European Payments Council Blog and Discussion Board
Join the European Payments Council (EPC) discussion board to have your say on recent Single Euro Payments Area (SEPA) developments and highlight subjects that you would like to debate. The platform has been designed to ensure the communication of frequent and useful EPC information as well as engage the payments community and encourage the exchange of opinions. Please note that by accessing or contributing to the discussion board you agree to abide by the terms of the EPC Blogging Policy, so please read them carefully before doing so.
To receive notification when a new EPC blog goes live, subscribe using the RSS feed in the left-hand column of this webpage.
PSD2: Almost final – a state of play Viewed 14894 times
The European Commission (the Commission), which has the right of initiative to propose laws, published its proposal for the revised PSD2 on 24 July 2013 (the formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and the Council [of the EU] on payment services in the internal market and amending Directive 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”.) The draft legislation was then subject to review and adoption, respectively, by the EU co-legislators. These are the European Parliament and the Council of the EU. The Council of the EU is the EU institution where the EU Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area. EU Directives, such as the PDS2, lay down certain end results that must be achieved in every EU Member State. National authorities have to adapt their laws to meet these goals.
The members of the European Parliament approved the final report of its Economic and Monetary Affairs Committee (ECON) on PSD2 at its plenary session on 3 April 2014. On 5 December 2014, the Council of the EU agreed its final compromise text on PSD2. The next step was the so-called ‘trialogue’ process during which the Commission, the European Parliament and the Council of the EU agreed the final version of the forthcoming PSD2 on 5 May 2015. To finalise the text, a few ‘technical’ trialogue meetings were planned. The PSD2 is expected to be approved by the Parliament in September 2015. This would indicate that PSD2 will be published between October and December 2015 in the Official Journal of the European Union. The EU Member States will then have to implement PSD2 into their national legislation by a set date between October and December 2017.
This blog outlines the European Payments Council’s (EPC) opinion on two key aspects of the agreed PSD2 proposal, namely the unconditional refund right for direct debits and the authentication of the bank customer, and provides an update on the state of play of the legislative process.
Unconditional refund right for direct debits
PSD2 is of particular relevance with respect to SEPA Direct Debit (SDD) services due to the fact that it defines common rules for the authorisation and the refund of direct debits. In a blog written for the EPC website in April 2014 (see ‘related links’ below), the author stressed the need for a review of the proposed new Article 67 (entitled ‘Refunds for payment transactions initiated by or through a payee’), regarding the details of the unconditional refund right for direct debits. In the view of the EPC, the Commission’s proposal for PSD2 risked undermining the consumer’s unconditional refund right for direct debits included with the SDD Core Scheme developed by the EPC in close dialogue with all stakeholders.
The SDD Core Scheme, as set out in the SDD Core Rulebook, goes beyond the requirements of the PSD currently in effect, by granting consumers a ‘no–questions-asked’ refund right during the eight weeks following the debiting of a consumer’s account. This means that during this time, any funds (money) collected by SDD will be credited back to the consumer’s account upon request. (In the event of unauthorised direct debit collections, the consumer’s right to a refund extends to thirteen months as stipulated in the PSD.)
Article 67(1) of the Commission’s proposal for PSD2 contained a paragraph regarding the payer’s refund rights in case of direct debits. Article 67(1) PSD2 (Commission’s proposal) which built on the existing Article 62 PSD read as follows:
“For direct debits the payer has an unconditional right for refund within the time limits set in Article 68. Except where the payee has already fulfilled the contractual obligations and the services have already been received or the goods have already been consumed by the payer. At the payment service provider’s request, the payee shall bear the burden to prove that the conditions referred to in the third subparagraph.”
At the time, the EPC stressed that although it appreciated the Commission’s apparent intention to align the PSD2 with the SDD Core Rulebook, upon closer review of the proposed last sentence, the text initially proposed by the Commission risked missing its goal. The existing ‘no-questions-asked’ refund right under the SDD Core Rulebook would have been undermined by such provision proposed by the Commission, which effectively allows the payee (businesses and other entities or persons collecting direct debit payments) to unilaterally limit the refund right of the payer when the payee has fulfilled its contractual obligations and the payer has received the related services or consumed the related goods. The EPC, therefore, suggested amending Article 67(1), last subparagraph PSD2 of the Commission’s proposal. In addition, both the European Central Bank (ECB) and the European Parliament found that the approach, as provided in PSD2 proposal, would conflict with the currently unlimited refund rights under the SDD Core Scheme.
