On 12/01/2016, the amended Payment Service Directive (Directive (EU) 2015/2366, PSD II) entered into force; the Member States must transpose it into national law within two years, that is, by 13/01/2018. Along with numerous other new regulations, the PSD II also subjects so-called third-party payment service providers to regulation under bank supervision law. For providers of these kinds of payment services, such as iDEAL, Trustly, or in Germany Sofortüberweisung, the PSD II has given rise to numerous fundamental innovations that will need to be complied with in the future. The European Commission views third-party payment service providers as a cost-effective and innovative payment option for consumers using the Internet, but has also raised issues regarding data protection, security, and liability, which the provisions of the PSD II are supposed to address.
The business model of the third-party payment service provider
The term “third-party payment service provider” covers payment initiation services and account information services. These services are characterized by the fact that they gain access to accounts accessible via online banking using the personal access data of the holders of those accounts. In the case of payment initiation services, transfers to third parties, e.g., e-commerce retailers, are initiated; in the case of account information services, the account status is queried to create a consolidated statement for all of the accounts of the user of the respective service. The common feature of these services is that, previously without any existing legal framework, they have their customers provide them with their personal security details (such as PIN, TAN, and passwords) and can access their accounts by online banking, even though the general business terms and conditions of the bank maintaining the account expressly require account holders to keep their personal security details secret.
Regulation of third-party payment service providers
The PSD II stipulates that the services offered by third-party payment service providers constitute a payment service which is subject to certain legal framework conditions. Providers of payment initiation services now need regulatory approval, which requires a review of the business model as well as the establishment of internal control mechanisms and procedures for dealing with security incidents. In addition, providers of payment initiation services must take out an appropriate professional liability insurance policy and meet an initial capital requirement of EUR 50,000.00. Although account information services do not require regulatory approval, they nonetheless need to be registered with the competent authority, in Germany the Federal Financial Supervisory Authority (BaFin, Bundesanstalt für Finanzdienstleistungsaufsicht). Various regulatory requirements apply likewise to these services, albeit to a lesser extent.
Cooperation between banks maintaining the accounts and third-party payment service providers
The PSD II now clearly establishes that customers may pass their security details to third-party payment service providers and that the banks maintaining the accounts have an obligation to cooperate with these third-party payment service providers. From a technical perspective, it is prescribed that, in order to provide their services, third-party payment service providers should in the future gain access to bank systems through a technical interface set up specifically for them. For the design details of these interfaces, the European Banking Authority (EBA) will publish the final drafts of the corresponding regulatory technical standards on 13/01/2017, which will then enter into force 18 months after publication.
Consumer and data protection
The regulation of third-party payment service providers is intended primarily to protect the consumers who use them. For this purpose, the PSD II also stipulates that information about the initiation of a payment may be conveyed only to the recipient, and not to third parties. In addition, no sensitive payment data may be stored. Above all, however, it is clearly defined that requesting or using any data other than that required for initiating the payment process is not permitted. The same applies to account information services: here too, only the relevant account information may be queried, and nothing else. In addition, third-party payment service providers must now inform their customers about the content, scope, and configuration of their range of services.
Allocation of liability when using payment initiation services
Prior to the entry into force of the PSD II, liability with respect to payments initiated by payment initiation services was completely unclear. The PSD II now rules that the bank maintaining the account continues to be liable towards the customer for payments that are executed late, executed incorrectly, or not executed at all. However, if the liability incident can be traced back to the culpability of the payment initiation service, the bank maintaining the account can take recourse against the latter. The payment initiation service bears the burden of proving proper execution.
On the whole, the regulation of third-party payment service providers and the creation of clear legal framework conditions are to be welcomed, in particular because of the previous ambiguities regarding access to the online banking gateways of customers. Consumers in particular should benefit from the provisions of the PSD II. For the main participants, however, namely the banks maintaining the accounts and the third-party payment service providers, implementing the PSD II will require substantial changes to their operations.