In 2016, the Payment Services Directive (PSD2), the European Union's revised Directive on payment services, came into force. Even in 2020 the concept of PSD2 is still unknown to many, or not entirely clear, despite the fact that its rules were transposed into Hungarian law in November 2017 (by Act CXLV of 2017).
PSD2's most important innovation is that it no longer reserves payment services for banks: it deliberately supports the entry of new service providers into the financial market.
While digital technologies spread rapidly, the financial sector had not kept pace. Payment service providers struggled to introduce secure and easy-to-use digital solutions, so these were not available to consumers and retailers. It was therefore decided at EU level to bring participants who are primarily active in the digital world into financial services, so that the financial sector could make use of their IT innovations.
In practice, PSD2 obliges account-servicing financial institutions in the member states to offer standard application programming interfaces (APIs) through which applications of third-party service providers can connect to banking systems. With the customer's consent, these service providers can access certain data of the bank customer or initiate payment transactions on the customer's request. The data enables the service providers to build their own services and integrate them into the payment process.
The new participants are the so-called fintech companies, which must be registered before they may provide payment services. In the register of the European Banking Authority (EBA) (https://eba.europa.eu/risk-analysis-and-data/register-payment-electronic-money-institutions-under-PSD2) and at member state level (https://intezmenykereso.mnb.hu/) anyone can check whether a company is registered or licensed as a PSD2 service provider. Access to both registers is free of charge, and the information is easy to find and search.
PSD2 opens the financial sector to fintech companies, but only if they meet strict criteria. Besides the EBA, the central bank of Hungary (MNB) supervises service providers in Hungary, and the data protection and consumer protection authorities also examine how payment service providers operate.
In addition to fulfilling the legal requirements, service providers must also demonstrate that they act on behalf of the consumer during the given financial service, based on the explicit authorization of the consumer.
The consumer gives this explicit authorization by identifying himself or herself before the financial service in two steps (so-called two-factor authentication). Two-factor authentication requires two independent elements to make sure that the customer really wants to complete the transaction.
If the user only had to enter a username and password, then anyone who obtained or intercepted those could complete the transaction without the real customer's authorization. Beyond something the user knows, a second factor is therefore required, which is provided either by a particular device the user owns or by a property that identifies the user unambiguously (biometrics). For example, after entering the password the user must also enter the code received in a confirmation SMS, or must approve the transaction on the mobile phone after presenting biometric data. In both cases the second element is the device (or SIM) in the user's hand, not the code itself.
Two-factor authentication corresponds to strong customer authentication (SCA) under PSD2: authentication must be based on at least two elements that are independent of each other, so that the breach of one does not compromise the reliability of the other. The elements fall into the categories of knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). Combining two of these elements means that the leak of a single credential, such as a password, is no longer enough to authenticate as the customer.
PSD2 requires payment service providers to apply strong customer authentication when the customer accesses his or her payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse.
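The following is an added illustration of the SCA rules described above, written for this page; it is not Microsec's PassByME code nor any bank's implementation. It assumes a password as the knowledge element and an RFC 6238 time-based code from an authenticator app as the possession element (all account data and secrets below are constructed). It goes one step beyond the text: for a payment, the code is also bound to the amount and the payee, which is the "dynamic linking" the PSD2 regulatory technical standards require for remote payments.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not Microsec/PassByME code). All values below are constructed.
STEP_SECONDS = 30      # TOTP time step (RFC 6238 default)
MAX_FAILURES = 5       # lock the account after this many failed SCA attempts
CODE_DIGITS = 6


@dataclass
class Account:
    """Server-side record holding one verifier per factor."""
    salt: bytes
    pw_hash: bytes          # knowledge factor: salted PBKDF2 hash, never the password
    device_secret: bytes    # possession factor: shared only with the user's device
    failed_attempts: int = 0
    last_counter: int = -1  # last accepted time step, so a captured code cannot be replayed


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enrol(password: str, device_secret: Optional[bytes] = None) -> Account:
    """Register the knowledge factor and provision a device secret (a fixed one for tests)."""
    salt = os.urandom(16)
    return Account(salt=salt,
                   pw_hash=_hash_password(password, salt),
                   device_secret=device_secret or os.urandom(20))


def _hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _code_for_step(secret: bytes, counter: int, amount: str, payee: str) -> str:
    # Dynamic linking (assumption beyond the text): for a payment, derive a
    # per-transaction key from the device secret plus amount and payee, so the
    # code is valid for that one transaction only. A plain login uses the
    # device secret directly.
    key = secret
    if amount or payee:
        key = hmac.new(secret, f"{amount}|{payee}".encode("utf-8"), hashlib.sha256).digest()
    return _hotp(key, counter)


def device_code(secret: bytes, now: float, amount: str = "", payee: str = "") -> str:
    """What the user's authenticator app shows at time `now` (RFC 6238 TOTP)."""
    return _code_for_step(secret, int(now // STEP_SECONDS), amount, payee)


def verify_sca(acct: Account, password: str, code: str, now: float,
               amount: str = "", payee: str = "") -> bool:
    """Strong customer authentication: succeed only if BOTH factors verify.

    Both checks always run and the caller gets a single yes/no, so a failed
    attempt does not reveal which factor was wrong. A leaked password alone,
    or a captured code alone, is therefore not enough.
    """
    if acct.failed_attempts >= MAX_FAILURES:
        return False

    knowledge_ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)

    # Possession: accept the current step or the previous one (clock drift),
    # but never a step at or before the last accepted one (replay).
    counter = int(now // STEP_SECONDS)
    possession_ok, matched = False, None
    for step in (counter, counter - 1):
        expected = _code_for_step(acct.device_secret, step, amount, payee)
        if step > acct.last_counter and hmac.compare_digest(expected.encode(), code.encode()):
            possession_ok, matched = True, step
            break

    if knowledge_ok and possession_ok:
        acct.failed_attempts = 0
        acct.last_counter = matched
        return True
    acct.failed_attempts += 1
    return False


if __name__ == "__main__":
    # Constructed scenario: the user logs in, then an attacker replays the captured code.
    acct = enrol("correct horse battery staple")
    t = 1_700_000_000.0
    code = device_code(acct.device_secret, t)
    print("login:", verify_sca(acct, "correct horse battery staple", code, t))
    print("replay of the same code:", verify_sca(acct, "correct horse battery staple", code, t + 5))
```

The point of the example is the independence of the two elements: the password verifier and the device secret are unrelated values, the server never learns which one an attacker got wrong, and a code captured in transit is rejected on replay and, for a payment, also when the amount or payee it was computed for has been tampered with.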
The PassByME mobile app developed by Microsec fully meets the legal and technical requirements for strong customer authentication, therefore several banks already provide their customers with this convenient and PSD2-compliant mobile banking solution.
Account information service providers offer the user aggregated online information about one or more payment accounts held with one or more payment service providers, retrieved through the online interface of the account-servicing payment service provider. This lets the payment service user get a comprehensive picture of his or her financial situation at any time. The data may also be used to offer further financial services.
Such a third-party service provider can be any fintech company, a bank, or a large player known from other markets (e.g. Amazon, Apple, Facebook). These third parties typically deliver the service through, for example, mobile apps that track the payment transactions of a given bank account, so that the user can see clearly how much was spent and on what.
A payment initiation service provider may check whether the user's account can cover a payment and initiate a payment from it. Acting as an "intermediary" between the user and the merchant, it can for instance pay a utility bill (e.g. dijnet.hu) or settle the price of goods bought in an online shop (e.g. Net Pincer, Wolt).
© 2021 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41