Ten key messages from our PSD2 Academy

Earlier this week, we welcomed over 120 delegates to our PSD2 Academy, which covered the burning issues on PSD2 implementation. If you weren't able to join us, here is a link to the session; the ten key messages to take home are set out below:

1.  Under PSD2, it's even more important to work out if you have a "payment account"…

In the new world this question becomes even more important than it was before because:

  • Third Party Providers will have the right to access "payment accounts" that are accessible online; and
  • PSPs will be required to provide information to payers on individual payment transactions as soon as reasonably possible after an individual payment transaction is debited from the payer's "payment account".

2.  Help me decide if I have a "payment account"!

Current accounts, e-money accounts, instant access savings accounts (including ISAs), credit card accounts and current account mortgages are definitely "payment accounts".

Accounts which are not marketed as instant access accounts and have meaningful barriers to access (e.g. notice periods, forfeit of interest, limited ways of using the account), and fixed term bonds/deposits with penalties etc. for withdrawals, are definitely not "payment accounts".

For accounts that fall somewhere in between it will be debatable whether or not the account is a "payment account".  An account is more likely to be a non-payment account if it's not marketed as an instant access account and if there are a number of barriers which cumulatively deter access or which equate to notice accounts.

3.  A few new words may mean big changes for post contract information

We're waiting to see whether the final regulations take into account industry-wide representations on this issue but, if HMT doesn't change its current position, amendments to PSR 53 mean that either:

  • customers must be given prescribed information after each transaction and it must be provided (i.e. by post or in another durable medium) unless the customer chooses to have it "made available"; or
  • the UK will exercise the member state option and require monthly statements on all payment accounts.

4.  Unintended targets of the new TPP rules

The definitions of "Account Information Service" and "Payment Initiation Service" are broad enough to capture unintended targets such as Authorised User/Power of Attorney arrangements. If these arrangements are deemed to fall in scope of the definitions, then the party providing the service would need to be authorised. We – along with others in the industry – are in ongoing discussions with HMT and the FCA to explain why, from a policy perspective, these types of arrangements should not be caught.

5.  The latest on screen scraping

Although the Commission draft RTS says that screen scraping can be used as a contingency when a PSP's dedicated interface is down, it remains to be seen whether this amendment will survive in the final version of the RTS!

6.  "Explicit consent" in PSD2 vs GDPR

PSPs will need to consider how the "explicit consent" requirement in PSD2 fits with the requirements in GDPR. Unfortunately, PSD2 and GDPR don't fit together neatly on this.

7.  What can AISPs do with data?

PSD2 is ambiguous as to whether AISPs can use data for wider purposes if it is transparent to the customer and the customer agrees.  Although there are policy reasons to support this and the wording in GDPR is helpful, the wording in PSD2 could be a road-block.

8.  "Persistence" argument will reduce impact of SCA for customers

PSPs that require one factor of authentication each time a customer logs into their account online should be able to ask customers for one additional factor of authentication (rather than two new factors) for each SCA event. This would reduce friction in the customer journey while achieving the high levels of security required under PSD2.

9.  Get to know the SCA exemptions

As there are wide-ranging exemptions to SCA, PSPs who choose to rely on the "persistence" argument as well as any applicable exemptions may find they are able to design processes that don't disrupt customers' online experiences. It will therefore be valuable to invest time getting to know the exemptions better!

10.  PSPs can't escape impact of SCA

Even if the impact of SCA on customer journeys can be minimized, there will be some significant behind-the-scenes changes for PSPs, who will need to generate an authentication code after each SCA event and dynamically link that to the payee and amount of any payment transaction.

PSPs will also need to be aware if one of the exemptions they've been relying on falls away or changes.

For more detail on these issues and other issues covered at PSD2 Academy you can re-live the afternoon by clicking on this link and watching the sessions.
