PSD2: Safer and More Secure Payments
PSD2 is an EU directive governing payment services in the internal market. It aims to facilitate increased competition in the payment service market, promoting innovation, enhancing the security of online payments and access to accounts. Furthermore, it improves the interaction between different types of actors and further harmonizing EU regulatory frameworks. PSD2 empowers businesses as well as individuals availing banking services to make use of third-party services to manage their finances.
In simple words, as long as a user consents, third party companies will be able to provide them services which previously only banks were able to. Banks are obligated to provide access to their customers account through open APIs to these third-party providers. The result will be the competition in the financial sector will not just be limited to bank sector rather open to all financial service providers.
PSD2 is bound to fundamentally change the payments value chain, the use of account information, introduce a variety of business models and enhance customer expectations. With this new directive, the European Commission looks forward to taking innovation, strengthening customer protection and enhancing security in account access and online payments.
With PSD2, European Commission introduces two new types of players in the financial landscape: AISP and PISP
Who can benefit from PSD2?
PSPs (Payment service providers) who provide the software through which a customer can access aggregated information from multiple online accounts that they hold, often with different banks.
The activities of PISPs and AISPs were previously unregulated and their inclusion in PSD2 ensures that they are now subject to certain security, risk management and transparency requirements under the regime. The changes introduced by PSD2 also mean that banks (or other payment institutions that operate and manage a customer’s bank account) are now required to provide PISPs and AISPs with access to a customer’s online payment account, so as to provide them with the same functionality (in respect of PISPS) or account information (in respect of AISPs) as would be available to the customer.
Account Information Service Providers (AISP)
An AISP is a firm which uses customer’s account information to study patterns of spending and investments to develop new services for them. AISP firms in general have no co-relation with the banks. However, as a customer one can grant access to account information to these third-party developers. The information AISP firms collect can be used to offer advice on other ways of using funds to generate income.
The benefits of AISP comes into play when a customer applies for a loan. In general banks takes 3–4 weeks to check your creditworthiness, but with AISP in play, the bank can access a customer’s entire transaction history and analyze the creditworthiness far more quickly. As a result, loan applications process becomes more simplified and can be speed-up easily.
Payment Initiation Service Providers (PISP)
A PISP (Payment Initiation Service Provider) can initiate payments directly from banks on behalf of customers. There will no longer be the need of payment gateways as online payments to e-merchant or other beneficiary’s account will be made directly from the payer’s bank account. In case of more than one bank account, the customer can opt from which account the money needs to be deducted.
PISP will make online transaction safer as the sensitive information would no longer be logged into payment gateways. A customer can also use PISP to pay for products and services available at brick and mortar stores that has agreement with their preferred PISP.
As PISP are not regulated by banks or other financial services, PISP’s are free to make agreements with businesses that will benefit their customers.
Known PISP’s in the European Region are:
— In Norway: Vipps
— In Sweden: Swish
— In Denmark: MobilPay
General Data Protection Regulations (GDPR)
The issue of personal data, and more specifically data protection, has become a burning one of late — not least in the wake of the Facebook data scandal.
General Data Protection Regulations aka GDPR are a set of regulations developed to protect the privacy of the citizens of European Union. The clauses in the regulations define what comes under “personal data” so the businesses across EU know which data needs to be protected. Also, how the information will be collected, stored and distributed in and outside the European region is defined.
In global economy, GDPR is bound to impact the lending business. Lenders who collect in the EU region (the “data controller”) as well as any company with whom the lender shares customers’ personal information (the “data processor”) are bound to be impacted by GDPR. The” data processing group” is spread to vendors like technology partners, data processors, credit scoring agencies, payment gateways located in EU as well as countries like US, Russia and South America. Any non-compliance on the part of data processing group shall be a responsibility of data controllers.
The significance of GDPR for any organization handling personal data is significant. The regulation impacts across a business, from strategic decision making and governance through to marketing and customer communications.
One of the major issues for lending businesses is the fact that GDPR at places simply talks about general guidelines without specific detail implementation. For example, the GDPR asks lending companies to provide a “reasonable” level of protection to the consumers however, the term “reasonable” is not defined.
In general, complying with the Data Protection Act 2018, which implemented GDPR is an ongoing responsibility and one which many lending firms are finding challenging. A large number of mid-size lenders are looking to outsource services like cyber safety and regulatory compliance management. Some firms even leverage from Logging-as-a-service (LaaS) platforms with built-in compliance and cyber security features. The benefits of LaaS platforms are that they are upgraded regularly according to the change in rules and regulations of the banks, helping lending platforms to adapt easily to the GDPR regulations.
