While the European General Data Protection Regulation (GDPR) took most of the headlines in 2018, a lesser-known piece of European legislation known as PSD2 (the Second Payment Services Directive) also came into force last year.
Here, we will take a look at what PSD2 is, what it means for SMEs and how you could benefit from it.
What is PSD2?
PSD2 came into force in January 2016. However, member states in the European Economic Area (EEA) were only required to implement it into law in January 2018.
PSD2 is intended to:
- Increase competition in the financial services sector.
- Protect consumers and businesses.
- Increase the range and quality of services that financial services companies can offer with the goal of helping consumers and businesses make better financial choices.
Unlike GDPR, PSD2 does not directly affect most businesses. It mainly refers to financial institutions like banks and building societies, as well as payment service providers (PSPs) – companies that enable merchants to take payments via credit or debit cards and have that money transferred to their bank. If you’ve ever bought or sold something online, you’ll be familiar with PSPs like PayPal, Worldpay, Sage Pay, or Apple Pay.
Importantly, PSD2 lets bank account holders choose whether and how their banks share information with trusted third parties. Expect to see new companies offering services that help you analyse and manage your finances. This also means that merchants (online stores, for example) could take payments directly from your bank account rather than going through an intermediary PSP or card provider (like Visa or Mastercard).
Under PSD2, PSPs are required to apply stricter checks, known as strong customer authentication (SCA), to certain transactions to reduce fraud. You may have seen these introduced by your card providers or banks in the past year when you shop online or use mobile banking. Although the deadline for SCA was set at 14 September 2019, an announcement from the European Banking Authority has given member states the freedom to extend their implementation periods in light of the technical complexities of implementing such checks.
How can PSD2 benefit my small business?
PSD2 enables payment service providers to develop new services to help consumers and small businesses. While these services are not specified in PSD2, the improved ability to exchange information makes several scenarios possible.
Better financial insight
Businesses that hold accounts with more than one financial institution could allow trusted third parties to access all their account data and present it on one screen with detailed insights into financial performance.
The natural progression from this is the integration of your business bank account data with other administrative systems. This could be your own accounting software, your e-commerce platform, your enterprise resource planning (ERP) system, or your customer relationship management (CRM) system.
Safer, simpler payments
PSD2 could be good news for small businesses that take payments from consumers online. Stronger authentication is set to lower the number of fraudulent transactions. According to UK Finance’s Fraud the Facts 2019 report, fraud losses on UK-issued cards reached £671.4 million in 2018. That’s 19% higher than the £565.4 million losses recorded in 2017.
Merchants could also reduce the cost of payments by routing them directly between a customer’s bank and their own. This would bypass traditional card and payment providers, who currently take a small percentage of a sale.
Do I need to do anything to comply with PSD2?
For most small businesses outside of the financial services industry, the answer is no. But you should be aware of SCA changes.
If you take online payments, you will need to ensure you have the appropriate controls in place to accept payments where the payer uses strong customer authentication (SCA). As mentioned above, the new deadline for SCA controls is still up in the air. It’s a complex field, with governing authorities, media, PSPs and banks all offering advice. Barclaycard and Visa have both produced useful preparation guides. Merchants should investigate 3-D Secure 2.0 – a protocol that complies with SCA and one that many PSPs are already adopting.
What are the risks?
While there are many benefits to PSD2 for SMEs, the main risk lies in the expansion of the pool of entities that could access your company’s financial data. Third parties must be approved to operate in this area, and you must always give explicit and detailed consent about the data you’re willing to share, but PSD2 represents a fundamental shift in how we share financial information. Protecting your sensitive information is vital.
UK Finance has produced an FAQ guide covering PSD2 and its implications for data protection.