Is payments initiation under PSD2 going the wrong way? And what can be done about it? or, “If I was
One of Bruce Springsteen’s most popular tracks with concert audiences, and a personal favourite, is ‘Hungry Heart’, the first verse of which goes:
"Got a wife and kids in Baltimore, Jack I went out for a ride and I never went back Like a river that don't know where it's flowing I took a wrong turn and I just kept going"
The last two lines reminds me of what might be said to be happening to payments initiation under the influence of the regulators and standards bodies, as ever greater complexity and specificity is incorporated into the standards, as they grapple with the complexities of interpreting the PSD2.
This article explores the historical context to payment initiation and provides a commentary on the emerging standards and roadmaps against a backdrop of this increasing complexity.
PSD2 and the interchange fee regulation (IFR) were originally conceived as part of a payments agenda to give real competition to card-based payments. Almost like IDEAL (the Dutch non-card-based payments scheme) writ large across Europe. But instead it has become increasingly bound around by ever more detailed rules and specifications. These risk killing the functionality of the service, until it becomes just a capability for very narrowly defined payments initiation. As each intervention seems to get more and more complex and specific, the original purpose seems to get even more forgotten.
Assuming this diagnosis is accepted, what are the impacts and options for the market players?
At this point, we argue that, for merchants and their service providers an increasingly attractive approach may be to work around the industry standards while they are so immature and non-functional, and devise their own solutions that:
Build on the fact that PSD2 does not preclude actors adopting an alternative approach to the PSD2 model (of no contract, no obstacles, only regulated parties, no possession of funds etc); and
Are designed with the end objective always in mind, of providing a service providing benefits to consumers and merchants, especially by reducing the costs as compared to card-based payments.
Exploring these ideas in more detail.
Defects baked into PSD2
“Laws are like sausages: one’s respect for them diminishes the more one knows what has gone into their manufacture”. Bismark.
In the context of Sofort’s original competition challenges to IDEAL and the private German bank arrangements, overlaid with some competition law theory from the Commission, it is not difficult to see how PSD2 got specified the way it was.
In consequence, PSD2 is not useful as a practical means of achieving its stated objective. Notably in relation to:
Specifying that no contract can exist between an ASPSP and a TPP:
Hence the ASPSP has no scope to charge for all of the work it needs to do to provide a truly functional service to consumers and merchants. In the circumstances it is not surprising that the ASPSPs are making so little effort to progress the compliance solution, and are making major efforts to ensure any added value use cases, take place outside the compliance framework. For example, identity.
Redress: Without clarity of SLAs and redress processes it is hard to envisage how any efficient and effective service can be made to work.
On-boarding: Without clarity up front of rights and responsibilities on-boarding is inevitably a less efficient and effective process.
No obstacles for TPPs access:
This prohibition by regulators continues to create issues, especially since it was originally suggested that testing could potentially be construed as an obstacle!
Some regulators took this objection to the extreme of precluding a functional scheme because its functionality would reduce the take up of the PSD2 unfunctional regulatory solution!
Restricting access to regulated parties:
The regulators have tried to hold a theoretical position that only regulated parties can participate in the ecosystem despite clear reasoned objections from the outset. For example, regarding incidental payments service providers and fourth parties (e.g. parties that act as an interface between ASPSPs and other TPPs, for example, Yodlee re AISPs) lawyers, accountants etc.
The ecosystem has been set up with the criticality asserted of regulatory registers and digital certificates granted only to regulated parties gaining access to accounts. However, many large merchants would rather self-PISP but are precluded from licensing by the regulatory exclusion of parties that perform regulated activities only incidentally rather than by way of business.
These objections are even more fundamental in relation to account information services.
The no possession of funds model for PISPs: While in theory this makes sense, in practice, this model implies that merchants will receive a whole load of individual payments in their accounts that they will need to reconcile. However, there is evidence that they would prefer to receive a statement of the proceeds of the day’s trading, as much as possible in the same statement format as they get it today. Just with quicker receipt of funds, and with a lower merchant service charge. Which implies their payments services provider must take receipt of the funds on behalf of the merchant initially.
