Every two months, CEO of Online Payment Platform and president of the Verenigde Betaalinstellingen Nederland (VBIN) Maurice Jongmans, is writing an article for Emerce. As a payment innovator, he wrote an article about one year of PSD2 in the Netherlands. Is this the calm before the storm?  

 

During my talk at Platform Day 2019, I discussed the impact of the revised European Payment Service Directive 2 (PSD2), which was converted into the Dutch legislation. Its expectations in Europe and the Netherlands are high. Speculations about the new truth were arising in the world of finance (banks and Fintechs). Do banks still have 'the right to exist'? Is the consumer still in control of sensitive personal details? What will the Big Five do (the largest BigTech players Apple, Google, Facebook, Amazon and Microsoft)? The foundations in the financial world are shaking and big changes were expected.

A year has already passed and up to now, the water surface is only showing off a small ripple. Is there no big change? Or is this just the calm before the storm?

 

PSD2

The PSD2 legislation provided several fundamental changes.

1. Regulations for payment institutions were sharpened with extra rules and awareness for IT security requirements, IT risk management and reporting in the case of incidents.

For existing payment institutions, this meant modifications in their organization and procedures, which had to be informed with the Dutch Central Bank (DNB) and concluded before February 2019. These dates ensure that the existing payment institution license will be converted to a new PSD2 license at the commencement date of PSD2. This process was concluded successfully and so far known, all payment institutions obtained a new PSD2 license. 

A large impact for payment institutions, but the consumer or entrepreneur will only notice the slightest.

 

2. The scope of the directive has included trading platforms.

Where trading platforms or marketplaces did not previously fell within the scope of the directive, PSD2 adjusted the scope of the legislation. This includes trading platforms that process third party funds to comply with PSD2, as well as outsourcing payments to a platform Payment Service Provider (PSP). Meanwhile, we already detected motion in the industry such as platforms switching to PSD2 licenses (like Uber and Thuisbezorgd) and other platforms are outsourcing payment processes to Payment Service Providers.

Despite the 1-year anniversary of PSD2, many platforms are still not aware of their obligations and can expect enforcements from the DNB. The first warnings on these issues have already been sent.

A large impact for trading platforms and marketplaces, but the consumer or entrepreneur will only notice the slightest.

 

3. Strong Customer Authentication(SCA) became mandatory.

SCA implies that access to payment services requires extensive security from the identity of the user. With SCA, you must secure that the payment transaction is performed by the authorized owner of the account or credit card. SCA means: an authentication based on using at least 2 out of 3 available elements: something you know (password or pin), something you own (telephone or card), and something you are (fingerprint or facial recognition) 

For many payment processes this was already available, such as paying with debit card, logging in with a reader or an app with facial recognition on your (registered!) phone. But especially in the world of creditcards there is a poorly arranged authentication process. You often pay with the card details, which is not sufficient. However, the implementation period for SCA of only 9 months was too short for all parties to implement changes. Therefore, Europe provided a postponement for the SCA on credit card payments until the end of 2020.

From this year on, consumers must authenticate credit card payments with SCA elements. For example, by using a temporary code from a (registered!) app on a phone. Entrepreneurs must adapt their systems to SCA. Entrepreneurs that make use of a Payment Service Provider (PSP) may assume that these will cover all necessary adaptations. 

 

4. Payment Initiation services are new.

PSD2 welcomes two new payment services (with corresponding licenses). The first one is payment initiating (Payment Initiation Service – PIS). In short,  banks must allow third parties with a license to initiate payments (or series of payments) on behalf of the account holder. The account holder then assigns a PIS to perform a payment. All European banks must provide free access to the account, preferably with an API key (technical link).

With PIS, new parties can develop payment methods or you can for example use Google to perform a payment (if they have a license for PSD2).

However, in the Netherlands this is still very rare and so far, very little is happening. This has several causes. Firstly, the licensing procedure is heavier than initially foreseen. To date, the DNB provided only a handful of licenses for PIS (which is explained later). Eventually, Online Payment Platform performed the first PSD2 payment together with iDEAL on August 29th, 2019, by planning a single payment. This was executed in a private group but the first pilot for the general public is scheduled for the end of March. There are many opportunities to be found for entrepreneurs (scheduled payments, recurring payments, initiating multiple payments at once) but the demand is still limited. 

 

5. Account Information Services are new.

The second new service enabled under PSD2 is account information  (the Account Information Services – AIS). This service allows the accountholder to provide access to his bank account transactions to a third party. The AIS provider can process these transactions afterwards and show these to the user. This service is suitable for financial records, household books, cash books or budget schemes. However, with this service, sensitive and personal information will be shared causing discussions regarding privacy. 

A good example of this service is Peaks (investing with your spare change).

Furthermore, it is noticeable that banks are mutually using this new service by showing account information of other banks in their own bank environment. You can now add your ABN AMRO and BUNQ account at Rabobank , ABN AMBO introduced this as 'Multi-Banking' (with Rabobank, ING, and the Volksbanken brands). Information about the number of users linking their other bank is still lacking.

 

Licenses

As consumer and entrepreneur, we are seeing very little of PSD2. To get an idea of what we could expect, I analyzed the current position of licenses at the website of DNB.

First of all, when applying for a PSD2 license in another European country, it is relatively simple to register in other EEA countries, enabling you to offer the same services. In the register of DNB, various parties are currently displayed. But for now, there are no parties that offer services solely focused on the Netherlands. An invasion of other European Fintechs seems unforthcoming.

In addition, the large BigTechs in Europe have a license for payments. Meanwhile, Apple Pay entered the Netherlands but is still making use of existing payment systems. Apple is a big success in the physical world, but online (eCommerce) it is barely being used. I do, however, expect a large increase in online usage. The strength of Apple Pay is in user friendliness. Other fintechs are still quiet.

Still remaining are the specific Dutch licenses. As there are only a handful of them, I clarified them below:

Bizcuit – Financial administration for entrepreneurs. (PIS and AIS)

Cobase – Central bank services for entrepreneurs. (PIS and AIS)

Dyme – A clear overview of all fixed costs for consumers. (AIS)

Floryn – Business credit without hassle. (AIS)

Online Payment Platform – Payment services for platforms and marketplaces. (PIS and AIS)

Huishoudboekje.nl – Aggregating consumer transaction data. (AIS)

MoneyMonk – Online bookkeeping for people that are self employed. (AIS)

Peaks – Investing with your spare change. (PIS and AIS)

Twinfield – Online bookkeeping. (AIS)

In order to make PSD2 a success and see innovative services enter the market, there is still much to be done. It will not be a storm raging unexpectedly. Let's see if 2020 allows for some wind to blow.

 

Is my platform required to have a PSD2 license?
Download the infographic for clarification on which category your platform is in.
Download decision tree