In July 2013, the European Commission (the Commission) published its proposal for the second version of the Payment Services Directive (). The Commission counts on the European Union (EU) legislative bodies, i.e. the European Parliament and the Council of the EU representing EU Member States, to reach agreement on its proposal before the summer of 2014. The EU decision making has quickly gained pace with the European Parliament Economic and Monetary Affairs Committee (ECON) due to agree its position on the PSD2 text in February 2014. Some proposed changes to the text included with the related ECON draft report published in November 2013 appear to be key improvements. However, other draft amendments to the text considered by the ECON are less clear cut and in some areas the possibility for improving the PSD2 proposal has not yet been embraced. In this article, Ruth Wandhöfer, Chair of the European Banking Federation’s Payments Regulatory Expert Group (PREG), re-examines some of the key PSD2 provisions in light of the ECON draft report. Against the backdrop of the overall EU decision-making timetable, which could be seen to be ambitious, it is unclear whether some of the complex stumbling blocks in PSD2 can be properly resolved in time. The risk of agreeing headline requirements in the Directive without having a plan around executing compliance is high. This author suggests some potential solutions to key issues identified with PSD2 and hopes more time will be allocated to confirm the details of this important regulatory piece.
The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.
Key Information in this Article
The proposal for a revised Payment Services Directive (PSD2) published by the European Commission (the Commission) in July 2013 is currently being reviewed by both European Union (EU) legislative bodies, i.e. the European Parliament and the Council of the EU representing EU Member States.
Member of the European Parliament (MEP) Diogo Feio is the Rapporteur of the European Parliament’s Economic and Monetary Affairs Committee (ECON) for PSD2. In November 2013, MEP Feio issued the ECON draft report including suggested amendments of the Commission’s proposed text for the PSD2.
This article reflects the analysis of the European Banking Federation’s Payments Regulatory Expert Group (PREG) of the ECON draft report on PSD2.
The PREG welcomes important improvements to the PSD2 text introduced with the ECON draft report. However, it also identified a number of areas of concern and need for further clarification in relation to, inter alia:
This article details the PREG proposals for further revision of the PSD2 text with regard to these aspects.
The ECON will submit its report on PSD2 for vote by the European Parliament. In parallel, the Council of the EU representing EU Member States is reviewing the text for the PSD2 introduced by the Commission. In a next step of the co-legislative process, the European Parliament and the Council of the EU, together with the European Commission, will have to agree on the final version of the PSD2 text.
Sources providing detailed information on the EU legislative process and the ECON draft report on PSD2 are included in the ‘related links’ at the end of this article.
Recap: the European Union legislative process
The European Commission (the Commission), has the right of initiative to propose laws for adoption by the European Parliament and the Council of the European Union (EU) representing EU Member States (national ministers)1. The vast majority of European laws are adopted jointly by the European Parliament and the Council of the EU under the so-called ordinary legislative procedure. This legislative procedure gives the same weight to the European Parliament and the Council of the EU in a wide range of areas (see the link to the European Parliament Website, entitled ‘Legislative Powers’, below).
Revision of the Payment Services Directive
EU Directives lay down certain end results that must be achieved in every EU Member State (see the link to the European Commission Website ‘Application of EU Law/Directives’ below). The Payment Services Directive (PSD) was implemented in most EU Member States by 1 November 2009. Article 87 of the PSD requires the Commission to present a report on the implementation and impact of the PSD together with proposals for its revision by 1 November 2012. On 24 July 2013 the Commission published a ‘payments legislative package’ (see ‘related links’ below), which includes the proposals for a revised PSD () and a new Regulation on interchange fees for card-based payment transactions. The proposal for the PSD2 and the Regulation on interchange fees for card-based payment transactions, respectively, will have to be adopted by the EU legislator, i.e. the European Parliament and the Council of the EU. The Commission counts on the European Parliament and the Council of the EU to reach an agreement on the Commission’s ‘payments legislative package’ published in July 2013 “by Spring 2014.”2
This timeline seems ambitious but it is assumed that this tight planning reflects the Commission’s desire to have the ‘payments legislative package’ adopted by the EU legislator prior to the European Parliament elections in 2014.