Specified as fire and forget payments: PSD2 has specified that payments initiation provides an irrevocable payment where the initiation process is completed in a single session. Banks have increasingly stressed that building the ‘minimum compliant product’ should take priority over additional functionality. But in this case, it is hard to see how such a narrowly interpreted approach can comply with the purpose of the legislation. Given that, for example, merchants need to be able to ensure that they only initiate the payment once the goods are despatched, or they can find themselves required to ‘specifically perform’ on the contract. E.g. to deliver the goods ordered and paid for, even if these goods are no longer any in stock right now.
Issues created in standards processes
Moreover, having taken a wrong turn, the follow-on processes appear have got more involved in the detail and again risk forgetting the objective of being system and business model agnostic.
For example, trying to make an ASPSP’s ‘dedicated interface’ be at least as good as the best alternative customer channels in all circumstances makes the process of gaining approval for a dedicated interface extremely brittle and hard to plan for. The lack of the ability to give a ‘partial exemption’ makes this even worse. The binary nature of the dedicated interface assessment can give rise to ‘catastrophic curve’ outcomes with all their attendant uncertainties. These are not conducive to well-planned investments and developments.
This somewhat brittle bureaucratic evaluation process seems poorly aligned to an agile, API based delivery, which allows for continuous and incremental improvement over time. Is it any wonder therefore that second tier ASPSPs are waiting until first tier counterparts, like the CMA9, go through the sausage machine of regulatory approval of their PSD2 dedicated interfaces?
A more pragmatic approach would take account of the fact that payment initiation out of payment accounts, without credit card-like protections, would in fact be suitable in certain circumstances: notably low value point of sale (POS) scenarios, but less so in others (such as purchases of high value goods and services or with delayed delivery, like holidays and travel, and furniture). Hence in POS, a pure low-cost solution, albeit with less protections, would be valued more than in a delayed delivery model.
Moreover, recent developments in the roadmap process risk making things worse:
Moving away from payment agnosticism to specific payment systems: There is a risk that payments will become more difficult to execute, due to the increased complexity of options as well as the possibility that an ASPSP may reject a payment specified for a payment that is after the closing deadline for processing payments today for that payment system. Which rather seems to contradict the purpose of PSD2. Why would a merchant or consumer want to offer a payment system that would not work outside daily processing hours or on holidays or weekends? And how would this compete with card payments?
Making greater provision for PISPs to enquire on the status of the payments initiation: This was originally envisaged as an enhancement that would aid the adoption of the service. Whilst there is some merit in doing this in certain circumstances, the real issue, especially for retail payments, should be to make a real time decision on the payment initiation at the point of submitting the payment order. Providing a status by whatever means has no merit if there is a customer perception of delay at the POS. However, again there is a risk that by providing increased functionality at this first stage, the solution is made too complex and therefore too heavy to get off the runway.
Suggesting that payments initiation via redirection, where the consumer must see his available balance before making payment, needs to go through multiple strong customer authentications because one access is technically AISP access and another PISP access.
So, what should be done?
In establishing what to do, it is best to start with the greatest level of generality and then work back to the specifics: both geographically and functionally.
Start with the larger geographic contextand work back. The reason being that most actors, be they banks, TPPs or vendors, have locations outside Europe as well and are therefore looking for an approach that works globally, and will then seek to apply that as widely as possible. Thereby achieving efficiencies and economies of scale. Rather than emphasising the overly detailed regulations in each geography. Hence, as a commercially driven solution becomes clearer and gains traction it will overtake the European approach.
Globally, other geographies are already seeing the errors in the PSD2 approach and planning to go another way. For example, in Australia there is much more value and priority being given to account information rather than adopting a payments initiation focussed approach like the one in Europe. In other geographies it is assumed that you start with a solution that has contracts, even schemes, because they are necessary for certainty and clarity.
