By: Shrey Narayan, Senior Consultant, LTI

Europe is about to undergo a massive shift that will fundamentally change the business and the payments landscape. It’s also likely to give an unexpected boost to digital and innovative models of IT and business platforms through various facets of this massive change. This biggest disruptor is Revised Payment Service Directive (PSD2).

While discussing on the various aspects of PSD2 with one of my colleagues, a thought came to my mind- “what exactly is the real intention and the motive of this revised directive-Is this just a directive due to which one has to upgrade the existing system in place, or one has to think out-of-the-box to create new systems in place. Is it telling us to figure out, how new payment systems can be thought of and look like”.

This thought provoked me to look into the implied narrative. While doing so, somehow, I was able to relate the same implied mechanism or the narrative, which is present in Distributed Ledger Technology (DLT)-based platforms as well. I was somehow able to see the convergence point of PSD2 and DLT-based platforms. In fact, the timing is also appropriate as DLT-based platforms are also making their presence felt worldwide.

So what exactly is this so-called ‘Biggest–Payment-Disruptor’ all about?

Emergence of Revised Payment Service Directive (PSD2)

It all started in 2007, when Payment Services Directive (PSD) was proposed, with the goal to create a single market for payments in the EU and EEA. It simplified payment processing, and created the rules and regulations for payment services in this geography.

The PSD provided the legal framework within which all payment service providers must operate. The regulations brought great benefits to the European economy. This includes quicker payments throughout the EU, more transparency and information for consumers, strengthened refund rights, and more.

In 2013, the European Commission published a proposal for the revised version of the Payment Services Directive, known as PSD2.

Main objectives of PSD2:

• Enhance the prerequisites for a single, efficient European payments market for retail payment transactions, and contribute to a more integrated and efficient European payments market, reducing market deficiencies, exemptions and creating the prerequisites for the digitization of the payments industry.
• Improve the level playing field for all payment service providers (including new players) and, consequently, encourage competition, as well as build the foundation for equal opportunities of all payment service providers.
• Increase the scope of directive by including not yet regulated payment service providers, not yet regulated transactions and reducing exemptions.
• Increase customer protection as well as security and safety of payments, by means of increasing transparency, efficiency and security of retail payments (e.g., stricter authentication mechanisms), as well as allocating obligations and liabilities to the involved stakeholders.
• Reduce the overall costs in the payments value chain, especially by increasing competition, encouraging lower prices for customers and setting baselines.

What has changed in PSD2? – Customer is going to be the king, and not a mere an Account ID

The PSD2 is a data and technology-driven directive, which was introduced as a way to respond to the changes in the landscape of payment services since the introduction of the original directive in 2007, and to drive further improvements in payment services across Europe. The revised version includes a number of changes and enhancements to the original paper, with the main goal of providing clarity, efficiency and ease-of-use of European payment services.

Under the new regulation, payment services will have to provide account information access of their customers to third-party service providers, after receiving proper customer-consent and authentication. So, the monopoly of having complete customer data with the Payment Service Providers and Banks are going to be a thing of the past now.

The directive significantly extends the scope of the original PSD regulations beyond Europe. Other features of the reforms include: new rules on access to payment accounts, liability allocation provisions, transparency requirements and secured customer authentication measures.

With this revised directive, two new very significant entities are going to be introduced- AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers).

‘Account Information Service Providers’ will provide consolidated information on payment accounts held by a payment service user with payment service providers, and a ‘Payment Initiation Service Provider’ will be able to initiate the transfer of funds on user’s behalf with their proper consent and authentication. Payment initiation services provide an alternative to paying online, using a credit card or debit card and thereby, will reduce the charges drastically.

All these changes are going to bring the customer at the centre-point and all the stakeholders will have to work around with a ‘customer-centric’ approach. In other words, the customers are going to be the king now, and won’t be treated like a customer ID or account ID anymore, as they will be final decision makers for their financial, transactional and analytical approach.

How Distributed Ledger Technology (DLT)-based platforms merge with PSD2? – Are they mutually inclusive?

One of the requirements in PSD2 for Banks and PSPs, is to open up their platforms to third- party entities through a secured platform for accessing account information and payment initiation. This is going to materialize through ‘Access to Account Platform’ (XS2A). Most of the PSPs and Banks are working extensively on APIs to ensure that this requirement gets catered effectively. Some consortiums have also come up to ensure adherence of the required guidelines and specified regulatory technical standards, like-CAPS, The Berlin Group, STET, etc. NETS, the biggest player in Nordic region in payment landscape, has come up with its own XS2A platform, NAAS. Even Temenos, one of the biggest ‘CORE Banking’ player, has also come up with its own XS2A platform.

But can APIs be the only means to achieve the guidelines and regulatory technical standards, as prescribed by the EBA for PSD2? Or is there any other innovative and secured platform available, which can change the dynamics of the entire business proposition.

Under PSD2, third-party providers (TPPs) will be granted consented access to customer information through the PSPs infrastructure to deliver new value-added services. Given the strategic and operational impact of this change, there has been wide speculation on how the access-to-account (XS2A) mechanism would work, and concerns echoed around malware attacks, fraud propensity and data privacy (driven by the General Data Protection Regulation).

There are certain challenges which PSPs might face in terms of data security, fraud prevention, interoperability, cost, and following other important regulatory regulations like GDPR, etc.

