The Payments Crossroad – June 2023 recap – PSD3 beyond the highlights
It’s here, the European Commission published PSD3. Everyone is talking about it. You know us, we didn’t want to share yet another high-level coverage of its impact.
So we went through it with our payment nerds lens, focusing on the topics we know and love, including what we believe will have the most significant impact in the payment area: opening direct access to payment systems for PIs and EMIs and writing their right to a bank account in the law.
Also, in this month’s payments crossroad: Railsr’s latest setbacks and Wise going after Swift.
Our payment nerds’ take on PSD3
This June, the European Commission published its legislative proposal to amend and modernise the current version of the Payment Services Directive, PSD2. In other words, the European Commission officially introduced PSD3, and it’s a big bang. Let’s deep dive.
PSD what?
The Payment Services Directive, in its current version PSD2, is the EU directive that regulates payment service providers throughout the European Union and the European Economic Area. Let’s say Europe for the sake of simplicity.
Its objectives were and remain to increase competition in the payment industry, to drive innovation, new use cases, lower prices and broader adoption of existing and new payment products for European citizens and businesses, while establishing the highest standards of consumer protection.
The Payment Services Directive is the primary legislation within which regulated fintechs, namely payment and electronic money institutions, operate.
A major component of PSD2 was the introduction of a legal framework for open banking in Europe and the legal requirement for banks in the region to build and make available open banking APIs enabling third-party access to account information and bank payment initiation.
As you’ve probably noticed, it led to the creation of dozens of open banking companies and the adoption of open banking products by dozens more existing fintech companies.
PSD2 looks like a great success, so why introduce a new version?
What is in PSD3
You will find many excellent summaries of the changes introduced by PSD3, including our own, of course, so we’ll keep it brief in this newsletter. The main themes included in this new proposal are, as summarised in the?European Commission’s press release:
The proposal also includes various rules around sharing customers’ financial data beyond payment accounts.
The legislation is expected to be passed by June 2024, with full enforcement not likely before 2025.
As you know by now, some of these topics are closer to the topics we use to cover than others. In the rest of this newsletter, we will share our takes on some of them. Starting with IBAN/name check.
IBAN/name check for all
Part of the “Combat and mitigate payment fraud” propositions of the legislation is the extension of mandatory IBAN/name checks for all SEPA credit transfers, instead of SEPA instant credit transfers only, as the?EU legislative proposal on instant payments?published in October 2022 stated.
We’ve covered the topic, the potential technical and privacy challenges it introduces, its equivalents in other markets and possible solutions to enforce the legislation in a?previous newsletter.
As we shared at that time, and as noted by various companies and business associations in their?feedback on the instant payments legislative proposal, the European Commission didn’t share any directions on how this IBAN/name check requirement should be technically implemented.
Great news, they did this in the PSD3 proposal:
The PSP of the payee will be required, at the request of the PSP of the payer, to verify whether the unique identifier (IBAN number) and the name of the payee as provided by the payer match.
In simpler terms, the receiving bank will need to provide the information to the sending bank before the sender can confirm its payment.
This is quite similar to how the UK’s?Confirmation of Payee, or French interbank initiative?SEPAmail’s DIAMOND?work, with one major unknown left: will the final legislation require the IBAN/name verification for every single payment, or only when registering a new beneficiary in its PSP system?
The answer to this question is crucial. Let me explain: the technical implementation described in the proposal at first glance disqualifies?database-based?solutions, in which some entities would have purpose-built central repositories of all IBAN/name associations in Europe, updated by PSPs at a given frequency (e.g. at bank account creation/close and every three months), and used by PSPs when required by the regulation. A centralised, purpose-built system could easily (relatively speaking) withstand the volumes required to check the IBAN/name match for every single SEPA credit transfer.
But the proposal seems to mandate:
Some versions of 2. already exist at a similar European scale for interbank payments (and now?Request-to-Pay), whether classic or instant. The?EPC?defines the rules, and entities like?EBA Clearing?provide the infrastructure. It’s robust, trusted, and proven. And again, with?SEPAmail’s DIAMOND, such systems already exist and work at a local scale.
So no doubt it can be done even if the checks have to be done for each payment.
But 1. will be trickier, especially for traditional banks relying on legacy systems. While extremely robust for all the use cases they cover as of today, they haven’t been designed with the ability to answer high volumes of IBAN/name queries instantly. PSPs relying on legacy systems will most likely have to build (or buy) additional systems mirroring their core systems’ IBAN/name data capable of supporting such throughput.
A new promising market for fintech vendors.
Fixing open banking APIs
Since its legislative introduction in Europe with PSD2 in 2018, open banking did get certain traction. In 2020, Europe counted half of the global users of open banking, with 12.2 million users. Good, but maybe less than expected.
Part of the explanation might come from the frictions introduced by strong customer authentication (SCA) in the user experience and?the notorious unreliability of banks’ open banking APIs.
While this unreliability sure is frustrating for businesses who built their products upon these APIs and their end users, they are quite understandable: banks were given only a few years to develop them, on top of legacy (but again, very robust) core systems that were not built to interface with APIs.
