Expanding reach - from leg out to negative scope
Through its Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC () the European Commission (the Commission) has sought to expand the regulatory reach of the existing Payment Services Directive (PSD), by using various tools. Firstly, the Commission has amended the scope of the so called ‘leg-out’ transactions by ensuring that the Title III transparency and information requirements for consumer payments and the Article 78 value date and availability of funds requirements extend to transactions with third countries where only one payment service provider () is in a European Union (EU) Member State. The impact of these provisions will vary between Member States, depending on their transposition of the relevant PSD provisions. Secondly, the Commission has clarified that Title III will now apply to payments made in any currency. The Commission has also amended the negative scope provisions by clarifying - or rather narrowing - their scope. Specifically, the automated teller machine (ATM) exemption of Article 3(o) has been removed, while the limited network and the mobile device content exemptions have been amended. These are now restricted to being used in respect of genuinely small networks (and only upon recognition of such network from the competent authorities) and in respect of ancillary services with a cap per transaction (respectively). Accordingly, should consider their current arrangements and ensure that they have not been affected by these changes in scope. Opt-out and operational clauses contained in customer documentation may also have to be revisited.
Protecting payment service users?
Having come closer to achieving a single market for payment services, the Commission is now looking at using payments legislation as a consumer protection tool. Accordingly, are no longer able to charge payers for making the appropriate notification in the event of loss/misappropriation of the relevant instrument. therefore will need to revisit their policies in this respect and adapt them accordingly.
are also under an obligation to restore a debited payment account to its pre-unauthorised transaction state by no later than the date when the account was debited and a new unconditional right of refund has been introduced in respect of direct debits, except where the payee has already fulfilled its contractual obligations and the services/goods have already been received/consumed by the payer. This unconditional refund right is interesting as it is conditional on facts that are outside of the inter-bank relationship, as well as the payee/creditor bank relationship, and could potentially result in having to get involved in disagreements over whether payers have actually consumed or received the relevant goods or services, which may not be easily verifiable and provable in all cases. Moreover, the application of this concept to direct debit transactions is not feasible, as such payments operate on different premises to other types of payment. The amendments effectively turn a contractually agreed (optional) right into an absolute right and purport to bring the PSD regime in line with the 's Direct Debit Core Rulebook.
Here come the third party payment service providers
Arguably, the most significant amendment introduced by has been the ‘creation’ of a new type of regulated entity, the third party payment service provider (). This change is aimed at promoting innovation and low cost electronic payment solutions while ensuring that security and data protection are not compromised. offer services based on access to payment accounts provided by a in the form of payment initiation services and/or account information services and will be subject to all provisions applicable to payment institutions.1 The definition of a carves out of its scope account service providers (ASPSP), namely who provide and maintain payment accounts for a payer. offers a (slightly confused) explanation as to what the account information service includes. ‘Account information services’ are a service whereby consolidated and user-friendly information is provided to a on one or more payment accounts held by it in one or more . Conversely, ‘payment initiation services’ are payment services that enable access to a payment account provided by a . The payer can be actively involved in the payment initiation or the software. Moreover, under Article 59, Member States have to ensure that payers have the right to obtain payment card services by using a third party payment instrument issuer and are under an obligation to treat payment orders received in such a manner without discrimination, other than for objective reasons.
It would be fair to say that the introduction of has brought a flood of changes to the payments landscape, the most prominent of which are outlined below.
• A stricter application regime - the Article 5 authorisation application procedure has become more rigorous. Specifically, additional information must now be submitted with payment institution applications, including descriptions of the procedure for security incidents and the customer complaints reporting mechanism, procedures around sensitive payment information, business continuity plans and policies on the collection of statistical data and fraud. The prominence of risk assessment and security, in line with other Commission proposals, is evident in . One should note however that this stricter application regime does not sit well with Articles 10, 13 and 27 that effectively enable smaller to commence offering their services without prior authorisation.
• Free (access) for all – pursuant to Article 58 are given access to payment account information and are empowered to use such information. In return for such access, have to ensure that the personalised security features of the are not accessible to other parties, to authenticate themselves in an "unequivocal" manner towards the ASPSP and not to store sensitive payment data or personalised security features of the . This means that for the first time are allowed (or even encouraged) to communicate their personalised security features to a third party (the ). Admittedly, in a world of proliferating online fraud, this is an interesting development. More clarity is required on the elements of the requisite level of authentication and the procedures for achieving it. Moreover, the ASPSP has to immediately notify the of the receipt of a payment order, providing information on the availability of funds, in cases where the ASPSP has received the payment order through the services of a . The problem is that some of the obligations are not clear: for example, how would the ASPSP know how to notify the if the ASPSP does not know about such and what would happen in a case where the notification would amount to tipping off under anti-money laundering regulations? And most importantly, how (if at all) does mitigate the risks that may arise by allowing third parties to gain access to information that is stored behind another 's secure firewall? It may be that the 'answer' to this question is that , banks and other will have to adhere to regulatory security standards and the Cyber-security Directive. Some commentators are sceptical as to whether this would be an effective ex ante way of preventing misuse of the right to go behind another 's firewall.
• Confused liability – with the imposition of new obligations and responsibilities and the introduction of new actors into the regulated payments services arena came an amended liability allocation regime, reflecting these changes. It is questionable whether adequately grapples with the task at hand. Although the revised text seems to suggest that and can enter into contracts between them to allocate the liability in question, the actual legislative provisions are confused and it is questionable whether all issues can be addressed through such documentation. Article 63 effectively deems liable for unauthorised or incorrectly executed transactions even where a is involved. Although Article 64 attempts to place the burden of proof on in certain cases, in reality the most likely scenario is that the APPSP will have to compensate the and attempt to resolve the liability issue later. After all, Article 65 clearly states that APPSPs have an absolute duty to refund for unauthorised transactions, even though the authorisation aspect of the payment is under the control of the . are also liable in respect of payment execution as long as the can prove that the APPSP received the payment order.
It remains to be seen whether the final will manage to address the plethora of issues that the current proposal gives rise to. In a world of growing online fraud, it is crucial that the right balance is struck between innovation, security and consumer protection.
Dermot Turing is a Partner and Maria Troullinou is an Associate in the financial regulation group at Clifford Chance in London.
Related article in this issue:
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification. A closer look at PSD2 with regard to the payer´s refund right and the introduction of third party payment service providers
Related articles in previous issues:
On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers' Funds and Data with Payment Account Access Services. Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two ( Newsletter, Issue 19, July 2013)
European Commission Published ‘Payments Legislative Package’ on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions ( Newsletter, Issue 19, July 2013)
1 It is however to be noted that Article 27 of allows Member States to waive certain authorisation requirements in respect of whose average total amount of expected payment transactions of the preceding 12 months does not exceed EUR 1 million per month. This could effectively lead to many remaining unauthorised.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.