This article focuses on the proposed PSD2.
PSD2 enters the EU decision-making process
Since the publication of the Commission proposal for PSD2 in late July 2013, the European decision-making process has kicked off in earnest. The European Parliament’s Economic and Monetary Affairs Committee (ECON) has focused on a tight timetable with the objective of adopting a position in February 2014. The ECON’s rapporteur of the PSD2, Member of the European Parliament (MEP) Diogo Feio, issued a draft report on PSD2 in November 2013 and set a deadline for amendments by ECON members of early January 2014. In parallel, the EU Council, representing EU Member States, is currently focussing its attention on other key pieces of legislation (such as recovery and resolution, and banking union), which are on the table. The EU Presidency under the leadership of Greece is planning to begin its work on PSD2 only in the second quarter of 2014.
However, we should also not forget that PSD2 is not a standalone legislation. Instead, it is part of the Commission’s ‘payments legislative package’, which also includes the Commission proposal for a Regulation on interchange fees for card-based payment transactions (commonly referenced as the multilateral interchange fee (MIF) Regulation). The objective is therefore that PSD2 and the MIF Regulation are decided together. After all, a number of provisions cross-reference between these two texts, which also means that one cannot be decided in the absence of the other. Other cross-references in PSD2 include the EU Data Protection legislation, which is currently under review, and the proposed Network and Information Security (NIS) Directive3.
There are other challenges impacting the timing for the PSD2 adoption. The European Parliament is going to be reconstituted after the elections taking place at the end of May 2014. This means that any decision-making that has not been agreed by May 2014 is likely to move to the new European Parliament and hence to the second half of the year. In parallel, the Commission will also change and new European Commissioners will be voted by the European Parliament in October and enter into office on 1 November 2014. All of this means of course that there is currently no certainty on whether there will be a speedy adoption of the ‘payments legislative package’ or whether more time will be allocated to properly amend and decide on these important payments legislative changes. With the amount of technical issues in PSD2, expert guidance will be very important in any case, in order to ensure that PSD2 will not bring more problems for the European payments market but will rather solve some of the existing issues.
Key points in PSD2 and the perspectives of the ECON draft report
The European Banking Federation’s Payments Regulatory Expert Group (PREG) welcomes important improvements to the PSD2 text introduced with the ECON draft report. However, it also identified a number of areas of concern and need for further clarification in relation to some of the key provisions of PSD2 and the amendments proposed in the ECON draft report.
Third party payment service providers
One of the central themes of PSD2 is the introduction and regulation of third party payment service providers (TPPs). These types of providers, which have already offered services to consumers for some time without being regulated, (apart from some specific exemptions), are defined and regulated by PSD2. This is a positive step as this will help to ensure greater security and confidence for consumers.
When analysing PSD2, TPPs are to be authorised as payment institutions (Article 10) unless eligible for a waiver under Article 27. With regard to TPPs and their relationship to account servicing payment service providers (AS ), specific provisions are defined. However for the remainder of the text – in particular in Title III and IV, which define the conduct of business requirements – PSD2 refers to the generic term of . In those cases it is not clear whether all requirements apply to TPPs in the same way as to other PSPs, such as payment institutions and banks. For example, Articles 60(1), 61(1)(b), 62(1)(c), 62(2), and Article 69(1), which currently refer to a ‘payment service provider’ should refer to ‘account servicing payment service providers’. It is recommended that a consistency check is applied and for PSD2 to be reviewed in that regard to ensure that the appropriate Articles apply to the relevant type of PSP. This has however not yet been considered by the draft ECON report and hence remains a suggestion to be included.
Another area that still lacks clarity relates to the different types of TPPs and their activities. First we have the TPP that offers payment initiation services (a PIS TPP) and second we have the TPP that offers account information services (an AIS TPP).
The PIS TPP, as described in PSD2, should only be able to: (i) check for the availability of sufficient funds, (ii) request/initiate a payment and (iii) receive confirmation that the payment has been made. (For the purpose of clarity one should realise that only the AS PSP can execute the payment.)
