Now that it has become clear that PSD2 has also entered into force for the Netherlands - as the last member state - as of February 19, 2019, we once again reflect on the introduction of two new payment services and the ban on surcharging introduced under PSD2. The latter ban, by the way, is relevant for all merchants. So it is a misconception that PSD2 is only relevant for banks and payment institutions.
co-author: Ate Bremmer
Payment account access
PSD2 introduces two new payment services:
account information services; these are provided by Account Information Service Providers ("AISPs"); and
payment initiation services; these are provided by Payment Initiation Service Providers ("PISPs").
These new payment services aim to promote innovation and competition within the European payments market.
AISP
An AISP may access one or more checking accounts, which the customer holds with one or more banks, based on the customer's express authorization (see below).
Based on the information obtained, the AISP must provide the client with a consolidated overview of the financial situation. In doing so, the AISP can, for example, categorize expenses, giving the client a better understanding of his spending pattern and financial situation (in effect, a digital housekeeping book). In addition to receiving consolidated account information, the client can, for example, grant permission to the AISP to use his data for other purposes as well. Consider a situation where the AISP's main activity consists of providing (consumer) credit and the account information obtained is also used in the context of a credit analysis (underwriting) or for certain marketing strategies. Since in principle personal data is always involved, the processing of this personal data will of course always have to be in accordance with the General Data Protection Regulation (GDPR, known in the Netherlands by its Dutch abbreviation AVG).
To access a checking account, an AISP must have developed what is known as an API (Application Programming Interface) that can interface with the banks' APIs. Through the APIs, the systems can then communicate with each other and exchange data. Developing and using an API is obviously a technical and complex matter.
The provision of account information services further requires a license from the relevant European regulator. In the Netherlands, this is DNB. If the AISP only provides account information services, only a registration is required. Because an AISP never holds (third party) funds, the licensing requirements are less stringent than for other payment services. Nevertheless, an AISP is subject to ongoing supervision by DNB, which will obviously have a major impact on the organization.
PISP
Payment initiation services are especially important when making online purchases from a Web store. A PISP can initiate a payment from a checking account that the customer holds with another bank with the permission of the online store's customer. In that case, the PISP sends a payment order to the payer's bank, which then executes it. Again, authorization must be granted for each payment. If the PISP initiated the payment, the bank must immediately provide information about the payment transaction to the PISP. The PISP can then immediately notify the merchant whether the payment was successfully made.
Payment initiation services are an alternative to iDEAL, credit card or PayPal payments, among others. This can be useful if the online store's bank is not affiliated with iDEAL, for example abroad, or if the customer does not have a credit card or PayPal account. Also, an online store with a PISP license can initiate the payment itself. This can make the payment easier and cheaper for the online store.
Furthermore, a Dutch PISP must have a license from DNB. Incidentally, the licensing requirements for a PISP are considerably more onerous than those for an AISP and are more or less comparable to the licensing requirements for an "ordinary" payment institution.
Consent
As mentioned above, AISPs and PISPs can only offer their services to customers if they have the consent of the customer. This consent is twofold: on the one hand, the customer must give permission to the AISP or PISP, respectively, to access the payment account or to initiate a payment order; on the other hand, the customer must consent to the AISP or PISP having access to the personal data necessary for the provision of payment services, and agree to the AISP or PISP processing and storing this personal data.*
Permission to access or initiate a payment order is granted by the customer through "strong customer authentication" (SCA). In principle, the way SCA takes place is always determined by the bank. SCA is also referred to as "two-factor authentication". This means that a customer, for example, can only grant permission by means of a password in combination with a code the user receives on his mobile phone, or a password in combination with a fingerprint.
Customer permission to access the checking account is valid for a period of up to 90 days; after that, the customer must re-authorize through SCA. Otherwise, the AISP will no longer have access to the checking account. Likewise, the customer must give permission through SCA in case the AISP wants to release information that relates to payment transactions older than 90 days.
