Getting Ready for PSD2
Contents
Introduction
Overview
Exemptions
Access to payment systems and accounts
New payment services
Security of Payments
Action points
Contacts
1 | www.bakermckenzie.com
Introduction
The recast Payment Services Directive (PSD2) will have a dramatic effect on the EU's payment landscape, providing the framework for the evolution of the FinTech industry and effecting changes for traditional payment institutions such as payment card businesses and operators of payment accounts. PSD2 will apply and be of interest to a broad range of banks, card companies, money services businesses, outsourcing suppliers and mobile network operators. For new entrants it provides opportunities and for incumbent firms it will create challenges.
Evolution or revolution?
While PSD2 builds on the current framework it will be a key enabler of the payments revolution. Changing customer behaviours mean that incumbents must review their business models to make themselves everyday banks and partners of their customers. The alternative will be to be used as a utility service.
PSD2 will take effect from 13 January 2018. The European Banking Authority (EBA) is in the process of developing Regulatory Technical Standards (RTS) on passporting and on strong customer authentication and secure communication. These developments must be looked at together with the EU's Interchange Fee Regulation (IFR), which has introduced major changes to the European payment card industry. This Briefing considers the principal changes and the issues that firms should consider to get ready for implementation of PSD2.
PSD2 - Key Changes
More transactions will fall within scope, including through a new geographical ambit and application to transactions in currencies other than the euro and Member State currencies
Narrower exemptions and new notification obligations to regulators
Requirements relating to non-discriminatory access to payment systems and accounts
Creation of new regulated payment services of payment initiation and account information
Strengthened security requirements and strong customer authentication
New consumer protections
Overview
PSD2 responds to a variety of developments that have arisen since 2007, when the current Directive was first adopted. Most markedly, there has been rapid technological change in the payments industry, which is in the vanguard of FinTech developments. Many customers are embracing new technology and the volume of online and mobile payments has increased significantly. According to a recent report by Payments UK, the proportion of payments in the UK made using cash fell from 64% in 2005 to 45% in 2015, with electronic payments surpassing cash payments for the first time, and cash is expected to fall to 27% in 2025. Technological innovation has facilitated the development of new types of services which presently fall outside the regulatory framework. The new Directive will extend the scope of regulation to cover new services including payment initiation. As a quid pro quo for crossing the regulatory perimeter, operators of such services will be able to passport their activities across the EU and avoid the current patchwork of Member State specific regulations. PSD2 will therefore simplify matters, but at a price. The Commission also aims to increase competition in the payments sector by promoting non-discriminatory access to payment systems and accounts, as well as by recognising new services. Consumer protection will be boosted through greater transparency of costs and protection from charges. It will also benefit from PSD2's extended geographical reach and the corresponding restrictions on current exemptions, which are intended to prevent their abuse and to achieve a more level playing field across the EU in terms of their application. Finally, in response to growing cyber crime and online fraud, PSD2 continues the trend towards enhancing the security around the making of payments.
Interchange Fee Regulation
PSD2 is closely linked to the Interchange Fee Regulation for card based payment transactions. The IFR aims to increase competition through new conduct of business rules, a cap on multilateral interchange fees and requiring the separation of scheme and processing activities. The cap applied from 9 December 2015 limits the level of interchange fee between acquirers and issuers that can be applied to credit or debit card transactions. Additionally, new conduct of business rules that apply from 9 June 2016 prohibit requirements, such as the "honour all cards rule," whereby card schemes or payment service providers oblige merchants to accept all cards of a particular brand. Even more far reaching, there are provisions which will bring about the separation of payment card schemes and processing entities and mandate their independence in terms of accounting, organisation and decision-making. The EBA has published draft RTS on the separation of scheme and processing but given the limited scope of the EBA's mandate, the RTS are light on detail. The new UK regulator, the Payment Systems Regulator, has published its own guidance on the IFR.
PSD2 has an extended geographical reach. The current Directive only governs payments made wholly within the European Economic Area (i.e. where both legs take place in the EEA) in euro or in the currency of a Member State (e.g. pound sterling). PSD2 will in contrast cover transactions in any currency and, additionally, transactions where only "one leg" is within the EEA. To the extent they do not already do so, money remittance services will need to give more information to customers. Increased transparency may result in more competitive cross-border services, which, owing to limited investment in systems and processes, are still relatively expensive, slow and lacking in transparency. Some Member States (but not the UK) have unilaterally extended aspects of PSD protections to the EU leg of payments outside Europe.
At present, a payment transaction in U.S. dollars made by a payment service user (or customer) via payment service providers from London to Frankfurt does not fall within the ambit of the existing directive. Nor does a payment transaction (in any currency) between London and Hong Kong. The former falls outside the scope of the PSD because the U.S. dollar is neither the euro nor a Member State currency, and the latter because not both legs are within the EEA.
In future, both of the above examples will be subject to regulation, although with a reduced level of protection for customers in respect of information requirements and the obligations owed to them by payment service providers. In the first case (a non-EEA currency, with both legs within the EEA), there would be no obligation on payment service providers to specify a maximum execution time, to refrain from deducting charges from the amount transferred or to ensure that the payee receives funds by the following business day (D+1). Where only part of the payment transaction is within the EEA (i.e. London to Hong Kong), the payment service provider will only be responsible for that "leg", and a further reduced set of obligations and protections will apply, for instance over the provision of information, the imposition of charges, the timing of receipt of funds and liability towards customers for defective, late or non-execution. Current terms and conditions and service standards will require review.
Exemptions
The recast directive will scale back the existing exemptions from the need to obtain (full) regulatory authorisation. In the absence of a uniform approach to implementation, firms benefiting from an exemption as it applies in a given Member State may achieve a competitive advantage over authorised providers that are regulated. The main exemptions and the changes are as follows:
Small payment institutions
Under the existing directive, Member States may waive certain regulatory requirements for small payment institutions which, amongst other criteria, have average monthly payment transactions not exceeding EUR 3 million over the previous 12 months. According to the Commission, while 15 Member States have offered this exemption, it has only been relied on by firms in nine jurisdictions. These providers generally undertake low value remittances and retail foreign currency transactions, except in Poland where the exemption is used to provide bill payment services.
PSD2, however, allows Member States that exercise this option to choose a lower threshold. In this event, firms currently using this exemption would either need to reduce their turnover, review their business model, or apply to become an authorised payment institution (with all that entails). In any event, they should monitor their turnover carefully lest they exceed the applicable threshold. Small payment institutions remain without a passport for payment services.
Commercial agents
In general terms, a payment transaction undertaken by a commercial agent that negotiates or concludes the sale of goods or services on behalf of another is not considered to be a payment service. This exemption has been used for many years by bill payment service providers, for example, to allow customers to pay utility bills. Recently, it has been used increasingly by operators of e-commerce platforms that facilitate the exchange of goods and services, and payment for them, in return for a fee.
Consequently, concerns have arisen that customers are being exposed to risks that payments regulation seeks to mitigate. The Commission considers that the exemption is too widely drawn, besides its uneven application across Member States. PSD2 seeks to control and limit its use by requiring firms to put in place a formal agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or payee, but not both. In practice, in future, e-commerce platforms are most likely to choose to act on behalf of the payee as recipient of the payment. Such platforms will need to review carefully their business model to confirm whether they remain compliant and, if changes are necessary, whether they are feasible.
Limited networks
This exemption is commonly used by retail chains (e.g. gift cards or loyalty bonus cards) for low value payments. The precise extent of this exemption has been unclear and, despite attempts to restrict its availability, uncertainty remains in PSD2, especially over what is meant by "limited". In the UK cards market, some types of payment instruments might avail themselves of this exemption, although other Member State regulators have taken a stricter approach. Again, the Commission considers that its use has gone significantly beyond what was originally envisaged, exposing users to security and operational risks. In this respect, confusion can arise on the part of consumers between instruments issued under this exemption and those falling within, and benefiting from, regulation. PSD2 therefore restricts its use to "instruments" in the following circumstances:
where a payer acquires goods or services on the premises of the issuer or within a limited network of service providers under a direct commercial agreement with a professional issuer. The reference to a "direct" commercial agreement in the second limb suggests an absence of intermediaries between a provider and the issuer. The requirement for a "professional" issuer is new and undefined but suggests an entity which specialises in that activity.
the purchase of a very limited range of goods or services. What is meant by "very" limited is unhelpfully not defined. Whether this is one, two, three or more is unclear.
in a single Member State the purchasing of specific goods or services regulated by a public body for social or tax purposes. This use could encompass luncheon vouchers.
There is also a new notification obligation (for the first two circumstances) if the value of payment transactions exceeds EUR 1 million over the preceding 12 months, to allow national regulators to monitor the use of the exemption. National regulators will review whether the activities qualify for exemption. Firms may find that regulators require them to seek authorisation if they are to continue and, therefore, careful analysis of the nature of their services and monitoring of their extent will be necessary.
Electronic communications networks
This exemption is relevant to providers of electronic communications networks or electronic communications services, such as mobile phone operators. In tightening it, PSD2 aims to address the fact that the exemption has been used to cover a very broad range of services which permit users to make purchases of goods, services and products through their mobile phone. The exemption is for digital content and voice-based services, for example ringtones, music, games, videos or apps provided to subscribers. These must be purchased through a digital device (e.g. a mobile phone), alongside the core electronic communication services, and charged to the same bill. The principal risk relating to this exemption under the PSD was its failure to prevent operators from using it for payments for real goods and services, on occasion through the distribution of vouchers. PSD2 now refers specifically to digital content and voice-based services, although one concession is its extension to charitable donations and payments for the purchase of tickets. Again, to control potential risks to customers, the value of any single payment will be limited to EUR 50 and, cumulatively, to not more than EUR 300 per month. Operators will also need to provide national regulators with an annual audit opinion certifying that their activity does not exceed these monetary limits.
Automated teller machines
This applies where automated teller machines (ATMs) are operated independently from payment services providers that offer payment accounts. The Commission considers that the exemption has helped to improve the coverage of ATMs across the EU, especially in more rural areas where historically there has been less provision. In this light, the exemption will be maintained, but in future ATM operators will have to comply with the transparency provisions in PSD2 so that customers will receive information on withdrawal charges.
Access to payment systems and accounts
PSD2 provides that access to both payment systems and to payment accounts should be on an objective, non-discriminatory and proportionate basis. Moreover, rules on access may not go beyond what is necessary to safeguard against specific risks such as settlement risk, operational risk and business risk and to protect the financial and operational stability of the payment system. Restrictions on participating in other payment systems and rules which discriminate between payment service providers are prohibited. Payment systems made up exclusively of payment service providers belonging to the same group, such as true three-party schemes, however, are excluded from this requirement on the basis that they provide competition to or cater for parts of the market that are under-served. For payment accounts, the degree of access must be sufficient to allow firms to provide payment services in an unhindered and efficient manner. Access to payment accounts may only be denied by an account provider to other service providers on the basis of objective evidence-based reasons concerning unauthorised or fraudulent use.
New payment services
In the context of mandating access on an objective, non-discriminatory and proportionate basis, PSD2 gives regulatory recognition to two new types of payment services that join the existing services listed in the recast directive:
Payment initiation services
A payment initiation service is a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
A customer will have the right to use a payment initiation service where their account is accessible online. In the context of consumers and retailers such a service offers the potential for cheaper payment transactions without the use of a credit or debit card, allowing payment directly from a customer's account. Customer consent to the transaction is given through the payment initiation service, which will use the customer's identity and security information to access the account. Moreover, the account provider must allow the payment initiation service to rely upon its authentication procedures. Access is not dependent on a contract, as the basis for providing the service is set out in the recast directive. For example, it allocates liability between the account provider and the payment initiation service, each bearing responsibility for its respective part of the transaction. Under PSD2, in the case of an unauthorised payment, it will be the account provider which must reimburse its customer before seeking compensation from the payment initiation service.
Account information services
An account information service is an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
Consumers will be able to access and view all their accounts through a single gateway and login. Currently, the use by customers of these services is often contrary to the terms and conditions of their account providers. Given that this service does not involve payment transactions, in contrast to payment initiation services, it is subject to a reduced authorisation and supervisory regime.
While such services already exist, the PSD is silent on them and their legal and regulatory basis is at best unclear. These services are one of the key developments of the recast directive and have led to concerns among payment account providers about the possible loss of revenue, the security of access, data privacy and liability. Non-bank digital entrants into the payments market, including technology giants and small start-up businesses, may win significant market share from traditional banks, which may face the loss of the more profitable parts of their businesses. Customers are becoming ever more accustomed to faster and easier payments and, potentially, will go elsewhere if providers do not respond. Other factors include changing consumer preferences and increasing, costly regulation.
Security of Payments
As the recitals to PSD2 explain, in recent years the security risks relating to electronic payments have increased, in part because of growing technical complexity, the ever growing volume of electronic payments and the development of new types of payment services. PSD2 places responsibility for security risks on payment service providers and aims to mitigate them through a clear and harmonised regulatory framework. Payment service providers must have a security policy document which includes a detailed risk assessment and a description of their security control and mitigation procedures. They must also establish a framework to manage the operational and security risks relating to their payment services, including effective incident management procedures that cover the detection and classification of major operational and security incidents. An updated assessment of these risks, and of the adequacy of the mitigation measures, must be provided to national regulators annually or more frequently. The EBA is tasked with issuing guidelines to national regulators and firms on the security measures and the steps required to comply, including the certification process; currently, these are likely to be available by mid 2017. Firms will also have to report major operational or security incidents to their national regulator without undue delay. Perhaps more problematic is the requirement to notify customers, without undue delay, where an incident has or may have an impact on their financial interests, together with the steps they can take to mitigate its adverse effects. Quite how firms should interpret the impact on customers' financial interests is unclear. Moreover, in terms of remedial action, in extreme cases this might include the unpalatable option of closing a service.
Strong customer authentication
All payment service providers will need to increase online transaction security. Strong customer authentication must be used. It is defined as authentication based on the use of two or more elements, categorised as knowledge, possession and inherence, which are independent of one another in that the breach of one does not compromise the reliability of the others:
Knowledge - something only the user knows (e.g., a password or PIN)
Possession - something only the user holds (e.g., a card or a token)
Inherence - something only the user is (e.g., a fingerprint or voice recognition)
Firms must use strong customer authentication where a customer accesses a payment account online, initiates an electronic payment transaction, or carries out "any action, through a remote channel which may imply a risk of payment fraud or other abuses." Moreover, for remote electronic payment transactions, which include payments over the internet, the authentication must "dynamically link" the transaction to a specific amount and a specific payee, so that an approval given for one amount and payee cannot be reused for another. Although technical standards will provide exemptions for low value payments at the point of sale, such as contactless and mobile payments, firms may find implementing the requirements of strong customer authentication challenging and may encounter customer resistance. Where a firm fails to use strong customer authentication the payer will not bear any financial loss unless they have acted fraudulently.
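To make the two requirements concrete, the following is an added example, not code from the briefing, the EBA or any PSD2 scheme: a toy account-provider check that enforces the two-of-three element rule (two elements from the same category count as one), and a dynamic-linking authentication code that binds the payer's approval to the amount and payee, so that a transaction whose amount or payee is altered after approval is rejected. The function names, the HMAC-SHA256 construction, the device key, the challenge value and the sample transaction are all assumptions made for the example.

```python
import hashlib
import hmac

# The three PSD2 element categories named in the briefing.
CATEGORIES = ("knowledge", "possession", "inherence")


def is_strong_customer_authentication(elements):
    """Two-of-three rule: at least two verified elements from *different*
    categories. A password plus a memorable word are both 'knowledge' and
    therefore count as one factor, not two.

    `elements` is an iterable of (category, verified) pairs, e.g.
    [("knowledge", True), ("possession", True)].
    """
    verified = {cat for cat, ok in elements if ok and cat in CATEGORIES}
    return len(verified) >= 2


def dynamic_link_code(device_key, amount_cents, payee, challenge):
    """Authentication code bound to the amount and payee shown to the payer.

    Any change to amount or payee after approval yields a different code, so
    the approval cannot be replayed against a tampered transaction.
    HMAC-SHA256 over the canonical fields is an assumption of this example,
    not a construction mandated by PSD2 or the briefing. `challenge` stands
    for a fresh per-transaction value from the account provider.
    """
    canonical = f"{int(amount_cents)}|{payee}|{challenge}".encode("utf-8")
    return hmac.new(device_key, canonical, hashlib.sha256).hexdigest()


def verify_remote_payment(device_key, amount_cents, payee, challenge,
                          presented_code, elements):
    """Account provider's check for a remote electronic payment: strong
    customer authentication satisfied AND the presented code matches the
    amount and payee actually being executed. Returns (accepted, reason)."""
    if not is_strong_customer_authentication(elements):
        return False, "fewer than two independent authentication elements"
    expected = dynamic_link_code(device_key, amount_cents, payee, challenge)
    if not hmac.compare_digest(expected, presented_code):
        return False, "dynamic linking failed: amount or payee changed"
    return True, "ok"


def demo():
    """Constructed scenario: the payer approves EUR 100.00 to PAYEE-A; a
    man-in-the-browser then bumps the amount or swaps the payee."""
    key = b"constructed-device-key-not-real"   # constructed shared secret
    challenge = "tx-challenge-0001"             # constructed per-transaction value
    sca_ok = [("knowledge", True), ("possession", True)]
    only_knowledge = [("knowledge", True), ("knowledge", True)]

    approved = dynamic_link_code(key, 10000, "PAYEE-A", challenge)
    return {
        "honest": verify_remote_payment(key, 10000, "PAYEE-A", challenge, approved, sca_ok)[0],
        "amount_tampered": verify_remote_payment(key, 10001, "PAYEE-A", challenge, approved, sca_ok)[0],
        "payee_tampered": verify_remote_payment(key, 10000, "PAYEE-B", challenge, approved, sca_ok)[0],
        "single_category": verify_remote_payment(key, 10000, "PAYEE-A", challenge, approved, only_knowledge)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} -> {'accepted' if accepted else 'rejected'}")
```

Running it shows the honest transaction accepted and the three variants rejected. The two properties the example enforces are independence (two elements of one category do not make strong customer authentication) and linkage (the code is computed over the amount and payee the payer actually saw, so a change to either invalidates it).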
Detailed requirements, including those on the security of communications, will be set out in the RTS on strong customer authentication and secure communication to be drafted by the EBA. Unfortunately, these are not expected to apply until autumn 2018, some six months after PSD2 takes effect, although a draft text should be available in 2016. In the meantime, there are the European Central Bank's recommendations for the security of payment account services and mobile payments and the EBA's guidelines on the security of internet payments. As for the latter, the FCA has said that it will not require firms to follow them ahead of PSD2 transposition. Where, however, firms carry out cross-border payment transactions they may wish to adopt the EBA's guidelines earlier, bearing in mind that national regulators in other Member States may have asked their firms to follow them.
New consumer protections
In addition to the geographical extension of regulation and the narrowing of exemptions, customer rights are further strengthened under PSD2. The following are particularly relevant:
customer liability in the case of third party fraud (e.g., arising from a lost, stolen or misappropriated payment instrument) will be reduced to a maximum of EUR 50, compared to EUR 150 at present;
customers will have an unconditional right to a refund for a SEPA direct debit. While this is already available in the UK and some Member States via direct debit guarantee schemes, it will now be put on a legal basis;
customers will have to agree before sums in their accounts are "blocked" by payees (e.g. deposits taken by car hire companies) to ensure funds are available when payment becomes due;
customer complaints must receive a substantive and comprehensive reply within 15 business days of receipt except in exceptional situations where a maximum of 35 business days will apply (currently a maximum of 8 weeks for UK financial services firms). Member States may introduce stricter rules; and
a payee may in most cases only surcharge customers for the direct cost of using a payment instrument, and surcharging is prohibited altogether for consumer debit and credit cards whose interchange fees are capped under the IFR.
PSD2 also clarifies that a customer may reject proposed changes to a framework contract (e.g., the terms and conditions governing a bank account) at any time before they take effect and can terminate the agreement at any time up to that point. A customer's right to terminate extends to all agreements, not only those which have lasted over 12 months. While customers may be charged for termination where the contract has been in force for less than 6 months this is limited to any costs actually incurred.
Business customers may continue to opt out of a number of the protections available under PSD2, for example the prohibition on charging for information required to be provided under the regulations.
Action points
Firms should be planning for implementation of PSD2 on 13 January 2018. Amongst the matters they should consider are:
the expanded geographical scope and narrowed exemptions, which mean that firms which are not regulated now may need to become authorised payment institutions or revise their business model;
reviewing systems and procedures to identify how their business is impacted and what changes are required, for example to IT, documentation (terms and conditions), processes and staff training;
if relevant, the impact on their business from the creation of payment initiation and account information services;
whether their security measures in respect of payment transactions are compliant; and
the opportunities to develop their business in a changing regulatory and technological environment, such as the growth in data capture from electronic payments.
Contacts
Arun Srivastava, Partner, 020 7919 1285, Arun.Srivastava@BakerMcKenzie.com
Mark Simpson, Senior Associate, 020 7919 1403, Mark.Simpson@BakerMcKenzie.com
Baker & McKenzie has been global since inception. Being global is part of our DNA.
Our difference is the way we think, work and behave: we combine an instinctively global perspective with a genuinely multicultural approach, enabled by collaborative relationships and yielding practical, innovative advice. Serving our clients with more than 4,200 lawyers in more than 45 countries, we have a deep understanding of the culture of business the world over and are able to bring the talent and experience needed to navigate complexity across practices and borders with ease.
2016 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.