The AIS TPPs, on the other hand, would require access to more account information than for payment initiation services, in order to perform account information aggregation, but this information would be accessible on a ‘view only’ basis.
The following analogy illustrates the difference between payment initiation services and account information services: whilst the owner of a house (this is the customer with the bank account) has all the keys required to enter every room in his house and he can obviously do inside these rooms whatever he pleases, a PIS TPP will only be given the key to access the kitchen where he is allowed to cook (nothing else). On the other hand, the AIS TPP will receive all keys of the house but is not allowed to do anything in any of the rooms apart from inspect them. This means an AIS TPP can see everything in the house and present information on what he has seen, but is not authorised to perform any actions in the house. (The AIS TPP must not act on the customer’s account, e.g. the AIS TPP cannot initiate a payment.)
It will be important to clarify in PSD2 that a TPP is not able to offer both payment initiation services and account information services, in order to prevent the situation that the TPP can see everything on a customer’s account and also act, i.e. create payment orders. Both the definitions in, and the Annex to, the PSD2 would need to reflect a clear separation of services in that regard.
Amendment 30 included with the draft ECON Report provides improved clarity around the precise scope of payment initiation services, whilst amendment 31 aims to provide more clarity with regard to account information services. However, there is still some room for improvement with regard to account information services, which obviously do not offer any payment service, but only information services. Hence the word ‘payment’ should be removed from the definition of account information services. In addition, any Article that relates to payment transactions, (e.g. Articles 63, 64 and 69), should not apply to all types of TPPs but only to PIS TPPs.
With regard to other definitions, it is surprising that the Commission’s PSD2 proposal does not define the ‘third party payment instrument issuer’, but uses this terminology extensively in Article 59. The ECON draft report attempts to remedy this gap. However, the current amendment only refers back to the list of services in the Annex. This unfortunately does not provide sufficient detail on the role and activities of a third party payment instrument issuer. This will need to be looked at in more detail before adopting the ECON PSD2 position.
A key question in PSD2 centres on the authentication of the bank customer. When a TPP is used, it has to be clear that for authentication purposes the payment service user’s (PSU’s) personalised security credentials are not re-used by the TPPs. This would not fit with the Commission’s intentions to limit what information or action can be carried out through payment initiation services or account information services. It would also not be conducive to ensuring the security and integrity of payment services. TPPs will therefore require their own, distinct security credentials in order to authenticate themselves unambiguously to the AS PSP. The ECON draft report suggests exactly that, by amending Article 4(21) to establish the principle to distinguish between authenticating the PSU and the TPP. However, the term ‘personalised security features’ also needs to be defined, so that the potential re-use of customer credentials is clearly prohibited.
To ensure maximum PSU security, Article 58(2), to which the ECON draft report makes a number of amendments, as well as Article 61(2), should also remove any references to the use of PSU’s ‘personalised security features’ by the TPP. A further point of clarification along the same lines should be considered for Article 87(1). The ECON draft report still does not change the Commission’s wording, suggesting that TPPs can re-use the customer’s personalised security credentials. Again, the text should clearly reflect that this is prohibited. Also, logically the authentication of the TPP should happen before any services are provided to the PSU. Hence Article 87(2) should be amended to that effect. These modifications would need to be introduced into the European Parliament’s position on PSD2 (which will be reflected with the final ECON report).
The Single European Interface
A new suggestion in the ECON draft report (amendment 115, Article 94 (b new)) is the creation of a Single European Interface, which would be a key tool in achieving maximum security for all PSUs, also with regard to TPPs accessing the accounts of PSUs. In addition, ECON Rapporteur Feio suggests creating a multi-stakeholder panel, under the leadership of the European Banking Authority (EBA), to develop the details of how the interaction between the TPP and the AS PSP should work in practice. This is a positive proposal as it will be essential to develop a common approach to avoid unnecessary costs and an inefficient outcome. However, it is currently far from clear as to what shape such an interface would take in practice. Endorsing such an idea without any clarity around the content or execution path is certainly risky and may not be technologically neutral enough in order to be future proof. Legislation should be more principle-based than specific and any such ideas should therefore be left to possible technical rules that the EBA could develop in the future.
