That thing about the single market and PSD2

Stefan Loesch
Jan 18, 2017

I am currently acquainting myself with the payments side of EU regulations — I am more of a capital and risk guy myself — and I found that those are an extremely good example of why regulations are really cool. I mean, don’t get me wrong: Basel and CRD are necessary and useful, but they are not cool. Firstly, it is just too technical to get excited about, and then, what is sexy about “we are trying to prevent the total meltdown of the banking system, even if this means we have to choke off the economy”? Payments regulations on the other hand are sexy: they create an environment for a whole new range of cool fintechy products that’ll change the way we live (well, maybe not quite, but it is pretty cool stuff nevertheless).

The Payments Services Directive 2 (PSD2)

I first want to give a brief overview of the Payments Services Directive 2 (“PSD2”). It is a Directive of the European Union, which means it lays out in reasonable detail what legislation should look like, but it is not legislation in itself, and it is the duty of the member states to implement appropriate legislation within a reasonable time frame. This may sound like a complicated way of doing things, but it is actually quite helpful in practice as different jurisdictions might need to implement things in a certain way. Ultimately, in case of issues, the Court of Justice of the European Union is the arbiter of whether the local implementation is a fair representation of the Directive.

Directives come in two parts: the second part is the usual legalese as one would find in any other statute. The interesting part however is often the first one, called the “recital”, that in prose (and without legal standing) describes what the directive is trying to achieve, why this is a good thing, and how this should be done. This is helpful eg when checking whether an actual transposition in spirit complies with a directive or not — with pure legalese documents it happens quite often that in case of conflicts people have to go back and ask “what was the intention of the law” — in European Union Directives you can just look it up in the recital. It has been pointed out to me though that sometimes the recital contradicts the regulations, and is also there so that differing views can be included in the final text. This of course renders the whole thing rather less useful…

The PSD defines Payment Service Providers (PSPs) which are essentially all businesses that operate somewhere in the payments vertical that has been classically dominated by banks. Usefully, the Directive enumerates what services PSPs can provide:

  1. Services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account.
  2. Services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account.
  3. Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider:
    (a) execution of direct debits, including one-off direct debits;
    (b) execution of payment transactions through a payment card or a similar device;
    (c) execution of credit transfers, including standing orders.
  4. Execution of payment transactions where the funds are covered by a credit line for a payment service user:
    (a) execution of direct debits, including one-off direct debits;
    (b) execution of payment transactions through a payment card or a similar device;
    (c) execution of credit transfers, including standing orders.
  5. Issuing of payment instruments and/or acquiring of payment transactions.
  6. Money remittance.
  7. Payment initiation services.
  8. Account information services.

Within the big group of PSPs the directive defines a number of subclasses of institutions, for example Payment Institutions (like banks, but without loan and deposit businesses), Payment Initiation Service Providers (who can connect to PIs or banks to initiate payments on the customer’s behalf) and Account Information Service Providers (who can connect to PIs or banks to retrieve detailed account information on the customer’s behalf).

One of the key purposes of PSD2 is to define a regulatory regime for the different providers, with a view to ensuring that the more is at stake the more stringent the regulation becomes. It also defines how this regulatory regime extends across the EU (or EEA, but I’ll ignore that); notably it defines the roles of the Home Regulator (in the EU country where the company is based) and Host Regulator (in the EU country where the company is operating) and how passporting works. For those interested, the relevant articles are 28 and 29, but essentially the way it works is as follows:

  1. the company applies to its Home (!) Regulator to extend its operation to another country
  2. the Home Regulator checks with the Host Regulator whether it sees any issues with this application
  3. the whole process shall be finished within three months, at which point the company can operate in the new market

Now reality might be more complex, especially if the Host Regulator has some issues with which the Home Regulator does not agree, but there is also a process for resolving this.

Which leads us to the next cornerstone, the European Banking Authority (EBA), which is some kind of European super bank regulator. In various parts of the PSD2 it is tasked with defining and updating the technical details and best practices. Importantly, it is also tasked with adjudicating differences amongst member states and/or their regulatory institutions (Article 27). So if Home and Host Regulator disagree, the EBA is the first port of call.

Last but not least, the PSD2 defines a requirement for owners of payment infrastructure (notably the banks) to provide access on equal and non-discriminatory terms. So when some PSP / PISP / AISP provider has been authorised and fulfils the requirements as defined in this directive (including the more detailed requirements being produced by EBA) then banks and Payment Institutions have to provide API-based access to the systems and the customer data. In particular:

  • all PISPs can initiate payments on behalf of all customers who authorise them, regardless of where those have their account
  • all AISPs can retrieve detailed account information on behalf of all customers who authorise them, regardless of where those have their account

Benefits of Regulation

It is pretty evident that sensitive services like payments need to be regulated. Some ultra-free-market proponents might disagree, but generally customers are not able to ascertain whether PSPs are legitimate and safe to use, and given what is at stake this is not quite acceptable. Interestingly, simply regulating PSPs and making sure they are safe can increase competition and innovation: without regulation, customers will place a huge premium on reputation, and the largest and oldest institutions win on this criterion hands down. However, if customers know they can trust any PSP that is allowed to operate in their country then they can safely use a start-up without risking their livelihood.