PSD3 aims to fix these issues. First, regarding SCA, the European Commission wants to simplify its application. Currently, SCA is required for any open banking payment initiation and open banking account information access. While SCA will still be required for each payment, PSD3 will only require SCA for the first access to account information data.
PSD3 will also “require payment services providers to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology, device or mechanism, for instance on the possession of a smartphone.” That’s great for the end users, especially in terms of accessibility. But that might introduce other challenges for open banking providers and take a big chunk of their roadmap in the next year.
Regarding open banking APIs reliability and availability, PSD3 aims at further “protecting the business continuity of open banking providers.” Specifically, it says that:
if a bank’s open banking interface is down, causing providers potential harmful data access disruption, and if the bank cannot rapidly offer an effective alternative solution to the providers, they can then request their national authority to be allowed to use another interface (such as the one that banks use for their customers) until the provider's dedicated interface is restored to functioning.
That’s a quite… interesting approach. First, PSD2 already mentioned that open banking providers “shall be allowed to” use these interfaces in case of banks’ open banking APIs unavailability. It led to open banking providers relying on screen scraping as fallbacks, which came with its load of drawbacks for customers, open banking providers and banks alike. And sometimes led to some annoyance from banks.
Is PSD3 pushing this fallback further? On paper, yes, banks now all have decent, if not great, web and mobile applications, most likely relying on internal APIs, and sometimes even offer public APIs to access bank accounts and send payments.
But I do wonder how on earth these interfaces will be usable by open banking providers for open banking applications. They are built for totally different use cases, with totally different authentication methods, access rights and probably completely different designs than open banking APIs.
Unless banks agree to provide some kind of Frankenstein interface to open banking providers when their open banking APIs are down, I don’t see it happening.
My humble opinion is that this part of the legislative proposal is more aimed at incentivising banks to make their open banking APIs more robust in a more subtle way than writing SLAs in the law than enforcing such degraded fallbacks.
Getting payment and electronic money institutions closer to payment schemes
The “further levelling the playing field between banks and non-banks” part of PSD3 introduces groundbreaking proposals in our payment nerds world. Let’s unpack.
领英推荐
First, on access to payment schemes itself. Today, PIs and EMIs have no choice but to work with a commercial bank (or, in some cases, a central bank, as we will cover below) to access SEPA and send and receive SEPA payments.
This means that for most PIs and EMIs, to operate their most core services. They can do so via two different models: as?corporate customers of the bank or as SEPA indirect participants.
The European Commission wants to change that by including PIs and EMIs in the list of institutions authorised to access payment systems, opening the door to direct participation in said systems.
This has several significant implications: any PI or EMI will be able to connect directly to clearing and settlement mechanisms (CSMs) without going through a sponsor bank — after strict risk assessment by these CSMs.
It has the potential to enable more fintech companies to become SEPA participants, as they won’t depend on sponsor banks’ compliance policies to do so. Cutting an intermediary will also reduce the direct cost per payment for these payment companies and potentially their customers.
And we’re not talking about a hypothetical change in many years: “Given the urgency of introducing this indispensable level-playing-field measure, Member States are given six months to transpose it in their national law.”
Is this closing the SEPA indirect participant market for banks? Not necessarily. First, most banks that could legally be direct participants in payment systems are actually indirect participants. And there are many reasons for that.
Sponsor banks aren’t just pass-through. While they require strict compliance procedures from their indirect participants, they will run their own compliance frameworks on their indirect participants’ flow, ensuring any payment sent to interbank payment systems is safe. And PSD3 is very clear that PIs and EMIs looking to be direct participants in payment systems will have to meet the same risk standards as banks.
The stakes are also increasing for large indirect participants, as PSD3 specifies that “where justified due to systemic risk, Member States should be allowed to consider an indirect participant as a participant of the system.”
And whichever access to payment systems they choose, PIs and EMIs will still need banks to hold their customer deposits and open and manage their settlement accounts. Which has been a significant blocker for companies in areas considered risky such as gambling and crypto, or new companies without existing payment flows.
The failure of SVB also pushed banks to re-assess their risk strategy and exposure to a fintech industry with unusual cash flows, low inertia to changing market conditions and strong herd behaviour.?The almost $2b per hour bank run on SVB of 9 March 2023?gave cold sweats to more than one banker.
To circumvent this difficulty for many fintech companies to find a partner bank, which is a sine qua non to start operations, PSD3 introduces PIs and EMIs right to a bank account.
Whether access refusal or withdrawal of service, banks will be required to motivate their decision. “Justification for refusal must be based on the specific situation of that PI, including serious grounds to suspect illegal activities being pursued by or via the PI, or a business model or risk profile which causes serious risks to the credit institution.”
All those elements make us say that banks’ SEPA indirect participant offers for fintech companies won’t disappear. They will evolve.
Direct participation represents a new step in the payment value chain for fintech companies, adding on top the BaaS agent model, the corporate customer model, and the indirect participant model. PSD3 allows these payment companies to avoid becoming a credit institution just for the sake of becoming a direct participant.
