A similar structure, a much broader scope
The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs, and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.
Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).
Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer's and the payee's PSPs (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ‘one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU). ‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope "in respect of those parts of the payment transaction which are carried out in the Union". This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g. because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been "carried out in the Union"; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.
PSD2 amends some of the exemptions established under PSD1. Changes to the "commercial agent" exemption attempt to address the divergent interpretations taken by some Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both). Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds. Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services, and therefore the "limited network" exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.
The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1, which was removed from the European Commission's (the Commission) original proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer's receipt — aiming to enhance transparency.
PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, pursuant to PSD2, PSPs will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.
Expanding the market
PSD2 creates two new types of PSP, commonly referred to as ‘third party payment service providers’ (TPPs), and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.
PSD2 contains provisions requiring Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.
Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system. that want to provide different payment services involving holding users' funds will need to obtain full regulatory authorisation.
PSP – payment service provider
PSU – payment service user
ASPSP – account servicing payment service provider, usually being the bank of the payer or the payee in the context of payment transactions made via online banking
PISP – payment initiation service provider providing a software "bridge" between a payer and the of the payer so as to facilitate online payments by initiating an order at the request of the payer
AISP – account information service provider providing PSUs with aggregated online information for multiple payment accounts held with multiple and accessed via the online systems of those
TPP – third party payment service provider (i.e. a PISP and/or an AISP)
Payment initiation services
operate at the heart of online banking transactions, providing the interface through which customers access their online account and transmitting the requisite data to effect a payment. In the case of a PISP issuing card based payment instruments, the PISP acts as a facilitator that enables the transmission of funds, by confirming that the payer has sufficient funds in its account to execute a transaction. PSD2 clarifies that a PISP will not receive or handle customer funds at any stage and will not provide a statement of account balance. Following extensive debate in respect of security and data protection issues, the role of has been confined to giving a 'yes' or 'no' answer as to whether the payer has sufficient funds in its account to complete a transaction. PSD2 sets out various conditions that must be met before a PISP can offer its services (e.g. the payer must give its explicit consent to the account servicing payment service provider (ASPSP) to respond to requests from a specific PISP prior to the first request for confirmation being made) and imposes obligations on (such as making sure that they authenticate themselves and communicate securely with the ASPSP for each confirmation request made by a payer). After debate during the legislative process, the final text prohibits from obliging to enter into contracts with them prior to the provision of the service.
Account information services
AISPs provide PSUs with aggregated online information for multiple payment accounts held with different (which are accessible through the online systems of those ). In light of the fact that such entities require access to those payment accounts to provide their services, PSD2 requires to respond to data requests from AISPs in a non-discriminatory manner and gives PSUs the right to make use of account information services. The final text stipulates that the provision of account information services shall not be made dependent on the existence of a contractual relationship between the ASPSP and the AISP.
Generally, the provisions and approach relating to AISPs are similar to those that apply to PISPs.
Moving towards strong customer authentication
PSD2 places great emphasis on the security of electronic payments and introduces and defines the concept of "strong customer authentication", which will be further refined by the European Banking Authority (EBA) and the European Central Bank (ECB) in guidance and regulatory technical standards. PSPs have to apply strong customer authentication where a PSU accesses its online account or initiates an electronic payment transaction.
The guidelines on the security of internet payments (guidelines), using PSD1 as the legal basis, were published on 19 December 2014 (see ‘related links’ below). These should be implemented by PSPs by 1 August 2015, and the EBA has stated that it intends to publish more stringent requirements as required under PSD2 once that has come into effect. The guidelines include an enhanced version of customer authentication for all electronic payment transactions and place various obligations on PSPs to carry out risk assessments and to monitor security incidents. The authentication approach is one based on two out of the three components set out in the guidelines: something only the user knows, something only the user possesses and something the user is. It remains to be seen what the content of the updated guidelines that the EBA will publish pursuant to PSD2 will be, and it is expected that a similar ‘comply or explain’ approach will be followed.
Reducing the liability burden?
The publication of the original Commission proposal in the summer of 2013 rang alarm bells among stakeholders: the attempt of the draftsmen to reallocate the liability burden to cater for the introduction of TPPs into the regulated payment services arena was considered by many as potentially giving rise to more issues than it was attempting to solve.
Under PSD2, PSPs are liable for unauthorised payment transactions although PSUs may be obliged to bear losses up to 50 euros (reduced from 150 euros under PSD1) in cases of lost or stolen payment instruments.
The final text suggests that some of the concerns raised during the legislative process have been taken on board. For example, the concept of deemed consent and the ability of a payee to indirectly give consent for a transaction that featured in the original Commission proposal have been removed. Generally, the relevant principle in the final text is one of each relevant PSP taking responsibility for the respective parts of the transaction under its control. Accordingly, where a PSU initiates a payment transaction through a PISP, the PISP shall have the burden of proving that, within its sphere of competence, such transaction was authenticated, accurately recorded and not affected by deficiencies linked to the payment service it is in charge of. However, in the absence of a contract between a PISP and an ASPSP, and in light of the fact that in the interests of consumer protection a payer is entitled to claim a refund from the ASPSP (even where a PISP has been involved), it remains to be seen how the allocation of liability provisions will operate in practice. Again, in this respect the final text of PSD2 deals with some of the concerns that the industry had raised in response to the Commission’s original proposal, as it provides that if the PISP is liable for an unauthorised, non-executed or defectively executed transaction or a payment transaction that was executed late, it shall immediately compensate the ASPSP at its request for sums paid or losses incurred as a result of any refund. However, concerns at the possibility of widespread losses caused by a thinly capitalised PISP remain unaddressed.
The legislators of PSD2 have tried not to lose sight of other initiatives and legislative measures and, accordingly, PSD2 refers to other laws or concepts that are relevant to its provisions. For example, data protection issues are expressly mentioned in PSD2, especially in the context of Directive 95/46/EC and Regulation EC No 45/2001 (see ‘related links’ below): PSD2 makes clear that PSPs should ensure that data protection laws are complied with. The references to the Network and Information Security (cyber-security) Directive (NIS) (see ‘related links’ below) that were contained in the Commission's earlier draft proposal have now been replaced with an independent obligation under PSD2 to maintain and establish incident management procedures, to report assessments on operational and security risks to competent authorities and to engage in incident reporting.
Maria Troullinou is a Senior Associate in the financial regulation group at Clifford Chance in London.
Related links:
European Commission Website: Green Paper on Card, Internet and Mobile Payments
European Commission Website: Proposal for a directive of the European parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
European Banking Authority Website: EBA issues guidelines to strengthen requirements for the security of internet payments across the EU
European Union Website: Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
European Union Website: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Related articles in previous issues:
PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties (EPC Newsletter, Issue 23, July 2014)
PSD2: Analysis of Selected Aspects of Recent European Parliament Report Raises More Questions for Clarification (EPC Newsletter, Issue 22, April 2014)
PSD2: European Parliament Economic and Monetary Affairs Committee (ECON) Draft Report Introduces Improvements and Reveals the Need for Further Clarifications, Says Payments Regulatory Expert Group (EPC Newsletter, Issue 21, January 2014)
PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits) (EPC Newsletter, Issue 21, January 2014)
The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues (EPC Newsletter, Issue 20, October 2013)
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification (EPC Newsletter, Issue 20, October 2013)