What is PSD2?
PSD2 replaces the original Payments Services Directive, taking into account the huge developments in online payments, financial services and the use of customer data, many of which fall outside the scope of the original rules. The new directive aims to provide a framework for the many new players in the market, giving customers more choice and control over how they manage their money, while ensuring their security is protected.
What are the main changes?
Under the new legislation, banks will lose their monopoly on customer accounts information and payment services, as they’ll be required to give third-party providers access to customers’ details – where the customer has authorised them to do so. This means that from January, banks will be opening up their application programme interface (API) to communicate with third party providers, enabling them to access the customer data they need.
PSD2 has also identified two types of third party providers in this new financial ecosystem; namely AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers). An AISP is any business that uses a customer’s account information to aggregate their financial information in one place, to help them track their spending or plan their finances. A PISP is any company that initiates online payments on behalf of the user, offering an alternative to the use of a card or online banking.
Under PSD2 any company offering either of these services must be registered, licensed and regulated at an EU level, as well as abiding by a number of security requirements, including:
- All internet transactions will require at least two of the following:
- Something only the user knows, e.g. a pin or password
- Something only the user has, e.g. a payment card
- Something the user is, e.g. a unique fingerprint
- Something only the user knows, e.g. a pin or password
- Remote transactions, for example via mobile, will require an extra level of security in the form of a unique authentication code.
What does PSD2 mean for fintech?
On the one hand, PSD2 is revolutionary for fintech, opening up a whole host of opportunities to muscle in on the banks’ territory, with innovative new services to tempt their traditional customers. But, on the other, the onus is on these businesses to abide by the rules set out in terms of security and consumer protection - with serious repercussions if they don’t.
What are the risks?
Handling customers’ payment and financial information is sensitive territory and if anything goes wrong, the fallout could be significant. In the case of PISPs in particular, there is the possibility that a payment could accidentally go through without the authority of the customer, a payment could be carried out incorrectly, or worst-case scenario, cyber criminals or fraudsters could access a customer’s payment details and steal their cash.
If this happens, providers have an obligation to rectify the situation and refund any money to the customer, via their bank, within 72 hours. As a result, the PSD2 legislation requires that PISPs and AISPs have a specific type and level of professional indemnity and cyber insurance cover, to ensure they can honour their responsibilities, which means getting this sorted soon is essential.
In many ways, PSD2 is the revolution that fintech businesses have been waiting for, removing a lot of the barriers to innovation and expansion that previously existed. Just make sure you understand and prepare thoroughly for the risks that accompany the changes, to guarantee you’ll make an impact for the right reasons.
About Digital Risks
Digital Risks is a specialist insurance provider that focuses 100% on the needs of digital businesses. As a fintech specialist, we’ve worked with one of the leading providers in the market to build a specialist PSD2 policy, to meet regulatory requirements and give you the peace of mind that you’ll be protected.
