18



                   23.       The 2015 Payment Service
                   Directive (PSD II) opened the
                   market to a new set of players by
                   enabling bank customers to use
                   third-party providers to manage
                   their payments. PSD II extended the
                   scope of payment services by
                   including third party providers, the
                   application of rules to transaction in
                   all currencies, and one-leg-out
                   transactions (transactions with parties
                   outside the European Economic
                   Area). PSD II transfers personal data
                   ownership from banks to their
                   customers, by enabling them to grant third-party providers (Account Information Service
                   Providers—AISPs) permission to access their account data stored by banks—which become
                   Account Servicing Payment Service Providers (ASPSP). The directive also regulates
                   initiation of payments, internal dispute resolution procedures and customer authentication.
                   Third parties would thus be able to make payments to merchants directly from consumers’
                   accounts, circumventing card schemes. Third parties would also be permitted to consolidate
                   multiple accounts or financial services in one place. Moreover, PSD II contains enhanced
                   security requirements (see Annex II).

                   24.       Implementation of PSD II, including transposition into national law across the
                   EU, has spanned several years, but some gaps in legislation are still present. The
                   Directive mandated the European Banking Association (EBA) to develop technical standards
                   and guidelines in relation to payments security, authorization, passporting, and supervision.
                   However, the PSD II regulation was intended not to be prescriptive, but to facilitate
                   innovation and adaptation to member states’ circumstances. While PSD2 requires financial
                   institutions to share customer data with regulated third parties—if the customer provides
                   consent—it doesn’t mandate a specific technology. There are initiatives to create a common
                   application programing interface (API) standard, including NextGenPSD2 and Open banking
                   standards.  Banks have therefore adopted a mixed approach to implementation and seeking
                             12
                   to achieve minimum compliance with PSD II, while being lukewarm to customer-led
                                                                             13
                   solutions and innovation that provide access to third parties. The lack of a common
                   framework across the UK and the EU markets has tended to stall innovation, going against


                   12  NextGenPSD2 are the API standards developed by the Berlin Group—a group of banks, bank association and
                   payment service providers. Open Banking standards are the ones developed by U.K.’s Open Banking
                   Implementation Entity (OBIE).

                   13  Third party companies have pursued alternative like “screen scraping” in which a customer shares their
                   account credentials with them and uses these credentials to log into the relevant accounts and collect the data or
                   initiate a payment—circumventing the need to have an operational API.