Payment Services Directive 2 (PSD 2) in short
December 2016 | PROFESSIONAL INSIGHT | BANKING & FINANCE
Financier Worldwide Magazine
PSD 2 came into force on 12 January 2016 and European Union (EU) member states must transpose PSD 2 into their national laws and regulations by 13 January 2018. Most importantly, the European Commission (EC) has stated that member states should interpret the existing rules on payment services in line with PSD 2 and must not adopt new measures contradicting PSD 2.
Exclusions to PSD 2
Under Article 3, PSD 1 did not apply to certain transactions described in that article. The scope of these exclusions was not clear in all cases. As a consequence, they were applied in different ways across member states. Article 3 of PSD 2 clarifies and tightens the exclusions, including the commercial agent’s exclusion, the limited network exclusion and the telecom exclusion.
PSD 2 states that: “service providers should be obliged to notify their activities to competent authorities so that the competent authorities can assess whether the requirements set out in the relevant provisions are fulfilled and to ensure a homogenous interpretation of the rules throughout the internal market. In particular, for all exclusions based on the respect of a threshold, a notification procedure should be provided” (Recital 19 of PSD 2).
Extended scope of PSD 2 (non Euro and international transactions)
Article 2 extends the scope of PSD 2 by:
(i) applying Title III (transparency and information requirements) and Title IV (rights and obligations of payment service providers (conduct of business rules)) to payment transactions in the currency of a member state where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the EU;
(ii) applying most of Title III and most of Title IV to payment transactions in a currency that is not the currency of a member state where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the EU, in respect of those parts of the payment transaction which are carried out in the EU; and
(iii) applying most of Title III and parts of Title IV to payment transactions in all currencies where only one of the payment service providers is located within the EU, in respect of those parts of the payment transaction which are carried out in the EU.
New payment services
PSD 2 requires payment service providers that provide payment initiation services and account information services to be authorised (or registered, where permitted, as a small payment institution) so that they comply with the provisions of the directive as it applies to them. In this context, PSD 2 notes that these types of service provider, when they provide such services exclusively, do not hold client funds. Accordingly, PSD 2 provides that it would be disproportionate to impose own funds requirements on those new market players. Nevertheless, PSD 2 requires that they either hold professional indemnity insurance or provide a comparable guarantee. Recital 36 of PSD 2 states: “in order to avoid abuses of the right of establishment, it is necessary to require that the payment institution requesting authorisation in the Member State provide at least part of its payment services business in that member state”.
‘Payment initiation services’ enable the payment initiation service provider to provide comfort to a payee that the payment has been initiated in order to provide an incentive to the payee to release the goods or to deliver the service without undue delay. Such services offer a low-cost solution for both merchants and consumers and provide consumers with a possibility to shop online even if they do not possess payment cards.
‘Account information services’ provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user is thus able to have an overall view of its financial situation immediately at any given moment.
Small payment institutions
Currently, member states have the option to apply a registration system for small payment institutions and apply reduced regulatory compliance requirements to them. This exemption right is continued under PSD 2, although slightly amended. PSD 2 specifies the limits of this exemption by providing that: “the monthly average of the preceding 12 months’ total value of payment transactions executed by the person concerned, including any agent for which it assumes full responsibility, must not exceed a limit set by the member state but that, in any event, amounts to no more than EUR 3m”.
That requirement is assessed on the projected total amount of payment transactions in its business plan, unless an adjustment to that plan is required by the competent authorities. Additionally, none of the natural persons responsible for the management or operation of the business must have been convicted of offences relating to money laundering or terrorist financing or other financial crimes. Among other things, member states may also require that small payment institutions may engage only in certain activities listed in Article 18 (i.e., ancillary activities).
However, small payment institutions have no rights to passport their payment services.
Access rights to payment systems and accounts
Article 35 regulates access rights to certain payment systems by payment institutions (Article 35(2) excludes certain systems) and Article 36 regulates access to payment accounts services. Both articles generate considerable complexity. The EBA is currently drafting the technical specifications and guidance on these access rights, and more detail is expected in early 2017. The EC argues that: “for payment institutions, access to a payment account maintained by a credit institution is vital for the operation of their business. PSD2 provides specifically that member states will have to ensure that credit institutions do not block or hinder access to payment accounts and that payment institutions have access to credit institutions’ payment accounts services in an objective, non-discriminatory and proportionate manner”.
It should be noted that the payer’s right to make use of a payment initiation service provider does not apply where the payment account is not accessible online.
The role of the European Banking Authority (EBA)
The EBA has a number of roles under PSD 2, including those referred to in Article 98.2. Article 98.1 provides that the EBA shall develop, by 13 January 2017, draft regulatory technical standards addressed to payment service providers, including: (i) the requirements of the strong customer authentication referred to in Article 97(1) and (2); (ii) the exemptions from the application of Article 97(1), (2) and (3), based on the criteria established in paragraph 3 of this Article; (iii) the requirements with which security measures have to comply, in accordance with Article 97(3), in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and (iv) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.
Power is delegated to the EC to adopt those regulatory technical standards in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010. The EBA will review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments.
Security
The new security-related obligations throughout the directive, and in particular in Article 97, are one of its central pillars. Every payment service provider will have to ensure its technology incorporates the directive’s requirements and the regulatory technical standards (RTS) subsequently adopted by the Commission, where they apply to its services. Applications for authorisation require, among other things, the submission of a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data.
In short, PSD 2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. Payment service providers will (subject to exemptions to be defined by the EBA) be obliged to apply so-called strong customer authentication (as defined) when a payer initiates an electronic payment transaction. For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks. The EBA, in its draft December 2015 paper, has given an initial indication as to what these exemptions might cover.
Current authorisations
Article 109 of PSD 2 foresees transitional provisions for payment institutions that are already authorised to provide services under the current Directive. These institutions are allowed to continue providing payment services for 30 months (authorised institutions) or 36 months (‘small’ institutions that benefited from the waiver under Article 26 of PSD) after the entry into force of PSD 2. In order to provide payment services beyond that transitional period, the existing payment institutions would need to submit all relevant information required under PSD 2 to the competent authorities that have granted them their existing licences and fully comply with the relevant PSD 2 requirements.
In addition, member states may provide for the existing payment institutions to be automatically granted PSD 2 authorisation if the competent authority already possesses evidence that the payment institution complies with PSD 2 requirements. Competent authorities shall make such an assessment on a case-by-case basis. They should inform the payment institution concerned before the authorisation is granted.
Paul Foley is a partner at McKeever Solicitors. He can be contacted on +35 31 859 0128 or by email: pfoley@mckr.ie.
© Financier Worldwide