PSD2 implementation: viewpoint of BEUC, the European Consumer Organisation

24 February 20

Disclaimer: The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

This interview belongs to a series representing the views of various stakeholders on the implementation of the revised Payment Services Directive (PSD2). This time, we provide the perspective of European consumers by interviewing Jean Allix, special advisor to BEUC. Learn more about the European Consumer Organisation’s views on the current situation, its achievements and future evolution after the implementation deadline. 

First, let’s talk about the implementation of the final Regulatory Technical Standards (RTS) for strong customer authentication (SCA) and common and secure communication (CSC) under PSD2 and their impact on the market. How would you summarise the current status and, in particular, the degree of harmony across the EU?

BEUC is very much in favour of the activities of third party providers (TPPs) – in particular, payment initiation services providers (PISPs). Therefore, when the discussion on the communication channel (dedicated interface) started in early 2017, we asked for the establishment of a single application programming interface (API) at the EU level as the only means to guarantee full reachability and interoperability. The work done since has been put on hold for the time being, and the result is that each country, if not each bank, is creating its own API. We are opposed to screen scraping; this is why a single API is so important for us. 

How would you describe customer experience following the implementation of the RTS? 

In relation to SCA, the implementation of PSD2 on 14 September 2019 has been a non-event. In many countries consumers are already familiar with SCA. The e-commerce industry has sustained a strong lobbying campaign complaining that SCA will strongly impact their business. This has not been the case. The new rules had been globally known since 2015 but the acquiring banks responsible for their practical application according to the PSD rules have been unable to impose SCA on their big clients. So the European Banking Authority (EBA) has set a new deadline for the end of this year.

The main issue is to eliminate the cases where it is possible to make a payment on the internet by giving only the number of the card, the card verification value (CVV) and the expiry date.

It is necessary to set up solutions that are convenient for consumers. For example, the need to have both your mobile phone and a digipass to make a payment when you are on holiday is too complicated.

Have the key objectives of PSD2 been achieved and, if not, what are the remaining challenges?

There were two key innovations in PSD2: the improvement of security (the SCA) and competition (data access). But there are some unresolved contradictions between the two objectives today. Third parties should not have access to the credentials of the consumers due to security issues. But for the time being, in most cases, TPPs have access to those credentials and we consider it is too dangerous.

How do you see the future evolution of APIs both in the context of and beyond PSD2? What are likely future developments that will need addressing, e.g. further standardisation or business needs?  

See answer to the following question. 

Finally, do you already see a need to revise the RTS and if so, why?

There is a need to revise PSD2, and the RTS will follow as secondary legislation. The main issue is to create consumer-friendly, open banking. BEUC accepts the idea of extending the scope of access to data from payment data to other financial data, but it must be done in a very different mode:

  • Consumers need to be adequately protected against data breaches, misuse of data and the privacy and security risks associated with the sharing of consumers’ financial data. Regulation must be adopted to ensure that consumers’ data is used in an ethical manner and that liability is clear if things go wrong. 
  • Consumers should have a right to instruct their bank not to share their data with third parties. 
  • Data should not be accessed without the explicit consent of the consumer. For the time being, nobody knows what explicit consent means in the context of PSD2.  
  • Consumers must be able to keep track easily of to whom they have granted consent/access, and the consumer’s bank should maintain a list of all third parties that have access to the consumer’s financial data (the ‘dashboard’ for UK open banking). 
  • The consumer should be able to give his or her consent to certain types of data being shared but not all (for instance, a consumer may wish to share his or her savings account information but refuse to share payment account information). When the consent is given by a consumer to a third party, the bank (as the guardian of the data) should also be informed as to which data the access agreement has been given and set up the access in conformity with the choice of the consumer.
  • The consumer should be able to cancel at any time any specific agreement that he or she has given to a third party, and there should be a clear right for consumers to be forgotten. The cancellation should be made possible either through the third party or through the data guardian (i.e. the bank). 