Instead of giving this role to EBA, the Euro Retail Payments Board (), a newly established multi-stakeholder body chaired by the European Central Bank4, would be better placed to work on this interface together with all stakeholders represented on the ERPB.
Another key area of change under PSD2 is the extension of provisions to one-leg-out transactions, i.e. transactions where one of the PSPs is located outside the EU / European Economic Area (). The Commission’s text proposes to apply, in addition to the value dating Article 78, all of Title III to one-leg-out transactions, (see PSD II proposal Article 2(1)). Title III covers information requirements to PSUs. A number of EU Member States had already required their PSPs to apply Articles of Title III to one-leg-out transactions, which makes this scope extension consistent with the market reality.
The ECON draft report however expands this concept by proposing to apply all of Title IV, (except for Articles 72 and 74(1)), to one-leg-out transactions, (amendment 23, Article 2(1)). Upon close examination there are unfortunately a number of provisions that would pose a practical challenge if applied to one-leg-out transactions. Here are some examples:
- The Share-Charging-Principle (Article 55(2)), which requires the payee and the payer to pay the charges levied by their respective PSPs, is clearly difficult to apply in case of one-leg-out transactions given that the full amount must travel end-to-end and charges may not be known for transactions that are received from outside of the EU Single Market.
- Another example would be the ‘Notification of unauthorised or incorrectly executed payment transactions’ (Article 63), where a period of 13 months is given in which a PSU can obtain rectification from his PSP if the PSU notifies his PSP of any unauthorised or incorrectly executed payment transactions. This period of 13 months does not necessarily apply in all markets outside the EU/EEA. In some countries the record keeping timeframes can be as short as six months, which would mean that if a claim was made after this time, the merchant may no longer be in possession of the necessary records.
Similarly, the receipt of payment orders under Article 69 cannot be guaranteed by a PSP located in the EU/EEA, when it is on the receiving side.
Other problematic articles in relation to one-leg-out transactions include the following PSD2 Articles: 73, 74, 75, 76, 77, 80, 81, 82 and 91. It would be strongly recommended to review the feasibility of applying that many Articles of Title IV to one-leg-out transactions, given the practical and legal limitations highlighted above.
PSD1 had introduced the principle that every PSU pays the charges levied by their respective PSP, whilst the full amount of the payment transaction had to arrive at the beneficiary PSP. However, the PSD1 included some confusing wording which suggested that this principle would only apply in the absence of a currency conversion. Given the fact that currency conversions are, in any case, separate to the payment transaction and hence should have no bearing on the charging principle, it should therefore be clarified in PSD2 that the Share-Charging-Principle applies at all times to PSD2 transactions that have both legs of the transaction within the EU/EEA.
Hence the reference to currency conversion should be removed from Article 55(2). This opportunity has not been taken in the draft ECON report, but should be considered as part of the final ECON position.
Direct debit refund right
PSD2 proposes a reformulation of the refund right with the aim of clarifying that an unconditional refund right should apply to direct debits, in line with the SEPA Direct Debit Core Rulebook developed by the European Payments Council (). However, the wording proposed by the Commission could have the unintended consequence of mixing the responsibility for the technical payment execution, which lies with the PSP, with the commercial agreement that exists between payer and payee. Unfortunately, the ECON draft report does not suggest any proposals to modify the Commission’s original text.
In order to ensure that an unconditional refund right can be applied, whilst at the same time offering the opportunity for a payer and payee to agree on a no-refund option as part of the direct debit mandate, (for example in case of amounts that are pre-defined), the EPC proposes that this Article could read as follows: “For direct debits the payer has an unconditional right for refund within the time limits set in Article 68. The payer and the payer’s payment service provider may agree on an exclusion of the refund right provided that the absence of the refund right is clearly mentioned in a specific mandate under a payment scheme which does not provide for the right to a refund.” To the benefit of rendering this provision both practicable and consumer protective, this wording should be adopted for PSD2.
(For details on the EPC position on PSD2, refer to the article entitled ‘PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits)’ included with the ‘related articles in this issue’ below.)
