Sam Bennett, Head of Compliance and Operations, Frontierpay
Taking effect at the beginning of 2018, the second Payment Services Directive (PSD2) is set to directly impact all organisations involved in the payments industry. Sam Bennett, Head of Compliance and Operations at Frontierpay, discusses why businesses need to be prepared – and the risks they expose themselves to if they fail to do so.
What exactly is PSD2?
PSD2 is a new iteration of a piece of legislation that was introduced in 2009 to monitor the safety of the electronic payments industry. Technology, as we all know, is rapidly developing and in the eight short years since PSD2’s predecessor was enacted, the world of ecommerce has become a very different place. Contactless payment devices, e-wallets, online and mobile banking, many of which were still very much in the early stages of development in 2009, are now commonplace.
As such, the EU has deemed that a regulatory refresh is required to ensure that consumers and businesses alike can use today’s technology to make payments safely and securely. Ultimately, it’s about ensuring that consumers can continue to make electronic payments in the knowledge that the organisations handling their money have taken all of the necessary safety precautions.
Does my business qualify?
If your organisation is involved in the processing of electronic payments in any way, you need to make sure that you’re compliant with PSD2. As you might expect, this means that banks and building societies have their work cut out, but the new legislation will also stretch to organisations such as retailers and charities.
Uber, for example, is one such company that provides a platform to facilitate transactions but doesn’t actually handle those transactions itself. Companies with similar frameworks will need to assess whether they’re in scope or not. If you’re unsure whether your business needs to be compliant with PSD2, the best thing to do is either speak to a compliance consultant or find out directly from the Financial Conduct Authority (FCA).
If your business doesn’t need to be PSD2 compliant but you rely heavily on financial service providers as part of your supply chain, don’t be afraid to ask them about their regulatory status. Don’t put your own business at risk by working with partners who are cutting regulatory corners.
How do I make sure I’m compliant?
It’s important that all businesses involved in making payments are up to scratch with the necessary requirements, given that there are just a few short months left until compliance with PSD2 becomes a legal requirement.
For businesses involved in the financial services industry and already regulated, the first step is to reauthorise with the FCA. This will involve extra scrutiny of security policies, risk assessment and IT capabilities. If an organisation isn’t currently authorised but is in scope of PSD2, they will need to be PSD2 ready too.
Two-stage authorisation, which is already widely respected as a security measure, will become a necessity once the new legislation takes hold next year. Many systems will need to be built or adapted in order to accommodate this extra layer of security.
What are the risks of being unprepared?
For starters, as compliance with PSD2 will be a legal requirement as of next year, if businesses can’t prove that they have taken the necessary steps, they will be seen as operating illegally and will need to cease trading immediately.
Banks, building societies and financial services companies in particular will already be on top of this, considering their daily activities revolve around the handling of payments. However, the organisations with the most work to do will be those who aren’t already regulated by the FCA. There are some that might not even be aware that PSD2 will apply to them.
Will Brexit impact PSD2?
PSD2 must be implemented by all countries within the European Union. We therefore have to ensure it’s implemented in the UK, as it will be a mandatory requirement before we have left the EU. We could, in theory, abandon PSD2 once we exit the EU. However, companies will have gone to such lengths to ensure that they are compliant, it would be counter-productive to drop it once the opportunity arises.
Abandoning PSD2 would also risk damaging the UK’s status as a standard bearer from a regulatory point of view. Considering that all of our trading partners in the EU will be operating in accordance with PSD2, I think it’s unlikely that we would want to be seen as the weak link, as opposed to the regulatory technology leader that we currently are.
For companies that need to be regulated but haven’t yet taken steps to ensure they are, the immediate priorities should be to assess their degree of regulatory responsibility and begin putting the necessary processes in place. For those who are already regulated but need to reauthorise, I recommend planning the timings of this process carefully, to ensure that all technology and compliance implementations are completed in time.
Finally, I encourage all organisations affected to look at PSD2 as a positive change. The purpose of the new legislation is to once again put the UK at the forefront of regulatory development, but it will also help to promote further innovation in the industry. The consumer journey will be updated with safer, cheaper and more easily accessible services, which, ultimately, has to be viewed as a positive move.