Overview#The revised Payment Services Directive (PSD2) is a European Union directive adopted in 2015 that applies across the EU and is likely to result in a large increase in the number of Application Programming Interfaces (APIs) for banking products.
Making financial organizations programmable will significantly change the engagement model for accessing a consumer's account.
What is less clear is how this will affect consumers themselves, including their level of access to data that in theory they own, and their ability to use that data in any way they see fit. The directive allows customers, both consumers and businesses, to use third-party providers to manage their finances. In the near future you may use Facebook or Google to pay your bills, make P2P payments and analyse your spending, while your money stays safely in your existing bank account. Banks are obliged to give these third-party providers access to their customers' accounts through open APIs, which lets third parties build financial services on top of banks' data and infrastructure.
Banks will no longer compete only against other banks, but against everyone offering financial services. PSD2 will fundamentally change the payments value chain, which business models are profitable, and customer expectations. Through the directive, the European Commission aims to encourage innovation, reinforce consumer protection and improve the security of internet payments and account access within the EU and EEA.
Payment Services Directive describes the following types of players within Payment Transaction landscape:
- Payment Service User (PSU)
- Account Information Service (AIS)
- Payment Service Provider (PSP)
- Payment Initiation Service (PIS)
- Third Party Payment Service Provider (TPP)
- Payment Initiation Service Provider (PISP)
- Account Information Service Provider (AISP)
- Account Servicing Payment Service Providers (ASPSP)
First, third-party access to customer data may be given only with the explicit consent of the customer. It is the responsibility of the third-party provider to ask for specifically scoped access (for example, read-only access to account transactions) on behalf of the customer.
Second, PSD2 mandates that data not be used, accessed or stored for any purpose other than the service the user explicitly requested. These requirements are similar to those under the General Data Protection Regulation (GDPR), but gain an additional legal basis by being in PSD2.
To grant that access, the user authenticates with the bank using two-factor authentication; the bank then provides the client application with a unique, time-bound access token. The client app uses this token to make calls to the bank on behalf of the user.
Generally, these access tokens are bound to a single account of a user and are valid for a relatively long period (up to 30 days, for example). Because the token is long-lived, the bank's API should re-check its scope, account binding and expiry on every call, and the user should be able to revoke the consent before it expires.
The end user authenticates to the bank and grants the app access to carry out the transaction via a two-step verification on the bank's site:
- The user is shown a consent page from the bank, where the user logs in with a customer ID and password
- The bank then asks the user to confirm with a one-time password (OTP) sent to the user's registered mobile number
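As an added example (not part of the original page and not the API of any bank, PSD2 standard or third-party provider), the following Python model walks through the consent flow described above: the user logs in and confirms an OTP, the bank issues an access token bound to one account with an explicit scope and expiry, and the bank's API refuses calls that replay the OTP, reference a different account, exceed the granted scope (a read-only AISP token trying to initiate a payment), or arrive after the token's lifetime. The class and method names, the scope strings such as `transactions:read`, and the sample customer data are assumptions made for illustration only.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data: one customer with two accounts. The password is
# plaintext only to keep the model short; a real ASPSP would store a hash.
CUSTOMERS = {"cust-1001": {"password": "pa55word", "accounts": {"ACC-1", "ACC-2"}}}
SCOPES = {"accounts:read", "transactions:read", "payments:write"}  # assumed names


@dataclass(frozen=True)
class AccessToken:
    value: str          # opaque bearer secret handed to the client app
    customer_id: str
    account_id: str     # the token is bound to exactly one account
    scopes: frozenset
    expires_at: float   # Unix time after which the token is rejected


class Bank:
    """Toy ASPSP: login + OTP, scoped token issue, and a guarded API."""
    def __init__(self, token_lifetime_s=30 * 24 * 3600, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._lifetime = token_lifetime_s
        self._pending = {}           # session id -> (customer_id, otp)
        self._tokens = {}            # token value -> AccessToken

    def login(self, customer_id, password):
        """Step 1: the bank's consent page checks customer ID and password."""
        record = CUSTOMERS.get(customer_id)
        if record is None or not hmac.compare_digest(
                record["password"].encode(), password.encode()):
            raise PermissionError("bad credentials")
        session = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"   # would be sent by SMS
        self._pending[session] = (customer_id, otp)
        return session, otp   # OTP returned only so the example runs offline

    def issue_token(self, session, otp, account_id, requested_scopes):
        """Step 2: verify the OTP once, then issue a scoped, account-bound token."""
        customer_id, expected = self._pending.pop(session, (None, None))
        if customer_id is None or not hmac.compare_digest(expected, otp):
            raise PermissionError("OTP check failed")
        if account_id not in CUSTOMERS[customer_id]["accounts"]:
            raise PermissionError("account not owned by customer")
        scopes = frozenset(requested_scopes)
        if not scopes <= SCOPES:
            raise ValueError("unknown scope requested")
        token = AccessToken(secrets.token_urlsafe(32), customer_id, account_id,
                            scopes, self._clock() + self._lifetime)
        self._tokens[token.value] = token
        return token

    def _authorize(self, token_value, account_id, scope):
        """Every API call re-checks existence, expiry, account binding and scope."""
        token = self._tokens.get(token_value)
        if token is None:
            raise PermissionError("unknown token")
        if self._clock() >= token.expires_at:
            raise PermissionError("token expired")
        if token.account_id != account_id:
            raise PermissionError("token not bound to this account")
        if scope not in token.scopes:
            raise PermissionError(f"scope {scope} not granted")

    def get_transactions(self, token_value, account_id):
        self._authorize(token_value, account_id, "transactions:read")
        return [{"amount": -12.50, "ref": "coffee"}]   # constructed sample

    def initiate_payment(self, token_value, account_id, amount, payee):
        self._authorize(token_value, account_id, "payments:write")
        return {"status": "accepted", "amount": amount, "payee": payee}


def _outcome(attempt):
    try:
        attempt()
        return "allowed"
    except PermissionError as err:
        return str(err)


def run_demo():
    clock = {"now": 1_700_000_000.0}
    bank = Bank(clock=lambda: clock["now"])
    session, otp = bank.login("cust-1001", "pa55word")
    token = bank.issue_token(session, otp, "ACC-1", ["transactions:read"])
    results = {"read_ok": len(bank.get_transactions(token.value, "ACC-1"))}
    results["otp_replay"] = _outcome(
        lambda: bank.issue_token(session, otp, "ACC-1", []))
    results["other_account"] = _outcome(
        lambda: bank.get_transactions(token.value, "ACC-2"))
    results["payment_with_read_token"] = _outcome(
        lambda: bank.initiate_payment(token.value, "ACC-1", 10.0, "payee-1"))
    clock["now"] += 31 * 24 * 3600        # jump past the 30-day lifetime
    results["after_expiry"] = _outcome(
        lambda: bank.get_transactions(token.value, "ACC-1"))
    return results
```

Running `run_demo()` shows the single read on the consented account succeeding and every other attempt refused with a distinct reason. The design point is that consent is enforced at the resource, on every request, rather than only at issue time: the token carries the account and scopes it was granted for, and the lifetime is a hard ceiling that the bank checks against its own clock, not a value the client can extend.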
More Information#There might be more information on this subject on one of the following pages:
- Account Information Service Provider
- Account Servicing Payment Service Provider
- Open Banking
- Payment Initiation Service Provider
- [#1] - http://ec.europa.eu/finance/payments/framework/index_en.htm - based on information obtained 2016-07-12
- [#2] - PSD2 - the directive that will change banking as we know it - based on information obtained 2017-04-03