Just like the other models, the direct participant ones won’t be the right one for all fintech companies at all stages. It’s up to banks to make the indirect participant model relevant as long as possible for their fintech customers.
And they have many levers to do so: higher remuneration on customer deposits tied to payment flows, payments filtering, easier connectivity and now probably have a card to play in providing IBAN/name verification to their indirect participants.
Oh, one last interesting bit from PSD3: “central banks will also be allowed to provide account services to non-bank PSPs, at their discretion.” Well, Lithuania didn’t wait for PSD3 to do it, but the rules are now clear.
The Crossroad
Lithuania’s 5-year plan to become Europe’s leading fintech hub
Talking about Lithuania, the country revealed its new strategic plan to become the leader of the fintech sector in Europe by 2028. In short, they are doubling down on?what made them successful: attracting international investors and fintech talents, providing a clear and predictable regulatory framework, and involving all relevant public authorities, public authorities and associations in the effort. As we highlighted in February, developing the fintech industry in Lithuania is a state-wide initiative.
But following several major compliance issues with Lithuania-licensed fintech companies (see below), the country acknowledges that future development and credibility of its fintech sector will come with stronger risk management. Much of this new plan is focused on compliance, including training of fintech employees and better consulting offers on these topics.
To assess the success of their fintech policies over the past six years, Lithuania surveyed fintechs operating in and from the country. An interesting insight of the report (in Lithuanian?here) is the importance of CENTROlink in the positive results of the countries’ strategy to date. Well, to be fair,?it’s not that much of a surprise for us.
But now that PSD3 provides the common rules for all central banks to replicate what the Bank of Lithuania does with CENTROlink, and opens direct access to payment systems for PIs and EMIs, will this competitive advantage remain?
Railsr meltdown, s02e07
To put it mildly,?2023 hasn’t been the greatest year for Railsr. And it goes on. Railsr’s payment subsidiary, PayrNet, has seen its electronic money institution licence revoked by the Bank of Lithuania. In regards to the increased scrutiny highlighted in their new strategic plan for their fintech industry, we cannot say Lithuania don’t put their money where its mouth is.
The immediate consequence is that PayrNet can no longer service its existing customers and cannot onboard any new agents. Bank of Lithuania is also looking to petition the court to initiate PayrNet’s bankruptcy.
Luckily for customers, according to information PayrNet shared with the Bank of Lithuania, it seems that the payment company was?safeguarding customer funds?by the book, enabling a prompt return of these funds to customers.
So what went wrong? According to the Bank of Lithuania, PayrNet had poor and sometimes non-existent anti-money laundering and countering the financing of terrorism practices from many levels: organisational, IT systems and processes. They should have used our friends?Marble’s tool ;)
Wise is going after Swift
Wise published its fiscal year 2023 annual report. And it includes many very interesting bits in our beloved payment area.
First, Wise is going more and more clearly after Swift (without naming it). With Wise Platform, their international payment infrastructure, Wise declare they are “building the replacement infrastructure for the world’s money.” Will Swift remain “the way the world moves value” for long?
This angle obviously goes beyond corporate marketing. Wise Platform now serves more than 60 partners, including significant banks such as Indonesia’s Bank Mandiri or South Korea’s Shinhan Bank. Through these partners, 25m additional people have access to Wise services.
They are basically playing the Amazon-AWS move on international payments, which makes sense, given the global payment infrastructure they’ve built.
Second, Wise is doubling down on its payment infrastructure as a competitive advantage. Wise did build an impressive infrastructure, made of more than 70 banking partners and direct connections to 4 domestic payment systems.
And this massive investment is paying off today and, according to Wise, for the foreseeable future: “A lower unit cost and price also presents any potential competitors or new entrants with a significant economic challenge to consider, even before they break ground in constructing their own infrastructure.”
Again, being in the business of building payment infrastructure and bank connectivity, we could not agree more. At Numeral, we know how hard it is to build these things from the ground up. That’s why, shameless plug, we build them for you: to avoid making payment infrastructure engineering armies the prerequisite to compete in the payment industry. To enable new, innovative entrants to launch with a non-0 chance of survival and thrive.
Finally, in my humble opinion, Wise gave the perfect pitch regarding rising interest rates.
When you hold £10bn+ of customer deposits, rising interest rates are fantastic. Interest income net of customer benefits grew to £118m in 2023 from ... -£2.8m, massively contributing to Wise total income and gross profit this year.
But high-interest rates could go as fast as they came, and Wise recognised that. They make it very clear that while they will take advantage of the current context, they don’t want to become dependent on it.
In their analyst presentation, they go as far as clearly stating that their most strategic and significant investments are and will not be funded by interests.
And while they count on 20% of this interest income to fuel their EBITDA, they plan on using the 80% remaining to reward customers on their balances and provide account incentives on products that don’t allow for interest. Without dropping prices on other products or funding general opex to “avoid creating dependency.”
I guess this is an attitude investors are expecting to see from any payment company.
Latest news from Numeral