Aspects of PSD2 related to third party payment service providers
In July 2013, the European Commission (the Commission) issued the proposal for a Directive of the European Parliament and of the Council [of the European Union] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC, commonly referenced as the revised Payment Services Directive (PSD2).
With the proposed PSD2, the Commission is introducing the notion of ‘third party payment service provider (TPP)’ in the European legislative framework. The European Payments Council (EPC) recognises the existence of a market demand for payment service providers (PSPs) granting third parties access to their online payment services in a regulated and secure way to enable a wider range of payment services to European merchants and consumers, thus fostering innovation and competition in Europe. TPPs are described in PSD2 as pursuing business activities as referred to in point 7 of Annex I, i.e. services which are based on access to payment accounts provided by a PSP who is not the ‘account servicing’ PSP (AS PSP), in the form of so-called (a) payment initiation services and / or (b) account information services. The focus of the proposal is mainly on payment initiation services, regarding which the EPC has identified the following areas of concern.
Access to accounts
First and foremost, the EPC strongly disapproves of using the personal security credentials of the payment service user (PSU, i.e. the account holder) to effectuate such access. It is to be noted that, pursuant to Article 56 of the PSD currently in effect, the validity and the use of the PSU’s personal security credentials are defined in the (bilateral) terms governing the issuance and the use of the payment instrument. Article 56 of the PSD explicitly states that the PSU shall take all reasonable steps to keep its personalised security features safe. Clearly, this also means that the account holder cannot share his or her security credentials (such as his/her personal identification number (PIN) code) with a TPP. Likewise, the PSP is obliged “to make sure that the personalised security features of the payment instrument are not accessible to parties other than the payment service user entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 56” (Article 57, §1(A) PSD). The use of these personal security credentials by TPPs therefore risks not being compliant with the aforementioned usage terms and could impact the legitimacy of such use by the .
Furthermore, in the view of the EPC it is of the utmost importance that TPPs would authenticate themselves in an unequivocal manner towards the AS PSP when accessing a PSU’s account. The AS PSPs therefore need to be made aware in each use case, and prior to any activity of payment initiation or account information being performed by the TPP, of the identity of that TPP (licensed entity).
The AS PSP should also be notified of the PSU’s explicit consent with regard to the service being provided by the TPP, in a manner which allows keeping records of such notifications.
The proposal currently does not seem to provide the certainty that the AS PSP will be notified – ex ante – about the consent from the payer in the case of each payment initiation or account information service. Furthermore, in light of the current text of PSD2, the question arises whether the AS PSP should carry the burden of proof that a TPP acted with explicit consent of the PSU. Such burden of proof to the disadvantage of the AS PSP would not appear appropriate.
Furthermore, the AS PSP would not be in a position to comply with its own obligations to safeguard the funds of the PSU if it would be impossible for the online banking environment to reliably identify TPPs in an upfront manner. The EPC therefore recommends that PSPs should always be able to identify the TPP requesting access to a payment account. The use of TPPs for payment account access services must in each single case be transparent for all actors involved.
The EPC has noted that the proposed PSD2 surprisingly provides for a liability for AS PSPs in the event of a payer’s decision to make use of a TPP for payment initiation services. Or, as Commission representatives have called it on several occasions, the AS PSP would be the “first port of call” for the PSU. AS PSPs are neither allowed nor able to control such involvement and yet would be expected to assume responsibility for it vis-à-vis the payer if anything does go wrong (e.g. an unauthorised transaction as a result of TPP involvement). AS PSPs may be able to recover their losses from the TPP but the risk and burden of recovery lies with the AS PSP (in the event that they are unsuccessful for any reason, such as insolvency of the TPP, or in case of an unsuccessful legal action).
The EPC is of the opinion that under no circumstances should the AS PSP be held liable for the TPP’s mistakes, failures or for specific risks resulting from the TPPs’ sphere or activities. The only exception to this principle would be in the event of an agreement between the TPP and AS PSP concerning the terms of payment order initiations and account information services offered by such TPP.
The EPC recommends that all TPPs should be subject to authorisation prior to commencing the provision of their services. Any ‘grandfather rule’ (for currently operational TPPs as envisaged under Article 97 of PSD2) should only foresee a limited period of transition – in the interest of the protection of the PSU.
