On 17 April 2018 the Lithuanian Parliament amended the laws regulating the activities of the payment service providers. New rules and requirements set by these laws are mainly related to:
- regulation of newly emerged payment services;
- conditions for applying certain exemptions on certain payment-related activities;
- security measures ensuring a high level of payment security and protection of consumers;
- access by payment institutions to payment account services of credit institutions;
- requirements of good repute.
The changes result from adoption of the following amended and restated Lithuanian legal acts: the Law on Payments; the Law on Payment Institutions; and the Law on Electronic Money and Electronic Money Institutions (Amended Laws). Adoption of the Amended Laws transposes into Lithuanian law changes introduced by the second Directive on Payment Services (PSD2), amending several existing Directives and repealing the Directive on Payment Services (PSD1). If the Lithuanian President signs the Amended Laws, they should come into force on 1 August 2018.
Regulation of “one-leg transactions”
Some provisions of the Amended Laws apply to transactions with third countries where only one of the payment service providers is located within the EU in respect of those parts of transactions which are carried out in the EU (“one-leg transactions”). This extension of scope primarily concerns payment service providers located in the EU. These payment service providers will have to provide information and transparency on the costs and conditions of international payments, at least in respect of their part of the transaction.
New types of payment services
The scope of payment services regulation is widened by:
- covering new services and players, ie payment initiation service providers and account information service providers;
- extending the scope of existing services (ie payment instruments issued by payment service providers that do not manage the payment service user’s account), enabling their access to payment accounts.
The Amended Laws require payment service providers of these new services to be authorised and regulated.
The new regulation enables bank customers to use third-party providers to manage their finances (to pay bills, make person-to-person transfers and analyse their spending), while still having their money safely placed in their bank account. Banks, though, must allow these third-party providers access to their customers’ accounts through an open application programming interface. This enables third parties to build financial services on top of bank data and infrastructure, increasing competition in the Baltic payment market where “bank-link” services currently dominate.
Access to payment accounts
Under the Amended Laws, credit institutions cannot block or prevent access to payment accounts, while payment institutions should have access to payment account services of credit institutions objectively, non-discriminatorily and proportionately. A credit institution that refuses to open an account must immediately notify the Bank of Lithuania.
Conditions for using exemptions on certain payment-related activities are clarified:
- The commercial agent exemption should apply when agents act only on behalf of the payer or payee, regardless of whether they are in possession of client funds. The recitals of PSD2 state that where agents act on behalf of both payer and payee ‒ such as certain e-commerce platforms ‒ they should be excluded only if they do not at any time enter into possession or control of client funds.
- The limited network exemption applies if at least one of the following conditions is met: (i) the payment instrument is used for the purchase of goods and services from a specific retailer or specific retail chain where the entities involved are directly linked by a commercial agreement; (ii) the instrument is used for the purchase of a very limited range of goods or services; or (iii) where the payment instrument is regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services.
- The exemption for payment transactions by means of telecom or information technology devices is specified and narrowed down as follows: (i) limited mainly to micro-payments for digital services downloaded on to a digital device or of electronic tickets or donations to charities; and (ii) only payments under a certain threshold are excluded.
- Conditions for notifying the Bank of Lithuania when acting under the limited network exemption or the telecom exemption are set so that the Bank of Lithuania can assess whether or not the activities are subject to licensing requirements. These activities will be listed in public registers.
Strong customer authentication
To make electronic payments safer and more secure, payment service providers will be obliged to apply so-called strong customer authentication when a payer initiates an electronic payment transaction. For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising risks in case of mistake or fraud.
Enhanced rules on authorisation
Licensing requirements are largely the same as under PSD1. However, the Amended Laws introduce a new requirement to provide evidence that all security measures are in place ensuring safe and secure provision of payment services. The main changes relate to the enhanced levels of payment security under PSD2. Entities applying for a licence for a payment or electronic money institution will additionally have to provide a security policy document as well as a description of security incident management procedure, contingency procedures, and the like. The secondary legal acts providing new detailed licensing requirements have not yet been adopted. They should be adopted not later than 31 July 2018.
Capital requirements have largely remained the same. Specific capital requirements are defined for third-party service providers in relation to their activities and the risks these represent. The third-party service providers are not subject to own funding requirements. However, both payment initiation service providers and account information service providers must hold either professional indemnity insurance or some other comparable guarantee covering the territories in which they offer services.
The Amended Laws provide a legislative basis for the right to an unconditional refund that already exists for the Single Euro Payments Area (SEPA) direct debit.
New rules oblige payment service providers to provide a written answer to any complaint of the payment service users within 15 business days. In exceptional cases this period can be longer, although the extended period for providing such written answer cannot exceed 35 business days.
Changes in the requirements for management
Under the Amended Laws there is no mandatory requirement to maintain a supervisory board and/or a management board for payment and electronic money institutions. Forming these corporate bodies is optional.
Secrecy requirements for payment and electronic money institutions
The Amended Laws indicate that payment institutions and/or electronic money institutions are subject to rules governing protection of banking secrecy.
All procedures initiated before the Amended Laws come into force will be finalised following the rules set in the Amended Laws.
Validity of authorisations already granted
Transitional provisions are foreseen for payment and electronic money institutions that are already authorised to provide payment services. These institutions are allowed to continue providing payment services and must also submit all relevant information required under the Amended Laws to the Bank of Lithuania not later than 1 November 2018. If the required documents and evidence are not provided by 1 November 2018 and/or full compliance with the new requirements is not ensured by 1 February 2019, the Bank of Lithuania can impose a sanction against the market player concerned.
Existing providers of payment initiation and account information services
Providers of payment initiation and account information services that are already established and licensed in Lithuania can continue to perform their activities. However, a three-month transition period is set during which they must submit all relevant information and documents to the Bank of Lithuania evidencing that they operate in accordance with the new requirements, unless such evidence was already submitted to the Bank of Lithuania.
Different date of application for security requirements
A different date of application is foreseen for the new security measures – strong customer authentication and standards for secure communication. As a result, the new security measures will apply from 14 September 2019. Payment initiation and account information service providers applying for a licence need not submit proof of compliance with these security requirements until that later date.