Consent Management: How DLT-based platform can help PSPs to manage that efficiently

‘Consent Management’ and addressing the required inputs as per the prescribed PSD2 RTS, along with various aspects related to Data security, Fraud Management, Interoperability, Cost Consideration, etc. can be leveraged efficiently through DLT-based platform.

Some of the challenges in providing secured access to customer accounts are:

• Verifying whether the TPP is a registered and authorised entity with the competent authorities
• Whether the registration and authorisation is still valid or has been expired/not renewed
• List of registered and authorised TPPs at one single glance
• How the consent given by the customers are going to be void when a TPP is not authorised anymore for any reasons, as it has got serious ramification related to GDPR aspect of “Data to be forgotten”.
• How to maintain an audit trail of Customer consent for various registered and authorised TPPs as the risk lies on the PSPs for sharing data with TPPs, and also when the ‘Right to Forgotten’ aspect pf GDPR needs to be complied.

PSPs will be required to provide access to payment accounts upon their customers’ request while having to ensure at the same time that end users and third parties are properly authorized and permissioned to access data.

DLT-based platforms hold the potential to help PSPs comply with these new regulations, while preparing for a future where the controlled sharing of data and value within and between organisations, is facilitated on a large scale.

DLT-based platforms can enable enhanced consent management in two ways:

a. By giving PSPs an up-to-the-second, unified view of all authorised third-party providers in Europe
b. By giving end users control over which entities they have authorised to access their bank account information.

Each of these solutions addresses a different side of the same problem by ensuring that third-party access to bank account data is authorised, and that end users retain control of their bank account data.

• PSPs can have ‘read-only’ access to this ledger to verify any TPP requesting bank account information of one of the bank’s customers. Once the entity is verified as being an authorised TPP under PSD2, it would only have to provide proof of a customer consent/mandate to receive specified access to customer information.
• Should a TPP lose its authorization for any reason, the automated verification using ‘crypto technologies’ could also void all existing consent given to the TPP from end users. This will help the PSPs immensely in maintaining a fine balance between PSD2 and “Right to be forgotten” aspect of GDPR as well.
• PSPs would merely be accessing the crypto register to verify the data stored on the ledger, they would not need to add data or transactions to the ledger itself. They would instantly check third-party authorisation and ensure that unauthorised entities do not gain access to sensitive bank account information.

PSPs can provide their customers with interfaces to help control and manage data, and a fully auditable record of which entities have been given consent to access bank account data, could be a key enabler of regulatory compliance and an improved customer experience.

• A ‘crypto technology’ ledger can give a PSP a single, unified view of which permissions their customers have given to various third-parties or divisions within the PSP, without the need to store sensitive data itself on the ledger.
• Customers may not have direct access to a ‘crypto technology’ ledger, and PSPs will play a crucial role in providing straight-forward and user-friendly interfaces to enable advanced functionality for end users.
  Users could either give or withdraw consent for third-parties to access their bank account data via a front-end app on a mobile phone or online.
• PSPs would receive these requests via APIs, and then immediately (and immutably) store the record of consent on the DLT ledger.
• Once consent is revoked, the record on the ledger would be instantly updated to reflect this. Any future disputes could easily be resolved by reviewing the record of consent on the ledger, and users could verify their information on the ledger via the interface provided by their bank.
• The only information stored on the ledger would be the record of consent given to each third-party; the end user’s bank account information would be stored off-ledger at the bank as it is done today.
• End users would be able to review this record online or via a mobile app, giving them added control and security of their data even when using multiple third-party apps or bank products.
• The concern about immutability of data on a ledger would not be relevant because no private customer information is stored on the ledger, only a record of when consent is given and taken away. In fact, the immutability of this data would be a positive aspect due to the ability to fully audit an entire history of customer authorizations.

Benefits and practical considerations for Consent Management

• Greater speed and efficiency in ensuring TPP authorization and customer consent
• Improved customer experience through enhanced control over third-party access to data
• Enables compliance with regulations such as the PSD2 and GDPR
• Instant identification of authorized TPPs increases efficiency and lowers the risk of fraud or error
• Increased transparency due to fully auditable record of all entities that have been authorized under PSD2, or given access by customers to bank account information

Distributed Ledger Technology (DLTs) -based platforms provide those basic nuances through which most of the requirements and regulatory technical standard can be looked into in a secured, cost-effective and efficient manner.

The prevailing view in Europe is that legacy payment mechanism has been holding back growth in commerce and finance. PSD2 is different in that it is not upgrading current systems. It is creating new ones. It wants all stakeholders to rethink how payments are made. And rather than telling market participants what the new system should look like, it wants them to figure it out for themselves.

It is exactly what DLT thinkers and doers around the world are working on, to not only improve current processes, but develop entirely new ones, bypassing legacy systems and unleashing a new wave of innovation – and in the process, change how people transact money.

DLT-based platform will also help in redefining business opportunities. For example, financial institutions could end up offering DLT-based payment offerings through partnerships. Bank accounts and cryptocurrency holdings can be aggregated on wealth management dashboards (in cases where regulatory body allows that). The operations of distributed ledger trading platforms could fundamentally alter how the payment transaction cycle works today.

Hence, we can say that somehow there is a possibility of Distributed Ledger Technology (DLT)-based platforms and PSD2 to be mutually inclusive and has the capability to transform the way, payment will take place in secured and efficient environment, in the coming future. How exactly the convergence point should look like, is something that remains to be seen.