In a previous blog, entitled ‘On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services’, the EPC observed: Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two. Anyone with an interest in incentivising payers and payees to embrace new payment solutions (regardless of whether these are offered by ‘banks’ or ‘non-banks’) should adhere to the principle of ‘safety first’. Consequently, the EPC has emphasised the need for the future revised Payment Services Directive (PSD2) (and other legislative and regulatory initiatives) to address key requirements related to payment account access services such as supervision and licensing, security, consumer and data protection, transparency, liability allocation and the need for explicit consent. Following a detailed analysis of the European Commission’s (the Commission’s) proposal for PSD2, the EPC has identified considerable scope for amendment of the proposed new set of rules related to the activity of so-called third party payment service providers offering payment initiation or payment account information services.
This blog updates on the state of play of the European Union (EU) legislative process leading to the adoption of PSD2. It also provides an overview of the EPC’s key considerations with regard to aspects related to third party payment service providers set out in the Commission’s proposal for PSD2. In the view of the EPC, substantial amendments to the Commission’s proposal will have to be agreed in the further dialogue between the EU co-legislators, i.e. the European Parliament and the Council of the EU representing EU Member States, to ensure the security of bank customers’ funds and data with payment account access services under the forthcoming PSD2. Moreover, an interim solution would be required to address the current lack of legal framework regarding the licensing of third party payment service providers until the revised PSD is fully implemented in EU Member States’ legislation and effective. (Sources cited in this blog and other related information are included in the ‘related links’ below.)
The legislative process leading to the adoption of PSD2: state of play
The Commission has the right of initiative to propose laws for adoption by the co-legislators, i.e. the European Parliament and the Council of the EU. (The Council of the EU is the institution where the Member States’ government representatives sit, i.e. the ministers of each Member State with responsibility for a given policy area.)
The PSD as currently in effect was implemented in most Member States by 1 November 2009. Article 87 of the PSD requires the Commission to present a report on the implementation and impact of the PSD together with proposals for its revision by 1 November 2012. On 24 July 2013 the Commission published its proposal for PSD2. (The formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC.”)
EU legislation proposed by the Commission related to payments is considered by the European Parliament Economic and Monetary Affairs Committee (ECON) prior to the European Parliament taking a vote on a proposal. The ECON agreed its proposed version of PSD2, including amendments to the Commission’s proposal, on 20 February 2014. According to the ECON press release, entitled ‘Economic Affairs Committee backs plan to update online payment rules’, the draft text as amended by the ECON will be put to a vote in first reading by the European Parliament plenary “during one of the upcoming parliamentary sessions”.
The Council of the EU representing Member States is planning to progress its work on PSD2 in the second quarter of 2014. The Council of the EU may decide to accept the European Parliament’s position on PSD2, in which case the legislative act is adopted, or it may amend Parliament’s position and return the proposal for PSD2 to the European Parliament for a second reading. (For next steps in the process, refer to the infographic included with the link ‘European Parliament Website: Legislative Powers’ below.)
Aspects of PSD2 related to third party payment service providers
With the proposed PSD2, the Commission is introducing the notion of ‘third party payment service provider’ in the European legislative framework. (Provisions in the proposed PSD2 mentioned in this blog refer to the Commission’s proposal for PSD2 published on 24 July 2013, see links below.)
The EPC recognises the existence of a market demand for payment service providers granting third parties access to their online payment services in a regulated and secure way to enable a wider range of payment services to European merchants and consumers, thus fostering innovation and competition in Europe. Third party payment service providers are described in PSD2 as pursuing business activities as referred to in point 7 of Annex I, i.e. services which are based on access to payment accounts provided by a payment service provider who is not the ‘account servicing’ payment service provider, in the form of so-called (a) payment initiation services and / or (b) account information services. The focus of the proposal is mainly on payment initiation services, regarding which the EPC has identified the following areas of concern.
Access to accounts
First and foremost, the EPC strongly disapproves of using the personal security credentials of the payment service user (i.e. the account holder) to effectuate such access. It is to be noted that, pursuant to Article 56 of the PSD currently in effect, the validity and the use of the payment service user’s personal security credentials are defined in the (bilateral) terms governing the issuance and the use of the payment instrument. Article 56 of the PSD currently in effect explicitly states that the payment service user shall take all reasonable steps to keep its personalised security features safe. Clearly, this also means that the account holder cannot share his or her security credentials (such as his/her personal identification number (PIN) code) with a third party payment service provider. Likewise, the payment service provider is obliged “to make sure that the personalised security features of the payment instrument are not accessible to parties other than the payment service user entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 56” (Article 57, §1(A) PSD). The use of these personal security credentials by third party payment service providers therefore risks not being compliant with the aforementioned usage terms and could impact the legitimacy of such use by the payment service user.
Furthermore, in the view of the EPC it is of the utmost importance that third party payment service providers would authenticate themselves in an unequivocal manner towards the account servicing payment service provider when accessing a payment service user’s account. The account servicing payment service providers therefore need to be made aware in each use case, and prior to any activity of payment initiation or account information being performed by the third party payment service provider, of the identity of that third party payment service provider (licensed entity).
The account servicing payment service provider should also be notified of the payment service user’s explicit consent with regard to the service being provided by the third party payment service provider, in a manner which allows keeping records of such notifications.
The proposal currently does not seem to provide the certainty that the account servicing payment service provider will be notified – ex ante – about the consent from the payer in the case of each payment initiation or account information service. Furthermore, in light of the current text of PSD2, the question arises whether the account servicing payment service provider should carry the burden of proof that a third party payment service provider acted with explicit consent of the payment service user. Such burden of proof to the disadvantage of the account servicing payment service provider would not appear appropriate.
Furthermore, the account servicing payment service provider would not be in a position to comply with its own obligations to safeguard the funds of the payment service user if it would be impossible for the online banking environment to reliably identify third party payment service providers in an upfront manner. The EPC therefore recommends that account servicing payment service providers should always be able to identify the third party payment service provider requesting access to a payment account. The use of third party payment service providers for payment account access services must in each single case be transparent for all actors involved.
The EPC has noted that the proposed PSD2 surprisingly provides for a liability for account servicing payment service providers in the event of a payer’s decision to make use of a third party payment service provider for payment initiation services. Or, as Commission representatives have called it on several occasions, the account servicing payment service provider would be the “first port of call” for the payment service user. Account servicing payment service providers are neither allowed nor able to control such involvement and yet would be expected to assume responsibility for it vis-à-vis the payer if anything does go wrong (e.g. an unauthorised transaction as a result of third party payment service provider involvement). Account servicing payment service providers may be able to recover their losses from the third party payment service provider but the risk and burden of recovery lie with the account servicing payment service provider (in the event that they are unsuccessful for any reason, such as insolvency of the third party payment service provider, or in case of an unsuccessful legal action).
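The EPC is of the opinion that under no circumstances should the account servicing payment service provider be held liable for the third party payment service provider’s mistakes, failures or for specific risks resulting from the third party payment service provider’s sphere or activities. The only exception to this principle would be in the event of an agreement between the third party payment service provider and the account servicing payment service provider concerning the terms of payment order initiations and account information services offered by such third party payment service provider.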
The EPC recommends that all third party payment service providers should be subject to authorisation prior to commencing the provision of their services. Any ‘grandfather rule’ (for currently operational third party payment service providers as envisaged under Article 97 of PSD2) should only foresee a limited period of transition – in the interest of the protection of the payment service user.
Under no circumstances should the need for a comprehensive licensing or authorisation regime of third party payment service providers be linked to the total amount of payment transactions (executed annually as envisaged under Article 10 in conjunction with Article 27 of PSD2), wherever the limits are set. Indeed, the number of transactions should not trigger the need for a regulatory oversight and an adequate authorisation regime; instead it should be the risks related to the pursued activity. The mere fact that a third party directly intervenes in the payment transaction chain is of such a nature that third party payment service providers should be subject to the same licensing and prudential regime as other payment service providers in the chain.
Scope of ‘account information services’
The EPC is of the opinion that ‘account information service’ should not be presented as a ‘payment service’ in the strict sense as these are not necessarily linked to payment transactions. It is our understanding that such services would only comprise historical payment transaction data, or ‘aggregation services’, but would never lead to a payment initiation. Therefore, the current qualification as a ‘payment service’ could be considered misleading. Consequently, it could also be questioned if it should be included with PSD2. However, on balance it should be preferable to include this type of service in PSD2 rather than face the continuation of this type of services without the appropriate supervision as is currently the case in various Member States.
Given that any account information (both for private individuals as well as for corporate entities) is of an extremely delicate nature (in the context of, for example, data protection) it would appear essential that a more suitable definition for such services be found. The EPC therefore proposes amending the definition for ‘account information services’ in Article 4 (33) of PSD2 as follows (underlined new wording proposed by EPC, strikethrough relates to deletions proposed by EPC):
“‘account information service’ means a
payment service where consolidated and user-friendly information is provided to a (third party) payment service provider () based on the explicit consent of the payment service user on one or several payment accounts held by the payment service user with one or several account servicing payment service providers.”
While it is noted that there is scope for improvement of the definition of ‘account information services’ as provided for in Article 4(33) PSD2, it is also felt that generally a wide definition of ‘account information services’ should nonetheless be in the interest of many stakeholders who should benefit from the regulatory supervision of this type of services in the future. The relevant Articles 10, 13 and 27 of PSD2 however lack sufficient clarity as to the details of the authorisation regime that would be applicable to this specific type of activity for third party payment service providers or other payment service providers. In particular, the waiver for entities with a total amount of transactions of less than 1 million euro cannot apply in this context, since there are no transactions at all. It would also appear necessary to review the scope of such ‘account information services’ from a data protection angle.
EPC calls on EU legislator to provide the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field
When considering amending the PSD, the co-legislators should give the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field, all of which constitute prerequisites to stimulating competition and supporting innovation. The draft text agreed by the ECON introduces several changes to the Commission’s proposal. However, additional amendments will have to be agreed in the further dialogue between the co-legislators to ensure the security of bank customers’ funds and data with payment account access services under the forthcoming PSD2.
Interim solution would be required to address the current lack of legal framework regarding the licensing of third party payment service providers until the revised PSD is fully implemented in Member States
It has to be kept in mind that Directives, such as the forthcoming PSD2, lay down certain end results that must be achieved in every Member State. This means that national authorities have to adapt their laws to meet these goals; i.e. they have to implement an EU Directive, but are free to decide how to do so. National implementation measures are texts officially adopted by the authorities in a Member State to incorporate the provisions of an EU Directive into national law. The Commission proposes that Member States are given two years to implement PSD2 into national law following (pending) adoption of the final revised Directive by the co-legislators. (By comparison: Regulations have binding legal force throughout every Member State, on a par with national laws, as of an effective date determined by the co-legislators.)
In the view of the EPC therefore, an interim solution would be required to address the current lack of legal framework regarding the licensing of third party payment service providers until the revised PSD is fully implemented in Member States’ legislation and effective.
Please note: the EPC also sees a pressing need for a review of the proposed new Article 67 included with PSD2 (entitled ‘Refunds for payment transactions initiated by or through a payee’), regarding the details of the unconditional refund right for direct debits. This topic will be addressed in the next Blog. Related information is also detailed in the EPC Newsletter article ‘PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits)’ (see below).
- EPC Newsletter: PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits). EPC identifies considerable scope for amendments to European Commission PSD2 proposal
- EPC Blog: On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services
- EPC Newsletter: Articles Published in the Section ‘Legal and Regulatory Issues’
- European Commission (24 July 2013): Proposal for a Revised Payment Services Directive (PSD2)
- European Commission (24 July 2013): Payments Legislative Package
- European Central Bank (5 February 2014): Opinion on a Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC
- European Parliament Economic and Monetary Affairs Committee (ECON) Website
- European Parliament Economic and Monetary Affairs Committee (ECON) Press Release (20 February 2014): ‘Economic Affairs Committee Backs Plan to Update Online Payment Rules’
- European Parliament Economic and Monetary Affairs Committee (ECON) (11 March 2014): Report on the Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
- European Parliament Website: Legislative Powers
- European Commission Website: Application of EU Law/Directives