PSD2: Advent of the New Payments Market in Europe

MARCH 2019

Ron van Wezel

Sponsored by:

© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. Photocopying or electronic distribution of this document or any of its contents without prior written consent of the publisher violates U.S. copyright law, and is punishable by statutory damages of up to US$150,000 per infringement, plus attorneys’ fees (17 USC 504 et seq.). Without advance permission, illegal copying includes regular photocopying, faxing, excerpting, forwarding electronically, and sharing of online access.


TABLE OF CONTENTS

IMPACT POINTS
INTRODUCTION
METHODOLOGY
INTRODUCTION TO PSD2
MARKET RATIONALE
DEFINITIONS
WHAT ARE THE MAIN CHANGES OF PSD2?
THE SCA REQUIREMENTS
ACCESS TO THE ACCOUNT: COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION
IMPACT OF PSD2 ON E-COMMERCE PAYMENTS
MANAGING FRICTION AT THE CHECKOUT
OFFER NONREGULATED PAYMENT METHODS
APPLY TRA TO FILTER OUT LOW-RISK TRANSACTIONS
FILTER TRANSACTIONS THAT ARE EXEMPT FROM SCA
OPTIMIZE THE USER EXPERIENCE FOR TRANSACTIONS THAT REQUIRE SCA
IS THE MARKET READY FOR SCA?
OPEN BANKING: BETWEEN HYPE AND REALITY
THE TESTING GROUND: OPEN BANKING IN THE U.K.
THE PROMISE OF OPEN BANKING FOR PAYMENTS
CUSTOMER PAYMENT PREFERENCES: HARD TO CHANGE
THE RISK OF FRAGMENTATION FOR OPEN BANKING
CONCLUSION
RELATED AITE GROUP RESEARCH
ABOUT AITE GROUP
AUTHOR INFORMATION
CONTACT
ABOUT IOVATION

LIST OF FIGURES

FIGURE 1: SHARE OF CNP FRAUD AS A PERCENTAGE OF TOTAL FRAUD IN SEPA
FIGURE 2: SCA MODELS
FIGURE 3: MEASURES TO MINIMIZE CONVERSION RISK AS A RESULT OF SCA
FIGURE 4: DIFFERENCES BETWEEN 3DS 1.0 AND 3DS 2.0
FIGURE 5: MARKET ASSESSMENT OF 3DS 2.0
FIGURE 6: EUROPEAN MILESTONE DATES
FIGURE 7: COST OF PAYMENT METHODS IN GERMANY
FIGURE 8: DOMINANT ONLINE PAYMENT CULTURES IN THE EEA

101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • www.aitegroup.com

LIST OF TABLES

TABLE A: MARKET TRENDS LEADING TO PSD2
TABLE B: PSD2 TERMINOLOGY EXPLAINED
TABLE C: SCA EXEMPTIONS FOR ONLINE/REMOTE CARD TRANSACTIONS
TABLE D: AUTHENTICATION SCENARIOS BETWEEN BANKS AND TPPS
TABLE E: EUROPEAN API STANDARDS INITIATIVES
TABLE F: ATV AND SHARE OF TOTAL CNP TRANSACTIONS BY ONLINE MERCHANT CATEGORY IN THE U.K.


IMPACT POINTS

• The revised Payment Services Directive (PSD2) changes the rules of the game for the European payments industry. By September 2019, payment service providers (PSPs) have to comply with the directive’s requirements for strong customer authentication (SCA) and third-party access to bank accounts. This Aite Group report analyzes the consequences for the e-commerce payments market.

• Sufficient tools are available in the market to mitigate the risk of a deterioration of the consumer experience in e-commerce due to the PSD2 SCA requirements. However, the issue is a lack of orchestration of the PSD2 implementation around Europe. Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate.

• Another issue is market awareness of the SCA requirements. Only 25% of European online merchants are aware of the SCA requirements under PSD2. This is a call to action for acquirers and PSPs to step up their communication and realize a smooth transition to the SCA requirements.

• So far, take-up of U.K. Open Banking has been slow—even disappointing. This may be a result of a number of issues with the implementation of open banking. However, it is still in the early days, and at least the U.K. has the central governance in place to identify the issues and coordinate the required activities to resolve them.

• The new account-based payment models that PSD2 enables hold a lot of promise for e-commerce payments, particularly in combination with real-time payment (RTP) clearing rails that are rolled out all over Europe. Such payment models could offer merchants a service that seems to beat existing card solutions because of service and price.

• Still, a number of factors will hinder the adoption of these new payment models from both the demand and the supply sides. The main challenges are how to change established consumer payment preferences and how to develop a consistent payment offering in a fragmented European market. The conclusion is that PSD2 will not form a threat to card-based payments in the short to medium term, say within the next five years. It is not clear how a consistent, user-friendly offering can be developed for the European market that is attractive enough for consumers to change their payment preferences.


INTRODUCTION

The European payments market is preparing to comply with PSD2. By September 2019, all companies providing payment services in the European Economic Area (EEA) have to be ready to support the European Banking Authority’s (EBA’s) requirements for SCA and access to accounts.[1] Online merchants have to deal with a change in the customer journey due to an increase in stepped-up authentication requests as a result of SCA, increasing friction in the payment process. At the same time, PSD2 provides an opportunity, as banks have to provide access to their customers’ accounts, which allows merchants and their providers to develop new payment models.

The first initiatives are already coming to the market. Deutsche Bank, for instance, announced a pilot project with the International Air Transport Association (IATA), the trade association for the world’s airlines. The bank aims to reduce the payment processing cost between airline clients and airlines, potentially saving them billions of dollars.[2]

This Aite Group report surveys the market status in Europe regarding the main changes that PSD2 may bring to the e-commerce payment market. The report includes recommendations on how online merchants can mitigate the risk of SCA and analyzes the potential of payment innovation as a result of PSD2.

METHODOLOGY

This report is based on a joint analysis—by Aite Group and iovation—of the European payments market. The research includes both primary research and an extensive analysis of secondary research.

Aite Group conducted 21 interviews between November 2018 and January 2019 with payment executives from banks and other PSPs, merchants, card schemes, and consultancy firms active in Europe. The interviews were complemented with extensive secondary research to gather reliable data, using publicly available data from central banks, industry associations, company investor presentations, and annual reports.

1. “Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 Supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council With Regard to Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication,” EUR-Lex, January 13, 2018, accessed January 14, 2019, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC.

2. “Instant Payments in Action: Deutsche Bank and the International Air Transport Association,” InstaPay, accessed January 14, 2019, https://www.instapay.today/insight/instant-payments-in-action-deutsche-bank-and-the-international-air-transport-association-iata/.


INTRODUCTION TO PSD2

On January 13, 2016, PSD2 came into force. The directive should have been transposed into national law of the 28 member states of the European Union by January 13, 2018—a deadline that was missed by many national governments.[3] Nevertheless, there is no escape from the directive, which is a game changer for the payments business in Europe. This includes the U.K., as PSD2 was transposed into national law before Brexit.[4]

The scope of PSD2 includes any company that provides payment services to customers in the EU. Such PSPs need to obtain a payment license issued by a designated authority in one of the EU member states, which can then be passported into other European countries. The scope of PSD2 extends a number of obligations, notably information obligations, for payments to and from countries outside the EU when one of the PSPs is located in the EU. The extension of the scope has implications primarily for banks and other PSPs that are located in the EU. In practice, this means that these financial services providers shall provide information and transparency on the costs and conditions of these international payments, at least in respect to their part of the transaction. They are also liable for their part of the payment transaction if something that is attributable to them goes wrong.

PSD2 is based on some of the same principles that constitute the General Data Protection Regulation (GDPR), enforcing consumer protection and security requirements on companies operating in the EU.[5] PSD2 will have both direct and indirect consequences for companies based outside the EU—direct, as any company providing payment services in the EU will require a payment license, and indirect, as the stricter requirements for fraud prevention in the EU will drive fraud to other regions, such as the U.S.

Unlike with GDPR, PSD2 does not specify fines for noncompliance. PSD2 only states that member states have to lay down penalties that are “effective, proportionate and dissuasive.” The fines or alternative penalties will be at the discretion of the national authorities. This doesn’t mean, of course, that noncompliance will not be taken seriously. Regulators have several instruments at their disposal to enforce compliance, including the right to revoke a perpetrator’s payment license.

3. “Payment services (PSD 2)—Transposition Status,” European Commission, May 25, 2018, accessed January 14, 2019, https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en.

4. For details on the U.K., see “PS18/24: Approach to Final Regulatory Technical Standards and EBA Guidelines Under the Revised Payment Services Directive,” Financial Conduct Authority, December 19, 2018, accessed January 31, 2019, https://www.fca.org.uk/publications/policy-statements/ps18-24-approach-final-regulatory-technical-standards-and-eba-guidelines-under-revised-payment.

5. See Aite Group’s report Data Protection in the Board Room: The Impact of the GDPR, January 2018.


MARKET RATIONALE

European regulation is not developed by civil servants in the proverbial ivory tower. On the contrary, new legislation is developed in response to market trends, setting or changing rules that are deemed necessary—e.g., to protect consumers and stimulate innovation and competition. PSD2 was no exception to this theme (Table A).

Table A: Market Trends Leading to PSD2

Market trends: Increasing fraud for online payments
Market implications: Requirement for PSPs to apply better security to protect consumers and businesses

Market trends: Rise of new payment players
Market implications: Regulation of new players, providing a level playing field for PSPs in Europe

Market trends: Arrival of the API economy
Market implications: Application programming interfaces (APIs) facilitate the required third-party access to bank accounts

Source: Aite Group

INCREASING FRAUD FOR ONLINE PAYMENTS

There is an ongoing shift of fraud from the card-present to the card-not-present (CNP) environment in the single euro payments area (SEPA; Figure 1).[6]

Figure 1: Share of CNP Fraud as a Percentage of Total Fraud in SEPA

[Chart: CNP Fraud in SEPA, 2012 to 2016. Series: value of CNP fraud (in millions of euros) and share of total fraud.]

Source: European Central Bank (ECB)

6. SEPA covers payments in euro and consists of 38 countries and territories. See “Map of SEPA Scheme Countries and Territories,” European Payments Council, February 12, 2016, accessed January 19, 2019, https://www.europeanpaymentscouncil.eu/document-library/other/map-sepa-scheme-countries-and-territories.


The market has responded with a number of innovations in fraud detection and prevention, such as 3-D Secure, risk-based authentication, tokenization of sensitive data, and advanced risk analysis systems. These developments have successfully contributed to containing fraud. According to the ECB, the data suggest that CNP fraud grew at a lower rate than CNP transactions as a whole within SEPA. Nevertheless, the share of CNP fraud in the total value of fraud amounted to 73% of total card fraud losses in 2016. In that year, the total value of CNP fraud increased by 2.1% compared to the previous year, reaching 1.32 billion euros.[7] To combat fraud more effectively, the regulator decided to strengthen the security requirements for electronic payments with PSD2.

RISE OF NEW PAYMENT PLAYERS

Since the first payment services directive was published in 2007, new players—such as Sofort (now owned by ) and Trustly—arrived on the scene, providing payment services to online merchants. These companies used “screen scraping” to access the customer’s account data, using the customer’s login credentials to programmatically access the bank’s e-banking portal, without the latter’s involvement. Banks objected to this practice for reasons of security. They argued that customers should not hand over their bank credentials to a third party, as the bank has legal responsibilities to authenticate customers and protect them against the risk of fraud. On the other hand, the success of new players indicated a need for payment innovation and increased competition. This would not be possible if banks maintained exclusive possession of their customers’ data.

The regulator decided to level the playing field and bring the new players under the payment services regulation. As regulated entities, these players obtained the right to access bank account data if the customer (account holder) gave them consent to do so. Banks had to provide this access. At the same time, the regulation imposed obligations on these third parties—e.g., to authenticate themselves to the bank before requesting access and to assume liability (and indemnity insurance cover) for any losses resulting from nonauthorized or fraudulent transactions.

ARRIVAL OF THE API ECONOMY

APIs are one of the hottest topics in retail banking and payments. An API is similar to a user interface, but with different users in mind—i.e., computer applications and their programmers. By publishing an API, a provider of a service (e.g., a bank) makes it easier for developers to build applications that use that service. An API is called “open” when it can be accessed—under specified conditions—by third-party developers (from outside the service provider’s organization). In our digital world, the use of open APIs is common, and it’s even fundamental to the growth of companies such as Amazon, Google, Facebook, and other digital leaders. and PayPal’s Braintree are examples of PSPs that use APIs as the core of their product proposition.

But the increasing role of APIs in retail banking is a quite recent phenomenon. Banks are beginning to expose their data for use by third parties, in particular fintech companies, through open APIs. Banks can not only make their own product data available but also allow their customers to share their bank data with third-party providers (TPPs), thus paving the way for open banking.

7. “Card Fraud Report,” European Central Bank, September 26, 2018, accessed January 14, 2019, https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport201809.en.html#toc5.

The market has embraced APIs as the solution to comply with the regulatory requirement for access to the bank account.

DEFINITIONS

PSD2 defines a number of new roles in the payment process, using specific terminology that is now widely adopted in Europe and is therefore also followed in this report. Readers in other countries may not be familiar with these terms, or these terms may have a different meaning than the same terms used elsewhere. For clarity, the roles and their definitions are listed in Table B as a reference.

Table B: PSD2 Terminology Explained

Role: Payment service user (PSU)
Definition: Natural or legal person making use of a payment service in the capacity of payer, payee, or both
Practical examples: Consumers and corporate users (end user)

Role: PSP
Definition: Regulated provider of payment services within the EU
Practical examples: Credit institutions, electronic money institutions, and payment institutions

Role: Account servicing PSP (ASPSP)
Definition: PSP providing and maintaining a payment account for a payer
Practical examples: Banks, card issuers, and other financial institutions holding payment accounts

Role: Payment initiation service provider (PISP)
Definition: PSP providing a service (on request of the PSU) to initiate a payment order from the PSU’s payment account held at another PSP (i.e., ASPSP)
Practical examples: PSPs such as Klarna/Sofort, Rapid Transfer, Token.io, and Trustly

Role: Account information service provider (AISP)
Definition: PSP offering a service to provide consolidated information on one or more payment accounts held by the PSU with one or more ASPSPs
Practical examples: Personal financial management providers (e.g., Envestnet Yodlee, Meniga, Strands), and accounting software providers (e.g., Sage, Intuit)

Role: TPP
Definition: PSP providing account information services or payment initiation services
Practical examples: AISPs and PISPs

Source: Aite Group


WHAT ARE THE MAIN CHANGES OF PSD2?

In March 2018, the official journal of the EU published the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication (the RTS).[8] The RTS, developed by the EBA after several rounds of consultation with the payments industry, specify the requirements for the two major areas of change that PSD2 will bring:

• SCA: PSPs must apply multifactor authentication for all electronic transactions unless such transactions qualify as “low risk.”

• Access to the account: ASPSPs must provide TPPs with access to the payment account for the following services:

  • Account information services: TPPs can access balance and transaction information on behalf of their customers.
  • Payment initiation services: TPPs can initiate payments directly from their customers’ bank accounts.
  • Availability of funds check: PSPs that issue cards can check if cardholders have sufficient funds in their bank accounts.

TPPs require the account holder’s consent to access their account. TPPs are only allowed to collect information that is necessary for the execution of the service requested by the customer.

THE SCA REQUIREMENTS

Effective September 2019, PSD2 mandates SCA for the initiation of electronic payments, including (but not limited to) e-commerce transactions. SCA requires the ASPSP to invoke multifactor authentication of its customer. SCA must be based on at least two of the following independent factors that identify the cardholder:

• Knowledge: This is something only the customer knows, such as a password or PIN. Note that the EBA does not consider card data (e.g., card number, CVV, or expiry date) as a knowledge factor.

• Possession: This is something the customer has—for example, a smartphone or hardware token.

• Inherence: This is something the customer “is”—e.g., a biometric factor such as fingerprint or facial recognition. Behavioral biometrics are also recognized by the EBA as valid inherence factors.

8. In June 2018, the EBA provided additional guidance to the market on a number of issues that required clarification. See “Opinion of the European Banking Authority on the Implementation of the RTS on SCA and CSC,” EBA, June 13, 2018, accessed January 14, 2019, https://www.eba.europa.eu/documents/10180/2137845/Opinion+on+the+implementation+of+the+RTS+on+SCA+and+CSC+%28EBA-2018-Op-04%29.pdf.

The authentication must result in the generation of an authentication code that is linked to the amount and the payee, and therefore binds the code uniquely to the transaction (“dynamic linking”). That means, for instance, that methods such as paper-based lists are not compliant.
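One way to build a dynamically linked authentication code, shown as an added example that is not part of the report and is not prescribed by the RTS. It assumes a secret key shared between the bank and the payer's device; the HMAC construction, the 8-digit code length, and all names (`canonical`, `auth_code`, `Verifier`) are illustrative choices.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical(amount, currency, payee, nonce):
    """Encode the transaction unambiguously: every field is length-prefixed,
    so ("AB", "C") and ("A", "BC") can never produce the same byte string."""
    fields = [f"{Decimal(amount):.2f}", currency.upper(), payee, nonce]
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def auth_code(key, amount, currency, payee, nonce, digits=8):
    """Code computed on the payer's device over the details it displays."""
    mac = hmac.new(key, canonical(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


class Verifier:
    """Bank side: remembers what it was asked to execute and checks the code
    against exactly that amount and payee."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # nonce -> (amount, currency, payee)

    def start(self, amount, currency, payee):
        nonce = secrets.token_hex(8)  # fresh per transaction
        self.pending[nonce] = (amount, currency, payee)
        return nonce

    def finish(self, nonce, code):
        tx = self.pending.pop(nonce, None)  # consumed: a code works only once
        if tx is None:
            return False
        expected = auth_code(self.key, *tx, nonce)
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    bank = Verifier(key)

    # Normal flow: the device shows 49.90 EUR to "Bookshop BV" and signs it.
    nonce = bank.start("49.90", "EUR", "Bookshop BV")
    code = auth_code(key, "49.90", "EUR", "Bookshop BV", nonce)
    print("genuine payment accepted:", bank.finish(nonce, code))
    print("same code replayed:      ", bank.finish(nonce, code))

    # The order reaching the bank differs from what the payer approved:
    # the code no longer matches, which a static paper list cannot detect.
    nonce = bank.start("4990.00", "EUR", "Other Payee Ltd")
    code = auth_code(key, "49.90", "EUR", "Bookshop BV", nonce)
    print("altered payment accepted:", bank.finish(nonce, code))
```

A code taken from a pre-printed list is valid for any amount and payee, which is why such lists fail the dynamic linking requirement.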

The RTS specify a number of exemptions for the application of SCA. The implementation of these exemptions will vary by payment method (cards or credit transfers) and by channel (online/remote or physical channels). Table C provides an overview of the exemptions for remote card payments (CNP transactions). The ASPSP is the issuer in this case.

Table C: SCA Exemptions for Online/Remote Card Transactions

SCA exemption: Low-value transactions below 30 euros
Conditions: Cumulative limits in place require SCA when these limits are reached. Issuers have the choice to either challenge every fifth transaction (less than 30 euros) or request SCA if the combined value of several unchallenged transactions goes above 100 euros.
Remarks: The cumulative limits (managed by the issuer) make it difficult for a merchant to predict if the low-value payment exemption will be applied. This exemption doesn’t help much for merchants that sell goods at an average transaction value well above the threshold.

SCA exemption: Recurring transactions
Conditions: Recurring transactions with the same amount and with the same payee can be exempted. PSPs shall apply strong customer authentication when a payer creates, amends, or initiates for the first time.
Remarks: The recurring transaction exemption can come in handy for subscriptions of a fixed amount paid from a card account. However, the exemption does not allow for variable amounts.

SCA exemption: “Whitelisting” by the payer of trusted beneficiaries (merchants)
Conditions: Whitelisting allows payers to inform the issuer that they trust a certain merchant. The request to whitelist the merchant can be offered to the customer with the first payment. SCA is required for the customer’s first payment to the business but not for subsequent payments, with no limit on transaction amount. Whitelisting can only be done under the control of the issuer (not by the merchant or the acquirer). Issuers should limit whitelisting to low-risk merchants (e.g., based on merchant category code and fraud rates), and monitor traffic for whitelisted merchants to detect risk indicators, such as a change of delivery address. In such cases, issuers should invoke SCA.
Remarks: Whitelisting is a vital tool for merchants that offer card-on-file or wallet payment options (card-on-file payment volume constitutes about one-third of all online card payments). However, merchants will depend on issuers to implement the whitelisting exemption.

SCA exemption: Transaction risk analysis (TRA)
Conditions: PSPs can make use of the exemption based on TRA. This exemption allows PSPs to skip SCA under a certain threshold. This threshold depends on the fraud rates of the PSP applying the exemption for the type of transaction (card or credit transfer). For cards, the threshold criteria are as follows:
  • PSP fraud rate below 0.13%: 100 euros
  • PSP fraud rate below 0.06%: 250 euros
  • PSP fraud rate below 0.01%: 500 euros
For instance, an acquirer with a fraud rate between 0.13% and 0.06% will be allowed to exempt all transactions under 100 euros on behalf of its merchants.
Remarks: TRA can be applied by the acquirer (not by the merchant) and/or by the issuer. If the acquirer uses the TRA exemption, it will be liable for the payment in case of fraud. Merchants can contractually agree with the acquirer to share the risk of applying the TRA exemption. The acquirer can then rely on the risk management systems of the merchant.

Source: Aite Group

The SCA requirements legally only apply to intra-EEA transactions. For card payments, this means that both the issuer and the acquirer should be based in the EEA. However, some EEA-based issuers may apply the same rules regardless of merchant location, meaning that “one leg out” transactions (acquirer located outside EEA—for instance, in the U.S.) could trigger SCA, leading to a higher number of challenged transactions.
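The exemption rules of Table C and the intra-EEA scope rule above, written as an issuer-side decision function. This is an added example, not code from the report; the class and field names, the order in which exemptions are tried, and the strict "below" comparison at each limit are assumptions that follow the table's wording.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

LOW_VALUE_LIMIT = Decimal("30")    # per-transaction low-value limit, euros
CUMULATIVE_LIMIT = Decimal("100")  # combined value of unchallenged payments
CHALLENGE_EVERY = 5                # "challenge every fifth transaction"

# (PSP fraud rate must be below this %, exemption threshold in euros)
TRA_TIERS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]


@dataclass
class Payment:
    amount: Decimal
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    payee_whitelisted: bool = False   # payer whitelisted merchant via issuer
    risk_indicator: bool = False      # e.g. changed delivery address
    recurring: bool = False           # same amount, same payee
    first_in_series: bool = False     # series created, amended or first run
    psp_fraud_rate_pct: Optional[Decimal] = None


@dataclass
class LowValueState:
    """Issuer-side counters since the payer's last SCA.
    policy "count": challenge every fifth low-value payment.
    policy "value": challenge once the combined value would exceed 100 euros."""
    policy: str = "count"
    unchallenged: int = 0
    total: Decimal = Decimal("0")

    def allows(self, amount):
        if amount >= LOW_VALUE_LIMIT:
            return False
        if self.policy == "count":
            return self.unchallenged + 1 < CHALLENGE_EVERY
        return self.total + amount <= CUMULATIVE_LIMIT

    def record(self, amount, challenged):
        if challenged:  # a successful SCA resets both counters
            self.unchallenged, self.total = 0, Decimal("0")
        else:
            self.unchallenged += 1
            self.total += amount


def tra_threshold(fraud_rate_pct):
    """Highest amount tier the PSP's fraud rate qualifies for, or None."""
    if fraud_rate_pct is None:
        return None
    for max_rate, limit in TRA_TIERS:
        if fraud_rate_pct < max_rate:
            return limit
    return None


def decide(p, state):
    # One-leg-out: SCA is not legally required (an issuer may still apply it).
    if not (p.issuer_in_eea and p.acquirer_in_eea):
        return "out_of_scope"
    # Whitelisting has no amount limit, but risk indicators void it.
    if p.payee_whitelisted and not p.risk_indicator:
        return "exempt_whitelist"
    if p.recurring and not p.first_in_series:
        return "exempt_recurring"
    if state.allows(p.amount):
        state.record(p.amount, challenged=False)
        return "exempt_low_value"
    limit = tra_threshold(p.psp_fraud_rate_pct)
    if limit is not None and p.amount < limit:
        return "exempt_tra"
    state.record(p.amount, challenged=True)
    return "sca_required"


if __name__ == "__main__":
    state = LowValueState(policy="count")
    for i in range(1, 7):  # six constructed 10-euro payments
        print(i, decide(Payment(Decimal("10")), state))
    print(decide(Payment(Decimal("200"),
                         psp_fraud_rate_pct=Decimal("0.05")), LowValueState()))
```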

ACCESS TO THE ACCOUNT: COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION

PSD2 regulates that TPPs have the right to access the payment account held by ASPSPs for the purpose of providing account information and/or payment initiation services. For that purpose, ASPSPs must provide a secure interface for TPPs to exchange information.

Customer (PSU) consent is required for TPPs to access the account. Consent may be given to the TPP. For instance, consent for the execution of payment may be given via the PISP, and the PISP should pass the consent information to the ASPSP.

The RTS specify two interface options for ASPSPs. They can either offer a dedicated interface or allow the TPP to access the ASPSP’s regular online client portal (e.g., e-banking). Most ASPSPs will realize a dedicated interface through an API.

For banks as ASPSPs, this means that the dedicated interface/API must comply with the obligations specified in the RTS:

• The API must provide the same service level (availability, performance, support) as regular internet banking. Banks must publish quarterly service-level statistics on their websites to show they meet this requirement.

In addition, ASPSPs must provide contingency measures for the case that the API would not work properly—i.e., allow the TPPs access to the regular online client portal. ASPSPs can ask for an exemption from their national regulator to provide the contingency measures if they can show that the API is working properly for at least three months.

• The API must enable the TPP to rely on the authentication procedures of the bank to perform SCA. When a customer requests a service from the TPP and gives it consent to execute, in principle, the TPP can offer three authentication scenarios relying on the bank’s authentication procedure (Figure 2).[9]

• The API should not create “obstacles” for TPPs to deliver their services. The RTS mention the authentication model using redirection as an example of a potential obstacle. The EBA clarifies that “the RTS do not state that redirection per se is an obstacle to AISPs and PISPs providing services to their PSUs. Instead, the RTS state that it ‘may’ be so, if the ASPSP implements it in a manner which is restrictive or obstructive for AISPs or PISPs.”

• This is one of many points in the RTS that may lead to divergence in the view of national regulators. In U.K. Open Banking, for instance, redirection has been the default model (decoupled will be supported as well).

• ASPSPs must provide a testing facility for TPPs to test the API interface by March 14, 2019 (six months before the RTS become effective).

9. The figure represents a simplified flow. For more detailed examples of these authentication flows, see “Authentication (Strong Customer Authentication): Key Topic Clarification for API Standards Initiatives,” API Evaluation Group, accessed January 14, 2019, https://www.europeanpaymentscouncil.eu/sites/default/files/kb/file/2018-05/API%20EG%2030-18%20Authentication%20guidance%20%28SCA%29.pdf.


Figure 2: SCA Models

Source: The Berlin Group

The TPP will be dependent on the bank if it supports the bank’s preferred authentication scenario. A fourth “delegated” scenario does not rely on the bank’s authentication procedure. See Table D for the scenarios with their advantages and challenges.

Table D: Authentication Scenarios Between Banks and TPPs

Scenario: Redirect
Description: The customer is redirected to the bank’s website for authentication and is then redirected to the PISP’s website.
Advantages: Authentication is in full control of the bank. Customer credentials are not shared with the TPP. Customers may be used to redirection, as existing payment methods such as iDeal and Giropay work in this way.
Challenges: Redirection interrupts the experience offered by the TPP, as the customer is redirected to the different (although familiar) bank environments. Redirection is limited to browser technology. It may limit payment innovation—e.g., for point-of-sale use cases.

Scenario: Decoupled
Description: SCA takes place via a dedicated authentication app provided by the bank (e.g., mobile app).
Advantages: Authentication is in full control of the bank. Customer credentials are not shared with the TPP. It allows TPPs to develop new use cases, relying on the bank’s app for authentication.
Challenges: TPP is dependent on the bank’s implementation of the authentication app to complete the customer journey.

Scenario: Embedded
Description: The TPP captures the customer credentials and transmits those securely to the bank, which then authenticates the customer.
Advantages: TPP is in full control of the customer experience.
Challenges: Customer credentials are shared with a TPP, and the bank is liable for any damage toward the customer. The embedded model may also limit the bank’s freedom to roll out new authentication technology (TPPs will need time to implement that too).

Scenario: Delegated
Description: The TPP issues its own credentials and authenticates the customer on behalf of the bank.
Advantages: The TPP can select its own authentication technology and provide a fully consistent service to its customer.
Challenges: The legal status of this model is not entirely clear. In any case, the delegated model will require a contract between the TPP and the bank to allow the former to authenticate the customer.

Source: Aite Group interviews with 20 payment executives, November 2018

API STANDARDIZATION

Most ASPSPs will provide access to their clients’ bank accounts for payment initiation services through an API. There is no standard for these APIs, and it would take a tremendous effort for a PISP to connect to thousands of bank APIs all over Europe. Fortunately, market initiatives are underway to develop common standards, and broad adoption of such standards will be critical to the success of payment initiation services as an alternative payment model. Preferably, a certification process would test new APIs against the standard. There are several initiatives to develop common API standards on a European and national community basis (Table E).

Table E: European API Standards Initiatives

| Name | Scope | Governance | Remarks |
|---|---|---|---|
| Berlin Group NextGenPSD2 framework | European—26 members as of November 2018 | The Berlin Group is open for participation to any bank (ASPSP), banking association, payment association, payment scheme, and interbank processor active in the SEPA payment industry. | NextGenPSD2 offers a framework rather than a standard. Implementation is left to individual companies that can choose to develop APIs that are compliant with the framework. |
| STET | France | STET is a private company owned by French banks. STET is one of the largest European ACH processors. | The STET API is being aligned with the work of the Berlin Group. |
| Open Banking | U.K. | Open Banking Limited is governed by the U.K. Competition and Markets Authority (CMA) and funded by the U.K.’s nine largest banks and building societies (the CMA9). | Open Banking provides a comprehensive API standard as well as the necessary governance to manage the functioning of open banking in the U.K. Open Banking is live. However, the standard has been designed specifically for the U.K. |
| PolishAPI | Poland | The standard of the Polish payment sector is maintained by the Polish banking association, | |
| Slovak Banking API standard | Slovakia | The Slovakian standard is maintained by the Slovak Banking Association. | |

Source: Aite Group, company websites

Banks may choose to work with these standards or develop their own RTS-compliant APIs. The very existence of multiple standards already means that TPPs will have to work with different APIs across Europe. Further complexity is added with the realization that bank implementations of the same standard will differ as well, and the U.K. shows evidence of this.

This means that there is an opportunity for aggregators—technology companies that can offer a single API to PSPs to connect with any bank that the aggregator has integrated with.

IMPACT OF PSD2 ON E-COMMERCE PAYMENTS

PSD2 will affect every business operating on the European payments market, but the most significant impact is expected for e-commerce payments. The following sections address these questions:

• How will merchants and acquirers maintain a convenient and consistent end-user experience in the face of stringent SCA requirements?

• What are the opportunities for payment innovation in e-commerce that PSD2 enables?

MANAGING FRICTION AT THE CHECKOUT

The PSD2 SCA requirements will add more friction to the payment process, in particular for e-commerce. Merchants and their PSPs need to define their strategy to implement the SCA requirements while maintaining a superior user experience for their clients.

The SCA requirements mean that buyers will experience many more stepped-up authentications than they do today. Respondents estimate that, on average, the number of stepped-up authentications will double. This may expose merchants to the risk of cart abandonment and loss of sales if the new process is not properly managed. The question is which tools are available for merchants and acquirers to reduce conversion risk as much as possible (Figure 3).

Figure 3: Measures to Minimize Conversion Risk as a Result of SCA

[Figure: four measures applied to e-commerce transactions]

• Alternative e-payment methods: Offer nonregulated payment methods

• Transaction risk analysis: Apply TRA to filter out low-risk transactions

• SCA exemptions: Filter transactions that are exempted from SCA

• Optimize user experience: Optimize the user experience for transactions that require SCA

Source: Aite Group

OFFER NONREGULATED PAYMENT METHODS

The SCA requirements only apply to electronic payments that are initiated by the payer. Merchants can offer their clients payment options that do not fall under the SCA requirements because they are initiated by the payee (merchant). The most common example is direct debit. Direct debits are popular for recurring transactions such as subscriptions, utility bills, and telecom bills. Direct debits are out of scope of the SCA requirements; SCA is only required when an electronic direct debit mandate must be signed by the customer.

Merchants offering direct debits online for new customers incur a credit risk, because this payment method offers a “no questions asked” refund policy for consumers until eight weeks after the transaction date. For instance, in Germany, the net loss (after representment and collection activity) is estimated at 3 to 5 basis points.

APPLY TRA TO FILTER OUT LOW-RISK TRANSACTIONS

When a payer-initiated payment method is selected—e.g., a card payment or credit transfer—the SCA obligations will apply. This raises the issue of how to mitigate the risk of increased friction in the payment process.

TRA is mentioned by many respondents as an important tool for merchants for that purpose. Many categories of merchants have average transaction values (ATV) well above the low-value payment limit of 30 euros and will require the TRA exemption to raise the threshold of the frictionless flow. Table F shows some examples of ATV by merchant category for the U.K.

Table F: ATV and Share of Total CNP Transactions by Online Merchant Category in the U.K.

| Merchant category | ATV (in euros) | Share of transactions |
|---|---|---|
| Airlines | 299 | 2% |
| Hotels | 225 | 2% |
| Household (furniture, electronics, etc.) | 160 | 2% |
| Utilities | 74 | 1% |
| Supermarkets | 73 | 6% |
| Clothing | 57 | 7% |
| Transportation | 50 | 2% |
| Telecoms | 47 | 2% |
| Restaurants | 25 | 5% |
| Online stores (catalog sales, department stores, etc.) | 24 | 22% |
| Digital entertainment | 20 | 4% |
| Gambling | 18 | 15% |
| Other | - | 30% |

Source: Aite Group analysis of UK Finance data

With TRA, the risk of a particular transaction is assessed in real time to spot abnormal spending or behavioral patterns, changes in the user’s device, suspected location of the payer and/or the payee, and other criteria. The application of the TRA exemption depends on the average fraud rate of the PSP. Respondents believe that the average fraud rate of many acquirers is well above the lowest threshold of 13 basis points (Table C). Given the strategic relevance of a smooth customer experience for merchants to drive conversion, PSPs that may apply the TRA exemption for the higher thresholds will be in demand.

Strategies for PSPs to improve reported fraud rates and stay competitive follow:

• Deploy new technology: As a result of the SCA requirements, the average risk on CNP transactions is expected to decrease significantly (which was, of course, the whole idea of the directive). PSPs may be able to meet the lower exemption rates (and higher amount thresholds) by deploying advanced fraud prevention and detection systems. Respondents have different opinions on this matter—some believing that the threshold of 250 euros (or even 500 euros) could be reached and others doubting that the fraud rates could be improved to this extent.

• Rebalance the merchant portfolio: PSPs may offer incentives to large merchants that have a low-risk profile to reduce the average fraud rate. Such merchants may be looking for pricing discounts from acquirers to turn their low-risk profiles to their own advantage.

• Create separate entities: PSPs may decide to create separate entities for low-risk and high-risk merchant portfolios. This would enable them to meet the highest TRA thresholds for the low-risk portfolio. The organizational impact of such a split would be substantial, however, and it would also require a second payment license for the newly created unit. It remains to be seen if the business case can be made.

FILTER TRANSACTIONS THAT ARE EXEMPT FROM SCA

PSPs can make use of the other exemptions (next to the TRA exemption) offered by the RTS, such as the low-value payment exemption or the exemption of recurring payments of a fixed amount (Table C).

The trusted beneficiaries (whitelisting) exemption deserves special mention. This option is important for merchants that depend on card-on-file payments. Whitelisting is also an option for recurring card payments for a variable amount.

However, the whitelisting exemption can only be applied by the issuer. Market reality is that whitelisting may not be supported by a majority of issuers, at least not by September 2019, for the following reasons:

• For many issuers, minimal compliance with PSD2 is the priority. Whitelisting and other exemptions are being viewed as “nice to haves” that are not part of the current projects.

• Issuers may decide not to apply the exemptions when they believe that customers feel more comfortable if SCA is always applied and get used to the experience. This view is quite common, for instance, in the Nordics. The availability in these markets of a mobile-friendly, interoperable authentication solution helps to overcome the potential friction in the payment process.

This means that merchants cannot rely on a consistent implementation of the whitelisting exemption across all markets. The card networks are pushing to get whitelisting on the issuers’ agenda. Visa has announced a solution to enable merchant whitelisting.10 Mastercard “strongly recommends issuers to support (the whitelisting) exemption, given the improved cardholder experience and potential for increased volumes.” 11
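The filters described in the TRA and exemption sections above can be combined into one pre-check that a PSP runs before deciding whether to challenge the payer. The Python sketch below is an added example, not code from the report or from any PSP; the 30-euro limit, the 13-basis-point rate, and the Table F figures come from the report, while the 6 and 1 basis-point bands, the 100-euro ceiling, and the low-value counters are taken from the RTS, and all class, field, and function names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# TRA bands for remote card payments: (reference fraud rate in basis points,
# highest exemptible amount in euros). 13 bp is the band the report cites; the
# 6 bp and 1 bp bands and the 100-euro ceiling are taken from the RTS.
TRA_BANDS = ((Decimal("1"), 500), (Decimal("6"), 250), (Decimal("13"), 100))

LOW_VALUE_EUR = 30          # low-value payment limit named in the report
LOW_VALUE_CUMULATIVE = 100  # RTS counter: euros spent since the last SCA
LOW_VALUE_COUNT = 5         # RTS counter: payments since the last SCA

# Table F of the report: (category, ATV in euros, share of CNP transactions, %).
TABLE_F = (
    ("Airlines", 299, 2), ("Hotels", 225, 2), ("Household", 160, 2),
    ("Utilities", 74, 1), ("Supermarkets", 73, 6), ("Clothing", 57, 7),
    ("Transportation", 50, 2), ("Telecoms", 47, 2), ("Restaurants", 25, 5),
    ("Online stores", 24, 22), ("Digital entertainment", 20, 4),
    ("Gambling", 18, 15),
)


@dataclass(frozen=True)
class Payment:
    """Hypothetical view of one payment as the PSP's risk engine sees it."""
    amount: Decimal
    payee_initiated: bool = False            # e.g., direct debit collection
    recurring_fixed_followup: bool = False   # later payment in a fixed series
    payee_whitelisted: bool = False          # payer marked merchant as trusted
    issuer_supports_whitelist: bool = False  # only the issuer can apply it
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    risk_signals: tuple = ()                 # e.g., ("new_device",)


def tra_ceiling(fraud_rate_bps):
    """Highest amount (euros) a PSP with this fraud rate may exempt via TRA."""
    rate = Decimal(str(fraud_rate_bps))
    for reference_bps, ceiling in TRA_BANDS:
        if rate <= reference_bps:
            return ceiling
    return 0  # above 13 bp: no TRA exemption at all


def sca_decision(payment, psp_fraud_rate_bps):
    """Return the first filter that applies, or 'sca_required'."""
    if payment.payee_initiated:
        return "out_of_scope"
    # Conservative reading: enforce both RTS counters, current payment included.
    if (payment.amount <= LOW_VALUE_EUR
            and payment.spent_since_sca + payment.amount <= LOW_VALUE_CUMULATIVE
            and payment.count_since_sca < LOW_VALUE_COUNT):
        return "exempt_low_value"
    if payment.recurring_fixed_followup:
        return "exempt_recurring"
    if payment.payee_whitelisted and payment.issuer_supports_whitelist:
        return "exempt_trusted_beneficiary"
    # TRA needs a clean real-time assessment and an amount within the PSP's band.
    if not payment.risk_signals and payment.amount <= tra_ceiling(psp_fraud_rate_bps):
        return "exempt_tra"
    return "sca_required"


def tra_coverage(fraud_rate_bps):
    """Table F categories whose ATV fits under the PSP's TRA ceiling.

    ATV is an average, so the summed share is a rough indicator only.
    """
    ceiling = tra_ceiling(fraud_rate_bps)
    hits = [(name, share) for name, atv, share in TABLE_F if atv <= ceiling]
    return [name for name, _ in hits], sum(share for _, share in hits)


if __name__ == "__main__":
    for bps in (20, 13, 6, 1):
        names, share = tra_coverage(bps)
        print(f"{bps:>2} bp -> ceiling {tra_ceiling(bps):>3} EUR, "
              f"{len(names)} categories, ~{share}% of CNP transactions")
    hotel = Payment(amount=Decimal("225"))
    print(sca_decision(hotel, 13), sca_decision(hotel, 6))
```

A PSP above 13 basis points gets no TRA coverage at all, so only the low-value, recurring, and whitelisting filters remain for its merchants.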

OPTIMIZE THE USER EXPERIENCE FOR TRANSACTIONS THAT REQUIRE SCA

Even after applying the filters mentioned before, a large number of transactions will require stepped-up authentication. When implemented badly, SCA can introduce friction in the checkout process that impacts conversion in a negative way. But merchants have several measures at their disposal that will mitigate this risk.

PAY-LATER METHODS

Increasingly, merchants offer their customers the option to defer payment. They will send an invoice (e.g., via email) with a request to pay after delivery. This is convenient for customers, as they can choose the moment of payment at their leisure and check the delivery of the goods ordered before paying. Of course, SCA will still be required when the customer initiates the payment, but the control of the customer over when, where, and how to pay will make an SCA challenge less intrusive for them. Pay-later methods can contribute to higher client satisfaction and increased conversion.

The downside of pay-later methods is that merchants incur a credit risk. PSPs could offer value-added services to help merchants manage the credit risk associated with such payment methods.

Also, online consumer lending at the moment of purchase has emerged in the past decade as a way to facilitate payment at the point of sale. The consumer is offered a loan instantly using minimal customer data, based on alternative credit decisioning software. Lending at the moment of purchase reduces friction and drives sales.12

10. Mark Nelsen, “Delivering a Secure and Seamless Customer Experience,” Visa Vision, September 11, 2018, accessed January 14, 2019, https://vision.visaeurope.com/blogs/delivering-a-secure-and-seamless-customer-experience.

11. “Strong Customer Authentication and PSD2: How to Adapt to New Regulation in Europe,” January 18, 2018, accessed January 14, 2019, https://newsroom.mastercard.com/eu/files/2018/02/Security-Matters-Authentication-under-PSD2-and-SCA-Mastercard-White-Paper.pdf.

12. See Aite Group’s report Lending at the Moment of Purchase: The Online/Mobile Opportunity, August 2018.

3-D SECURE 2.0 FOR CARD PAYMENTS

Right on time, the payments industry has delivered a new version of the 3-D Secure (3DS) protocol for remote card payments. This new protocol is commonly called (EMV) 3DS 2.0 to mark the major upgrade compared to the earlier versions of the protocol (3D Secure 1.0).13

3DS 2.0 provides the framework to implement the SCA requirements for card payments. It enables issuers to make more informed decisions based on data provided by merchants and acquirers. 3DS is a globally defined common standard across card networks, although all have their separately branded programs and rule structures (e.g., Verified by Visa, Mastercard Identity Check).

The key differences between 3DS 1.0 and 3DS 2.0 are summarized in Figure 4 and are further elaborated below.14

Figure 4: Differences Between 3DS 1.0 and 3DS 2.0

Source: Aite Group

13. “EMV 3-D Secure Specification,” EMVCo, accessed January 14, 2019, https://www.emvco.com/media-centre/emv-3ds-press-kit.

14. See Aite Group’s report 3-D Secure 2.0: Key Considerations for Card Issuers, February 2018.

• Sophisticated authenticators: 3DS 2.0 enables the use of modern authenticators such as biometrics and one-time passwords.

• Mobile enabled: 3DS 2.0 is capable of seamlessly integrating with mobile apps as well as browser-based environments. This allows for integration with mobile authentication solutions, including issuer-provided solutions and third-party-provided solutions such as .

• No enrollment required: 3DS 2.0 eliminates the requirement that consumers actively enroll.

• Merchant opt-out: Many merchants would like the ability to turn on 3DS in nonchallenge mode so that they can feed those results into their own risk models and use them to inform their own approve/decline decisions (understanding that they wouldn’t benefit from the liability shift). 3DS 2.0 provides this ability. However, this opt-out is not possible under the SCA rules of PSD2.

• Additional use cases: 3DS 2.0 supports additional use cases next to payments, such as account verification and token provisioning.

• Enriched dataset: 3DS 1.0 supports 15 data elements. The 3DS 2.0 dataset has significantly expanded with more than 150 data elements. The richer dataset exchanged in the new protocol enables issuers to make more informed decisions based on data provided by merchants and acquirers. This will improve fraud detection and reduce false declines.

From April 2019, the card networks have announced a liability shift for 3DS 2.0. This means that merchants that are early adopters of 3DS 2.0 will receive chargeback protection, providing a strong incentive to migrate.

Although live data are not yet available, the market recognizes the promise of 3DS 2.0. Research by Aite Group and Mobey Forum shows that almost half of payment executives view 3DS 2.0 as having high or very high potential to provide a better balance between security and a frictionless payment experience (Figure 5).

Figure 5: Market Assessment of 3DS 2.0

Q. How much potential do you see in 3DS 2.0 to provide a better balance than the original 3DS 1.0 between proper security and frictionless user experience in m-commerce payments? (n=66)

• Very high potential: 17%

• High potential: 29%

• Moderate potential: 24%

• Some potential: 15%

• No potential: 1%

• Don’t know: 14%

Source: Aite Group and Mobey Forum online survey of 76 executives, November 2017

BIOMETRIC AUTHENTICATION

3DS 2.0 enables biometric authentication, which is widely considered as the way forward in user-friendly authentication solutions. Consumers are already used to fingerprint or voice technologies to authenticate themselves on their smartphones, and banks are widely rolling out authenticators that support biometrics.

The card networks mandate the support of biometric authentication by card issuers. A summary of the key milestone dates is provided in Figure 6.

Figure 6: European Milestone Dates

[Timeline, 2019 to 2021, with four numbered milestones]

1. April 2019

• Mastercard/Visa liability shift, introducing chargeback protection for merchants using 3DS 2.0

• Mastercard requires European issuers (except Central and Eastern Europe (CEE)) to support 3DS 2.0

• Mastercard requires European issuers (except CEE) to offer biometric authentication

• Mastercard requires European acquirers (except CEE) to ensure that online merchants support 3DS 2.0

2. September 2019

• All banks in the EEA must comply with the PSD2 SCA requirements

• Mastercard requires issuers in the CEE to support 3DS 2.0

• Mastercard requires issuers in CEE countries to offer biometric authentication

• Mastercard requires acquirers in the CEE to ensure that online merchants support 3DS 2.0

3. April 2020 (expected)

• Visa will mandate European issuers to offer biometric authentication

4. Starting April 2019

• Visa will mandate support of 3DS 2.0 for online merchants on a market-by-market basis

Source: EBA, Mastercard, Visa, and Aite Group

IS THE MARKET READY FOR SCA?

Sufficient tools are available in the market to mitigate the risk of a deterioration of the consumer experience in e-commerce due to the PSD2 SCA requirements. However, the issue is a lack of orchestration of the PSD2 implementation around Europe. Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate.

Another issue is market awareness of the SCA requirements. Mastercard recently conducted a quantitative survey among European merchants to understand to what extent small and midsize e-commerce merchants are aware of and prepared for PSD2’s SCA requirements.15 The results indicate that awareness is low, particularly among small merchants:

15. Mastercard shared preliminary results with Aite Group for this report. The survey was executed from September to November 2018. By November 21, 2018, the survey had collected 327 responses from merchants in 17 countries.

• Only 25% of European online merchants are aware of SCA requirements under PSD2. Awareness is twice as high among merchants that have more than 500 transactions per month (40%) compared to those with fewer than 500 transactions per month (20%)—possibly a function of higher importance of cards for their online business.

• Of those merchants that are aware of SCA requirements and PSD2, only 10% were informed about it by their acquirers. Forty-four percent were informed by their PSP (payment gateway provider) and 37% via the internet.

• Only 14% of European online merchants already support SCA, while another 28% mention that SCA will be ready in September 2019. Twenty-four percent of European online merchants interviewed have no plans (yet) to support it.

• The majority of online merchants are not aware of the challenges the new European legislation may pose to their business.

• European online merchants have a preference for receiving further information through their PSP (32%) and by email (31%), less so via banks (18%). Thirteen percent of European online merchants believe that they don’t need any further information on PSD2.

This is a call to action for acquirers and PSPs to step up their communication and realize a smooth transition to the SCA requirements.

OPEN BANKING: BETWEEN HYPE AND REALITY

PSD2 provides an opportunity for TPPs to experiment and develop innovative services in several areas of the business, generally referred to as open banking. Examples of open banking applications are the following:

• Personal financial management: TPPs can collect balance and transaction information through account information services on a multibank basis. This information can be used to provide customers with detailed insights into their personal finances, spending behavior, savings opportunities, and so on.

• Credit scoring and lending: TPPs can use account information services to develop a credit score on the customer that is based on recent transactional data. Such a service will give lenders more certainty about the identity and credit status of the customer, and allow for easier and faster access to consumer loans.

• Loyalty: Retailers can use their customers’ transaction data to make better offers.

• Decoupled debit: PSPs that issue cards can check the availability of funds on their customers’ accounts before executing the payment. This facilitates the issuance of debit cards by issuers that do not own the account relationship, including large retailers.

• New payment methods: TPPs can use payment initiation services to develop account-based payment services that compete with cards.

All of this is not new, however. PSPs are already active in Europe, providing account information and payment initiation services. The difference is that PSD2 now regulates the rights and obligations of the TPP as a regulated PSP.

THE TESTING GROUND: OPEN BANKING IN THE U.K.

The U.K. is ahead of the game in open banking. Following an investigation in retail banking, the CMA concluded that the U.K. banking market was not competitive enough. As one of the remedies, the Open Banking Implementation Entity (OBIE) was set up in September 2016 as a separate entity to develop the API standards and manage the transition to open banking. Since September 2018, the nine largest U.K. banks (CMA9) are live for account information services and payment initiation services.

Respondents for this survey involved in U.K. banking found that, so far, take-up of open banking by TPPs has been slow, or even disappointing. This assessment is confirmed by the figures published by OBIE, which show that no more than six TPPs are live with customers. Token.io was the first PISP to initiate a payment transaction.16

16. “Open Banking September Highlights,” Open Banking Ltd, October 1, 2018, accessed January 14, 2019, https://www.openbanking.org.uk/about-us/news/open-banking-september-highlights.

TPP respondents point at a number of issues with the implementation of open banking, in particular the customer journey. This is confirmed by performance metrics on open banking APIs as published by Credit Kudos (credit bureau active as AISP with all nine CMA9 banks). The dashboard shows that the total processing time for a data request varies considerably among banks, with the fastest bank taking less than 25 seconds and the slowest bank taking close to 100 seconds to complete.17

But it is still early days, and the implementation of open banking within a period of two years can, in fact, be considered a great achievement. The OBIE continues to work closely with the industry to resolve the issues. At least the U.K. has the central governance in place to identify the issues and coordinate the required activities to resolve those.

THE PROMISE OF OPEN BANKING FOR PAYMENTS

The payment initiation models enabled by PSD2 hold a lot of promise for e-commerce payments, particularly in combination with RTP payment clearing rails that are rolled out all over Europe.18 PISPs would be able to offer merchants a service that seems to beat existing card solutions because of service and price. The advantages of payment initiation services follow:

• Faster settlement of funds: The PISP can initiate payments directly from the consumer’s account and expect these payments to clear in real time using the RTP rails. Although merchants would not require (or even wish) to receive each individual payment, the funds could, for instance, be received at the end of the same business day. This provides the merchant with improved liquidity and working capital.

• Irrevocable payments: All payments will be fully authenticated by the customer and authorized by the bank, making payments irrevocable (no chargebacks for unauthorized payments). PISPs could still offer buyer protection and dispute resolution to give consumers peace of mind when shopping online.

• Lower fees: As PISPs do not use the card rails, they save on interchange costs and card scheme fees. And given the low risk of such transactions, PISPs can offer competitive pricing to merchants.

The University of Regensburg (Germany) published an interesting study about the cost of payment methods in Germany (Figure 7).19

17. “Credit Kudos Open Banking Performance Tracker,” Credit Kudos, accessed January 14, 2019, https://p.datadoghq.com/sb/b4d6cd609-4120e34513defb37820e67a57868bc50.

18. For instance, see “InstaPay Tracker,” InstaPay, accessed January 14, 2019, https://www.instapay.today/tracker/#.

19. “Gesamtkosten von Zahlungsverfahren im E-Commerce: Ergebnisse zu den Kosten von Kreditkarten nach der MIF-Verordnung,” IBI research, November 2016, accessed January 14, 2019, https://www.ecommerce-leitfaden.de/studien/item/gesamtkosten-von-zahlungsverfahren-im-e-commerce-august-2016-ergebnisse-zu-den-kosten-von-kreditkarten-nach-der-mif-verordnung.

Figure 7: Cost of Payment Methods in Germany

[Bar chart: Average Cost of Payment Methods in Germany as a Percentage of Turnover (axis 0% to 9%), split into direct cost, indirect cost, and total cost, for pay later, pay later (secured), pay on delivery, PayPal, credit card, direct debit, direct debit (secured), pay before, and Sofort Überweisung.]

Source: IBI Research

This study indicated that the total cost of Sofort, a popular payment method in that market, is the lowest of all online payment methods. Sofort (now owned by Klarna) is providing payment initiation services in many markets in Europe, including Germany. It is a real-time bank transfer payment method that shoppers can use to transfer funds directly to merchants from their bank accounts.20 The direct cost of Sofort (the merchant service fee) already compares favorably with card payments or PayPal pricing. But taking into account the indirect costs, such as credit checks, delayed receipt of funds, exception handling, collections, and chargeback handling, it turns out that the total cost of Sofort is the lowest of all payment methods—even more efficient than receiving the money upfront before delivery (pay before delivery, German “vorkasse”) or direct debit. However, Sofort does not yet belong to the most popular payment methods in Germany. Pay later (on invoice), PayPal, and direct debit are the most popular among consumers.21

Sofort (branded Klarna Pay Now in other markets) is available in 12 EEA countries as well as in Switzerland. Competitors with a comparable product are Trustly (29 markets) and Group’s Rapid Transfer (15 markets). These companies are growing quickly and have an established presence in countries such as Germany and Austria. Still, the market share of these PISPs is modest compared to the bank-owned schemes that exist in these countries (see the next section).

PSD2 may accelerate the development of similar payment models. Respondents expect that some of the largest online merchants will start their own PISP. But a number of factors will hinder the adoption of payment initiation services from both the demand and the supply side—how to change established consumer payment preferences and how to develop a consistent offering in a fragmented European market.

20. For instance, see “About Sofort and Pay now,” Worldpay, accessed January 31, 2019, http://support.worldpay.com/support/kb/gg/alternativepayments/content/sofortbanking.htm.

21. “ECC Payment Studie Vol. 22: Management Summary,” ECC, March 2018, accessed January 14, 2019, https://www.ifhkoeln.de/nc/downloadbereich/?tx_hmifhdownloads_registration%5Baction%5D=create&tx_hmifhdownloads_registration%5Bcontroller%5D=Registration&cHash=f7fa31442a895d31cf813ef26d3fab7a.

CUSTOMER PAYMENT PREFERENCES: HARD TO CHANGE

Each country in Europe has its own payment culture. For online payments, cards are the most popular, but account-based payments dominate in a number of markets too (Figure 8).

Figure 8: Dominant Online Payment Cultures in the EEA

[Figure legend: bank transfer, card payment, other]

Source: Aite Group, central banks, and PSP websites

Card payments dominate in the Nordics (except Finland), the U.K., Ireland, Belgium, France, Spain, and Italy. In Portugal, the most popular payment method is Multibanco, an ATM network that is widely used by Portuguese consumers for making payments. In Eastern Europe, cash on delivery is still widely used.

Payment by bank transfer is most popular in Austria, Estonia, Finland, Germany, Latvia, the Netherlands, and Poland. Adoption of payment initiation services could go faster in these markets, as customers are used to paying by bank transfer or other account-based payment methods.


At the same time, existing online banking e-payment (OBeP) schemes in these countries are strong competitors for PISPs. Examples of popular OBeP schemes are Pay by Link in Poland (estimated 75% market share in e-commerce), iDeal in the Netherlands (56% market share), Verkkopankki in Finland (40% market share), Giropay in Germany (16% market share), and EPS in Austria (about 15% to 20% market share). OBeP works as follows:

• The customer selects the OBeP brand (e.g., iDeal) on the online merchant’s checkout page.

• The customer then selects his or her bank and is redirected to that bank’s e-banking portal to authorize the payment.

• After authorization, the merchant receives a notification that the payment has been completed, which serves as a payment guarantee under the scheme. The bank then initiates a credit transfer to transfer the funds to the merchant.

It should be noted that OBeP schemes are not PISPs. OBeP is an overlay service that links the merchant to the bank’s regular e-banking portal, but it is not a regulated PSP.

Local payment culture is an inhibitor to the development of payment initiation services in Europe. PISPs will face strong competition from existing payment methods, which can be cards, OBeP, or other methods. PISP offerings can be attractive to merchants, but they need to provide strong incentives to their customers to make them change their payment preferences.

THE RISK OF FRAGMENTATION FOR OPEN BANKING

Contrary to the situation with Open Banking in the U.K., there is no centrally governed program to implement the PSD2 requirements across Europe. The Euro Retail Payments Board has reported on “a common set of technical, operational and business requirements for the development of an integrated market for payment initiation services,” but the implementation was left to market forces.[22] It is not difficult to see that this lack of governance will lead to fragmentation and a lack of standardization that will hinder the development of such services in Europe.

The card schemes have developed the global brands and acceptance networks that allow consumers and businesses to pay in a convenient and secure way all around the globe. Governance, scheme rules, customer rights and obligations, and standards are documented in detail for any jurisdiction, and the rules have been tested in practice for every possible business situation. Such a scheme is clearly missing for payment initiation services. Multiple initiatives may go to market, each offering a different user experience, thus creating confusion and slowing down adoption. PISPs will also be challenged to provide a consistent user experience to their customers, as they have to deal with API interface specifications, interpretations of the RTS requirements, and service levels that are different for each ASPSP. It is true that PISPs that are already active in the market, such as Sofort and Trustly, have learned to deal with such differences. One respondent likens payment initiation services to rocket science, stressing the complexity of the bank integrations to provide a consistent and user-friendly offering.

22. “Final Report of the ERPB Working Group on Payment Initiation Services,” Euro Retail Payments Board, November 29, 2017, accessed January 14, 2019, https://www.ecb.europa.eu/paym/retpaym/shared/pdf/8th-ERPB-meeting/PIS_working_group_report.pdf?483e4d28242cd84322850a01e549d116.

Compare this with the situation for card payments. The card networks have already included the SCA requirements into their rule books, and they are providing detailed guidance for scheme participants to facilitate the transition to the world of PSD2.

The card networks can leverage their expertise, brand, and network to develop new services fit for the EU market that can compete with the new PSD2 payment initiation models. They should be agnostic of the payment rails (cards, ACH, instant payments) on which these services operate.

The conclusion is that account-based payment methods using payment initiation services will not form a threat to card-based payments in the short to medium term, say within the next five years. It is not yet clear how a consistent, user-friendly offering that is attractive enough for consumers to change their payment preferences can be developed for the European market.


CONCLUSION

PSPs (banks and other providers of payment services):

• PSPs are strongly recommended to implement the SCA exemptions allowed by PSD2, particularly the whitelisting and TRA exemptions. This will help merchants to support a convenient user experience for their customers and reduce the risk of cart abandonment.

• Given the strategic relevance of a smooth customer experience for merchants to drive conversion, PSPs that may apply the TRA exemption for the higher thresholds will be in high demand. There are different strategies for PSPs to improve reported fraud rates and stay competitive.

• Acquirers and PSPs should step up their communication efforts to inform small to midsize merchants about the SCA requirements.

• PSD2 provides an opportunity for TPPs to develop innovative services in several areas of the business, including personal financial management, credit scoring and lending, loyalty, third-party card issuing, and new payment methods.

• TPPs can make use of aggregators to connect to different banks with a single API. This reduces the complexity of working with different API standards and implementations across Europe.

Merchants:

• Online merchants need to prepare for PSD2 and assess the impact of the SCA requirements on the customer journey. Migration to 3DS 2.0 is a key tool for card payments to become compliant and benefit from the liability shift starting April 2019.

• PISP offerings can be attractive to merchants, but they need to provide incentives to their customers to make them change their payment preferences.

Card networks:

• The card networks can leverage their expertise, brand, and network to develop new services fit for the EU market that can compete with the new PSD2 payment initiation models. They should be agnostic of the payment rails (cards, ACH, instant payments) on which these services operate.


RELATED AITE GROUP RESEARCH

European Acquiring: Opportunities and Challenges, September 2018.

Global Consumers’ Authentication Preferences: Have Your Cake and Eat It Too, September 2018.

3-D Secure 2.0: Key Considerations for Card Issuers, February 2018.

The Strategic Importance of Merchant Payment Management, February 2018.


ABOUT AITE GROUP

Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide. We partner with our clients, revealing their blind spots and delivering insights to make their businesses smarter and stronger. Visit us on the web and connect with us on Twitter and LinkedIn.

AUTHOR INFORMATION

Ron van Wezel
+31.6.3629.6515
[email protected]

CONTACT

For more information on research and consulting services, please contact:

Aite Group Sales
+1.617.338.6050
[email protected]

For all press and conference inquiries, please contact:

Aite Group PR
+1.617.398.5048
[email protected]

For all other inquiries, please contact:

[email protected]


ABOUT IOVATION

iovation, a TransUnion Company, was founded with a simple guiding mission: to make the internet a safer place for people to conduct business. Since 2004, the company has been delivering against that goal, helping brands protect and engage their customers, and keeping them secure in the complex digital world. Armed with the world’s largest and most precise database of reputation insights and cryptographically secure multifactor authentication methods, iovation safeguards tens of millions of digital transactions each day.

For all press and conference inquiries, please contact:

iovation
+1 (503) 224-6010
[email protected]
