Policy, regulatory, and legal issues
An Update on Changes to the New Payment Services Directive (PSD2) Agreement is reached at EU level to broaden the scope of the existing directive, capture a wider range of payment transactions and address questions of liability
28.07.15 By Maria Troullinou
The arrival of the new Payment Services Directive (PSD2) in the internal market repealing the current Payment Services Directive 2007/64/EC (PSD1) has been a closely monitored development since the publication of the European Commission's (the Commission) Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in January 2012. On 2 June 2015 the final compromise text of PSD2 was released. The updated PSD2 broadens the scope of PSD1, captures a wider range of payment transactions, and also addresses some of the concerns raised during the legislative process regarding questions of liability. Payment service providers (PSPs) will have to ensure that they comply with its provisions by the transposition date around end-2017. In this article, Maria Troullinou of Clifford Chance LLP looks at the key changes that PSD2 will introduce and at how the text has evolved since the initial Commission proposal was published in the summer of 2013.
The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.
Key Information in this Article
The arrival of the new Payment Services Directive (PSD2) means that payment service providers (PSPs) have to ensure that they comply with its provisions by the transposition date around end-2017.
An impact analysis should be carried out to determine what changes to legal documentation and operational processes will be required as a result of the new provisions.
Scroll to the end of the page and post a comment. Go to comments.
A similar structure, a much broader scope
The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.
Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).
Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer's and the payee's PSP (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ’one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU). ‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope "in respect of those parts of the payment transaction which are carried out in the Union". This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g, because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been "carried out in the Union"; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.
PSD2 amends some of the exemptions established under PSD1. Changes to the "commercial agent" exemption attempt to address the divergent interpretations taken by some EU Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both). Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds. Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services and therefore the "limited network" exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.
The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1 which was removed from the European Commission's (the Commission) original PSD2 proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer's receipt — aiming to enhance transparency.
PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, PSPs pursuant to PSD2 will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.
Expanding the market
PSD2 creates two new types of PSP, commonly referred to as ‘third party payment service providers‘ (TPPs) and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.
PSD2 contains provisions requiring EU Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.
Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system. PISPs that want to provide different payment services involving holding users' funds will need to obtain full regulatory authorisation.
PSD2 jargon buster:
PSP – payment service provider
PSU – payment service user
ASPSP – account servicing payment service provider, usually being the bank of the payer or the payee in the context of payment transactions made via online banking
PISP – payment initiation service provider providing a software "bridge" between a payer and the PSP of the payer so as to facilitate online payments by initiating an order at the request of the payer
AISP – account information service provider providing PSUs with aggregated online information for multiple payment accounts held with multiple ASPSPs and accessed via the online systems of those ASPSPs
TPP – third party payment service provider (i.e. a PISP and/or an AISP)
Payment initiation services
PISPs operate at the heart of online banking transactions, providing the interface through which customers access their online account and transmitting the requisite data to effect a payment. In the case of a PISP issuing card based payment instruments, the PISP acts as a facilitator that enables the transmission of funds, by confirming that the payer has sufficient funds in its account to execute a transaction. PSD2 clarifies that a PISP will not receive or handle customer funds at any stage and will not provide a statement of account balance. Following extensive debate in respect of security and data protection issues, the role of PISPs has been confined to giving a 'yes' or 'no' answer as to whether the payer has sufficient funds in its account to complete a transaction. PSD2 sets out various conditions that must be met before a PISP can offer its services (e.g. the payer must give its explicit consent to the account servicing payment service provider (ASPSP) to respond to requests from a specific PISP prior to the first request for confirmation being made) and imposes obligations on PISPs (such as making sure that they authenticate themselves and communicate securely with the ASPSP for each confirmation request made by a payer). After debate during the EU legislative process, the final PSD2 text prohibits ASPSPs from obliging PISPs to enter into contracts with them prior to the provision of the service.
Account information services
AISPs provide PSUs with aggregated online information for multiple payment accounts held with different ASPSPs (which are accessible through the online systems of those ASPSPs). In light of the fact that such entities require access to those payment accounts to provide their services, PSD2 requires ASPSPs to respond to data requests from AISPs in a non-discriminatory manner and gives PSUs the right to make use of account information services. The final PSD2 text stipulates that the provision of account information services shall not be made dependent on the existence of a contractual relationship between the ASPSP and the AISP.
Generally, the provisions and approach relating to AISPs are similar to those that apply to PISPs.
Moving towards strong customer authentication
PSD2 places great emphasis on the security of electronic payments and introduces and defines the concept of "strong customer authentication", which will be further refined by the European Banking Authority (EBA) and the European Central Bank (ECB) in guidance and regulatory technical standards. PSPs have to apply strong customer authentication where a PSU accesses its online account or initiates an electronic payment transaction.
The EBA guidelines on the security of internet payments (guidelines), using PSD1 as the legal basis, were published on 19 December 2014 (see ‘related links’ below). These should be implemented by PSPs by 1 August 2015, and the EBA has stated that it intends to publish more stringent requirements as required under PSD2 once that has come into effect. The guidelines include an enhanced version of customer authentication for all electronic payment transactions and place various obligations on PSPs to carry out risk assessments and to monitor security incidents. The authentication approach is one based on two out of the three components set out in the guidelines: something only the user knows, something only the user possesses and something the user is. It remains to be seen what the content of the updated guidelines that the EBA will publish pursuant to PSD2 will be and it is expected that a similar ’comply or explain’ approach will be followed.
