When the second Payment Services Directive (PSD2) is transposed into national law among European member states in 2018, it will reflect a revolution in the payments industry.
PSD2 builds on the original payment services directive which was introduced in 2007 and led to a new relationship between consumers, retailers and banks. Customers now pay for goods and services through non-banking devices, and that trend will only accelerate and expand with the introduction of PSD2. The new directive aims to account for the pace of technological change in the payments industry since the introduction of the original directive by extending the scope of regulation, both in terms of geography and types of service providers. An ever-broader array of companies will fall under the scope of regulation as fintech companies and telecoms providers compete with established banks in this new financial world order.
Under the original directive, different interpretations and local implementation of certain matters of scope and exemption led to regulatory arbitrage, legal uncertainties and potential market distortions in practice, and it is hoped these can be tackled under the PSD2.
The recast directive expands the geographic scope set out in the first directive beyond the European Economic Area (EEA), and covers any payment that has an EEA leg to it, irrespective of the currency it is transacted in. PSD2 will take effect from 13 January 2018, and its scope is set out in the Regulatory Technical Standards (RTS) created by the European Banking Authority. The RTS cover passporting, while enhancing protection of consumer rights and payment data protection in response to increasing levels of cybercrime and online fraud.
The introduction of PSD2 gives regulatory recognition to two new types of payment services—Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). Both can be either bank or non-bank institutions.
PISPs will be able to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider. PISPs will do this by establishing a software 'bridge' between the website of the merchant and the online banking platform of the payer to execute a credit transfer. Under PSD2, PISPs must apply for a license from a national regulator and fulfill various regulatory requirements covering levels of initial capital, permanent funds as well as safeguarding client money, and sound and prudent management. They must also demonstrate robust governance, a well-defined organisational structure, risk management and sound administrative and accounting procedures.
AISPs offer online services to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
Given that this does not involve payment, the rules governing AISPs are less onerous than those governing PISPs, and as such they only need to register with their national competent authority to provide insurance cover. Both types of market participants will be able to benefit from the European Passport and provide their service throughout the EEA.
Under PSD2, financial institutions managing payments accounts which are active in the field of online banking must provide third-party providers with access to their customers' accounts, provided their customers grant their permission. This provides new business opportunities to traditional banks as well as fintech companies and other non-bank service providers which must comply with new regulations in order to access account information and handle payments.
Elements of the RTS covering passporting, notification and supervision will come into force on 13 January 2018. But the RTS covering strong customer authentication and secure communication will not be applicable by then and are likely to postpone final implementation of the PSD2 regime until late 2018 or early 2019.
- European Union Member States must implement PSD2 into national law by the January 2018 deadline, but there are local differences in terms of timing and transposition that need to be addressed.
- On 19 December 2016, the German Federal Ministry of Finance published the first proposal regarding the partial transposition of PSD2 into national law. This piece of legislation includes the supervisory provisions of PSD2 and amends the German Payment Services Supervisory Act.
- Meanwhile, the Federal Ministry of Justice and Consumer Protection has amended the German Civil Code which allocates responsibilities and liability among the parties and other provisions only governing the relationship between payee and the payment service provider, such as the rights of consumers. There are indications that during the process of enacting, the draft laws will be combined into one single act.
France is expected to follow suit by reforming the relevant articles (L521-1 to L526-40 in Title II) of the Code Monétaire et Financier. Article 70 of the Act, known as 'Sapin 2,' authorises the French government to implement PSD2 within 18 months.
Given that the UK government is likely to trigger the two-year 'Article 50' withdrawal process from the European Union in the coming months, it seems likely that the UK's EU withdrawal negotiations will still be 'in-progress' when the January 2018 deadline for implementation of the PSD2 arrives. All affected UK firms should therefore continue to progress with, and invest resources into, their own internal analysis and any change planning for PSD2 as guided or directed by the relevant national competent authorities, either the Prudential Regulatory Authority or the Financial Conduct Authority.
