzzled look on my friend's face. He had no idea what PSD2 is all about, in spite of working for the Canadian banking sector and this being a global trend.
Thus, my attempt to explain in good, plain ESL English what I understand it to mean:
PSD: for starters, it stands for Payment Services Directive. Set by the European Parliament, it started in 2007, when this whole directive got underway. The big change was actually approved in November of 2015.
PSD2 might represent one of the single biggest changes in banking industry history, because it’s the first time banks will be obligated by law to open their infrastructures to third parties.
Many banks are concerned about this legislation, feeling exposed and under attack from new entrants, aka FinTechs. Many might be clueless, and certainly many, like me, have LOADS of questions left to be answered. Such as, "Is this an advantage to European banks?" and, "Will it be a challenge to push banks to do innovation through regulation?" I would say so!
"PSD2 will enable more access for new players in payments, the time to develop an open banking strategy is NOW," says Jim Marous of The Financial Brand.
What is PSD2 supposed to do? Its aim is to make payments safer and to better align with internet development and mobile trends, thus enabling consumers to have secure e-payments and expanding the financial services ecosystem. Sounds like big goals have been set? For sure.
Opportunity or threat for incumbents? Certainly. A lot of regulatory work ahead? Absolutely! A large majority (88 percent) of bank executives believe that PSD2 will affect their businesses, but they are far less sure about the specific implications and ramifications of PSD2 or what their response to the directive should be.
Three main things that PSD2 sets out:
- Demands strong customer authentication
- Opens bank data to third parties
- Covers payments services providers
What are the new roles now open to this ecosystem?
- ASPSP: Account Servicing Payment Service Provider, aka the consumer's bank or current issuers.
- PISP: Payment Initiation Service Provider, aka initiates the payment process, seller or PSP.
- AISP: Account Information Service Provider, aka platforms that can consolidate customers' data - "Cross bank" - like a Yodlee, but with the potential to transact.
Obviously I'm super obsessed with authentication, given my "day" job at BioConnect. So, when PSD2 requires strong customer authentication for remote payments, I ask, "What could this mean for the authentication landscape?"
Let me break down my understanding: service providers in the ecosystem will have to comply with at least two of the three following parameters/factors:
- Something you know: could be your user name and password.
- Something you have: could be your mobile device.
- Something you are: your biometrics.
Key thing to note here is that a customer's dynamic authentication must be linked to a specific amount and a specific payee. But have we really defined what dynamic means?
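The two requirements above (factors from at least two of the three types, and an authentication linked to a specific amount and payee) sketched as an added example; it is not part of the original article and not a scheme PSD2 itself specifies. It assumes a secret key shared between the customer's device and the bank and uses HMAC-SHA256 as one possible binding; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# The three factor types listed above (labels are this example's own).
CATEGORIES = {"knowledge", "possession", "inherence"}


def has_two_categories(verified_factors):
    """True when the verified (category, description) pairs span >= 2 categories."""
    seen = {cat for cat, _ in verified_factors if cat in CATEGORIES}
    return len(seen) >= 2


def _message(amount_minor, currency, payee, nonce):
    # Length-prefix each field so bytes cannot be shifted between adjacent fields.
    fields = [str(amount_minor).encode(), currency.encode(), payee.encode(), nonce.encode()]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def issue_auth_code(key, amount_minor, currency, payee):
    """Return (nonce, code); the code covers exactly this amount and payee."""
    nonce = secrets.token_hex(16)  # fresh per transaction, so codes differ each time
    msg = _message(amount_minor, currency, payee, nonce)
    return nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(key, amount_minor, currency, payee, nonce, code):
    """Recompute over the payment actually being executed; constant-time compare."""
    msg = _message(amount_minor, currency, payee, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key
    factors = [("knowledge", "password"), ("possession", "mobile device")]
    print("two categories:", has_two_categories(factors))
    nonce, code = issue_auth_code(key, 1500, "GBP", "Example Shop Ltd")
    print("same payment:  ", verify_auth_code(key, 1500, "GBP", "Example Shop Ltd", nonce, code))
    print("amount changed:", verify_auth_code(key, 9900, "GBP", "Example Shop Ltd", nonce, code))
    print("payee changed: ", verify_auth_code(key, 1500, "GBP", "Other Payee", nonce, code))
```

A password plus a PIN fails the first check because both are "something you know". A production verifier would also reject a nonce it has already accepted.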
Let's be real: it seems a bit odd to think the European customer is used to £30 for contactless payments, and now that same customer should use MFA (Multi-Factor Authentication) for a £15 transaction online? Where is the language or clarity between friction and security?
Also, ASPSPs, aka banks, must allow third-party payment service providers access to their customers' account information. No wonder some banks say this is a threat. Have you seen Facebook or Google be mandated to share their client information for no exchange of value of money? Don't think so...
So, XS2A mandates that the data can only be shared if the customer has given explicit consent to do so. Also, the list of responsibilities says that payment service providers have to find evidence against fraud and secure the confidentiality of users' credentials...
Now, one of the many questions becomes whether this can truly enable customers to be in the driving seat when it comes to their finances and their data. Who will manage this data? Who owns it? Who regulates it? Who really has the right to monetize it?
As a customer, I'd like a piece of this pie; that's for sure.
Account Manager
7y: Great article Bianca! Would love to chat more. Will be very interesting to see how the rest of the world responds to this new directive.