Payments Europe’s response to PSMEG questions on the policy options for the review of PSD2
- PSD2 has been instrumental in the development of a framework for safety and security and in fostering competition and innovation in the payments market. Its revision provides an opportunity to ensure the Directive is both up to date and future-proof.
- Payment processors, operators of payment systems and schemes should be out of the scope of the reviewed PSD, as strong global rules for the supervision and oversight of these services already exist outside of PSD2 and any duplication might create inefficiencies.
- An SCA framework that allows and encourages PSPs to select the best combination of authentication methods and technologies is essential, and will allow the market to reach the best result through an outcome-based approach. Flexibility will also support the prevention of financial and digital exclusion.
- Payments Europe fully supports the ongoing efforts on the current Open Banking and upcoming Open Finance Framework. The framework should focus on incentivizing the development of high-quality APIs and promoting competition and innovation in the payments market.
- Payments Europe supports moving Account Information Providers into the upcoming Open Finance framework but highlights the importance of regulatory convergence as the two frameworks are being developed.
On scope and coverage
It is important to recognise that the European payments market has changed significantly in recent years, and since the entry into force of the second Payment Services Directive (PSD2), many new providers and services have come to market. The functioning of the market is of utmost importance and we support the ongoing assessment that (certain) new services or providers need to be captured under PSD2.
As part of that assessment, we believe it is important to understand what issues have been identified with certain entities as well as what existing regimes are in place beyond PSD2 to manage these.
Payments Europe believes that payment processors, operators of payment systems and schemes do not need to be in scope of PSD2. A robust and globally agreed basis for the supervision and oversight of these services already exists today outside of PSD2, known as the Principles for Financial Market Infrastructures (“PFMIs”), which have been designed and implemented in Europe with international payment processors, operators of payment systems and schemes in their scope. Additionally, central bank oversight and the recently adopted PISA framework play a critical role in strengthening supervision.
Any treatment of these activities under PSD2 should not duplicate these existing, well-functioning supervisory and oversight processes, in order to avoid inefficiency and additional complexity that could undermine the smooth functioning of payment systems operating across the EU.
Additionally, any extension of PSD2 should preserve the ability of unregulated group affiliates of a regulated PSP to provide intragroup services to the PSP to support its regulated e-money and payment services. This is because such arrangements are already subject to sufficient regulatory oversight under outsourcing requirements (including the EBA Guidelines on outsourcing), and PSPs need the flexibility to support technical functions from group affiliates without such affiliates having to apply for separate regulatory authorisations.
On measures for fraud prevention
Over the last year, new and evolving fraud and cyber threats have entered the global payments ecosystem. Fraudsters continue to innovate upon known threats such as ransomware, payment account enumeration, insider threats, and digital skimming, while cultivating new strategies to conduct fraud and payment ecosystem attacks. Emerging payment channels, such as cryptocurrency, continue to prove an attractive target for threat actors, and as acceptance within such channels increases, so too does the opportunity for threat actors to capitalize on the payment volume through fraud attacks.
Fraud resulting from social engineering is an issue that goes far beyond the strict remits of the payment industry, and is not always under PSPs’ control as the transactions are authorised by the consumer. We believe that immediate refunds will not reduce fraud, nor prevent it from happening, and other options should therefore be considered to combat it. As a cross-sectoral issue, action and coordination among all parties should be explored.
We also believe that strong educational campaigns should be promoted by the EU Commission, as social engineering could be better prevented by educating the public to encourage more cautious behaviour.
While IBAN verification could be a helpful tool to reduce fraud, it would not solve all the issues. We would recommend that the industry be left to decide how to implement this measure rather than having prescriptive rules around it.
On recommended measures on SCA
European regulators should enable the full use of innovative fraud prevention and authentication tools to allow payment service providers to stay ahead of fraudsters while improving customers’ experience and adapting to their different needs.
Payments Europe believes it essential to have an SCA framework that allows and encourages PSPs to select the best combination of authentication methods and technologies. In this regard, we believe that the best results are achieved through an outcome-based approach.
A flexible approach also supports the prevention of financial and digital exclusion. Indeed, the percentage of digitally excluded people is still relatively high. Thus, it is important to have some flexibility to use alternative authentication options that can be made available to more vulnerable consumers. For instance, when an inclusive two-factor authentication solution is required for consumers who do not use mobile apps or biometrics, the optimal mainstream inclusive solution, considering all options currently available, would be a combination of Behavioural Biometrics and OTP. Giving PSPs the flexibility to design and use the combination they deem appropriate would allow them to tailor better solutions and ensure financial inclusion.