Ban on surcharges
PSD2 also introduces the ban on surcharging. Under this ban, online stores, for example, are now prohibited from charging consumers for the use of debit and most credit cards. The ban also applies to wire transfers and direct debits. This will make it clear to a consumer at the start of the transaction what the total price of a service or product is, and they will no longer be confronted at a late stage with additional charges for the use of a particular means of payment. Think of the case where an airline ticket is ordered and just before the final booking an additional charge is made for the use of a means of payment, making the final price higher. In the Netherlands, by the way, the ban does not apply to payment cards issued in a so-called tri-party scheme, including, for example, American Express, Diners, Discover, JCB and UnionPay. These are often more expensive payment cards that offer extra services such as insurance and savings programs.
For iDEAL payments, web stores cannot charge separately for the underlying transfer, but they can charge for the cost of the iDEAL service. In addition to iDEAL, there are of course other payment methods; think of Sofort and PayPal, for example.
Regulation varies by member state
PSD2 provides that member states may decide whether surcharging is partially or totally prohibited. The Netherlands has opted for a partial ban, as has Germany. France and Belgium, however, have opted for a total ban. For merchants offering their services across borders, it is therefore wise to find out what the exact rules are in each country. Not only can the scope of the ban differ per member state, but the local regulator may have a different opinion than the Dutch regulators regarding the application of the ban.
Discounts
The tightening of the rules around surcharging also puts the offering of discounts for certain payment methods in a new light. The rationale for the ban on surcharging is partly that it should be clear to the customer what the price of a certain product is at the moment the customer makes a choice, and that the customer is therefore not confronted afterwards with surcharges or a different price. The offering of discounts will therefore not be allowed to thwart the purpose sought by the ban.
What does this mean in practice?
Ban on surcharges
It is particularly important for web stores and merchants to check whether surcharges are currently still used when paying by debit and credit cards. In many cases, charging such a surcharge will no longer be allowed. Not every payment method is covered by the ban on surcharging, so it is important to have a clear view of the exact scope of the ban. Are discounts offered if the customer chooses a particular payment method? Then make sure that these discounts do not violate the ban on surcharging.
New payment services
PSD2 also offers opportunities. For example, for large retailers it may be interesting to offer account information services at some point, or for online stores it may be interesting to soon initiate payments themselves.
In particular, the use of account information for credit analysis or for even more targeted advertising has potential. At the moment, however, it is still unclear how the practice will develop and which parties will become active as AISPs. Below we have already identified a number of points of attention with regard to AISPs:
an AISP must be licensed by the DNB;
an AISP will need to develop an API;
at present, by no means all European banks have developed their own (functioning) API;
the banks generally do not have a "unified" API, making it difficult in practice to link with each individual bank via its own API; and
the account information currently obtained through banks' APIs is very raw data that cannot be easily processed. We understand that in practice this is a big problem for which there are not really good solutions yet.
Meanwhile, because of the diverse landscape of APIs within Europe, there are calls for far-reaching standardization of APIs. At the moment, there is still (too) much room for interpretation regarding how technology companies should access customers' bank accounts. The call for more standardization is not surprising, because Europe has over six thousand different banks and if a large number of them develop their own APIs, it becomes impractical for the smaller fintechs in particular to develop their own APIs that can be linked to all those banks' APIs.
The United Kingdom is taking a much bolder approach in this regard: there, the government has required the largest nine banks to use a single API. This has contributed to the fact that people there are already a lot further along in terms of open banking. In September 2018, Yolt, a subsidiary of ING, was the first AISP to link up with all of these nine banks. Among other things, Yolt offers customers the ability to see all their accounts in one overview and offers analysis of spending patterns.
Should applying for an AISP license yourself not currently prove interesting, it may alternatively be interesting to investigate whether other AISPs are active that can provide account information services on behalf of external parties. In that case, exploring a (strategic) partnership with such a party might also be an option.
* The requirement of explicit consent for access to personal data does not apply to AISPs offering only account information services. This does not alter the fact that they must still comply with the rules under the AVG.
This article can also be found in the PSD2 dossier