Article 67 – refund rights in the case of direct debits
Article 67 (1) of the European Commission’s proposal for a revised Payment Services Directive () contains a new paragraph regarding the payer’s refund rights in case of direct debits. Upon close review of the new Article 67 (1), last paragraph of it appears questionable whether it would be practicable that the payee’s would be exposed to situations where it would have to argue with the payee, in accordance with Article 67 (1) last sentence, about whether or not the services have already been received or the goods have already been consumed by the payer. The factual details of consumption of services and / or the receipt of goods are outside and disconnected from the customer-to-bank relationship and thus are distinctly more difficult to establish between the payee and his .
It is currently not the role - and it should not be the role - of the payee’s or of any to verify and argue with their payee customers about (factual) details of a commercial transaction which are entirely between the payee and the payer. The are not in a position to have first-hand knowledge about whether or not services or goods have been consumed or delivered. The relationship and the contractual details between the creditor customer and his would become significantly more complex if the would be forced, (as a result of new legislation), to get involved in the details of the underlying commercial transactions to which they are not a party. Any additional complexity in the relationship between the payment service user and his AS should be avoided in the interest of all parties. It is not recommended that the principle of separation of the payment transaction, (between the payment service user and his ), from the underlying commercial transaction, (between a payee and a payer - not involving any ), which has been respected until now is abandoned in the future.
Furthermore, the additional practical question for clarification would be: who should decide whether or not the services have already been received or whether the goods have already been consumed by the payer? It does not seem to be clear from the current wording of Article 67 (1).
While it is understood that it was the intention in to change from the current model of conditional refund rights under Article 62 of the PSD to an unconditional refund right while at the same time recognising that it does not make sense to grant an unconditional refund right in all circumstances a critical look at the current concept in Article 67 (1) is necessary. A careful assessment would be required to establish whether Article 67 (1) in its current form is sustainable. It could have very serious consequences for the future success of the direct debit instrument.
About as a new type of regulated players
The concept of the as a new type of regulated actor and their inclusion in the scope of as currently proposed is tantamount to opening Pandora’s box
There are good reasons for including into the scope of and there seems to be consensus among most relevant stakeholders that this important change is inevitable and a vital step in the right direction. The nature of the activity which resulted from technological innovation in some (European Union) EU countries however continues to raise important questions in the area of security of payments, data protection, liability allocation, transparency and consumer protection. These aspects are recognised in Recital 18 of the proposal and in Annex III, point 1.5.3, second indent, (under the heading ‘Lessons learned from similar experiences in the past’), to the proposal. Many stakeholders noted already that until the future date of implementation of under national law, (in several years to come), there continues to be an important vacuum from a regulatory, liability and supervisory perspective for a type of activity which directly impacts on the payment account of consumers but which for reasons of definition does not happen to fall within the scope of the current PSD3. The current vacuum is detrimental for payment service users as well as for AS and should also be avoided from a level playing field perspective.
What are ?
are described in as pursuing business activities as referred to in point 7 of Annex I, i.e. services which are based on access to payment accounts provided by a who is not the ‘account servicing’ , in the form of so-called (a) payment initiation services and / or (b) account information services.
It should be noted – in the context of payment initiation services - that are generally understood to be (third) parties that intervene in the communication and in the instructions sent from customers to their so-called online banking environments (offered by the AS ). From the perspective of online (internet) banking environments, it is important to understand that it appears as if their customers are giving instructions, while TPPs are acting as these customers towards the online banking environment. This means that the online (internet) banking environments (AS ) are currently most likely not able to (reliably) detect the involvement of such TPPs. It appears that the online banking environment is consequently also not in a position to identify the . This situation leads to important consequences for both the AS as well as for the .
The inclusion of implies an important structural change for the regulated payment services environment
While it is widely recognised that the inclusion of is inevitable and the right step to take, it is nonetheless an important structural change for the regulated payment services environment. This step comes with a lot of complexity in the area of transparency, security, allocation of liabilities and data protection. It is doubtful if the description of services as “a software bridge between the website of the merchant and the online banking platform of the consumer in order to initiate internet payments on the basis of credit transfers or direct debits”, (please refer to Recital 18 of the proposal), is the appropriate description of the concept. The focus in the context should not be about the purely technical aspect or possibility of ‘establishing a software bridge’ but rather about the fact that certain – with the help of the internet and a specific software - are able to have direct access to the personal security credentials of consumers. There is always a responsibility and liability issue that inevitably arises from the fact that an intervention by a third party in the payment initiation takes place, in particular if it is based on the concept that the personal security features have been passed on to a third party. There is an aspect of ‘impersonation’4 which is implied in this concept. Even the current PSD can be interpreted to be at odds with the concept whereby the personal security features are systematically passed on to third parties (please refer to Articles 56 (2), 57 (1) (a), 60 and 61 of the current PSD). It is doubtful whether all necessary aspects of the new concept of and the services which they provide such as ‘payment initiation services’ and ‘account information services’ (please refer to the relevant definitions for these terms in Article 4 (11), (32) and (33) ) have been adequately addressed in and whether there are no inconsistencies in the currently proposed set of rules.