International Bank Account Numbers on debit cards
The ECON draft report also introduces a new provision (Recital 19 (a new) and Article 53a (new)), the so-called International Bank Account Number (IBAN) readability. This new provision suggested with the ECON draft report states that issuers of debit cards or mobile/online applications that are based on debit card functionality should ensure that the IBAN of the underlying customer account is visible and can be electronically read by merchants. It is not clear what this amendment is trying to achieve. The cost benefit of re-issuing new debit cards with the IBAN printed on the card, outside the normal card replacement cycle, would certainly be disproportionate and economically absurd and should therefore be avoided.
Non-execution, defective or late execution
Article 80 of PSD2, which defines liabilities of PSPs in case of non-execution, defective or late execution is a very important provision. However, the Commission’s proposal does not provide an easily understandable set of requirements. In fact, there are passages where the liabilities are clearly allocated to the wrong party. For example at the end of paragraph 2 of Article 80(1) the Commission suggests making the payer’s PSP liable to the payee, whilst in fact the payer’s PSP should always be liable to the payer, as this is his customer. Other areas of this Article would need similar clarifications and modifications. As a general observation, Article 80 is highly complex and difficult to follow. It will need further analysis once the implications of AS PSPs interacting with TPPs are more clearly understood and defined.
Sufficient time for review of this important legislative proposal should be allocated to ensure the best possible outcome
With a significant number of PSD2 aspects still requiring further review and improvement, it is unclear at this stage in the process whether this can be accomplished within the timelines envisaged by the Commission, i.e. a final co-decision between the European Parliament, the EU Council representing EU Member States and the Commission on PSD2 can be reached before Summer 2014. It also has to be taken into consideration that, in parallel, formal adoption of the PSD2 by the EU legislator depends on the adoption of the MIF Regulation and other ancillary legislative texts such as the NIS Directive and updated EU data protection rules5.
This author suggests allocating more time to decide this important regulatory piece to ensure the best possible outcome.
Ruth Wandhöfer chairs the European Banking Federation’s Payments Regulatory Expert Group (PREG). She also chairs the EPC Information Security Support Group.
European Parliament Economic and Monetary Affairs Committee (ECON): Draft Report on the Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market
Related articles in this issue:
PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits). EPC identifies considerable scope for amendments to European Commission PSD2 proposal
SEPA 2014: EPC Calls on European Parliament and EU Governments Represented in the Council of the European Union to Provide Clarity on SEPA Compliance Requirements As Soon As Possible. On 9 January 2014, the European Commission introduced a proposal to effectively postpone the deadline for compliance with Regulation (EU) No 260/2012 from 1 February 2014 to 1 August 2014
Related articles in previous issues:
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification. A closer look at PSD2 with regard to the payer´s refund right and the introduction of third party payment service providers (EPC Newsletter, Issue 20, October 2013)
The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues. The proposed changes could have a significant impact on the European payments market (EPC Newsletter, Issue 20, October 2013)
On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services. Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two (EPC Newsletter, Issue 19, July 2013)
European Commission Published 'Payments Legislative Package' on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions (EPC Newsletter, Issue 19, July 2013)
Committee on Payment and Settlement Systems’ Working Group Publishes Report ‘Innovations in Retail Payments’. Central bank research identifies market trends and elements geared to assessing what an innovation-friendly environment should look like (EPC Newsletter, Issue 15, July 2012)
EPC Newsletter: Articles Published in the Section 'Legal and Regulatory Issues'
1 European Commission Website: http://ec.europa.eu/atwork/index_en.htm.
2 European Commission: Payment Services Directive and Interchange fees Regulation: frequently asked questions. http://europa.eu/rapid/press-release_MEMO-13-719_en.htm?locale=en.
3 European Commission Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union: http://ec.europa.eu/digital-agenda/en/news/commission-proposal-directive-concerning-measures-ensure-high-common-level-network-and.
4 European Retail Payments Board (ERPB): http://www.ecb.europa.eu/paym/sepa/stakeholders/governance/html/index.en.html#erpb.
5 European Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website Terms and Conditions.