AT A GLANCE:

PSD2 & DATA PROTECTION

January 2021 saw the introduction of new rules for online credit card payments. All online merchants must now meet the requirements of the EU PSD2 Directive with regard to strong customer authentication, which aims to make credit card payments on the Internet more secure. But what else has actually changed as a result of the PSD2 Directive coming into force three years ago?

RETROSPECTIVE

MILESTONES IN CASHLESS PAYMENTS

First credit cards

1950s

Introduction of EC cards

1980s

Digital bank transfers

2000s

Payment Services Directive

2020s

BACKGROUND

THE DIRECTIVE IN DETAIL

The PSD-what...?

 

The “Payment Services Directive 2” (PSD2 for short) is an EU Directive for payment services. With this Directive, the EU aims to strengthen consumer protection, increase the security of online payments and promote the further development of digital solutions in the European Economic Area. The Directive is being implemented in Germany in two stages: the first stage has been in force since January 2018 and the second stage since autumn of 2019.

 

What issues does the Directive regulate?

 

  • Fewer fees: online payments will become cheaper for consumers because merchants are no longer allowed to charge extra fees for using payment methods such as bank transfer, direct debit or credit card.
  • Less fraud, more security: additional security requirements will make fraud more difficult and better protect consumers; for example, strong customer authentication will become mandatory when making online payments and accessing online banking. So-called “two-factor authentication” allows the customer to be unequivocally identified using at least two features, from the customer’s knowledge (PIN, password), possession (card, mobile phone) or inherence (biometric characteristics such as fingerprint, iris).
  • New services and more convenience for consumers: banks will have to allow third-party providers such as financial start-ups (fintechs) and insurance start-ups (insurtechs) offering new digital solutions to access their customers' account information via standardised interfaces, if the customer authorises one of these third-party providers to do so.

European Commission

“PSD2 offers several key benefits to consumers: it tackles fraud in online payments. It opens the EU payments market to competition. It increases consumers’ rights. It prohibits surcharges. It improves the complaints procedure.”

Consumers own their data and have full control

 

Consumer advocates often warn against “data leeches”, suggesting that they allow anyone to easily and permanently access all data. This is not correct. It is true that until the introduction of the PSD Directive, there were two major problems: firstly, banks had had a monopoly on their customers' account data for a long time. Secondly, when the first providers of banking apps, contract cancellation services and instant transfers started accessing bank details, there were initially no clear rules. Consumers often simply gave these providers the login details to their accounts and the latter then accessed the data. This is where the PSD Directive comes in: it breaks up the banks’ monopoly on account data, and it creates a legal framework for third-party access to accounts, which sets out exactly under which conditions banking information may be accessed:

 

  • Nothing is permitted without consent: the PSD2 Directive increases the customer’s self-determination as the responsible owner of his data: he alone decides who may access his banking information and who may not. Third-party providers are only granted access to account information if the customer explicitly agrees.
  • Revocable at any time: if the consumer changes his mind at any point, he can withdraw his consent at any time.
  • Time-limited: being granted access on one occasion does not automatically mean permanent access, because the customer must reiterate his consent periodically – usually every 90 days.
  • Purpose-specific: access and processing of personal data by third-party providers is limited to the content required for the purposes for which the consumer has given consent.
  • BaFin authorisation required: here in Germany, only providers that have a special permit from the Federal Financial Supervisory Authority (BaFin), which also supervises banks, are allowed to access account information on behalf of the consumer. The PSD2 Directive distinguishes between two types of services: payment initiation services and account information services.

 

The more concrete the benefits, the more open-minded consumers are

 

Germans are still rather cautious regarding the use of personal data, such as health or financial data, in comparison with digital pioneers such as Denmark, Estonia or Sweden. However, the proportion of those who cannot imagine sharing their account details under any circumstances is decreasing, according to the results of a study by PwC Strategy& published in September 2020. Today, one in five Germans (20%)* is willing to grant access to their account information if they receive benefits, additional services or similar in return (see below for practical examples). According to a study conducted by the market research institute Heute und Morgen in November 2018, willingness to provide access to insurance companies, with which the respondents are already customers, is among the highest (23%)**. Trust in insurance companies is reinforced by the fact that they are also supervised by BaFin.

Tim Kunde

Friendsurance
“The PSD2 Directive is an important step in terms of consumer protection and enables a lot of beneficial use cases that help customers to obtain better insurance, for example.”
USE CASES

HERE'S HOW THE PSD2 DIRECTIVE MAKES YOUR LIFE EASIER

BANKING

Through “account information services”, you are able to view account balances and transactions in edited form for all the accounts you hold at different banks, allowing you to keep an eye on your financial circumstances.

ONLINE SHOPPING

Payment initiation services initiate payments on your behalf. This means that when you shop online, you don't have to log into the online banking area separately, but can make the transfer directly through the service offered on the merchant's site.