Transparency for all actors involved in the payment initiation is essential
Transparency about involvement
One important question mark is about the level of transparency that is needed for all actors in the payment chain: It is about how much transparency is appropriate and should be required for all actors. Currently, the question arises when, how, and in which instances will the AS learn about the involvement of a in the context of payment initiation services. Firstly, the draft Articles 39, 40 seem to imply that AS will only learn about the initiation of a payment order by a in case of fraud or dispute. In addition, the criterion of fraud or dispute would suggest the AS will only be informed about the involvement in an ex-post manner (i.e. after the transaction). It is unclear from Article 40 as to who is expected to assess and decide and who is expected to notify whom in circumstances which – in the eyes of some of the actors involved (but maybe not from the perspective of all actors) – would constitute fraud or a dispute. Secondly, it would seem appropriate that the AS should be informed as much as the payer and the payee about the initiation of a payment order by a on the request of the payer, in all cases and not only in the case of fraud or dispute. The level of transparency as envisaged appears insufficient given that AS have a vital duty to safeguard the funds for the account holder.
Furthermore, one would wonder whether the concept of limited transparency as provided for under Articles 39 and 40 is consistent with what is foreseen under Articles 58 (2) and 87 (2) . In fact, Articles 39 and 40 could appear inconsistent with the obligations for under Articles 58 (2) and 87 (2) of . The latter Articles specify that the shall have the obligation to authenticate itself in an unequivocal manner towards the AS of the account owner – in all cases. In addition, it is noteworthy in this context that Articles 58 (2) and 87 (2) do not stipulate at what moment the authentication should take place, whether it should take place ex ante or ex post. However, it would appear essential that the correct sequence of this activity is clear for all actors. It would be necessary that the should authenticate itself to the AS prior to passing on the instruction for payment initiation (ex ante). Any other sequence would undermine the duty of the AS to safeguard the funds for the account holder.
Moreover, the approach taken under Articles 39 and 40 does not seem to match with the obligations of the AS under Article 58 (3) prescribing that where, for a payment initiation service, the AS has received the payer’s payment order through the services of a , it shall immediately notify the latter of the receipt of the payment order and provide information on the availability of sufficient funds for the specified payment transaction. The AS would not be in a position to notify the of the receipt of the payment order and provide information on the availability of sufficient funds if it does not have the details of the concerned.
Transparency about consent from the payer for involvement
In addition, there is an important need for transparency and for the possibility of AS to keep records regarding the explicit consent from the payer concerning the services of in each case. The payer not only has to give an explicit consent to the for its services, (and he / she should be properly informed about the extent of this access), but it is also necessary that such a consent has to be given in a provable way which is transparent for his AS . As mentioned above the AS is under a duty to safeguard the funds for the payer. Therefore, his is entitled to be duly informed about the payer’s explicit consent before any services can be executed. does not seem to provide for such minimum of transparency.
The currently envisaged concept in , which seems to be based on the assumption that consent has been given if the is – in practice - able to use the personal security features of the payer, appears to clash with the need for transparency for purposes of the AS about the explicit consent from payer. The current (legislative) concept of allowing the use of the payer’s personal security credentials for services could be seen to legitimise the model of the ‘man-in- the middle’ (and even without the other end knowing about it) which is far from ideal from a security, transparency and from an oversight and liability perspective. It is noted that there are public institutions in several Member States who have financed several campaigns to educate payment service users not to apply this method as it easily allows for abuse and for fraud. Furthermore, it is still entirely unclear from a technical perspective how it would be feasible for the to properly authenticate itself to the AS (as required under Article 58 (2) of ) if the would be allowed to use the personal security features of the payer. This appears to be a key (technical) aspect which does not seem to be clear but its clarification could trigger many important consequences.
