Big changes are on the way for the laws and regulations on payment services. These changes will have an impact throughout the payments community, including for banks and building societies, cards issuers, merchant acquirers, previously unregulated payment facilitators and merchants.
The changes will arrive in the form of a second Payment Services Directive (PSD2). PSD2 is part of a package of measures intended to modernise and improve the European retail payments regulatory framework. It is a response to new innovative payment services across all channels, including internet and mobile devices, which seeks to improve security and consumer protection and address various areas of legal uncertainty in the original Payment Services Directive (PSD1).
The original PSD2 proposal was published in July 2013, with the final compromise proposal having been published in June 2015. It is anticipated that Member States will be required to transpose PSD2 into national law by sometime in 2017. Therefore it is essential that the industry is considering now the technical and compliance challenges that are posed by PSD2 and how they will respond.
Key changes include:
- Many obligations contained within PSD1 will now apply to a broader range of payment transactions (i.e. they will apply to all currencies where both the payer’s and payee’s payment service providers (PSPs) (or the sole PSP) are located in the EU and will also apply to transactions carried out where only one of the PSPs is in the EU (in respect of the parts of the transaction which are carried out in the EU).
- There are new types of payments services being brought within the remit of the directive in order to regulate types of PSPs which have become prevalent in the market since PSD1 was put in place in 2007. These new regulated providers will be known as payment initiation service providers (PISPs) and account information service providers (AISPs) and detailed provisions around their obligations and interaction with account servicing PSPs (i.e. banks and building societies) are included in the text.
- There are amendments to the exemptions in PSD1 to address differing approaches across Member States and close down unintended loopholes in previous exemptions which allowed certain entities to remain unregulated when this should not have been the case. Amended exemptions include the “commercial agent” exemption, the “limited network” exemption, the “mobile device content” exemption and the ATM exemption.
- There will be new security requirements including the obligation for PSPs to apply “strong customer authentication” and establish a framework with appropriate mitigation measures and control mechanisms to manage operational risks. There will also be additional notification obligations where major security incidents arise.
- The liability provisions are amended to reduce a payment service user’s liability for an unauthorised payment transaction from €150 to €50. There are also amendments to the liability provisions to take account of the interaction between an account servicing PSP and the AISPs and the PISPs to make it clear where liability should sit depending on where in the payments chain the issue has arisen.
Although it is clearly some time until the relevant provisions will enter into local law, our international payments practice has already been busy advising a large number of payment providers on how the new regime will impact on their business. This has included bespoke training sessions, advice on lobbying as the Directive has progressed, reviews of terms and conditions to advise on likely changes, advice on changes to business processes and technical solutions, assistance with analysis of whether previously unregulated entities will require an authorised payment institutions license and analysis of security requirements in comparison to the EBA’s security of internet payment guidelines.
In addition to the above, PSD2 contains a number of other interesting changes from the original legislation and we would be happy to discuss those with you if required. The international payments group also advises day to day on putting in place terms and conditions which reflect the current regime (such as for current accounts, cards products and merchant acquiring arrangements), FCA authorisation/licensing issues, the directive’s passporting regime and advising on the contractual arrangements between financial institutions and technology providers as they look to take advantage of new innovative technology and payment services whilst remaining compliant (e.g. Apple Pay and Paym).