But the benefits of the PSD2 go further: firstly, it contains specific pro-competition provisions which force the more powerful players in this segment to open up to authorised newcomers. Note the word authorised in this context, which is absolutely key: the reason why regulators can require companies to open up is that they know that because of the authorisation process they can do so safely — there are certain minimum standards that companies benefitting from this opening up need to adhere to, and some of them are that (a) they are most likely not crooks, and (b) they are expert enough in their technology to not wreck the overall system.

Secondly, it provides a unified regulatory space across Europe. This is awesome for scaling, because it means that the incremental cost of reaching another country can be kept at a minimum. This of course is particularly interesting for technology companies because of their cost structure that is typically very heavy on fixed costs — being able to spread those over more customers is an immense strategic advantage, and the companies that can scale first often win because they have more resources to improve their product than their competitors who lag behind. Everything else being equal, a company that can grow over a market of 500m people will scale more quickly than one that can only grow over a market of 50m people, so the former has a greater chance of ultimately winning.

It is the nature of regulated industries that there is a certain amount of regulatory capture, ie that regulators get a little bit too close to their regulatees. This is particularly strong in areas where this capture is not in contradiction of the regulatory mandate. Therefore regulation almost always creates an additional moat, because regulators side with their industry incumbents and protect them against new competition. This is not black & white of course, but everyone who has worked in the space knows that the new and/or foreign firm has it just a little bit more difficult than the incumbent, making it more difficult to compete.

Whilst this effect has not entirely been neutralised within the European Union, measures have been taken to significantly weaken it:

  • regulations are unified as far as possible, making it very difficult to argue that a company operating in one jurisdiction can not operate in another one
  • the Home Regulator is a company’s main regulator, and the presumption is that they take the decisions re authorisation across all jurisdictions, and ensure that Host Regulators don’t create moats
  • there is a well defined escalation process in case of conflict, starting at the EBA and ending at the CJEU which — importantly — supersedes all national courts within its area of competence

All of this together means that companies who are based in one member state working on innovative payment services will be able to quickly and efficiently roll them out across the entire EU.

So what about Brexit?

So what happens if the UK leaves the European Union? Brexiteers suggest they can simply transpose all EU law into national law (most of it has been transposed anyway) and things will go on as before. This is of course not true — a bit like leaving your football club and playing football alone following all the game’s rules, this is just not the same.

To start with the things that can possibly be addressed: European law is a highly interconnected system of EU directives and regulations, as well as lower level regulations issued by agencies like the EBA. Directives rely on each other to work, and if some are revoked or changed the whole thing might fall apart. To give an example, PSD2 relies on a number of consumer regulations, eg one that allows customers to sue a company in their usual country of residence as opposed to the country where the company is based. Whilst inconvenient for companies, this means that customers are certain that, if things go wrong, they can go down the legal path with a local company the same way they could with a foreign one. Without this provision, using a foreign company’s services might be significantly less appealing, especially in sensitive areas like payments. Because of the interconnectedness it is difficult to foresee in detail what happens if local regulations are unilaterally changed — unless extreme care is taken by the implementing country (and the EU is satisfied that this is indeed the case) there is a risk that regulations become inconsistent over time (there is also the obvious issue of dealing with updates, and lower level regulation like that created by the EBA).

More importantly however, EU law defines institutions and processes for cross-border adjudication:

  • if local regulators disagree they can go to the EBA, and ultimately to the CJEU to address their differences
  • if countries implement directives badly this can be addressed either at the Commission level or ultimately through the CJEU
  • customers can address issues in their local courts, and can rely on judgements being enforced in the home country of the company, again ultimately relying on the EU

It is this reliance on pan-European institutions that any unilateral approach simply cannot replicate. As a French customer, if I am using a UK PSP that happens to be allowed to connect to my bank, then in case things go wrong I can’t be sure that I can sue them in France, and even if I can sue them in France, I cannot be sure that the judgment is upheld in the UK. This might not be an issue in single cases, but consider what happened in the financial crisis with the UK and Iceland: imagine a UK PSP becomes pretty big, and due to bad regulatory oversight and/or simple incompetence it causes major damage to say the French payment system — what is the recourse against the company (and possibly its regulator) given that UK courts do not recognise the superiority of the CJEU?

So ultimately, the best decision the EU can take after Brexit to avoid those situations is to simply require PSPs operating in the EU to do so via an adequately resourced subsidiary that is based and supervised in the EU. That is not a catastrophe, but in particular for a start-up it can be a significant issue because their regulatory workload might double, they need to deal with at least two adequately resourced subsidiaries in two different countries and — in the worst case — will have to develop different technology for different markets because regulators can’t agree, and there is no mechanism making them agree.
