Internal market is strengthened
So far, a total of 14 percent of fintechs were only covered by national regulation. In the view of the European Union, this had counterproductive effects on the emergence of an EU internal market for payment services (EU Parliament and Council, 2015). Therefore, the harmonization of regulation under PSD2 should promote market integration. In particular, the scope and the exceptions to the regulation are now clearly defined across the Union. For example, account information services and payment initiation services, which never come into possession of customer deposits, can under PSD2 now be uniformly identified and regulated across the Union (ibid., 2015). This should strengthen cross-border competition between financial service providers. In Germany, PSD2 will lead to a revision of the Payment Services Supervision Act (ZAG) as well as to changes in the Civil Code (Deutscher Bundestag, 2017, 79 ff.). The latter specifies the rights and obligations of the two contractual parties, the payment service providers and the payment service users, in relation to each other under German law.
Consumer rights and safety standards are improved
Strengthening the rights of users is a key concern of the Directive (Deutscher Bundestag, 2017, 78). Moreover, by increasing the security of payments, consumers should be better protected against cybercrime. In particular, the fully harmonized introduction of rules should ensure that better and uniform safety standards apply in the EU. For example, PSD2 requires so-called strong customer authentication when accessing one's own account online (Deutscher Bundestag, 2017, 81). That is, at least two of the following characteristics have to apply: knowledge (e.g., PIN), possession (e.g., credit card), and inherence (e.g., fingerprint). The specification of the measures to be applied is based on regulatory technical standards by the EBA. However, these will be binding at the end of 2018 at the earliest and thus almost a year after the introduction of the Directive (EBA, 2017b, 4).
Access to accounts and account information is possible
The EBA's regulatory technical standards also set out the conditions under which payment service providers will be given access to online banking accounts and associated account information. Previously, banks sometimes forbade their customers to pass on access data such as a password to other payment service providers. Consequently, these providers could not be used by customers. What is new is that once a payment service provider is allowed to do business, the consumer has a right to use it, and the account-providing bank must provide access to the account and its data without the bank customer breaching the bank's terms and conditions. PSD2 thus creates more legal certainty for customers and third-party service providers. However, only the information that is necessary for the third-party service and for which the customer has granted permission may be transmitted (Deutscher Bundestag, 2017, 80). For example, online retailers can now save costs by initiating payments directly from the customer's account instead of letting the bank initiate the payment process (Baumgarten, 2017).
More competition through a common technical standard
Until now, banks alone were able to use their customers' data for new business models and contracts. PSD2 breaks up this data monopoly. Customers can now use new payment services according to their own preferences and provide these services with their information so that individual products and services can be generated. Two possible access routes to the bank accounts were discussed against this backdrop:
- If screen scraping is used, the third-party service uses the customer's account login and, like the customer, accesses the customer's account via the bank's homepage. It can then access all account data, including data that is not required for the respective service.
- Alternatively, the bank provides account access to the third party through a dedicated application programming interface (API). In doing so, the third-party service can only access a limited amount of data, such as only the data required to provide its respective service.
In its regulatory technical standards, the EBA favors access via the API. As long as the banks agree on a common technical standard for the API, or the EBA sets such a standard, there is a level playing field between banks and fintechs in the market for payment services. Account access via screen scraping would have given the less regulated fintechs a competitive advantage over the banks. In order to ensure fair competition, other conditions also have to be fulfilled. First, banks should not technically obstruct third-party suppliers from doing business, for example by slowing down data access. Second, fintechs should not be allowed to request more information from a bank account by technical means than is needed to provide their service.
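The two access routes and the two-of-three authentication rule described above can be contrasted in a short sketch. This is an added example, not code from PSD2, the EBA standards or any bank; all factor names, field names and the per-service data needs are hypothetical, and the account record is constructed.

```python
# Factor categories are the three named in the text; factor names are hypothetical.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "card": "possession", "phone_token": "possession",
    "fingerprint": "inherence",
}

# Constructed account record with hypothetical field names.
ACCOUNT = {
    "iban": "DE00 0000 0000 0000 0000 00",
    "balance": 1520.75,
    "transactions": [{"amount": -42.0, "payee": "Constructed Shop"}],
    "overdraft_limit": 500.0,
    "postal_address": "Constructed Street 1",
}

# Hypothetical minimum data each type of third-party service needs.
SERVICE_NEEDS = {
    "payment_initiation": {"iban", "balance"},
    "account_information": {"iban", "balance", "transactions"},
}

def strongly_authenticated(presented):
    """True only if the factors span at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2  # PIN + password is still only "knowledge"

def screen_scrape(account):
    """Login-based access: the third party sees everything the customer sees."""
    return dict(account)

def api_access(account, service, consented, presented):
    """Dedicated-interface access: release only fields both needed and consented."""
    if not strongly_authenticated(presented):
        raise PermissionError("strong customer authentication failed")
    allowed = SERVICE_NEEDS.get(service, set()) & set(consented)
    return {k: v for k, v in account.items() if k in allowed}

if __name__ == "__main__":
    print(sorted(screen_scrape(ACCOUNT)))
    print(sorted(api_access(ACCOUNT, "payment_initiation",
                            {"iban", "balance", "transactions"}, ["pin", "card"])))
```

The released set is the intersection of what the service needs and what the customer permitted, so broad consent does not widen access and a broad service profile does not override narrow consent.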