The Second Payment Services Directive, aka PSD2, contains much that is admirable, some that is debatable and yet more that is downright mysterious. As we await the forthcoming final version of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), putting everyone on a 21-month implementation cycle, I thought I’d cast an eye over one of the, as yet, largely undiscovered areas of the directive; namely the exclusion from SCA for direct carrier billing (DCB). Like so much in PSD2, no exemption comes without penalty.
It’s the directive itself that excludes direct carrier billing from regulation, in Article 3, where it specifically excludes:
(f) payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service:
(i) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or
(ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets;
provided that the value of any single payment transaction referred to in points (i) and (ii) does not exceed EUR 50 and:
— the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or
— where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month;
If you care to deconstruct this it means that PSD2 doesn’t apply to direct carrier billing – payments made using a subscriber’s existing mobile account – if the subscriber doesn’t spend more than €300 a month or pay more than €50 on any single payment. Which is a useful exclusion for network operators and providers of DCB services, but does rather put a limit on any ambitions to extend and grow these services into genuine competitors for consumer payments. The exclusion also doesn’t apply to physical goods, limiting any expansion plans in that area.
Fail to meet those conditions and DCB automatically falls into the jaws of the RTS on Strong Customer Authentication, requiring two-factor authentication to be applied, subject to the normal exemptions not being invoked. Given that banks, who have a track record of applying authentication to consumer payments, are finding meeting the SCA requirements challenging, it’s not immediately obvious how mobile operators are going to address this, although you’d imagine that they could use the mobile handset itself as the possession factor. Nonetheless, forcing customers to enter passwords or implementing a handset-based biometric through an app isn’t going to do anything for the customer payment experience, which hitherto has largely been invisible.
The problem is that doing nothing is not an option. Not implementing SCA means capping the amount customers can spend each month, and failing to do that will mean customers have the automatic right to apply for a refund, as payments over the limit will, in PSD2 terms, be unauthorised. T&Cs will need to be rewritten to make sure the operators can get their money back, although in the absence of regulatory guidance it’s not clear that the directive might not override that – if PSD2 is about one thing it’s about the pre-eminence of consumer rights. Oh, and go over that limit and the operator will find themselves considered a payment service provider under the regulatory conditions of PSD2 with all that it entails.
Some DCB providers have already taken the initiative and become Electronic Money Institutions, which means they don’t have to worry about the restrictions but do have to suffer the slings and arrows of Strong Customer Authentication, outrageous or otherwise. Others seem so far less bothered, although no doubt the proposed regulatory penalties when published will concentrate minds. What’s really interesting is that the other side of PSD2 – the so-called XS2A, Access to Account, via bank-implemented APIs – actually opens up a real opportunity for any mobile operator or DCB player smart enough to spot it. After all, if you can connect to any consumer’s bank account to draw funds or examine their spending patterns you’re halfway to a pervasive retail consumer payments solution.
As for the other half, well that’s what we at Consult Hyperion are paid to solve. We think that the elements to allow this are already in place; all it needs now is someone with the foresight to take advantage of them. At that point the European Commission may well get the kind of innovation and competition in consumer payments that it desires, but in the meantime we’ll just continue twiddling our thumbs waiting for the RTS.