The original Payment Services Directive (PSD) was adopted in 2007. Since then, the retail payments market has experienced significant technical innovation and the existing regulatory regime has become outdated. Consequently, the European Commission proposed an amended and recast Payment Services Directive (PSD2) in September 2013, which was, following trialogue and various amendments, recently adopted by the European Parliament and is expected shortly to be adopted by the EU Council of Ministers. (http://data.consilium.europa.eu/doc/document/PE-35-2015-INIT/en/pdf)
PSD2 updates and complements the EU rules put in place by PSD. Its main objectives are to:
- contribute to a more integrated and efficient European payments market;
- improve the level playing field for payment service providers (including new players);
- make payments safer and more secure;
- protect consumers; and
- encourage lower prices for payments.
The key changes, which are discussed in this briefing concern:
- new payment services;
- exemptions to the regime;
- scope of application; and
- conduct of business rules.
It is expected that PSD2 will be published in the Official Journal of the EU by the end of 2015. From 20 days after publication, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the new rules.
New payment services
Since PSD was adopted, new services have emerged in the area of internet payments, where payment providers offer specific payment solutions or services to customers. As anticipated in earlier drafts, the draft PSD2 covers new payment services.
- Payment initiation. Services whereby consumers initiate payments directly from their bank accounts (rather than using a card) will be regulated. This provides consumers with the possibility of shopping online even if they do not possess a payment card. Examples of providers of this type of service are Sofort Überweisung in Germany and iDEAL in the Netherlands.
- Account information. Services which collect and consolidate information on the different bank accounts of a consumer in a single place will also be regulated.
These services are not currently covered by the PSD. The effect of bringing the services into the scope of regulation will mean that entities providing these services will need to be authorised (to the extent that they do not fall into an exemption) and will need to comply with transparency and conduct of business rules.
However, the benefit of being authorised is that a bank holding a payer’s account must provide access to an authorised payment institution with access to the account on an objective, non-discriminatory and proportionate basis. Such access must be sufficiently extensive to allow payment institutions to provide payment services in an unhindered and efficient manner. Banks will only be able to deny access for a ‘duly motivated’ reason, that will need to be provided to the competent authority.
Further, when payment institutions exclusively provide those services, PSD2 recognises that they do not hold client funds and that it would therefore be disproportionate to impose own funds requirements. However, these entities should still be able to meet liabilities in relation to their activities, so will be required to hold either professional indemnity insurance or a comparable guarantee.
PSD2 contains some amendments to existing exemptions in PSD. The European Commission noted in its review of PSD that certain exemptions had been transposed or applied by Member States in different ways, leading to regulatory arbitrage and legal uncertainty. With that in mind, PSD2 contains some clarifications and amendments to the existing exemptions.
- Limited network exemption. PSD currently provides an exemption for payment services based on instruments used to acquire goods or services in or on the issuer's premises or within a limited network of service providers or for limited range of goods or services. PSD2 includes a recital that payment activities covered by the limited network exemption often comprise significant payment volumes and values, as well as hundreds or thousands of different products or services. This does not fit the purpose of the original limited network exemption. Consequently, this exemption has been significantly narrowed and the circumstances in which a payment instrument should be considered to be used in a limited network are clarified. Further, where the network of service providers is limited to particular merchants, this should not fall into the exemption.
- Download exemption. PSD also provides an exemption for payment transactions executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, provided that the operator does not act only as an intermediary between the payment service user and the supplier. Whilst there has been no evidence that this exemption has been expanded beyond its original intentions, PSD2 clarifies the position as to when the download exemption can be relied on and gives examples – the exemption should focus specifically on micro-payments for digital content and voice-based services. Limits have been included in the exemption, such that an individual transaction cannot exceed €50, the cumulative value of payment transactions for an individual subscriber cannot exceed €300 per month and an account cannot be prefunded by more than €300 per month.
- ATM exemption. ATM services will continue to be exempted as long as the provider does not carry out any other payment services. However, ATM operators falling within the exemption will be required to comply with the transparency provisions of PSD2, which will mean the provision of information on withdrawal charges before the withdrawal, as well as on receipt of the cash. Moreover, charges applied by ATM operators should be without prejudice to Regulation (EC) No 924/2009 (on cross-border payments in the community).
Service providers relying on the limited network and download exemptions will be obliged to notify relevant activities to competent authorities so that the competent authorities can assess whether the requirements of the exclusions are fulfilled and to ensure a homogenous interpretation of the rules throughout the EU.
The scope of the transparency and conduct of business requirements for payment service providers has been widened. In PSD, these provisions only apply where both the payer's payment service provider (PSP) and the recipient’s PSP are (or the sole PSP is) located in the EU and where the payment is made in euro or the currency of a Member State outside the euro area.
This has led to divergent approaches across Member States to the detriment of consumers.
However, the application of these provisions under PSD2 is broader than that of PSD. The provisions will not only continue to apply to EU PSPs transacting in EU currencies, but also, with amendments:
- where both of the payment service providers are in the EEA but the payment transaction is not in the currency of an EU Member State; and
- to the ‘EU part’ of a transaction, in all currencies, where one of the payment service providers is located within the EU.
Key changes to conduct of business rules
For the majority of existing PSPs (as well as banks and e-money institutions which are also subject to the conduct of business rules when carrying out payment services), other than the amendments to scope discussed above, the amendments to the conduct rules should require updates to existing compliance procedures and documentation, rather than a wholesale rewrite. There are also certain changes to consumer protection measures.
- Surcharges. PSD2 will help lower charges for consumers by preventing recipients from adding a ‘surcharge’ for card payments in the vast majority of cases, both online and in shops. In situations where card charges imposed on merchants are capped (in accordance with the recently published Interchange Fee Regulation), merchants will not be allowed to surcharge consumers for using their payment card.
- Security. PSD2 introduces enhanced security measures to be implemented by all payment service providers. All PSPs, including banks and e-money institutions, will need to prove that they have certain security measures in place ensuring safe and secure payments. The PSP will have to carry out an assessment of the operational and security risks at stake and the measures taken on a yearly basis.
- Liability. As regards losses that consumers may face, the new rules streamline and further harmonise the liability rules in case of unauthorised transactions, ensuring enhanced protection of the legitimate interests of payment users. Except in cases of fraud or gross negligence by the payer, the maximum amount a payer could, under any circumstances, be obliged to pay in the case of an unauthorised payment transaction will decrease from €150 to €50.
- Capital requirements. Capital requirements imposed on PSPs have largely remained the same under PSD2 as set out in PSD. Specific capital requirements have been defined for providers of the new payment services described above in relation to their respective activities and the risks these PSPs represent.