Level of supervision / regulation for
The need for a comprehensive licensing or authorisation regime of should probably not be linked to the total amount of payment transactions, (executed annually as envisaged under Article 10 in conjunction with Article 27 of ), wherever the limits are set. Not the number of transactions should trigger the need for a regulatory oversight and an adequate authorisation regime, but the fact that a third party intervenes in the payment transaction chain which is triggered (requested) by a bank customer who has to rely on the proper conduct of the , the security of this payment, the protection of its data, the speed and reliability of the execution and that, in case of any mishandling of a payment order, the responsible party is able to rectify it and stand up for any losses incurred.
In light of the approach taken in Articles 10 and 27 one could consider setting up a number of separate and independent – each one of them with an average total amount of payment transactions of less than 1 million euros- who together would be authorised to initiate a considerable number of payments transactions without any prior authorisation. Such possibility may not be desirable.
In light of the above it might be more appropriate to ensure that all are subject to authorisation prior to commencing the provision of their services. Any ‘grandfather rule’, (for currently operational as envisaged under Article 97 of ), should only foresee a narrow period of transition – in the interest of the protection of the payment service user.
Risks and liabilities in case of involvement
One of the most problematic (core) issues in the context is that provides for a liability for AS in the event of a payer’s decision to make use of a for payment initiation services. AS are neither allowed nor able to control such involvement and yet are expected to stand up for it vis-à-vis the payer (and refund the amount in the account) if anything goes wrong (e.g. unauthorised transaction as a result of involvement). AS may be able to recover their losses from the but the risk and burden of recovery is with the AS (in the event that they are unsuccessful for any reason such as insolvency of the or in case of an unsuccessful legal action). This approach is not sound and not healthy from a legislative perspective. The risks and responsibilities under the legislation should be with those who are the actors and who are able to decide upon and control the relevant activity. This is an important fundamental principle of any sound legislation – otherwise the door is open for abuse and market distortions of one type of player versus another type of player. The responsibilities and liabilities envisaged in new legislation should not be for those actors who are neither allowed nor able to control these types of service. One of the primary objectives of is to provide for an enhanced level playing field among the various actors. It is difficult to see how the approach taken with respect to responsibilities and liabilities will enhance the level playing field. There is a strong concern that the opposite will be the case.
New Definitions included in the proposed
Payment initiation services
One question would be if this definition (please refer to Article 4 (32) of ) could be seen as restricting the concept of payment initiation services (‘’) only to cases based on the use of the payer’s personal security credentials by the . It appears that the concept of impersonation5 (i.e. the use of the payer’s personal security credentials by the ) is encouraged with this definition.
It is not clear what could be meant with the wording: “the payer can be actively involved in the payment initiation or the third party payment service provider’s software”. This wording could be understood to imply that the payer is in control (“be actively involved in … ”) of what happens if he decides to involve a . It is questionable whether this is the case. The reference to a ’s software being used already suggests that the payer would not be in control of the payment initiation process given that it is the ’s software that would be activated and would be in the middle between the payer and his AS ’s online banking environment.
Account information services
seems to be lacking any suitable limitation of the scope of such ‘account information services’ (please refer to Article 4 (33) of ) which would be essential for any concept of ‘account information services’. Recent global initiatives in the area of payment standards speak about their efforts to ‘enhance the security of digital payments’ and about the safeguarding of the sensitive data of a payer customer. However, upon review of the most important legislative initiative in the area of payments in the , the PSD review, it is difficult to find an adequate limitation to the scope for ‘account information services’. The definition seems far too wide. One should wonder whether customers will appreciate the vagueness of this new concept. It would therefore also be of interest to understand the position of the competent European data protection supervisors in this context. Are we not all customers whose account data should be adequately protected?
Hartmut Seibel is Legal Counsel to the . The views expressed in this article are solely those of the author and should not be attributed to the .
Related article in this issue:
Related articles in previous issues:
On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers' Funds and Data with Payment Account Access Services. Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two ( Newsletter, Issue 19, July 2013)
European Commission Published ‘Payments Legislative Package’ on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions ( Newsletter, Issue 19, July 2013)
1 Please refer to Recital 5 of stating: “… Equivalent operating conditions should be guaranteed to both existing and new players on the market, facilitating new means of payment to reach a broader market and ensuring a high level of consumer protection in the use of these payment services across the whole of the Union….”
2 Please refer to Recital 5 of as quoted in the footnote above.
3 Directive 2007/65/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market (Payment Services Directive – or commonly referred to as ‘PSD’)
4 ‘Impersonation’ means in this context that - in violation of the online banking conditions strictly foreseeing the use of this infrastructure for personal use only of the ’s customer - it is another (third) party that pretends to act as if it were the ’s customer - without the AS being able to reliably detect this set of facts.
5 Please refer to footnote 4 above.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.