Strengthened competition in payment services

Starting on January 13, 2018, the Second Payment Services Directive (PSD2) will apply in the European Union. Among other things, the Directive’s aim is to adapt regulation to the innovations in payment services and to promote the Single Market for non-cash payments. However, PSD2 will only strengthen competition between payment services under a common standard for the access to banking accounts.

Markus Demary / Christian Rusche ·
IW-Kurzbericht No. 4 ·
8 January 2018

Themen:

Banking ·

Digitisation ·

Financial Markets

The First Payment Services Directive (PSD) of 2007 uniformly regulates all services providing the remittance of money, the execution of payment transactions, cash withdrawals, the placing of cash on a bank account as well as the issuing and acquiring of payment instruments (EU Parliament and Council, 2015, 36). Since then, smartphones have become very popular, e-commerce has grown enormously, and the market entry of financial technology companies, the so-called fintechs, has created new opportunities for non-bank payment services. Thus, there is a need to adapt the rules of the PSD (EU Parliament and Council, 2015, 36).

Adapting regulation to innovation

Dr. Markus Demary

Senior Economist for Monetary Policy and the Economics of Financial Markets

Dr. Christian Rusche

Economist for Industrial Organization and Competition

Until the PSD2 regulation, some of the new competitors with their innovative business models were not covered by regulation (Figure). One of the reasons for this is that fintechs only need a banking license if their business involves transactions in securities, loan origination, the execution of payment transactions or deposit-taking. As long as they only provide technical support to a bank, they do not need such as license. Technical support includes, for example, the provision of software and hardware.

The European Banking Authority (EBA) estimated a total of 1,500 fintechs in the EU in 2017 (EBA, 2017a, 20). For 282 of those, the EBA had detailed information allowing for a determination of the relevant regulation. The EBA found that 31 percent of those fintechs were not regulated. For another eight percent, the regulation was unknown. Only 18 percent fell directly into the scope of the PSD. Another two percent had a novel business model that was also covered (so-called hybrid payment service). Eleven percent were classified as an investment company, nine percent as a bank, and seven percent as an e-money institution and were regulated accordingly.

Fintechs obtain insight into the finances of bank customers. Precisely because access to the accounts and the financial data contained therein are sensitive information, regulation seems to be necessary (EU Parliament and Council, 2015, 39).

Embed code for this graphic

Internal market is strengthened

So far, a total of 14 percent of fintechs were only covered by national regulation. In the view of the European Union, this had counterproductive effects on the emergence of an EU internal market for payment services (EU Parliament and Council, 2015). Therefore, the harmonization of regulation under PSD2 should promote market integration. In particular, the scope and the exceptions to the regulation are now clearly defined across the Union. For example, account information services and payment initiation services, which never come into possession of customer deposits, can under PSD2 now be uniformly identified and regulated across the Union (ibid., 2015). This should strengthen cross-border competition between financial service providers. In Germany, PSD2 will lead to a revision of the Payment Services Supervision Act (ZAG) as well as to changes in the Civil Code (Deutscher Bundestag, 2017, 79 ff.). The latter specifies the rights and obligations of the two contractual parties, the payment service providers and the payment service users, in relation to each other under German law.

Consumer rights and safety standards are improved

Strengthening the rights of users is a key concern of the Directive (Deutscher Bundestag, 2017, 78). Moreover, by increasing the security of payments, consumers should be better protected against cybercrime. Especially through the fully harmonized introduction of rules, better and uniform safety standards should apply in the EU. For example, PSD2 requires so-called strong customer authentication when accessing one's own account online (Deutscher Bundestag, 2017, 81). That is, at least two of the following characteristics have to apply: knowledge (e.g., PIN), possession (e.g., credit card), and inherence (e.g., fingerprint). The specification of the measures to be applied is based on regulatory technical standards by the EBA. However, these are binding at the end of 2018 at the earliest and thus almost a year after the installment of Directive (EBA, 2017b, 4).

Access to accounts and account information is possible

The EBA's regulatory technical standards also set out the conditions under which payment service providers will be given access to online banking accounts and associated account information. Previously, banks sometimes forbade their customers to pass on access data such as a password to other payment service providers. Consequently, these providers could not be used by customers. What's new now is that once a payment service provider is allowed to do business, the consumer has a right to use it and the account-providing bank must provide access to account and data without the bank customer breaching the bank's terms and conditions. PSD2 creates more legal certainty for customers and third-party service providers. However, only the information that is necessary for the third-party service and for which the customer has granted permission may be transmitted (Deutscher Bundestag, 2017, 80). For example, online retailers can now save costs by initiating payments directly from the customer's account instead of letting the bank initiate the payment process (Baumgarten, 2017).

More competition through a common technical standard

Until now, the banks were able to use the data of their customers on their own and use it for new business models and contracts. PSD2 breaks up this data monopoly. The customers can thereby use new payment services according to their own preferences and provide them with their information for the generation of individual products and services. Two possible access routes to the bank accounts were discussed against this backdrop:

If screen scraping is used, the third-party service uses the customer's account login and, like the customer, accesses the customer's account via the bank's homepage. It can then access all account data, including those data that are not required for the respective service.
Alternatively, the bank provides account access to the third party through a dedicated application programming interface (API). In doing so, the third-party service can only access a limited amount of data, such as only the data required to provide their respective service.

In its regulatory technical standards EBA favors access via the API. As long as the banks agree on a common technical standard for the API, or the EBA sets such a standard, there is a level playing field between banks and fintechs in the market for payment services. Account access via screen scraping would have given the less regulated fintechs a competitive advantage over the banks. In order to ensure fair competition, other conditions also have to be fulfilled. First, banks should not technically obstruct third-party suppliers to do business, for example by slowing down data access. Second, fintechs should not be allowed to request more information from a bank account by technical means than is needed to provide their service.