Further, the approach to the regulatory perimeter is being rejected in favour an approach that recognises that, with 'open everything' required to achieve the required benefits for the customer, the financial services regulatory perimeter starts looking random. It’s also dangerous. As we have seen with LIBOR and more recently RBS GRG it creates the illusion of regulation, but when push comes to shove, it becomes clear the regulatory regime does not provide the required cover. Which illusion of regulation gives rise to systemic risk in that consumers act believing they are protected by regulation when, in matter of fact, they are not.
Problem statement from the merchant and customer’s perspective
One of the primary noticeable things about the approach in PSD2 is that it is driven by experts, especially regulators, ASPSPs and increasingly TPPs, with remarkably little opportunity for merchants and consumers to have a say. Genuine innovation is normally messy and disruptive, even destructive (hence Schumpetarian ‘creative destruction’) with the market as the ultimate arbiter of success. And as we saw with video and music tapes, the best technical design, often does not prevail in the market.
Therefore, it is suggested that a more robust solution is likely to prevail where merchants, especially retailers, get involved in the process of devising an appropriate policy approach to payments initiation because, as PSD2 has shown, otherwise their needs will be overlooked. Many merchants, feel that they work hard to bring together goods and services to the customer, only to give a disproportionate amount of the profit margin over to the acquirer. Especially as relates to point of sale, having to cater for the cost and process of chargebacks that the consumer and merchant do not value.
Also, the approach should be to get competing minimum viable products (MVPs) out to the market to see what the merchants and the consumers want, balancing considerations of risk mitigation, security, and lack of friction. This means unworkable solutions fail fast. And learning points from MVPs are identified and built on quickly. Moreover, there is no solution ‘to rule them all’. Different solutions will succeed in different areas.
This MVP approach neatly aligns with the agile approach and lets the market decide by ‘natural selection’ what works or what is a gap. This philosophy is inherently absent from the roadmap approach being adopted which risks trying to predict the functionality required and enforce its implementation without a true, genuine demand or properly validated business cases from the TPPs.
Continuing to consider relatively green field jurisdictions, and returning to some of the detailed issues raised above, it would seem more pragmatic, rather than prohibiting contracts between ASPSPs and TPPs, to permitcontracts as required, even multi-party ‘schemes’. To address the concern that ASPSPs might abuse their powers to make this contracting process onerous, disadvantageous or slow, regulators could specifically police this. In relation to a scheme there are principles laid down for the regulation of financial market infrastructures designed for just this sort of situation.
Similarly, the prohibition of possession of funds should be re-considered. This would seem to be capable of being adequately protected against by requiring segregation of client funds in much the same way as applies to payments institutions and e-money issuers. Incidentally, this suggests that PISPs should ensure when obtaining their licences that they should, in order to future-proof apply for licences that include wider permissions, notably merchant acquiring, as well as pure PISP permissions.
In general, it would appear best to avoid other aspects of PSD2’s over-specific rules, notably as relates to security, which risks setting in stone security approaches thought applicable at a particular point in time.
What is the way forward for payments initiation in Europe and especially the UK ?
Which brings us back to the specifics of the way forward for payments initiation. Because the payments initiation compliance standards miss the mark with regard to the objectives of the original legislation most innovation is going on around rather than through the official compliance payments initiation standards. As discussed in a previous paper, most of the innovation is therefore taking place not in the compliance layer but rather as solutions provided in the walled garden or gated community part of the API provision.
Hence, if a merchant wants to achieve something innovative in payments initiation it is best to try to do it directly, rather than seeking to get the payments initiation standards updated. This is partly because the roadmap is moving too slowly, but more to the point, it is going in the wrong direction. And besides, if an innovator wants to make progress it is better to act to get ahead of the curve and establish a market share rather than waiting for the standard to be established. By which time the chance for super-normal profits will have evaporated.
In conclusion, most of the work we are observing in payments initiation, and all of it relating to innovation, is being devised using interfaces other than the compliant standards. This is likely to emerge as the definitive approach for innovation in this space.
If want to discuss the ideas in this paper and/or sign up for other thought pieces, please e-mail firstname.lastname@example.org or email@example.com, call 07986 680 283, or contact us via our website at www.triari.co.uk.