Amanda Khatri
Editorial Manager
What regulations are there for the payment services industry?
With new payment methods emerging all the time, accompanying regulations are also coming in thick and fast. But regulations don’t need to feel restrictive. Leading card providers like Mastercard and Visa leverage their compliance to gain a competitive advantage over other providers and upgrade their customer experiences.
Here are some of the biggest payment services regulations:
- Payment Services Directive 2
- Strong Customer Authentication
- Anti-Money Laundering Directives
- Suspicious Transaction and Order Reports
Payment Services Directive 2
The version of the Payment Services Directive, released in the mid-2010s, was the second iteration of the regulation. It’s an EU framework that aims to hold payment providers accountable and make the industry fairer for customers.
Here are some of the key takeaways from the PSD2:
- It eliminates surcharges on payment instruments by payment service providers for consumer protection.
- It makes T&Cs more visible so that customers are more informed about what they’re signing up for.
- It allows for the creation of APIs for third-party providers to increase access to open banking and reduce friction for customers.
The second payment services directive was well-received, as it provided a clear way for European payment institutions to take advantage of the disruptive embedded finance industry. Moreover, a call for feedback in 2018 for the payment services regulation found that the EBA’s requirements were effective in enhancing competition, facilitating innovation and protecting consumers.
Strong Customer Authentication
Strong Customer Authentication (SCA) is one arm of the PSD2. It is, therefore, also driven by the European Commission under the main payment regulation framework released in the last decade.
SCA focuses on customer-led payments such as contactless transactions in a shop, compared to direct debits or subscriptions which are typically merchant-led.
The SCA has two main points of focus:
- 2-Factor Authentication (2FA)
- 3DSecure2 Protocol (3DSP)
2-Factor Authentication
2FA is a payment validation tool which aims to verify the identity of the payment maker. This decreases the risk of fraud, as online money and payment channels become more secure against third parties.
Under the payment services regulation, 2FA requires at least two of the following three information categories before a payment can be made:
- Knowledge (such as a password)
- Possession (such as a code sent to your mobile phone)
- Inherence (such as fingerprint or facial ID)
3D Secure Protocol
3D Secure Protocol is a security protocol to facilitate online card transactions. Dynamic linking technology is used to track customer payments while protecting their identities by keeping the data anonymous.
3DSP was first adopted by leading payment brand Visa to increase the security of their online payments, without the intrusiveness of previous protocols.
Overall, SCA works to reduce the risk of fraud because it requires such specific validation for payments. This also increases confidence in risk management practices, even as less-established payment channels increase in popularity.
AMLD5 and AMLD6
Anti-money laundering directives AMLD5 and AMLD6 are both recent regulations that touch on payment services. As we move into the digital age, money laundering checks should focus on moving with the technology, including online payments.
AMLD5 became effective in 2020, and focused on four major areas:
- Online identification (including the SCA mentioned above).
- Better due diligence – including the purpose and background of each transaction.
- Ultimate Beneficial Ownership changes – including better verification methods and a new private register that’s specific for banks.
- Better due diligence for politically exposed persons.
It applies to all member states, including EU countries and the US, but not the UK. It clarified 22 separate offences with regard to illicit finance or money laundering. Many of these involve the internet or modern technologies, such as online piracy and cybercrime.
The regulation also places more emphasis on the penalties and punishments of those convicted of these types of crimes. This aims to deter potential criminals. Finally, 6AMLD6 also encourages member-state cooperation as regulators recognise the need for a collaborative approach to payment services and preventing fraud.
Suspicious Transaction and Order Reports (STORs)
Finally, STORs are required by any company which facilitates trading or investments, which could be considered a payment services regulation. They are reports which must be filed for investigation if one of seven key suspicious behaviours are noticed.
STORs were introduced under the EU system to prevent market abuse and help payment firms and financial services companies to monitor each payment transaction and their payment systems more closely.
Compliance made easy
For payment services companies, it can feel overwhelming to create new compliance strategies as more payment regulations are launched. Additionally, there is constant work to remain up to date with changes to existing legislation.
No matter your jurisdiction, CUBE can do the heavy lifting. We use horizon-scanning technology to help businesses stay ahead of the regulatory curve and eliminate the need for manual trawling of regulatory body sites, so that compliance officers can focus on what matters most.
Keep ahead of emerging regulations by speaking to CUBE.