The PSD2 proposal, as agreed on 5 May 2015, has extended the unconditional refund right for direct debits to enhance consumer protection.
The final compromise text now states:
“Without prejudice to paragraph 3, Member States shall ensure that, in addition to the right referred to in paragraph 1, for direct debits as referred to in Article 1 of Regulation EU No 260/2012, the payer has an unconditional right for refund within the time limits set in Article 68.”
Recital 57 of the final compromise text clarifies that: “[…] In order to ensure broad public support for SEPA and to ensure a high level of consumer protection within SEPA the existing pan-European direct debit scheme provides for an unconditional refund right for authorised payments. Reflecting this reality, this Directive aims at laying down the unconditional right to a refund, of any disputed payment transaction, as a general requirement for all euro denominated direct debit transactions in the Union. […]”
This amendment ensures that consumers making SDD payments can continue to rely on the ‘no-questions-asked’ refund right which is vital for the operation of the SDD Core Scheme.
It is to be noted that the third paragraph of Article 67 of the draft amendment proposal provides for the possibility for the debtor to waive the unconditional refund right. Additional requirements apply, most importantly that the mandate must (also) be given to the debtor bank and the debtor must have the option to withdraw his mandate with the debtor bank. From an EPC Scheme Management perspective, it is paramount that the unconditional refund right remains intact in the SDD Core scheme under all circumstances. Therefore, direct debits for which the debtor has waived his refund rights should take place in the context of an optional, separate scheme. Discussions on the possibility of such a scheme are ongoing within the Euro Retail Payments Board (ERPB).
Another key question in PSD2 centres on the authentication of the bank customer. With its legal opinion on the proposed PSD2 published in February 2014, the ECB stated: “In order to combine security requirements and customer protection with the idea of open access to payment account services, the ECB suggests that customers are appropriately authenticated by relying on a strong customer authentication system. TPPs [“third party payment service providers”] could ensure this through either redirecting the payer in a secure manner to their account servicing payment service provider or issuing their own personalised security features. Both options should form part of a standardised European interface for payment account access. This interface should be based on an open European standard and allow any TPP to access payment accounts at any PSP [“payment service provider”] throughout the [European] Union.”
The account servicing PSP would not be in a position to comply with its own obligations to safeguard the funds of the payment service user (PSU) if it is impossible for the online banking environment to reliably identify TPPs in an upfront manner. The EPC, therefore, recommended that PSPs should always be able to identify the TPP requesting access to a payment account. The use of TPPs for payment account access services must, in every single case, be visible for all actors involved. The final compromise text appears to tackle this issue: pursuant to the provisions of Article 58 1b (b), every time a payment is initiated, the payment initiation service provider should identify itself towards the account servicing PSP of the account owner and communicate with the account servicing PSP, the payer and the payee in a secure way.
Furthermore the compromise package includes the amendment to Article 87 PSD2. Under Article 87 of PSD2, the EU Member States will be obliged to ensure that PSPs apply “strong customer authentication when the payer: (a) accesses his payment account on-line; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses”.
In the case of paragraph 1 (b) for electronic remote payment transactions, Member States shall ensure that PSPs apply strong customer authentication that shall include elements dynamically linking the transaction to a specific amount and a specific payee. Member States must also ensure that PSPs have in place adequate security measures to protect the confidentiality and the integrity of the PSU’s personalised security credentials.
However, certain ambiguities remain, for example regarding the sharing of the personalised security credentials of the PSU. Recital 51b of the final compromise text stipulates that “the obligation to keep personalised credentials safe is of the utmost importance to protect the funds of the payment service user and to limit the risks related to fraud and unauthorised access to the payment account. However, terms and conditions or other obligation imposed by payment service providers on the payment service users in relation to keeping personalised security credentials safe should not be drafted in a way that prevents payment service users from taking advantage of services offered by other payment service providers, including payment initiation services and account information services. Furthermore, the above mentioned terms and conditions should not contain any provisions that would make it more difficult in any way to use the payment services of other payment service providers authorised or registered under this Directive.”
