Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
January 30, 2017
Pssst…Have You Heard about PSD2?
No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.
The directive and the subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape. The package:
- Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customers' behalf, as well as to data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
- Requires financial institutions, upon the request of their customers, to allow these approved nonbank third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application programming interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to retaining their customers' business, and they also have concerns about data security.
- Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that criminals will have the fixed transaction amounts and authentication methodology information they need to modify their attacks.
- Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.
While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
* Final rules are expected to be published in January 2017.