Reducing the liability burden?
The publication of the original PSD2 Commission proposal in the summer of 2013 rang alarm bells among stakeholders: the attempt of the draftsmen to reallocate the liability burden to cater for the introduction of TPPs into the regulated payment services arena was considered by many as potentially giving rise to more issues than it was attempting to solve.
Under PSD2, PSPs are liable for unauthorised payment transactions although PSUs may be obliged to bear losses up to 50 euros (reduced from 150 euros under PSD1) in cases of lost or stolen payment instruments.
The final PSD2 text suggests that some of the concerns raised during the legislative process have been taken on board. For example, the concept of deemed consent and the ability of a payee to indirectly give consent for a transaction that featured in the original Commission proposal have been removed. Generally, the relevant principle in the final PSD2 text is one of each relevant PSP taking responsibility for the respective parts of the transaction under its control. Accordingly, where a PSU initiates a payment transaction through a PISP, the PISP shall have the burden of proving that, within its sphere of competence, such transaction was authenticated, accurately recorded and not affected by deficiencies linked to the payment service it is in charge of. However, in the absence of a contract between a PISP and an ASPSP, and in light of the fact that in the interests of consumer protection a payer is entitled to claim a refund from the ASPSP (even where a PISP has been involved), it remains to be seen how the allocation of liability provisions will operate in practice. Again, in this respect the final text of PSD2 deals with some of the concerns that the industry had raised in response to the Commission’s original proposal, as it provides that if the PISP is liable for an unauthorised, non-executed or defectively executed transaction or a payment transaction that was executed late, it shall immediately compensate the ASPSP at its request for sums paid or losses incurred as a result of any refund. However, concerns at the possibility of widespread losses caused by a thinly capitalised PISP remain unaddressed.
The legislators of PSD2 have tried not to lose sight of other initiatives and legislative measures and, accordingly, PSD2 refers to other EU laws or concepts that are relevant to its provisions. For example, data protection issues are expressly mentioned in PSD2, especially in the context of Directive 95/46/EC and Regulation EC No 45/2001 (see ‘related links’ below): PSD2 makes clear that PSPs should ensure that data protection laws are complied with. The references to the Network and Information Security (cyber-security) Directive (NIS) (see ‘related links’ below) that were contained in the Commission's earlier draft proposal have now been replaced with an independent obligation under PSD2 to maintain and establish incident management procedures, to report assessments on operational and security risks to competent authorities and to engage in incident reporting.
Maria Troullinou is a Senior Associate in the financial regulation group at Clifford Chance in London (firstname.lastname@example.org).
European Commission Website: Green Paper on Card, Internet and Mobile Payments
European Commission Website: Proposal for a directive of the European parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
European Banking Authority Website: EBA issues guidelines to strengthen requirements for the security of internet payments across the EU
European Union Website: Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
European Union Website: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Related articles in this issue:
Related articles in previous issues:
PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties (EPC Newsletter, Issue 23, July 2014)
PSD2: Analysis of Selected Aspects of Recent European Parliament Report Raises More Questions for Clarification (EPC Newsletter, Issue 22, April 2014)
PSD2: European Parliament Economic and Monetary Affairs Committee (ECON) Draft Report Introduces Improvements and Reveals the Need for Further Clarifications, Says Payments Regulatory Expert Group (EPC Newsletter, Issue 21, January 2014)
PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits) (EPC Newsletter, Issue 21, January 2014)
The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues (EPC Newsletter, Issue 20, October 2013)
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification (EPC Newsletter, Issue 20, October 2013)
Other articles in this issue
28.07.15 Euro Retail Payments Board Meets for a Third Time - Topics discussed include instant payments, person-to-person mobile payments, technical standards related to payment cards and e-invoicing payment issues By Javier Santamaría 28.07.15 Realising the European 'Payments Dream' - Ecommerce Europe's perspective of creating a truly pan-European 'one-click' payment environment By Paul Alfing 28.07.15 Progress Towards a Single Digital Market in the EU - The EU Digital Single Market Strategy has now been formally adopted (in May 2015) by the European Commission By Liz Oakes 28.07.15 Who Does What In Payment Standards? - Understanding the players who develop and maintain the standards used by payment service providers to exchange information By Christophe Godefroi 28.07.15 Instant Payments at Point of Sale – Overcoming Customer and Merchant Barriers - Will instant payments ever replace card payments? By Pierre-Antoine Vacheron 28.07.15 A Corporate View of Instant Payments - Harmonised payment, communication and reconciliation are needed for corporates to join the 'instant payments' revolution By Massimo Battistella 28.07.15 Highlights of EPC Report to the Euro Retail Payments Board on Instant Payments - The EPC recommends the establishing of an instant payments multi-stakeholder working group By Anthony Richter 28.07.15 MyBank: Update on e-authorisation Solutions - Society needs new secure payment methods and trusted identity tools for the digital single market. MyBank provides an example. By John Broxis and Giorgio Ferrero
If you would like to comment on this article, please identify yourself with your first and last name. Please note that your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC Newsletter Terms and Conditions, so please read them carefully before doing so.