The EPC strongly advises against the possibility for TPPs to use the personal security credentials of the PSU, to get access to a customer’s account, and reiterates that personalised security credentials should not be shared with third parties. The only way forward to ensure an adequate level of consumer protection with the PSD2 is to maintain trust and guarantee minimal risk exposure for consumers in the area of online payments. This includes establishing a clear liability model based on the principle that consumers must not share any personalised security credentials with any other party than the consumer’s own PSP. This approach allows conveying straightforward security advice to consumers with respect to online payments involving third parties that can easily be understood and adhered to.
Draft regulatory technical standards (RTS) will be developed by the European Banking Authority (EBA) and submitted to the Commission within 12 months of PSD2 entering into force that will specify:
- “The requirements of the strong customer authentication procedure;
- The exemption to the application of [strong customer authentication];
- The requirements that security measures have to comply with […] to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and
- The requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.”
The EPC hopes that the EBA will take into consideration the related concerns voiced by the ECB and the EPC in this context.
The EPC welcomes the amendments proposed to Article 67 and Article 87. Under Article 67, consumers making SDD payments can continue to rely on the ‘no-questions-asked’ refund right for direct debits as stipulated under the SDD Core Scheme. At the same time Article 67 paragraph 3 leaves open the option for a waiver of the refund right by the debtor, which, in EPC’s view, would require a separate scheme if supported by the ERPB. In addition, subject to the draft RTS to be developed by the EBA, the changes to Article 87 should ensure a strong customer authentication procedure which, in turn, ensures confidentiality and security for consumers as well as technological neutrality. The EPC looks forward to the EBA’s consultative process in this area and to the opportunity it will provide to contribute to achieving those objectives.
- European Commission website: Directive on Payment Services (PSD)
- EPC Blog: European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook
- EPC Newsletter (July 2014): PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties
- EPC Newsletter (April 2014): PSD2: Analysis of Selected Aspects of Recent European Parliament Report Raises More Questions for Clarification
- EPC Blog: PSD2: The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme
- EPC Blog: PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services
- European Central Bank (5 February 2014): Opinion on a Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC
- EPC Newsletter (January 2014): PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits)
- EPC Newsletter (January 2014): PSD2: European Parliament Economic and Monetary Affairs Committee (ECON) Draft Report Introduces Improvements and Reveals the Need for Further Clarifications, Says Payments Regulatory Expert Group
- EPC Newsletter (October 2013): The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues
- EPC Newsletter (October 2013): Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification
- European Commission (24 July 2013): Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC (commonly referenced as the proposed revised Payment Services Directive – PSD2)
- European Commission (24 July 2014): Payment Services Directive and Interchange Fees Regulation: Frequently Asked Questions
- European Central Bank: Final Recommendations for the Security of Payment Account Access Services Following the Public Consultation (developed by the European Forum on the Security of Retail Payments)
- European Parliament Website: Legislative Powers
- Council of the European Union Website
- European Commission Website: Application of EU Law/Directives
- European Commission Communication: A Digital Agenda for Europe
- European Central Bank (January 2013): Recommendations for the Security of Internet Payments – Final Version After Public Consultation (developed by the European Forum on the Security of Retail Payments)
- European Banking Authority Website: About us
- European Banking Authority press release (20 October 2014): ‘EBA consults on implementation of Guidelines on internet payments security’
If you would like to comment on this blog entry or propose a subject for discussion, please identify yourself with your first and last name. Please note that your name will appear next to your comment. Email addresses will not be published.
To receive notification when a new comment is added to this specific discussion, please subscribe to get updates by email (using the "Subscribe" link below) or RSS (using the "RSS Feed" at the top left of the page). (These links are not available on the mobile version of the EPC Website, to subscribe by email or RSS, please visit the standard version of the EPC Website).