Sequent Platform Delivers on PSD2 Requirements for Services Companies
PSD2, the second Payment Services Directive, came into force in January 2018 and now affects the whole European-based payments industry, with new regulations spanning how customers pay digitally, mandated security and consumer controls over how their personal information is used or shared. Failure to comply with this directive incurs a significant penalty.
For quite a while now consumers have been demanding that banks deliver more value for the privilege of holding their money. These demands have largely gone unanswered because traditional financial institutions have not been agile enough to reinvent themselves. They are now becoming disintermediated by new entrants with superior, more agile digital offerings.
The intention behind PSD2 was to mandate new consumer protections while providing additional transparency and opening banking to the competition. While PSD2 was created by the European Union (EU), the new regulation addresses a range of issues that are relevant globally. Indeed, several jurisdictions outside the EU are considering adopting broadly similar legislation to PSD2.
Crucially, failure to comply with the regulations attracts legal and financial penalties of a scale that could significantly damage even the largest of businesses.
PSD2 Brings New Opportunities for Financial Services
While there is no doubt that PSD2 is a regulatory burden, we at Sequent believe that PSD2 has the potential to create many opportunities for FinTech companies. The changes required by PSD2 are allowing non-traditional financial services firms to enter the market and disrupt the status quo. For example, a firm can provide aggregated data to individual consumers allowing those consumers to make informed decisions on the products and services they receive from multiple financial institutions.
For financial institutions to retain existing customers they must introduce new ways to help customers manage their financial affairs, make better decisions and save money. Building deeper ‘trusted adviser’ connections with customers can lead to stickier relationships and provide opportunities for product up-sells and cross-sells. The Sequent Platform helps these organizations drive traffic by securely connecting them to the wider financial ecosystem to become Account Information Service Providers (AISPs) and drive new revenue by servicing API calls to detokenize data.
Consumers can opt-in to receive new services and financial institutions can, at the point-of-sale, offer new services such as deferred payments or incentives such as cashback, discounts or coupon redemption.
One of the many impacts of PSD2 is the ability for merchants to transact directly with banks on consumers’ behalf, without routing through the traditional networks such as Mastercard, Visa or PayPal.
PSD2 Brings Security Challenges
Digital disruption is here, and it is here to stay. The disruption evolution began with the smartphone and other mobile devices and has progressed to wearable technologies that are available today. Soon, the Internet of Things (IoT) will take smart products even further.
As with many directives and their associated regulations, PSD2 does not provide detailed technical standards but expects service providers to ensure that their organization has been scrupulous in identifying all potential security risks and deploying suitable counter-measures to mitigate those risks.
The questions for financial institutions become, “With PSD2 now in effect, how can we prove we are secure enough to operate in these areas, now and in the future?”, and “How can we take advantage of the digital economy yet remain compliant with regulatory requirements, such as PSD2, and stay one step ahead of the cybercriminal?”
PSD2 Requires Strong Customer Authentication
PSD2 defines new types of open banking service providers including account information service providers, payment initiation service providers, and card-based payment instrument issuers. PSD2 collectively refers to these as third-party payment service providers (TPPs).
The EU Regulatory Technical Standards (RTS) for strong customer authentication (SCA) and common and secure open standards of communication set out how payment service providers (PSPs) must verify a customer’s identity where a customer accesses a payment account online, initiates an electronic payment transaction (such as when shopping online), or carries out any action through a remote channel which may create a risk of payment fraud.
The RTS explains how TPPs and ASPSPs should interact and communicate securely to enable TPPs to access ASPSP customers’ accounts (with the customers’ consent) to provide open banking services to customers.
The RTS further states, “PIS Providers have the right to rely on the authentication procedures provided” by the account servicing payment service providers (ASPSPs) such as banks. Therefore, PISPs (Payment Initiation Service Providers) must pass control to the banks to authenticate customers. PISPs cannot apply their own authentication, directing banks to “just do it”. The Sequent Platform provides the means for banks to issue a PISP with a token to ensure secure authentication in a frictionless fashion. The token is issued at set-up and called whenever verification is required.
The SCA standards require a combination of at least two verification factors drawn from three different types: Possession (what I have), Knowledge (what I know), Inherence (what I am). The Sequent Platform offers token issuance and orchestration, satisfying the possession factor.
How Sequent Can Help Financial Services with PSD2 Innovation
Through the Sequent Platform, financial services can innovate new payment solutions such as card-based or QR-code-based open-banking payments and significantly lower transaction costs. Sequent can enable connections between acquirers and issuers for merchant-initiated transactions. Through tokenization, the acquiring bank verifies the token, transaction type and amount with the issuing bank and reserves the amount of the transaction from the consumer’s funding source balance. An authorization is generated and the approval code routed back to the payment initiation device at the merchant.
Want to know more about customer security, PSD2 and using the Sequent Platform to retain and build new customer relationships in the age of digital disruption? Contact us.