Under no circumstances should the need for a comprehensive licensing or authorisation regime of TPPs be linked to the total amount of payment transactions (executed annually as envisaged under Article 10 in conjunction with Article 27 of PSD2), wherever the limits are set. Indeed, the number of transactions should not trigger the need for a regulatory oversight and an adequate authorisation regime; instead it should be the risks related to the pursued activity. The mere fact that a third party directly intervenes in the payment transaction chain is of such a nature that TPPs should be subject to the same licensing and prudential regime as other payment service providers in the chain.
Moreover, an interim solution would be required to address the current lack of legal framework regarding the licensing of TPPs until the revised PSD is fully implemented in member states’ legislation and effective.
Scope of ‘account information services’
The EPC is of the opinion that ‘account information service’ should not be presented as a ‘payment service’ in the strict sense as these are not necessarily linked to payment transactions. It is our understanding that such services would only comprise historical payment transaction data, or ‘aggregation services’, but would never lead to a payment initiation. Therefore, the current qualification as a ‘payment service’ could be considered misleading. Consequently, it could also be questioned if it should be included in PSD2. However, on balance it should be preferable to include this type of service in PSD2 rather than face the continuation of this type of services without the appropriate supervision as is currently the case in various European Union (EU) Member States.
Given that any account information (both for private individuals as well as for corporate entities) is of an extremely delicate nature (in the context of, for example, data protection) it would appear essential that a more suitable definition for such services be found.
The EPC therefore proposes amending the definition for ‘account information services’ in Article 4 (33) of PSD2 as follows:
“‘account information service’ means a payment service where consolidated and user-friendly information is provided to a (third party) payment service provider () based on the explicit consent of the payment service user on one or several payment accounts held by the payment service user with one or several account servicing payment service providers.”1
While it is noted that there is scope for improvement of the definition of ‘account information services’ as provided for in Article 4(33) PSD2, it is also felt that generally a wide definition of ‘account information services’ should nonetheless be in the interest of many stakeholders who should benefit from the regulatory supervision of this type of services in the future. The relevant Articles 10, 13 and 27 of PSD2 however lack sufficient clarity as to the details of the authorisation regime that would be applicable to this specific type of activity for TPPs or other PSPs. In particular, the waiver for entities with a total amount of transactions of less than 1 million euro cannot apply in this context, since there are no transactions at all.
It would also appear necessary to review the scope of such ‘account information services’ from a data protection angle.
Article 67 – refund rights in the case of direct debits
The EPC calls attention to the fact that PSD2 will continue to be of particular relevance with respect to SEPA Direct Debit (SDD) services due to the fact that it defines common rules for the authorisation and the refund of direct debits.
Article 67 (1) of the Commission’s proposal, which builds on the existing Article 62 PSD (see footnote 2), contains a new paragraph regarding the payer’s refund rights in the case of direct debits, which reads as follows:
“For direct debits the payer has an unconditional right for refund within the time limits set in Article 68, except where the payee has already fulfilled the contractual obligations and the services have already been received or the goods have already been consumed by the payer. At the payment service provider’s request, the payee shall bear the burden to prove that the conditions referred to in the third subparagraph.”
The EPC appreciates the Commission’s apparent intention to align the applicable legal framework with the Rulebook, which already provides an unconditional refund right for direct debits. Upon closer review of the proposed new last sentence of Article 67(1), it appears however that the text risks missing its goal. Indeed, the existing ‘no-questions asked’ refund right under the Rulebook would be undermined by such provision, which effectively allows the payee to unilaterally limit the refund right of the payer when the payee has fulfilled its contractual obligations and the payer has received the related services or consumed the related goods.
The proposed Article 67(1) also has some undesirable practical effects, since it is questionable whether it would be sensible for the payee’s PSP to argue with the payee, in accordance with the last sentence of Article 67(1), about whether or not the services have already been received or the goods have already been consumed by the payer. The factual details of consumption of services and / or the receipt of goods are in principle outside and disconnected from the customer-to-bank relationship and thus are distinctly more difficult to establish between the payee and his PSP. As stated in a previous Newsletter Article (see ‘Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification’ included in the ‘related articles in previous issues’ below), PSPs are not in a position to have first-hand knowledge of whether or not services or goods have been consumed or delivered. The relationship and the contractual details between the creditor customer and his PSP would become significantly more complex if the PSPs would have to get involved in the details of the underlying commercial transactions which they are not party to. Simply put, PSPs should remain outside disputes regarding the underlying contract between the payer and the payee.
