The EU’s Payment Services Directive: following a road well-travelled
October 2022 | SPECIAL REPORT: FINANCIAL SERVICES
Financier Worldwide Magazine
October 2022 Issue
In the EU, the second Payment Services Directive (PSD2) effectively laid the groundwork for ‘open banking’. ‘Payment services’ include a wide range of services that, taken together, establish the infrastructure for enabling the payment of money. Examples include services enabling cash to be placed on, or withdrawn from, a ‘payment account’ and the execution of payment transactions. PSD2 laid down certain rules for regulating this sector. PSD2’s main innovation was to open access to customers’ bank account data, enabling third-party information and payment initiation services providers (TPPs) to use this data, with customers’ agreement, to provide new FinTech products to them.
Almost five years since it entered into effect, the PSD2 is being ‘reviewed’. On 20 October 2021, the European Commission (EC) sent a ‘call for advice’ to pan-EU banking regulator the European Banking Authority (EBA), with the objective of gathering evidence on the application and impact of the PSD2. On 23 June, the EBA responded with a comprehensive opinion. In the opinion, the EBA set out its findings on the implementation of PSD2 and a number of proposals (more than 200) for reform. In the meantime, the EC also sought feedback from the industry and the public at large. On 10 May, it published a set of documents – two calls for evidence and three consultations – with a view to progressing the review of the PSD2 and its related open finance initiative. These requested responses to many detailed questions.
These policy documents, although representing the first stages of the review, signal that regulatory intervention in the payment services sector is far from over. The aim of the PSD2 was to achieve a well-functioning market, characterised by competition and innovation, which allows for safe, convenient and cost-efficient payment solutions. With the EC’s review, the regime looks set to follow the trajectory of other financial services regulations that have sought to open up competition and take on board new technologies, such as the Markets in Financial Instruments Directive: new rules aimed at harmonisation, closing gaps and reducing fragmentation are likely to result from the review, possibly in the form of a directly applicable Level 1 regulation.
The aim of this article is to highlight three of the major landmarks along the direction of travel: (i) the possibility that the scope of the regime may be expanded; (ii) the transition to ‘open finance’; and (iii) the strengthening of strong customer authentication (SCA) requirements.
Widened scope of application
The review documents place several potential reforms on the table, which could broaden the scope of the framework if adopted.
The EBA has proposed clarifications to key terms like ‘payment account’ and ‘payment instrument’ that could expand these concepts. It calls for the definition of ‘payment account’ to allow for a variety of use-cases, including those where only a single payment transaction is executed on the payment account, without restriction on the applicable payment services. In addition, card tokens that allow payment order initiation should constitute payment instruments. On the other hand, technical services related to the operation of a digital wallet should not be considered a payment service.
The EBA is especially keen to avoid circumvention of PSD2 and targets “EU merchants circumventing the requirement to implement/apply SCA by contracting acquirers from third countries outside the EU”. In this regard, it proposes amending the directive to provide rules of the road for determining the place of provision of services, including a clarification that in cases where the online sale of goods and services is carried out within the EU, the acquiring of payment transactions is considered to be carried out in the EU. This suggests a particularly extraterritorial approach to the legislation, which may disrupt certain cross-border business models.
The EBA also has in its crosshairs “resellers that do not bear the responsibility for the goods and/or services being provided but are nevertheless in control of the financial flows”, suggesting that these should be clearly in-scope of the legislation. The reseller industry will be keen to ensure that any new rules distinguish legitimate reseller business models where resellers “actually and legally” act as sellers.
Of particular conceptual interest is the idea that PSD2 could be merged with the second Electronic Money Directive (EMD2), with the aim of avoiding regulatory arbitrage. This invokes the debate over whether regulation should be entity or activity based, which has re-emerged in recent times as policymakers strive to accommodate new technologies and ensure that rules are technological and business model neutral. As e-money products and services continue to evolve, including as crypto or digital assets, alongside innovations in payments processing and wider banking services, a coherent and consistently applied regulatory framework is key.
Open finance
‘Open finance’ represents the next step after open banking: while open banking is limited to data from banks, open finance refers to TPPs’ access, subject to the customer’s agreement, to customers’ entire financial footprint, including potentially pensions, mortgages, insurance, consumer credit, and so on.
Strictly speaking, the EC’s open finance initiative is expected to culminate in a separate legal framework, which the EC wants to have in place by 2024, though this timetable is likely to slip. However, the transition from open banking to open finance will require PSD account servicing payment services providers (ASPSPs) to further shift their mindset toward enhanced data sharing and openness, and an acceptance that financial customers own the data they supply. A proprietary and territorial view of account data that tracks toward the regulatory minimum required by PSD2’s access to accounts provisions is therefore likely to prove a short-term strategy only.
The EC and EBA are animated by the benefits of open finance, including enhanced customer experiences through bespoke products and services, better consumer financial decision making and management, improved efficiency and productivity for corporates, and greater competition, fostering innovation. These are compelling policy drivers, which underpin the EC’s overall digital economy strategy.
Data sharing in the digital economy would require a dedicated infrastructure that enables machine-readable access and machine-to-machine communication, so that the various firms in the data value chain can interact and cooperate efficiently. Accordingly, the new framework could see the development of a single EU API standard, potentially mandatory, in place of the myriad API standardisation initiatives that currently coexist in the EU, such as the Berlin Group standards, the French STET standards or the Czech and Polish API standards. Clarifications may also be made to the EU General Data Protection Regulation (GDPR), to prevent the latter being invoked as a reason to avoid API adoption.
Indeed, firms are likely to have limited room to manoeuvre out of the requirements. The EBA has flagged, in particular, the need to carefully consider the interplay between the PSD2 and the eventual future legal framework on open finance “to avoid any grey area regarding the legal regime(s) applicable to [account information services providers] or loopholes in said regime(s)”.
Strong customer authentication
The PSD2’s SCA rules require the use of two authentication factors, out of three categories – something only the user knows, something only the user possesses, and something the user ‘is’ – where the user accesses its payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The EBA has given guidance that the two authentication elements need to belong to different categories.
The harmonisation of provisions on SCA is generally considered to have had a positive effect on the security of customers’ electronic payments and financial data. Nonetheless, both sides of the sector, ASPSPs and TPPs alike, have found reason to complain about the requirements. As a general matter, the requirements are unclear. The EBA has already provided many clarifications on the application of the SCA requirements through opinions and Q&As. For ASPSPs, the prescriptive requirements can be difficult to apply in practice. For instance, the definition of what counts as an authentication factor can be too restrictive for some providers’ business models, causing unwarranted friction in the customer journey and potentially stifling innovation. On the other hand, some TPPs complain that some ASPSPs might use SCA to unjustifiably restrict or deny access.
The review documents do not betray any plan to lighten the regime. Indeed, the EBA’s opinion generally points to a broader application of SCA. For instance, the EBA proposes requiring SCA for the initiation of all payment transactions subject to specified exemptions. It also proposes new requirements for setting up electronic mandates for payee-initiated transactions as well as the introduction of limits on the maximum number of payment transactions that can be executed and the duration of the mandate before it needs to be renewed by the user. Further, in a potential blow to ASPSPs with advanced behaviour tracking technologies, the EBA has reiterated its position that ‘behaviour biometrics’ are not an inherent authentication factor (something the user is) which, in its view, refers to physical properties of body parts, physiological characteristics and behavioural processes created by the body.
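As an added illustration, not code from the article or from any regulator, the following Python policy check encodes the SCA rules described above: at least two authentication elements from different categories, with behavioural biometrics not counting as an inherence factor. The element names, their categorisation and the `sca_required` decision helper are assumptions made for the example.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is
    NONE = "none"              # not an SCA factor at all


# Constructed catalogue mapping authentication elements to SCA categories.
# Per the EBA position in the article, behavioural biometrics (typing rhythm,
# swipe patterns) are NOT an inherence factor, so they map to NONE.
FACTOR_CATALOGUE = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "registered_device": Category.POSSESSION,
    "hardware_token_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
    "behavioural_biometrics": Category.NONE,
}


def satisfies_sca(elements):
    """True if the presented elements meet SCA: two or more elements whose
    categories differ. Two elements of the same category (e.g. password
    plus PIN) count as a single factor; unknown elements are ignored."""
    categories = {FACTOR_CATALOGUE.get(e, Category.NONE) for e in elements}
    categories.discard(Category.NONE)
    return len(categories) >= 2


def sca_required(action, via_aisp=False, sensitive_data=False):
    """Assumed decision helper. SCA is required when the user accesses the
    account online, initiates an electronic payment, or performs a risky
    remote action. The exemption described in the article lets an ASPSP
    disapply SCA when an AISP reads balance and recent transactions without
    sensitive payment data; it is modelled here in simplified form."""
    if action in ("read_balance", "read_recent_transactions"):
        return not (via_aisp and not sensitive_data)
    if action in ("account_login", "payment_initiation", "risky_remote_action"):
        return True
    raise ValueError(f"unknown action: {action}")
```
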
On the other hand, account information services TPPs (AISPs) may see enhancements. Going beyond the rule amendments recently adopted by the EC, which, once in effect, will require ASPSPs to disapply SCA in certain circumstances where a payment service user accesses balance and recent transactions data without disclosure of sensitive payment data through an AISP, the EBA opinion calls for the EC to “reconsider more fundamentally the application of SCA for [AISPs]”. The EBA is of the view that there is merit in amending PSD2 to require AISPs to apply their own SCA, using their own security credentials, instead of the ASPSP’s, after an SCA has been performed with the ASPSP the first time the customer accesses the payment account through the AISP.
Ferdisha Snagg is a counsel, George Bumpus is an associate and Tricia Moffat-Noel is an international lawyer at Cleary Gottlieb Steen & Hamilton LLP. Ms Snagg can be contacted on +44 (0)20 7614 2251 or by email: fsnagg@cgsh.com. Mr Bumpus can be contacted on +44 (0)20 7614 2235 or by email: gbumpus@cgsh.com. Ms Moffat-Noel can be contacted on +44 (0)20 7614 2281 or by email: tmoffatnoel@cgsh.com.
© Financier Worldwide
By Ferdisha Snagg, George Bumpus and Tricia Moffat-Noel, Cleary Gottlieb Steen & Hamilton LLP