Financial technology companies (“FinTechs”) are startups that use technology to improve financial services. FinTech business models have to comply with the applicable financial regulation. However, many FinTechs try to build their business model in a way that avoids license requirements and intense supervision and thus costs. In this light, the upcoming changes to the European regulations by the so called Payment Service Directive 2 (“PSD 2”)1 appear interesting with regard to FinTechs and even more so since a German FinTech is supposed to have been the reason for this new legislation. The implementation of PSD 2 in the European member states will affect certain FinTech business models. In the following article we will outline this development and will concentrate on the FinTechs affected by selected relevant changes under PSD 2.
Current FinTech Regulation under implemented PSD 1
Payment Service Directive 1 of 2007 (“PSD 1”)2 was implemented in Germany in 2009 by the Payment Service Supervisory Act (Zahlungsdienst Aufsichtsgesetz – “ZAG”) and by amendments to the Civil Code (Bürgerliches Gesetzbuch – “BGB”). Through PSD 1 the European Commission intended the harmonization of the European Payment Area. PSD 1 provided the legal foundation for a European Union single market for payments with the intention of establishing safer and more innovative payment services across the European Union. The objective was to make cross-border payments as easy, efficient and secure as national payments within a member state.
Even though PSD 1 was implemented in member states, there is still a significant lack of harmonization. The market still appears heterogeneous and opaque when considering the particular national regulations. According to a study on the implementation of PSD 1, the supervisory practice considerably varies between the different member states.3 This has led to regulatory arbitrage and legal uncertainty and resulted in impaired consumer protection and competitive distortions. According to this understanding, the European Commission in July 2013 suggested the amendment of PSD 1 by PSD 2. Next to this, the European Commission identified innovative business models, namely FinTechs, that on the one hand had developed as significant new market players, but on the other hand had not been accounted for by the “old” regulations under PSD 1.
Expected Changes by the Implementation of PSD 2
PSD 2’s main objectives are to contribute to a more integrated and efficient European payments market, improve the level playing field for payment service providers (including new players, like FinTechs), make payments safer and more secure, protect consumers and encourage lower prices for payments. The new regulation will comprise technical innovations and offer a “technologically neutral” regulation to allow the development of new services, whilst ensuring equivalent operating conditions for existing and new services and clarifying and harmonising the applicability of exceptions under PSD 1. The new rules shall be established to close the regulatory gaps whilst at the same time providing more legal clarity and ensuring consistent application of the legislative framework across the European Union.
The most important change for FinTechs will be the new regulation of so called third party providers, namely account information services and payment initiation services. These services are typically only involved indirectly in the payment process and are never in possession of the customer’s funds. Thus, they were not affected by PSD 1. Since the European Commission has identified these new business models as significant for the development of payment transactions and with regards to consumer rights, it intends to make them subject to the regulations under PSD 2.
1. Account Information Service
An account information service provides the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user is thus able to have an overall view of its financial situation immediately at any given moment. Next to the global view on their financial situation such services often offer to analyze the spending patterns, expenses and financial needs of the user. These services typically aggregate information on several accounts, like banking accounts, credit card accounts, PayPal, stock portfolios etc. and enable an easy overview and administration via a user friendly front-end.
PSD 2 intends to cover account information services in order to provide consumers with adequate protection for their payment and account data as well as legal certainty about the status of account information service providers.
2. Payment Initiation Service
Payment initiation services help to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts. The service fills-in the information necessary for a transfer (amount of the transaction, account number, message) and informs the merchant once the transaction has been initiated. Thus, the payment initiation service provides a payee with the comfort that the payment has been initiated in order to provide an incentive to the payee to deliver the goods or services without delay. Such services offer a low-cost solution for both merchants and consumers and provide consumers with the possibility of shopping online even if they do not possess payment cards.
These services are typically user friendly front-ends accessible via the e-commerce merchant which enable the customer to access his payment account to initiate payment to the merchant by entering his Personal Identification Number (PIN) and a Transaction Authentication Number (TAN). Thus, the services provider plays a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s account servicing payment service provider. In this process the service provider does typically not possess the transferable money at any time. Hence, the licence required under PSD 1 is not required by this service provider, but by the payment account holding institution. A popular provider of such payment initiation service in Germany is “Sofortüberweisung” (meaning “instant transfer”). The business model of “Sofortüberweisung” is considered to be one of the inspirations for the European Commission to extend the regulations to such FinTechs by drafting PSD 2.
After the implementation of PSD 2, payment initiation services will need a license to operate as a payment service provider. Account information services will still not require a license, but will become subject to numerous requirements like payment service providers to address issues which may arise with respect to the confidentiality, liability or security of such transactions.
In order to enhance the transparency of the operation of payment institutions within member states and to ensure a high level of consumer protection in the EU, PSD 2 requires easy public access to the list of entities providing payment services. Therefore, PSD 2 introduces a new register for payment services that will be hosted by the European Banking Authority (“EBA”). This register shall include payment initiation services as well as account information services.
3. The Right of Access to Account
Another important change for FinTechs by PSD 2 will be the so called access to account (XS2A). PSD 2 shall safeguard the access to payment accounts for FinTechs which are essential for their business models. On the one hand, “classic” payment account services, especially banks, shall be prevented from trying to hinder this access. On the other hand, PSD 2 intends to implement standards for the security of these accounts when accessed by FinTechs and to clarify the FinTechs’ liability with regard to this access. This will increase the use and development of APIs (Application Programming Interfaces) and might inspire banks and other classic players from the financial industry to benefit from this development by interacting with FinTechs and complementing their services. Some German banks have already made APIs an important part of their business model (e.g. Fidor Bank).
