The Central Bank of Ireland is now accepting applications for authorisation/registration under the revised Payment Services Directive (“PSD2”) and has published new draft PSD2 compliant application forms and associated guidance.
The Central Bank will contact separately those firms that are already authorised as a Payment Institution or E-Money Institution under Irish law, with a view to ensuring that the Central Bank is able to assess whether such firms are PSD2 compliant by 13 July 2018.
Firms relying on the limited network exclusion should also be making preparations to notify the Central Bank of this fact, if they fall within the PSD2 notification thresholds. Notification requirements also apply to firms relying on the digital downloads exclusion.
Authorisation requirements for payment institutions and conduct of business rules for payment service providers are currently set out in the European Communities (Payment Services) Regulations 2009, which transpose the Payment Services Directive 2007/64 (“PSD”) into Irish law.
As set out in our earlier briefing (here), PSD has been substantially revised by PSD2, which must be transposed into Irish law by 13 January 2018. Among other things, PSD2 sets out extensive transparency requirements which apply broadly, including when carrying out dynamic currency exchange.
Significantly, as PSD2 has a broader scope than PSD, a number of entities that currently carry-on activities in Ireland without authorisation, will need to become authorised or apply for registration (in respect of Account Information Services) if they wish to continue carrying-on those activities, once the transposing legislation starts to apply. In particular, PSD2:
- narrows the scope of several of the exclusions currently provided for in PSD, including in particular those relating to commercial agents, limited networks, digital downloads and independent ATMs; and
- provides for two new payment services, namely Account Information Services and Payment Initiation Services.
PSD2 also amends the authorisation requirements applicable to e-money institutions so as to align these with the authorisation requirements applicable to payment institutions.
In July 2017 the European Banking Authority published its final Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers (“Guidelines”).
The Draft Forms
Although PSD2 has not yet been transposed into Irish law, any application for authorisation as a payment institution or e-money institution from this point on can be expected to fall for decision under the relevant transposing legislation, in view of the time-frames applicable to such authorisations.
Consequently, the Central Bank has published the draft application forms for each of the following:
- Authorisation as a Payment Institution (here);
- Registration as an Account Information Service Provider (here);
- Authorisation as an Electronic Money Institution (here); and
- Registration as a Small Electronic Money Institution (here).
The Central Bank has also issued a new Guidance Note document which aims to provide further support to applicants completing the new application forms.
According to the Central Bank, the draft application forms meet the Guidelines, and, while technically draft, should be used by firms for applications from now on. The forms remain open for comment from stakeholders ahead of them being finalised upon the coming into force of the regulations transposing PSD2 into Irish law.
Existing Payment Institutions
Payment institutions and e-money issuers that are currently authorised as such do not need to apply for a new authorisation under PSD2, however they must submit all relevant information required under PSD2 to the Central Bank in order to allow it assess their compliance with the PSD2 requirements.
Payment institutions and e-money issuers are grandfathered to continue operating under their existing authorisation until 13 July 2018, by which date the Central Bank must have assessed whether they comply with the relevant PSD2 requirements, and if not, which measures need to be taken in order to ensure compliance or whether a withdrawal of authorisation is appropriate.
According to the Central Bank, it will contact these firms separately in respect of the applicable transitional arrangements.
PSD2 Excluded Entities
A number of existing entities that are excluded from the scope of PSD will continue to benefit from an exclusion under PSD2 and consequently will not need to apply for authorisation as a payment institution under the PSD2 framework.
Nevertheless, entities relying on the limited network exemption will have to notify the Central Bank of this fact if they are providing services based on specific payment instruments that:
- allow the holder to acquire goods or services only in the issuer’s premises or within a limited network of service providers under direct commercial agreement with a professional issuer; and/or
- can be used only to acquire a very limited range of goods or services;
where the total value of payment transactions executed over the preceding 12 months exceeds EUR 1 million.
The relevant notification must contain a description of the services offered, specifying under which of the above exclusions the activity is considered to be carried out.
Entities relying on the digital downloads exemption must also send a notification to the Central Bank and provide it with an annual audit opinion, testifying that the activity complies with the limits specified in that exemption.
With the imminent approach of 13 January 2018, any entity that will require authorisation or registration under PSD2 in order to continue carrying on its existing activities, or to carry on new activities from January 2018 should be making immediate arrangements to apply for authorisation from the Central Bank, if it has not already done so.
We expect that any entity currently relying on an exclusion under PSD will already have carried out an analysis as to whether or not it will be able to continue to rely on the relevant exclusion after January 2018, for example, certain e-commerce platforms with respect to their handling of payments. However, any entity that intends to rely on the limited network exclusion or the digital download exclusion should also ensure that it has carried out an analysis as to whether or not it will be required to make the relevant notifications set out above and be in a position to make these notifications, if necessary. This will include some operators of gift and/or store cards.
Finally, any existing payment institution authorised under PSD should ensure that it carries out a detailed gap analysis of the applicable requirements under PSD and PSD2, and puts in place any measures necessary to address any identified gaps. Relevant payment institutions should also make sure to document any measures taken to prepare for PSD2 so as to be in a position to supply the relevant information to the Central Bank on request.