Most banks in Denmark will be ready for PSD2 by its implementation date, although the quality of the APIs will be debated – and there are concerns around the readiness for strong customer authentication (SCA), according to Tobias Thygesen director of FinTech, payment services and governance division at Finanstilsynet.
PSD2 has a final deadline of 14 September and from then, banks and third-party providers will be able to retrieve payment information from different sources and provide consumers with better financial products. The open banking aspect of the regulation has received a lot of the attention, while the SCA requirement, which is just as important for companies wishing to meet compliance, has not received as much interest Tobias Thygesen said, “if you’re not ready for SCA on the 14th of September you very much risk that payments will be rejected.”
The directive requires European consumers to confirm their identities for online purchases with two-factors of authentication. This can be either something they know, like a password, something they have such as a phone and something physical about them, like a fingerprint.
Players in the market have made their opinions clear on the market readiness for SCA. The European Banking Authority (EBA) even came out to offer its opinion on SCA following numerous queries and requests for the application date to be postponed. The European authority stated that there will be no extension as it believes the market has had enough time to prepare. Although, some leeway was given to certain providers, on an exceptional basis. In Denmark, this requires an agreement with the FSA on the timeline and measures implemented in the meantime.
The requirements of SCA were outlined back in 2015 and has already had an 18-month implementation period. However, there is still some concern about getting systems ready. Thygesen stated that it has been “slightly problematic.” Its not the banks which are the issue, as most of them know the rules, it’s the payment gateways and vendors which need to be supported and guided through the changes.
To support companies, the Danish Payment Council recently released a note on SCA to clearly express what the changes are. Thygesen believes that the market has got the message, and everyone is preparing for the deadline as best as they can. One potential fear is if customers begin to stop using an e-commerce platform due to SCA.
Thygesen said, “In general, the problem is that when you introduce such security measures then shoppers might drop out during the process. So, I think that’s probably why some have been hesitant to introduce strong customer authentication solutions.
“These changes were already suggested in the previous secure pay recommendations for secure internet payments way back in 2013. But now that it is in the directive, banks are actually obliged to not perform payments which do not live up to the requirements. So, I think it’s sort of a mixture of strong customer authentication not being very wanted by the e-commerce side of things and perhaps there hasn’t really been enough focus on it in the financial sector.”
Shoppers dropping out of a checkout due to extra measures could be a big problem. These customers could end up going to other providers in different regions, which would lose traction for a lot of online businesses in the EU. Payments processing company Stripe noticed the potential falloff and conducted a survey of 1,000 consumers across the UK, France, Germany, the Netherlands, and Spain to see how the market would react. The answer was not great. According to its research, it believes Europe could lose up to €57bn in economic activity within the first 12 months of SCA. Obviously, this is not a crystal ball of the future, but does highlight that companies need to ensure they comply with SCA and have efficient protocols in place, so the customer experience is not hindered.
Thygesen does not think this will be an issue as you should not be able to trade on the internet within the EU without an SCA compliant processes. There might be fears and worries about its implementation and the cataclysmic effect it could have on the economy, but at the end of the day, most changes to an established process are met with similar doomsday talk. The extra measures implemented by SCA will not be too onerous on customers and its for their benefit. Thygesen stated that companies already using SCA methods have seen considerable drops in the levels of fraud, so the medicine works although it may take some getting use to.
“Some might react the first time it happens you’ll get used to it and in the end, it’ll just be the normal way you do it in the future. And it is important to remember why this has been introduced: to counter fraud in payments.”
PSD2 in Denmark
Thygesen is confident for the market readiness of PSD2 overall, and believes that most banks in Denmark will be ready for the September 14 deadline. There has been a lot of work in the market to ensure banks are ready for the change. Since 2015, companies developing solutions for PSD2 have raised a total of $193m, RegTech Analyst data shows.
Banks across Europe have also been frantically partnering with RegTech solutions to make sure they are ready. Earlier in the month, Norwegian bank SpareBank 1 partnered with open banking solution developer Nets to help meet compliance. Luxembourg-based Rakuten Bank, Italy’s UBI Banca, and German challenger bank Fidor, are just some of the companies to recently form a partnership with a PSD2 solution.
Thygesen believes, however, that there will be debate over the quality of the APIs developed by the banks, as banks and third party providers do not always speak the same language. Even when banks try their best to deliver good APIs, it is not always what the third party providers want. The process of getting the APIs right might this continue after the September 14 deadline.
The market has taken to PSD2 and there is a lot of excitement about what new products could be created. Although, this might take longer than some people might hope. Thygesen said, “I think the potential is there down the road to develop new financial products to the benefit of consumers, but I think it’s a long journey and to begin with, this is mainly a compliance exercise for banks. If anybody thought that we would implement PSD2 and then suddenly the market would change and flourish, then I think they were perhaps a bit optimistic. I think this is a rather slow-moving process in that sense.”
But one of the promising things Thygesen has seen is that several banks are even going beyond just simple compliance with PSD2. There are a number of banks which are looking to go further and not only share transaction details but share other types of information through their APIs as well.
Denmark’s readiness for the regulation has been supported by Finanstilsynet, the country’s financial regulator. The authority has offered support and dialogue explaining what the regulation means, the changes it requires and answering questions banks and prospective third party providers have. It also has an innovation hub which has been helping companies who are developing the necessary solutions.
One of the factors Thygesen thinks places Denmark well in meeting compliance is because the country’s banks have typically been digitally advanced. Another advantage in Denmark is that banks operate on shared data centres, which means that if a solution is built at the data centre level, many banks are all using the same solution, instead of 80 banks and 80 separate products.
As for consumer adoptions in Denmark, this might be a little bit of a slow burner. “In Denmark people are very spare to take up new forms of payment and we’re a country that’s very happy with our credit and debit cards so it might be a slow take up but it’s very hard to know and it’s very hard for the bank to know what will actually hit them on the 14th of September.”
Copyright © 2018 RegTech Analyst