The UK will likely want to retain an arrangement that will be closely aligned with the EU to secure easy and seamless payments throughout the EEA in general and the Single Euro Payments Area (SEPA) in particular.
As well as the legal framework, there are administrative guidelines, recommendations or explanatory notes published by the national competent regulatory authorities which also have to be updated and adapted to the new PSD2 regime. The current documents can be found on the websites of the French Authority for prudential supervision and resolution (Autorité de contrôle prudentiel et de résolution – ACPR), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) and the UK Financial Conduct Authority (FCA).
Harmonisation of national laws
The new directive seeks to clarify exemptions that national supervisory authorities have interpreted differently within the different Member States.
Among them is the limited network exemption which is used by retail chains for low-value payments. Under PSD1, diverging administrative practices throughout Europe created a competitive advantage for firms operating in certain Member States. For example, shopping centres in the UK could benefit from the limited network exemption while those in Germany could not. In France, the ACPR originally took a narrow view on the limited network exemption, but was in one case ("Printemps") overruled by a decision of the Conseil d'État which held that the exemption is not limited to a single company but might also apply to several companies belonging to the same group.
Against this backdrop, the EU Commission considers it necessary to restrict the limited network exemption, and as a consequence, some firms currently not requiring a license as an e-money institution or payment institution will become regulated under PSD2. However, uncertainty remains in the wording of the limited network exemption. There are no clear-cut thresholds which local authorities can look at, and it will be interesting to see how administrative practice develops. PSD2 introduces a new obligation to notify the national regulator if the value of payment transactions within a limited network exceeds €1 million over the preceding 12 months. The regulator will then decide if the activities qualify for exemption.
PSD2 also limits exemptions for telecom companies. There will be an upper limit which, if exceeded, will lead to a license requirement and the supervision of those companies by national regulators. Below-the-threshold payment services of telecom companies remain unregulated.
Improvement of the security of payments
PISPs shall comply with so-called strong customer authentication which is defined as authentication via at least two components categorised as knowledge (something only the user knows, such as a static password, code or personal identification number); possession (something only the user possesses, such as a token, smart card or mobile phone); and inherence (user's biometric data, such as a fingerprint). These components will act independently of each other, so that the breach of one does not compromise the reliability of the others.
This strong customer authentication is required if customers access their payment accounts via the internet, initiate an electronic payment or take any action via remote access that poses a risk of fraud in the payments area or any other abuse.
The EBA was due to submit the draft RTS on strong customer authentication to the European Commission by 13 January 2017. The EU Commission will then carry out a legal review before adopting it with the EU Council and EU Parliament having scrutiny rights in the process. It is expected that the EBA will publish the final version of its regulatory standards in February or March 2017 with an enactment by the EU Commission as a Delegated Act shortly thereafter.
Once the EU Commission has adopted the RTS, they will come into force 20 days after their publication in the Official Journal of the EU. Member States must then ensure the application of the RTS 18 months after the date of their entry into force. Given these timelines, the RTS will not be applicable before October 2018. An application in 2019 seems more realistic.
The preliminary discussion paper for RTS received a critical response from members of the EU Parliament as well as from some of the 147 market participants including banking associations, credit card organisations and consumer protection groups which took part in the consultation.
The main criticism referred to a lack of exemptions that would make payments above a threshold of €50 overly burdensome in terms of booking, payment and settlement of transactions. Furthermore, market participants fear that the requirement of strong customer authentication in Europe and not in other jurisdictions such as North America could cause friction. For example, credit card companies expressed concerns that European business travelers could not use their credit cards in the US and vice-versa—US business travelers would not be able to process their credit card transactions in Europe.
PSD2 will act as a catalyst for the payments services sector. PSD2 aims to address inconsistencies that have arisen from the original directive and keep pace with current and future developments. But whether it will bring about the much-heralded revolution in Europe's financial services sector is yet to be seen.