On transactions to be explicitly excluded from SCA
Merchant Initiated Transactions (MIT): MITs are transactions of a fixed or variable amount and fixed or variable interval, governed by an agreement between the cardholder and merchant that, once set up, allows the merchant to initiate subsequent payments from the card without any direct involvement of the cardholder. As the cardholder is not present when an MIT is performed, cardholder authentication is not possible. We therefore recommend that SCA not be extended to MITs. SCA for MITs would have a negative impact on a range of business models and lead to significant inconvenience and friction for consumers. We would support confirmation in the Level 1 text that MITs are out of scope of SCA requirements and that SCA would only be required for setting up the mandate.
We also believe that further clarity would be beneficial to ensure the correct use of MITs and to avoid transactions that are in reality Customer Initiated Transactions (CITs) being incorrectly treated as MITs.
A transaction can only be an MIT if the cardholder is not available at the point of interaction, whether physical or online, to (i) initiate or (ii) authenticate the transaction. If the consumer is available to initiate or authenticate at the time the transaction is initiated, the transaction should not be considered an MIT and should therefore be subject to SCA unless an exemption applies. This should be the case regardless of whether the transaction is processed at that exact moment or later in time. A consumer is available to initiate or authenticate if they are physically present at the merchant’s point of sale or, in the case of a remote payment, interact with the merchant’s webpage or app.
Mail Order and Telephone Order transactions (MoTo): MoTos have legitimate use cases and, because of their nature, cannot be treated from an authentication point of view in the same manner as SCA-subject transactions. It is necessary to clarify that card payments and bank transfers are both ‘electronic’ when used via the internet or other digital systems, and that they are not electronic when payment details are delivered via non-electronic means such as MoTo. All payments can be MoTo if used via a non-digital channel, and no distinction should be made between cards and other forms of payment. Indeed, if the payment information is communicated via a non-electronic channel, the payment information could be card credentials or bank details, without the use of the physical card or chip and the internet. We agree that when purchases or bookings are initiated via the internet, these transactions are not MoTo transactions and are not out of scope, even if the merchant subsequently keys in the payment details manually.
We would therefore suggest an amendment to recital 95 of the PSD2 to ensure the regulation does not favour one payment method over another, allowing for those transactions initiated by mail orders or telephone orders to be considered out of the scope.
On a common EU API mandatory standard
Payments Europe does not support an API mandated by regulation. While standardization of data and APIs is important to consider in supporting the development of open banking and finance, different approaches to standardization may be appropriate for different aspects of open finance, depending on the use case. Certain initiatives, such as the “Berlin Group”, help in driving a certain degree of harmonization.
Any API requirements should be outcome-based and flexible in order to adjust to changing market needs and availability of technologies, allowing market players to implement APIs in a way suited to their technical capabilities and resources.
An open finance framework should focus on incentivizing the development of high-quality APIs and promoting competition and innovation in the market. The European Commission should explore the possibility of defining security and performance criteria, allowing for performance measuring and ranking of APIs.
On dedicated interfaces
Any framework should focus on incentivizing the development of high-quality APIs and promoting competition and innovation in the market. The European Commission should explore the possibility of defining security and performance criteria, allowing for performance measuring and ranking of APIs.
On API compensation
We believe that compensation by third parties, at a reasonable return, for making data available should be allowed. This has to be perceived as an investment in collecting and structuring the data, as well as ensuring the right incentives for industry stakeholders to operate within the legal framework and develop multilateral commercial and contractual structures. We recommend leaving the development of this compensation model to industry-led initiatives such as the SEPA Access Account scheme.
Transfer of AIS to the upcoming open finance framework
Payments Europe believes that it would be preferable for Account Information Services (AIS) to be taken out of PSD and covered under a separate Open Finance Framework. If this is pursued, it would be of utmost importance for the regulator to ensure that there is no divergence in regulatory requirements between AIS and PIS, which would remain under PSD, as this would undermine the development of Open Banking and stifle innovation. As the underlying infrastructure for AIS and PIS is currently largely the same, having different rules would pose significant implementation challenges going forward. In addition, as PIS and AIS propositions are largely provided and/or enabled by the same companies, a different set of rules would increase overall costs and operational complexity.