The EPC therefore suggests the following amendment to Article 67 (1), last subparagraph:
“For direct debits the payer has an unconditional right for refund within the time limits set in Article 68. [underlined: The payer and the payer’s payment service provider may agree on an exclusion of the refund right provided that the absence of the refund right is clearly mentioned in a specific mandate under a payment scheme which does not provide for the right to a refund.] [strikethrough: where the payee has already fulfilled the contractual obligations and the services have already been received or the goods have already been consumed by the payer. At the payment service provider’s request, the payee shall bear the burden to prove that the conditions referred to in the third subparagraph.]”3
The suggested rewording aims to ensure the agreement of both payer and payee with the limitation of the payer’s refund right, through the use of a dedicated direct debit scheme. This can already be catered for via the usage of the EPC’s SDD Business to Business (B2B) Scheme for professional customers. Provided that there is sufficient market demand, the EPC could additionally contribute to the provision of a no-refund scheme open to consumers. This suggestion is also aligned with Article 5(3) (d) (ii) of the Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro, commonly referenced as the Single Euro Payments Area (SEPA) Regulation, which speaks about ‘a mandate under a payment scheme not providing for the right to a refund’. The EPC’s approach would furthermore be beneficial to the payee, who would no longer bear the burden to prove that certain conditions have to be fulfilled towards its PSP.
The EPC recognises that its proposed rewording would imply the introduction of the concept of ‘payment scheme’ into PSD2. Currently, the notion of payment scheme does not exist in PSD2 but it already exists in the SEPA Regulation, Article 2(7), and is also present in the Commission’s proposal for a Regulation on interchange fees for card-based transactions (the MIF Regulation). Article 2(13) of the proposed MIF Regulation contains a definition of ‘payment card scheme’. As such, the addition of a definition of ‘payment scheme’ in the proposal would only appear logical.
EPC calls on legislator to provide the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field
To conclude, this author wishes to reiterate that it is worth taking into consideration the genuine concerns which have shaped the legal environment to its current state, even beyond the (pressing) need for review of the proposed new Article 67 and the TPP-related aspects of the PSD2. When considering amending the PSD, the legislator should give the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field, all of which constitute prerequisites to stimulating competition and supporting innovation. The amended PSD should also be aligned with other rules and regulations, for example in the fields of AML (Anti Money Laundering) and data privacy rules. Last but not least, the PSD2 should not prevent European actors from operating outside the and playing a major role at the global level. Equally, non-European players operating in the should be subject to the same provisions as European .
Gijs Boudewijn is the Chair of the EPC Legal Support Group. Gert Heynderickx and Hartmut Seibel, in house Legal Counsels to the EPC, contributed to this article.
Related articles in this issue:
PSD2: European Parliament Economic and Monetary Affairs Committee (ECON) Draft Report Introduces Improvements and Reveals the Need for Further Clarifications, Says Payments Regulatory Expert Group. Recommendation is to allocate sufficient time for the EU decision-making process on the PSD2 proposal to ensure best possible outcome
SEPA 2014: EPC Calls on European Parliament and EU Governments Represented in the Council of the European Union to Provide Clarity on SEPA Compliance Requirements As Soon As Possible. On 9 January 2014, the European Commission introduced a proposal to effectively postpone the deadline for compliance with Regulation (EU) No 260/2012 from 1 February 2014 to 1 August 2014
Related articles in previous issues:
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification. A closer look at PSD2 with regard to the payer's refund right and the introduction of third party payment service providers (EPC Newsletter, Issue 20, October 2013)
The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues. The proposed changes could have a significant impact on the European payments market (EPC Newsletter, Issue 20, October 2013)
On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers' Funds and Data with Payment Account Access Services. Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two (EPC Newsletter, Issue 19, July 2013)
European Commission Published 'Payments Legislative Package' on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions (EPC Newsletter, Issue 19, July 2013)
1 Underlined new wording proposed by EPC, strikethrough relates to deletions proposed by EPC.
2 Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market.
3 Underlined new wording proposed by EPC, strikethrough relates to deletions proposed by EPC.