How Does the Payment Services Directive (PSD2) Affect Crypto Exchanges?
Since January 2018, the Payment Services Directive (PSD2) has had a significant impact on the practices of banks, payment processors and e-money institutions, and it has also affected crypto exchanges and crypto brokers. This is even more the case when a crypto exchange wants to widen its business model and offer new payment solutions for its crypto offerings.
In this piece, we look at what PSD2 is, what it changes and how those changes affect crypto exchanges.
What is PSD2?
PSD2 is a regulatory change that follows the technological disruption of the retail payments industry in recent years. Areas of the payments market such as card, internet and mobile payments still remain fragmented along national borders to a certain extent.
The treatment of payment-related activities had proved too ambiguous, too general and outdated. To embrace the new disruptive technology, the regulator needed to take market developments into account, focusing on enhanced security in online payments, a higher level of legal certainty, enabling additional means of payment in order to reach the global market, enabling new players on the market, ensuring consumer protection and strengthening consumer trust through enhanced transparency (see recitals 4 to 6 of the Preamble to PSD2).
PSD2 implements three core changes
1. Access to Accounts (XS2A), also known as Open Banking
Before the PSD2 changes, access to bank accounts was restricted to either the account issuer or unregulated providers using ‘screen scraping’ and the consumer’s security credentials. Under PSD2, any regulated third party can access a consumer’s bank account if it has the consumer’s consent. Third-party providers (such as merchants) now have the opportunity to access data and initiate payments, and banks are obliged to provide interfaces that support such access. This means that banks no longer have a monopoly over their customers’ data.
2. Strong Customer Authentication (SCA)
This is also known as two-factor authentication or 2FA. PSD2 enhances security and reduces fraud by enacting stronger identity checks on users when they pay online. Since 14 September 2019, all payment transactions need to be authenticated by at least two out of three independent security methods:
– knowledge (something only the user knows),
– possession (something only the user possesses) and
– inherence (something the user is, such as fingerprint or face recognition).
There are exceptions to this rule. In short: trusted third parties, recurring payments with the same merchants, low-value transactions (below 30 EUR) and payments with a low-risk profile.
The main method for complying with the SCA standards is the 3D Secure protocol, which has been in use for some time now and has basically become a requirement for every online merchant after 14 September 2019. Additionally, PSD2 promotes a new standard called 3D Secure 2, created in 2015 by EMVCo, which enables the issuer to challenge a cardholder to perform additional authentication in order to finish the payment, such as using one-time passwords, biometrics or the cardholder’s mobile banking app.
3. Limited or banned surcharging
PSD2 limits the costs for card payments and bans all surcharging for payments where a consumer’s credit, debit or prepaid card is used.
The scope of the PSD2
It should be noted that PSD2 does not apply to crypto exchanges unless a purchase by credit or debit card is involved.
In one of the papers about cryptocurrencies and blockchain, the European Parliament suggested several different ways to regulate crypto exchanges and custodian wallet providers. The first was to make exchange platforms obliged entities under the Anti-Money Laundering Directive (AMLD5), subjecting them to customer due diligence requirements. The second was to bring virtual currency exchange platforms under the scope of PSD2.
The difference between the two options is that PSD2 goes further than AMLD5. Besides the AML and CTF requirements, PSD2 also establishes a licensing obligation for regulated entities, minimum capital requirements, safeguarding requirements and consumer protection rules, and is therefore more burdensome for exchanges. The regulator decided to bring crypto exchanges and custodian wallet providers under the scope of the 5th Anti-Money Laundering Directive (AMLD5) instead of PSD2.
Users of Crypto Exchanges
As already mentioned, as of 14 September 2019, all electronic transactions in the European Economic Area require Strong Customer Authentication (SCA), also known as two-factor authentication (2FA). This essentially means that users of crypto exchanges will have to provide extra security information to buy crypto in Europe.
This is good from a security point of view, but not from a user-experience point of view: we all know that the more information you ask a user to provide during payment, the more friction is added to the purchase process, which could result in dropouts.
It is important to mention that additional payment methods, such as e-Wallets, are also subject to 2FA as of September 2019.
It is obvious that the exchanges that provide the best and easiest user experience in the purchase process will most likely gain more users than others. To reach as many users as possible worldwide, it is important that crypto exchanges implement a wide selection of payment methods: the wider the selection, the more opportunities users have to use the exchange.
If you need a Fintech Lawyer or help with getting a PSD2 license, we are here to help.