The PSD2 Directive on Payment Services updates the first EU Payment Services Directive published in 2007 (PSD1), which created a single market for payments at EU level. PSD2 is applicable from January 13, 2018, by which time member states must have adopted and published the measures necessary to implement it into their national laws.
PSD2 goes further by extending the scope of PSD1 to payments in all currencies, and to payments where only one provider is located in the EU/European Economic Area.
PSD2 defines a new group of actors, the Third Party Providers (TPPs) that are permitted to provide certain types of services connected to payments. Customers will be allowed to initiate payments at their financial institution via authorized TPPs, to whom financial institutions will be obliged to open up their application interfaces and data.
The retail payments market has experienced significant technical innovation since the introduction of PSD1 with a rapid growth in the number of electronic and mobile payment solutions as well as new types of providers and services.
Many innovative payment products and services have been introduced in particular in cards, e-commerce and mobile payments.
The main objective of PSD2 is to protect citizens and to control the development of these new services by:
PSD2 introduces two new types of TPPs: the Payment Initiation Service Providers (PISPs) and the Account Information Service Providers (AISPs).
A payment initiation service is defined as a service to initiate a payment order at the request of a Payment Service User (PSU) with respect to a payment account held at any bank in the European Union. Payment initiation services enable the PISP to give the payee the assurance that the payment has been initiated, so that the payee can release goods or deliver a service without undue delay.
An account information service is an online service that provides consolidated information on one or more payment accounts held by a PSU with another Payment Service Provider (PSP) or with multiple PSPs. These aggregators have been widely developed in Europe (Linxo and Bank’in in France, Tink in Sweden, Spiir in Denmark, Fintonic and Eurobits in Spain, Figo in Germany). In order to stand out, these platforms develop other valuable services such as personal finance management (budgeting and spending analysis) or document management (invoices, expense reports, etc.). The client is at the center of these new players' strategy, with the goal of improving the user experience through innovative and intuitive new apps.
Currently the AISPs and PISPs use the technique known as "web-scraping" to aggregate information from multiple banks.
"Web-scraping" is the extraction of website content by a script or program that reads the HTML code and transforms it so that it can be used in another context. This method is used, for example, by price comparison sites (trivago.co.uk, liligo.com).
In this case, a TPP asks the client (PSU) for the credentials used to log in to the bank's online banking application. It then feeds them into a program that acts as a robot, simulating the customer's login.
Web-scraping leads to several problems:
Through APIs, banks will make available certain features of their information systems accessible to external developers.
These APIs define constraints and an interface that will determine how, when and what other platforms will have access to.
Building an API does not mean that everyone will have uncontrolled access to your data; it just means that you provide them with a well-designed method to access particular items and services. You stay in control!
These APIs constitute a new channel for banks in the same way as websites and mobile. They will enable banks to generate new revenues based on the data provided.
PSD2 introduces two major requirements about security: secure connection with the TPP and strong customer authentication (SCA).
The bank must clearly authenticate the sender of the request, in other words check that the sender is who it claims to be. This will be achieved through the EBA register of TPPs and through certificate authorities called QTSPs (Qualified Trust Service Providers). The messages exchanged between the different entities must be encrypted. The bank must also check that the sender is authorized to access the customer data it requests.
PSD2 requires a strong or 2-factor customer authentication (2FA) using two or more elements out of the following three:
The elements must be independent of each other, so that a breach of one does not compromise the reliability of the others, and they must be designed in a way to protect the confidentiality of the authentication data.
The SCA will be systematically implemented for any request that doesn’t fall into the list of SCA exemptions.
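The two checks described above, as an added illustration that is not part of the original page or of the FRONTeO product: a bank-side gateway first verifies that the TPP's certificate chains to a trusted QTSP, that the TPP is listed as authorised in the register with the role the requested operation needs (AISP for account data, PISP for payment initiation), and then, unless the request is exempted, that the customer authenticated with two independent factors. The register snapshot, authorisation numbers, operation names and factor names are constructed; PSD2 itself defines the three factor categories (knowledge, possession, inherence).

```python
from dataclasses import dataclass

# Constructed stand-in for an EBA register lookup, keyed by the TPP
# authorisation number carried in its QTSP-issued certificate (assumed layout).
EBA_REGISTER = {
    "PSDBE-NBB-0001": {"roles": {"AISP", "PISP"}, "status": "authorised"},
    "PSDFR-ACPR-0002": {"roles": {"AISP"}, "status": "authorised"},
    "PSDDE-BAFIN-0003": {"roles": {"PISP"}, "status": "withdrawn"},
}
# Which PSD2 role each API operation requires (hypothetical operation names).
REQUIRED_ROLE = {"read_accounts": "AISP", "initiate_payment": "PISP"}
# The three PSD2 factor categories; the factor names themselves are constructed.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "otp_device": "possession", "fingerprint": "inherence"}


@dataclass
class TppCertificate:
    authorization_number: str
    chain_valid: bool   # True when the chain verified up to a trusted QTSP root


def authorize_tpp(cert: TppCertificate, operation: str) -> tuple:
    """Return (allowed, reason): is the sender who it claims to be, and may it do this?"""
    if not cert.chain_valid:
        return False, "certificate not issued by a trusted QTSP"
    entry = EBA_REGISTER.get(cert.authorization_number)
    if entry is None:
        return False, "TPP not found in register"
    if entry["status"] != "authorised":
        return False, "TPP authorisation is " + entry["status"]
    needed = REQUIRED_ROLE.get(operation)
    if needed is None or needed not in entry["roles"]:
        return False, "role %s not held for %s" % (needed, operation)
    return True, "ok"


def is_strong_authentication(factors) -> bool:
    """SCA needs two or more factors from distinct categories: two passwords count as one."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def admit_request(cert: TppCertificate, operation: str, factors, exempt: bool) -> tuple:
    """Gateway decision: authorised TPP and, unless an SCA exemption applies, SCA satisfied."""
    ok, reason = authorize_tpp(cert, operation)
    if not ok:
        return False, reason
    if not exempt and not is_strong_authentication(factors):
        return False, "strong customer authentication required"
    return True, "ok"
```

A real deployment would take the authorisation number and roles from the certificate's PSD2 qualified-certificate statement and query the live register rather than a static dictionary.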
Whatever the strategy chosen by the Bank, FRONTeO PSD2 is a complete solution for banks and other financial institutions participating in the PSD2 ecosystem.
By installing FRONTeO PSD2, the Bank benefits from all the advantages of an omnichannel platform, which facilitates the implementation of IT governance rules imposed by PSD2.
By choosing FRONTeO PSD2, you effectively meet PSD2 requirements and prepare for the future with an omnichannel suite ready for innovative services. As a specialist in Front Office solutions and interfaces with Core Banking, MAINSYS has a strong expertise in security management. FRONTeO PSD2 benefits from our strong experience in web and mobile security.
This platform offers a coherent approach to the implementation of an omnichannel strategy, at a controlled cost. Installed in several Belgian and French financial institutions, FRONTeO is a proven solution. It is based on the latest generation of Web technologies: Java, Ajax, SOA services, and more.
Independent of the Back-office solutions and quite modular, it allows a gradual introduction of the bricks of a global omnichannel architecture.
With MAINSYS, you have a unique partner, expert in fast integration of Front-Office solutions into complex IT landscapes.