The PSD2 regulation has profoundly changed the world of banking and payments. Policy expert Dr. Dirk Haubrich, Head of Conduct, Payments and Consumers at the European Banking Authority, gives us his feedback on the successes of PSD2 as well as the improvements to be made, and sheds light on the EBA's recommendations for the PSD3 directive in preparation.
What is your assessment of PSD2 and its impact?
The PSD2 has been a paradigm shift for the regulation of payment services. It introduced for the first time in EU law detailed security requirements, in particular the requirement to apply two-factor strong customer authentication (SCA) for the initiation of electronic payment transactions and for accessing payment accounts online. It also laid the foundations for the concept of open payments and open banking, by bringing into the scope of regulation two new payment services that are based on access by third party providers to customer data held primarily by credit institutions, namely payment initiation services (PIS) and account information services (AIS). The Directive also had an explicit competition-enhancing objective by regulating services that are provided by legal entities that operate as competitors to incumbent credit institutions. And then there are PSD2 objectives such as facilitating innovation, further enhancing a single EU market for retail payments, and enhancing customer convenience.
This directive has therefore been uniquely ambitious and, thus, also challenging for a supervisory authority like the EBA, because some of these objectives are mutually contradictory and require regulatory requirements to make difficult trade-offs between these competing demands.
However, we are satisfied that many objectives have materialized in a significant way. For example, the requirements on strong customer authentication (SCA) are having the desired effect of having significantly reducing fraud. This is evidenced in particular by our preliminary analysis of payment fraud data and the assessment of the SCA migration data for e-commerce card-based payment transactions, which suggests that fraud rates are 40-60% lower for payment transactions where SCA is applied compared to those where SCA is not applied. We are expecting these figures to improve further once we have completed our analysis more comprehensively later in 2023. In addition, data from the EBA’s central register under PSD2 reveals that more than 2700 PIs and EMIs, including 400 non-bank third party providers (TPPs), have been authorized or registered in the EU, thus contributing to the competition enhancing objective of the Directive.
Nevertheless, we are also of the view that there are some issues. The most important one is the continued obstacles that some AIS and PIS providers face when accessing payment accounts at some banks, and the often cumbersome journeys customers have to endure using the interfaces provided by those banks. This remains a priority for us to address in 2023, jointly with our national competent authorities as direct supervisors of those banks. We would want to see this issue addressed and also not repeated when the concept of open payments may be extended in EU law to other banking products or financial services more generally (open banking / open finance).