CREDIT APPLICATIONS

Before now, consumers had to spend time collating and sending in bank statements and pay slips. Thanks to automatic recognition of account information, this information is now available in digital form within seconds.

INSURANCE

PSD2 is also improving the customer experience in the insurance sector. More details on this below.

TAX RETURN

You decide which information is automatically transferred to your digital tax return from your online banking.

PRICE COMPARISON

Comparison sites can check whether you are paying too much for electricity, for example, on the basis of your account information.

Please note: Many banks and building societies have a function in their online banking set-up that allows you to see which account information or payment initiation services have accessed your account on your behalf, and to manage that access.

Benefits of the PSD2 Directive for insurance policyholders:

 

The PSD2 Directive also offers benefits in relation to insurance, including in the field of so-called “digital bancassurance”. This involves incorporating insurance into the range of online products offered by banks, so that consumers can manage their financial and insurance affairs quickly, easily and efficiently in one central location. With the help of digital bank account analytics, customers can be offered more convenient, more suitable and more affordable insurance solutions:

 

  • Digital insurance folders: many consumers want to manage their insurance policies digitally, rather than with lots of paper forms. The PSD2 Directive makes it much easier to transfer policies into a digital insurance folder: consumers no longer need to have their insurance documents to hand or to manually enter policy details. Instead, insurance-related information such as the policy number is automatically recognised from bank account entries and is presented in a digital insurance summary.
  • Tailor-made coverage: major life events can also be identified and appropriate adjustments to the insurance cover can be proposed. If the bank account has recently started receiving child benefit payments, the insurer can ask the customer whether there has been an addition to the family and, if necessary, check that the insurance cover is suitable for families. If the rent has changed, the customer may have moved and home insurance coverage may need to be reviewed. Using the account information allows insurance companies to offer prompt, individually tailored and therefore relevant insurance quotes.
  • Cheaper contracts: overpriced old contracts can be identified from the account information and more cost-effective alternatives can be offered, which the customer can accept at the click of a button directly through their online banking, which they log into regularly anyway.

 

Benefits of the PSD2 Directive for insurance companies and banks:

 

  • Insurance companies can offer their customers more convenient, more suitable and more affordable insurance solutions based on the new information. They also have the opportunity to significantly increase the frequency of contact with their customers, becoming more relevant in their daily lives.
  • Alongside their traditional banking business, banks can now also incorporate external offers from insurers and insurtechs into their own platforms, offering appropriate services to their customers and thus increasing customer satisfaction and loyalty.

 

PSD2 as a cornerstone of Friendsurance's product range

 

In its “Friendsurance Business” division, the Berlin-based tech company develops and operates B2B2C digital insurance sales platforms for insurers, banks and other partners. The range includes:

 

  • A scalable and modular technology platform with various features for digitally managing and optimising insurance. Friendsurance facilitates a deep and seamless integration into each partner's business environment.
  • Various cooperation models in the field of digital bancassurance (agent and broker licences as well as white-label solutions, customised solutions and mixed models where a white-label solution can be combined with customised modules).
  • Support in the digitalisation of other insurance distribution channels.
  • A deep understanding of customer needs based on many years of experience in B2C business, as well as a wide range of customer services and CRM tools for an improved customer experience.
  • PSD2-compliant bank account analytics to automatically identify customer needs, supply gaps and optimisation potential.

 

Digital account analytics: Highest data protection and data security standards

 

Friendsurance's digital bancassurance solutions can also use account information in accordance with the PSD2 Directive if the customer gives their express consent: firstly, when creating the digital insurance folder, and secondly, to identify life events. Friendsurance complies with the principle of data minimisation and the customer is fully informed about all information collected and must explicitly consent to their data being processed.

As account information may only be accessed in Germany by so-called account information services with a special permit from the Federal Financial Supervisory Authority, Friendsurance only works with state-regulated providers with the appropriate licence. Friendsurance itself does not have access to its customers’ account access credentials at any point.

Friendsurance processes the account information generated in this way using its own algorithms specially developed for insurance data. Only data relevant to the specific use case is processed. No data is passed on to third parties.

All legal data protection requirements are complied with and the customer receives the highest possible level of data security: Friendsurance operates strictly in accordance with consumer protection regulations and complies with all legal requirements under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) and the General Data Protection Regulation (GDPR). All data-related processes are also initially approved by the company’s legal department and data security expert and are subsequently monitored on an ongoing basis. Furthermore, Friendsurance maintains close contact with all regulatory authorities.

Dr. Sebastian Herfurth

Friendsurance
"At Friendsurance, we see ourselves as custodians of our customers' data. Responsible handling of data in the best interests of our customers is our top priority."

Last update:  09.02.2021