You’ve seen one acronym, you’ve seen them all:  NACHA, INTERAC, SWIFT (10 payment nerd points to whomever knows what SWIFT actually stands for).  Yet, out of the allegedly stodgy and overly bureaucratic EU comes a seismic shift in how payments acquiring could get done.

The specifics of PSD2 are still pending as of my writing this (or – at least – I don’t fully understand them yet).  This blog by no means threatens to illuminate the full complexity of the mandate.  If you are interesnted, there are several great resources for getting to the bottom of what PSD2 is, including Accenture’s write-up and Finextra/CA’s white paper.

Here is my simple understanding of the big items:

1. The bank account belongs to the consumer – not the bank!  While the bank can

   

   charge for services on that account, they cannot force a cost for access to the account for either Information or Payment Initiation.

2. Banks must open up these accounts via an “Open API.”  This means that licensed third parties can access the accounts to provide services to/for/on behalf of the consumer who is the true account owner.
3. Once licensed, a Payment Initiation Service Provider (PISP) can leverage this API do “Push” a payment on behalf of a consumer – often referred to as XS2A (access to accounts).  A logical use case is to replace the traditional cards interchange “pull” model – with a real-time “push” model to get good funds to a merchant when proper authentication is provided.

Wait – did that last line say replace Interchange?  But, that can’t really happen  –  can it?

Losing my (Cards) Religion

The idea of Interchange being replaced by a single sweeping “Open API” standard should be viewed with a deal of skepticism.  After all, much as the Merchant community likes to demonize the card brands – the real costs of interchange go to the Issuer who, in exchange, is providing some real value.  Guarantee of good funds, a dispute management process, fraud management, etc…  These services are both not free and are critical to the conduction of commerce.  In an eCommerce world, these services are critical.

So – how will a Payment Initiation Service Provider (PISP) ensure these services in a post-PSD2 world?  The limited adoption of ACH in the US as a real eCommerce tool should serve as a caution; just because a payment type is cheap – it does not mean that is meets the needs of merchants (particularly eCommerce merchants).  There are a few key services that need to be brokered by either the bank servicing the account or the PISP.

1. Dispute Management:  Inevitably handling disputes (whether they are chargebacks, refunds or other discrepancies) is one of the more costly elements of the operation.  Even a 1% rate can introduce significant cost into a merchants operation.  For all the challenges, the card brands have mature rules and processes that give both consumer and merchant piece of mind.  Similar mechanisms will be needed to reach scale.
2. Fraud Prevention:  There are a lot of great systems in place to fight the ever more sophisticated fraudsters.  The portability of the 16-digit card has made it an easy target – but the regulators behind PSD2 should be cautious about the confidence they are putting around gurantees of “strong” customer authentication.  The initial concept of multi-factor authentication and one-time codes generated per tran certainly improve upon today’s fraud risks, but to think that the sophisticated fraud networks will simply pack up their shops in the face of the improved security of PSD2-style transactions is wishful thinking.  The regulation introduces tremendous opportunity for Security and Fraud Providers to introduce new, more sophisticated forms of prevention – these will be needed.
3. Deposits and Reconciliation:  I have yet to find a great explanation of how a merchant will receive these funds.  It would seem that the TPP who initiates the transaction would, in effect, collect funds into a merchant account and then provide regular deposits, really, no different than in today’s model.  What is not clear is which player in the ecosystem will be responsible, in other words, if there will be limitations on who can handle the money given the regulations placed on the TPP.

All solvable.  All existing functions – but, functions built around a card-centric system.  The subtle shifts (i.e. who needs to handle the dispute if the Bank servicing the account is not being compensated on the transaction) can and will be worked out.  So – how does this fairy tail come together – let’s think about the steps that need to fall in place for us to remain a happy ecosystem.

If you believed they put a man on the moon

A roadmap to a successful adoption of PSD2 should look something like this:

• Clarify the data accessed / exposed via the OpenAPI:  The sooner this work reaches a completed state, the more innovation can be applied.  There appears to be a daunting amount of consent requirements and data disposition requirements that will put new pressures on a TPP.  This will not be easy.  Large acquirers product enhancement  often require 12-18 months (or more) of development and testing.  As final regulations are made clearer, the mechanisms required to handle the Payment Initiation in compliance with the mandate could require significant new investments.  Large card acquirers will have to make a decision if they invest to create these capabilities or not.
• Construct the proper capabilities in the PISP to access the OpenAPI:  Those that go down the road to be a TPP will have their work cut out for them.  An important question is whether the idea of a “PayFac” or “PSP” as allowed in the cards world will be likewise available in the PSD2 world (or even of value).  The flattening of the system implied by the Open API upends the histroical Cards model where large acquirers provide PSP services to payment gateways.  This model may be invalidated by the democratization of access.  A scary prospect for the historical ecosystem.
• Introduce a cadence and systems of governance for updates to the API:  How can a standard as far-reaching as this keep up with the times?  The rate of change in consumer expectations and technology upheaval remain perpetually accelerating.  While this is a trite soundbite – it also happens to be true.  Updates to the Open API must come with enough frequency to meet these expectations.  As at least 51% of Britons told us, the EU is filled with slow, bureaucratic chambers who over-regulate.  We shall see if the intentions of PSD2 are betrayed by the historical speed of large government regulatory processes, or if the openness thrust on the industry genuinely enables innovation that competes with the historical privately driven payments industry.  A front row seat to this spectacle will be very expensive.

The Great Beyond

PSD2 in place, the world will open up to be very interesting.  PISPs who gives the most control and power to the consumer (the account holder who will PUSH the funds) will become the most desirable partner for merchants.  That simple dynamic should spur massive innovation.  As we saw even this week, both Visa and MasterCard are taking notice (Visa partnering with PayPal and MasterCard buying Vocalink).  As smart guys like Gareth Lodge highlighted, MasterCard’s move grants them an asset that could serve as primary rails for Immediate Payments in line with that PSD2 mandate.  Yet, PSD2 is representative of a broader set of changes that threaten the oligopoly that has marked payments for 30+ years.  But I wouldn’t rush to bet against these historical magnates.  They hold the assets needed to usher in a new era of payments based on rich data, consumer engagement and real-time payments.  The questions abound for the entire ecosystem on prospective winners and losers.