PSD2 RTS - Regulatory Technical Standards for 2nd Payment Security Directive

PSD2 RTS – what are technical guidelines for new EU Directive?

The final shape of the Regulatory Technical Standards, regarding the PSD2 Directive, shall be published in November this year. This will give banks and other stakeholders another 18 months to implement those guidelines. The future of banking is right on the way.

The financial crisis of 2008 gave reasons to introduce a number of new EU laws, concerning aspects such as the security of payment infrastructure, digital identification and authorisation, supervision and risk analysis, terms and conditions related to financial services. New regulations are constantly imposed, which generates large expenses for the interested parties. Maintaining the compliance of the IT infrastructure with the existing laws and regulations, is a constant and costly process for many organisations.

Despite the fact that the adoption rate for new technologies in the financial sector is on the rise, banks seem to have problems keeping up with constant digitisation. Since they are an important link in the global economic chain, the PSD2 Directive aims at forcing them to open up and adapt at a faster pace.

User-oriented economy

As a result of this EU move, IT infrastructure of financial organisations will be forced to evolve. But, the directive is about more than that, namely stimulate innovation, thus increasing competition on the market. These days, we can already see that the entire market focuses on end users, their comfort, security and customer service quality. By enacting new Directive, European Parliament is creating a new standard that will determine the functioning of the entire global financial market.

PSD2 is not the only law promoting openness in the financial sector. In the United Kingdom, banks are currently adopting new guidelines, included in Open Banking Standard, enacted in 2015.

The overarching goals of the PSD2 Directive are to ensure the proper security of the financial system, as well as unify the rules for all units, involved in the process. What is additionally important, is the principle stating that, all the players should learn to cooperate and understand that they can develop more innovative solutions as collaborating partners. This is going to bring benefits for the whole market, and especially for users and consumers.

In December 2016, the European Banking Authority (EBA) published the Discussion Paper, document presenting the project of new directive. It went under public debate. EBA distributed the document during numerous conferences in the European Union in order to gather the largest possible number of opinions and guidelines from the interested units and stakeholders.

The industry reacted with a record number of responses to the DP, regarding around 300 issues and request for clarification, sometimes even conflicting ones. For the financial sector, PSD2 turned out to be one of the most widely discussed and interesting issues in recent history.

A directive is a legislative tool of the European Union, the main goal of which is to present goals and general conditions of a change. The adoption of the law in the Member States takes place with taking the local legal circumstances into consideration – Habte Woldu, founder and CEO of Inteca explained. The dates may not be different to those imposed by the EU authorities; however, the timeframes of the directives give the Member States a chance to adapt at an individual pace and to provide guidelines regarding their implementation in their own legal system. In the case of PSD2, the pace of implementation will be directly correlated to the economic growth. The aim of this great directive is to stimulate the market and only those, who take good starting positions will succeed in this race.

Updated regulatory document, titled Final drafts RTS on SCA and CSC under PSD2 contains a result of difficult compromises after the public debate on the principles of the directive, published in the DP. The latest version of the RTS contains improvements regarding better security, support for competition, as well as ensuring neutrality – both competitive and for the business models. This version of the document emphasises the overarching goal of integrating payments in the European Union, and to better protect the customers, thus increasing the innovative potential of the entire market and maximise the convenience for end customers.

The final shape of the RTS guidelines will be presented to the European Commission pending approval, then the Parliament will analyse it and finally send to be published in the Official Journal of the European Union. 20 days later, it will enter into force. The adoption of these guidelines in each of the Member States, will follow after locally enacted laws. The financial institutions have time until 2019 or 2020 (depending on potential delays with publishing the RTS) to adapt their infrastructure.

However, they may start even now. Though there might still be some insignificant changes in the technical specifications, the overall message will stay the same – the infrastructure of banks needs to be opened. Quite a short time, required to implement APIs and other solutions mandated by the act, matters too.

The growing need for user-oriented regulatory frameworks

PSD2 comes into the big picture when the market of modern financial services is already well-developed – to the point, when it requires regulation, mostly in order to ensure the security and comfort of their users. The directive aims to protect our money, since we are dealing with hundreds of millions of euros, transferred every day between accounts in Europe and around the world. Growing volume of transactions and various services providers, results in increasing  number of possible attack and fraud factors.

RTS were prepared by EBA in close collaboration with the EBC (European Banking Commision). The document contains a detailed specification of requirements related to SCA – Strong Customer Authentication – and permitted exceptions from it.

RTS also describes requirements for security measures, stated to protect the privacy and integrity of payment service users’ security clearances, as well as requirements concerning Common Standards of Communication (CSC) between all Third Party Providers (TPP), defined in the Directive: ASPSPs – Account Servicing Payment Service Providers, PISPs – Payment Initiation Service Providers, AISPs – Account Information Service Providers, payers, recipients and other PSPs – Payment Service Providers.

 Read more:  Open API and open banking – 7 product ideas

RTS under PSD2 – the most important groups:

1. Minimum ranges and solutions’ technological neutrality
– with this guidelines, the principles of the Directive will remain universal for years to come. And while proposing already existing, available and open solutions for compliance, gives chance for parties to adapt quicker.

2. Exceptions regarding the use of strong authentication
– in the specific cases, where the risk of fraud involved is low, RTS allow using less rigorous verification methods and describes these methods.

3. The conditions for accessing bank accounts by TPP and communication standards between market participants
– their detailed definition aims to ensure efficient communication and information flow, while demanding a high level of transaction analytics and automation in order to reduce the risk of fraud.

Members of Inteca team have fix a document, describing the technical guidelines simplier. With this knowledge, you can be complaint faster!