InstaPay: How will PSD2, APIs & Instant Payments change the game?


The EU’s Second Payment Services Directive (PSD2) represents a watershed moment for public policy surrounding payments in Europe, instant or otherwise, says Hakan Eroglu, an executive in Accenture’s payments practice.

The second iteration of the Payment Services Directive (PSD2) entered into law on 13 January 2018, but with the final Regulatory Technical Standards (RTS) covering Strong Customer Authentication (SCA) and Secure Open Standards of Communication (CSC) still to be finalised. It was eventually published on 13 March in the Official Journal of the EU and implementation of this element will follow by September 2019.

The key thing is that the regulation is here now, and it promises a revolution. PSD2 will open up bank systems to third-party payment services providers (TPPs) for account information, payment initiation and confirmation of funds via open application program interfaces (APIs).

The regulation leaves open the details of standard APIs that third parties will use to connect with banks. The final published RTS specifies only the high level technical conditions and not interface standards.

To help fill the gap surrounding interface standards and access to account (XS2A) services, the Berlin Group — consisting of almost 40 banks, associations and payment service providers (PSPs) from across the EU —has defined a common API framework called ‘NextGenPSD2’ for the use cases specified in PSD2. This may allay vendors fears and, from the banks point of view should ensure minimum standards of security, resiliency, privacy and so forth are maintained.

Initiatives have also been launched in Poland (via PolishAPI), Slovenia and France (STET), as well as in Britain via the UK Open Banking initiative – with a trend of consolidation evident across the continent. Indeed, open banking and APIs are even being discussed in North America at the moment and other regions in Australia and Hong Kong, for instance, as the global trend towards it strengthens. However, Europe is in the lead and the Berlin Group’s NextGenPSD2 is in pole position to become the leading API framework in the EU, as it has the greatest scale and number of participants, so this article will be concentrating on that.

Payment initiation opens up
For payment initiation, the NextGenPSD2 framework offers multiple payment instruments that can be used. Generally, the same payment instrument needs to be provided to TPPs via APIs as is provided to the customer through the bank’s own services (customer-facing interfaces such as mobile and online banking channels).

On top of the regular and ‘future-dated’ single euro payment area (SEPA) Credit Transfer (SCT), the API framework also supports Cross-border Payments – for example via the European Central Bank’s (ECB) TARGET2 platform – and the SEPA Instant Payments (SCT Inst) scheme.

All the standards have one aspect in common: they allow the use of the underlying payment instruments. This reflects the fact that PSD2 democratizes access to accounts and payments. There will no longer be any exclusive gateway for access. This is a change that opens up tremendous opportunities for financial services, as well as non-FS companies, to build new use cases around instant payments (IP) transacted directly from customer accounts.

Combination of PSD2 & instant payments
A TPP just needs to be registered in an EU member state as a PSP, under PSD2, and get an electronic eIDAS identification certificate provided by a Qualified Trust Service Provider (QTSP) in order to enter the marketplace.

All of this means the combination of PSD2 and SCT Inst has huge potential to disrupt existing business models, depending on the level of API standardization and penetration of SCT Inst instant payments in the EU.

Impacts on cards
TPPs such as merchants, airlines, technology giants and PSPs could use the PSD2 APIs to make instant payments directly from customer accounts to the TPP bank account, bypassing card schemes and fees. However, while instant payment (IP) could solve the payment guarantee issue, challenges remain not only around refund/cancellation processes but also processing time.

Online payment service providers such as PayPal and Klarna could use PSD2 APIs and instant payments as an alternative to SEPA Direct Debits (SDDs) – with the risk of uncovered accounts or later payment returns – or credit cards as the underlying payment instrument.

The Berlin Group NextGenPSD2 framework is a kind of a toolkit that allows banks to build their own API standard, so there may well be multiple bank API standards derived from it. This could lead to fragmentation and make it expensive for TPPs to connect to all PSD2 APIs across the EU’s banks.

On top of this SCT Inst is not mandatory for banks and adoption in Europe will take some time. To help address this issue, banks or acquirers could play the role of an API aggregation service connecting all banks and provide one single API endpoint for TPPs. While the usage of PSD2 APIs needs to be free of charge for TPPs, the aggregation of APIs can be monetized – and with instant payments the value proposition could be even more promising.

Frictionless instant payments with PSD2
Customer experience is key in payments: friction and slowness can reduce acceptance of the payment instrument at both the customer and merchant sides, leading to higher cancellation rates in the electronic e-commerce checkout process and longer queues in the store. Cards payments at Point-of-Sale (PoS) have become established and successful due to their very fast processing time during the checkout process.

To compete with cards, instant payments must be faster than 10 seconds as the maximum turnaround time in the SCT Inst scheme allows – the target should be significantly less than 10 seconds for e-commerce and less than three seconds for PoS transactions. No merchant would run the risk of shrinking revenues just to save transaction fees with an unacceptable payment instrument.

PSD2 APIs require banks to perform strong customer authentication (SCA) on every transaction. This means that the customer’s bank requires the customer to authenticate a transaction with at least two of three elements (known as two-factor authentication 2FA). The three SCA elements that can be used are:

  • Knowledge, such as a username and password in online banking;
  • Possession, such as a smartphone or token device to receive an authentication code;
  • & Inherence, such as biometric data.

PSD2 RTS SCA requirements
Meeting the PSD2 SCA requirements is a challenge. For example, a merchant payment app on a smartphone used by the customer would need to log-on to the bank account and trigger an instant payment transaction. The customer would then receive an authentication code on the same device, or on a dedicated token, and enter it into the merchant payment app to complete the authentication.

The PSD2 RTS allows exemptions from performing SCA in certain conditions. Examples include cases where the payment amount is below EUR30 for e-commerce (EUR100 accumulated, across a maximum of five consecutive transactions); or EUR50 for contactless instruments at PoS (EUR150 accumulated, across a maximum of five consecutive transactions). But even these exemptions lead to cumbersome SCA, at least at the fifth transaction. For PSD2 and instant payments, SCA needs to be eliminated: the RTS allows the customer to ‘whitelist’ trusted beneficiaries and exempt them permanently from SCA. A merchant could incentivize a customer to add the merchant’s own bank account to their whitelist and avoid SCA. There are also interesting options for banks to monetize whitelists, such as adding paying merchants to a default whitelist for the customer after asking for the customer’s consent.

The RTS also provides another convenient way to solve the issue of friction: inherence. This enables the customer to authenticate transactions via biometrics data rather than cumbersome reception and submission of authentications codes. However, the biometrics-based methods used today on devices such as smartphones are proprietary solutions that perform fingerprint or face data matching on the device, beyond the banks’ control. As innovation in this area continues, there will be a huge push towards creating RTS-compliant biometrics authentication methods.

Banks as innovators
Banks could play a pivotal role in the game-changing impacts of PSD2 and instant payments. As access to accounts and IP become commodity services with low or almost no margin for banks, the new revenue opportunities will be in the value-added services and the ecosystem around these basic offerings.

There will be opportunities to monetize additional data and services that go beyond PSD2 and instant payments. For example, banks could work with other industry partners and API aggregators to build a new payment ‘scheme as a service’ for merchants, airlines and other industries. If banks are to retain their central position in the payments business, creativity and co-creation with financial technology (FinTech)-enabled players and partners from across the ecosystem will be key.