Revisions to the Regulatory Technical Standards of PSD2 came into effect in July 2023 — here’s what they mean for both payment service providers and customers.
The second Payment Services Directive (PSD2) has been an ongoing topic on our blog — we’ve talked about its introduction, implementation, and what it means for both businesses and customers.
In simple terms, PSD2 is a regulatory framework that was implemented across the EU with the objectives of enhancing customer protection and trust, enabling a dependable standard for third-party providers, and bolstering the security of electronic payments and accounts.
What’s the Current State of PSD2?
Since its inception, PSD2 has regularly been subject to review to ensure that it remains aligned with the growing opportunities and evolving threats within the digital payments landscape.
Over the last couple of years, there have been significant developments in PSD2 legislation — most recently, the European Commission published amendments to the SCA requirements in August 2022. These revisions came into effect on July 25, 2023.
Key Takeaways From the Revised RTS
One of the core objectives of SCA requirements is to ensure that payment service providers can verify that a user requesting access to an account or attempting to make an electronic payment is either the customer themselves or another person who’s authorized to make these transactions on their behalf — this is done through the use of SCA elements.
The revisions made to the RTS pertain to scenarios in which SCA isn’t required. These payment scenarios are generally determined by a transaction’s recurrence, amount, and the channel used to carry out the payment.
Here are three ways in which the revisions to the RTS affect payment service providers and customers alike:
1. Access to 90-day transaction history will now be granted for up to 180 days.
Prior to this revision of the RTS, account providers required users to renew their authentication every 90 days when requesting access to their 90-day account transaction history. With the revised requirements in place, it will only be necessary for users to authenticate themselves every 180 days.
2. There are differences in how ASPSPs vs. AISPs will be allowed to obtain access to customer data.
SCA requirements spell out specifications for different types of payment service providers, namely account servicing payment service providers (ASPSPs) and account information service providers (AISPs).
When a customer uses an AISP to access their data, the 180-day access window is now mandatory. At the same time, ASPSPs must not apply SCA requirements during each access attempt.
3. There are two scenarios that are exempt from the above specifications:
The first case that’s exempt from the newest amendments is when an ASPSP has justifiable cause to apply SCA requirements in order to prevent fraud.
Secondly, the revised requirements don’t apply when an ASPSP provides access using a backup interface (banks typically do this by temporarily allowing screen scraping on existing digital channels).
Beneficial Impact of the PSD2 Revision
The recent revision of the PSD2 marks a significant advancement in simplifying account information services (AIS) and reducing authentication hassles for customers. These changes are poised to benefit both customers and service providers, promoting greater convenience and efficiency in the financial landscape.
By extending the interval required for SCA renewals through Account Servicing Payment Service Providers (ASPSPs) to 180 days, consumers stand to save considerable time and experience fewer disruptions.
Overall, the revised RTS promotes greater convenience and efficiency, and the amendments that are now in place can significantly benefit customers and payment service providers alike.
What’s Next for PSD2?
In June 2023, the European Commission put forward a proposal designed to bring digital payments and the wider financial industry into the digital age. The proposal will modernize current PSD2 legislation, which will eventually become known as PSD3.
We’ll tell you more about PSD3 — including the societal trends that have prompted its creation — in our next blog post.