4. Closure of the Regulatory Gaps Caused by Exceptions
PSD 2 will significantly limit the exemptions existing under PSD 1. After the implementation of PSD 1, several service providers tried to (re-)structure their business model in a way that circumvented the restrictions under PSD 1. The supervisory practice in member states differed in the treatment of such exemptions. The German supervisory authorities adapted their practice in a way that tried to prevent such circumventions, especially by assessing the overall impression of the respective business model instead of concentrating on the separate legal requirements. By this approach most of the regulatory gaps have already been closed by the German supervisory authorities. However, this looks different in other member states. FinTechs from countries with less restrictive national regulations and supervision can use this as a competitive advantage. With PSD 2 the European Commission has realized this situation and attempts to react by trying to close these gaps by harmonising the application of exemptions.
5. Prohibition of Surcharges
PSD 2 shall help lower the charges for consumers by prohibiting surcharges for card payments by consumers in the vast majority of cases. In some member states, like Germany, it is common that merchants charge additional amounts for the use of credit cards. Such surcharges can vary from a low percentage rate of the purchase price to fixed fees, like € 5 per transaction.
In May 2015, the European Union limited the fees (so called interchange fees) that have to be paid from the bank that handles credit card payments for the merchant (the acquirer) to the bank that issued the card to the consumer (the issuer) 4. As a result the prices for credit card transactions were significantly lowered. Therefore, the European Commission argues that surcharges are no longer necessary to cover merchants’ costs for credit card payments by consumers. As a consequence such surcharges shall become prohibited in accordance to PSD 2.
This might become problematic for the business models of certain FinTechs with regard to their revenue model. The European Commission assumes the ban on surcharges will affect 95% of card payments and save consumers € 750 millions per year. 5 This amount will be missing by FinTechs when trying to structure innovative payment business models with an economic future.
6. Stronger Customer Authentication
According to PSD 2 additional requirements on customer authentication will apply in the future for access to accounts and the initiation of a payment transaction. The respective service provider will generally be liable in cases of unauthorized payments. The payee will on the other hand be liable for any misconduct if declining payment by a customer who has provided strong authentication.
Strong authentication will comprise of two or more of the following elements: knowledge (something only the user knows, like a password or PIN), possession (something only the user possesses, like a smart card physical token) and inherence (something the user is, like biometrical data, e.g. a fingerprint, retinal skin or voice recognition). These categories are independent, in that the breach of one does not compromise the reliability of the others. Strong authentication is designed in such a way as to protect the confidentiality of the authentication data.6 The EBA and the European Central Bank shall develop further details for the authentication in consideration of the respective risks of certain payment services.
FinTechs will also have to comply with these requirements. Hence, they will consider methods that will not contradict their service; their USP will be methods that offer greater convenience than classic services. The introduction of 3-D Secure with credit cards is a constant issue complained of by merchants since they see it as lowering their conversion rates by making the payment process too inconvenient for customers. The same problem can be expected from the implementation of the authentication requirements. Hence, the FinTechs that find practical solutions for this challenge will have an competitive advantage.
The crucial point will be the respective implementation in the different member states which has to be completed by 13 January 2018. It will be interesting to see if the European Commission can reach its goal of further harmonization or if some member states will manage to implement PSD 2 in a way that gives them an advantage as a less regulated and thus more attractive market for FinTechs and other players, as is currently the case with different levels of regulatory requirement, license requirements and proceedings, exemptions and supervisory practices across member states.
Some changes will not affect all member states in the same way. Germany has abstained from implementing some exceptions into national law and already has a strict practice of closing regulatory gaps in PSD 1, especially by a restrictive supervisory practice. Next to this, certain requirements are already implemented, like the need for strong customer authentication.7 Hence, these new rules will not affect Germany in a significant way. However it might be an advantage for Germany that similarly restrictive rules shall apply in the other member states now, and thus, level the playing field.
Moreover, it will be interesting to see how the implementation of PSD 2 will influence the competitiveness of European FinTechs compared with international FinTechs which are not subject to the European regulations, especially those from the USA.
The implementation of PSD 2 will make certain FinTechs subject to regulation, including license requirements and supervision. This will cause significant new efforts for them. Many FinTech business models are created in a way that avoids such regulations, respectively insourcing regulated services by using white label banks. Due to the new requirements, some business models may no longer work under PSD 2 and will have to be modified or abandoned. On the other hand, PSD 2 will strengthen certain FinTech models by acknowledging their existence and by safeguarding the basis of their business model, especially by ensuring their access to the existing accounts of the established players, like banks. As discussed above, other regulatory changes, like the prohibition of surcharges and the authentication requirements, will also influence the business models of certain FinTechs.
The new regulations will not only affect the directly regulated players, but also other parties, like online merchants and banks. Merchants will have to support the implementation of the new requirements which will mean some effort and an increase in their administrative costs. But merchants might also benefit from new services and lower costs. Banks will have to invest in interfaces that guarantee the access to account by the third party services providers. Next to this, it can be expected that the additional data traffic via the banks’ interface will increase their costs. On the other hand, this might inspire them to develop new products and revenue channels.
PSD 2 will also acknowledge FinTech models and strengthen them. This might lead to more upcoming FinTechs that will compete with each other. Hence, more innovative and improved solutions with regard to B2B, B2C and P2P financial services can be expected.
1 Directive (EU) 2015/2366 of 25 November 2015.
2 Directive 2007/64/EC of 13 November 2007.
3 Tipik, Directive 2007/64/EC – General Report on the Transposition by Members States, 2011.
4 Regulation (EU) 2015/751.
5 Cf. European Commission - Fact Sheet: Payment Services Directive: frequently asked questions, 8 October 2015, p. 2.
6 Since summer 2015, similar requirements on customer authentication already apply in Germany as a part of the administrative practice of the German supervisory authorities (cf. BaFin circular” MaSI”).
7 Cf. above.