The legislation that is applicable to the payment services market is currently subject to a lot of developments. In this blog an overview is provided of the highlights with regard to the development as of the first Payment Services Directive until the final draft regulatory technical standards published by the European Banking Authority on 23 February 2017. In the below overview, particular attention is dedicated to the first Dutch draft of legislation for the second Payment Services Directive, that was published for consultation in November 2016.
In 2007 the first Payment Services Directive (“PSD I“) was adopted. PSD I aimed to regulate the payment industry and to enhance consumer protection. PSD I however did not accurately reflect the manner in which certain payment methods operate. In addition the application of PSD I was not always clear. Furthermore, the European Commission (the “EC“) was concerned that many payment service providers (“PSPs“) escaped the regulation under PSD I. Among others for these reasons, the EC proposed a second iteration of PSD I.
Payment Services Directive II
On 2 June 2015, the Council of the EU published its final compromise text for the second Payment Services Directive (“PSD II“). PSD II will take effect from 13 January 2018. The 5 main objectives of PSD II are to:
- contribute to a more integrated and efficient European payments market;
- improve the level playing field for payment service providers;
- make payments safer and more secure;
- protect consumers; and
- encourage lower prices for payments.
Second Payment Services Directive in the Netherlands
Consequently, in November 2016, the first Dutch draft of legislation for PSD II was published for consultation. The three most significant changes in payment services regulation in the Netherlands following PSD II are as follows.
Three most significant changes
1. Extension of the scope (beyond Europe)
Under PSD I, the scope of application includes inter alia all types of payment services carried out in EU currencies, provided within the EU, to the extent that both the payer’s PSP and the payee’s PSP are located in the EU (in other words: “both legs in”). PSD II extends the scope beyond Europe by including transactions in which at least one PSP that is involved in the transaction is established in the EU (in other words: “one leg in transactions”). Furthermore, PSD II is applicable regardless of the currency used.
In addition, the scope of PSD II is extended with the purchase of physical goods and services through a telecom operator and third party PSPs, being: (i) payment initiation service providers, (ii) account information service providers and (iii) issuers of payment instruments.
PSD I states that charges shall be agreed between the payment service user and the PSP and shall be appropriate and in line with the PSP’s actual costs. Furthermore, PSD I left it up to each country to decide upon surcharging of card payments. This discretion created a scattered European landscape in which some countries banned surcharges and some others allowed it.
PSD II seeks to standardize the different approaches to surcharges on card-based transactions:
- surcharging will, in principle, still be allowed, but strictly limited by the direct costs borne by the payee;
- surcharging for payment cards that are regulated by Chapter II of the MIF Regulation and the SEPA Regulation (basically transactions by way of payment cards based on “four party payment card schemes”, money transfers and direct debit collections) are prohibited; and
- PSD II still leaves room for the Member States to prohibit or limit the right of the payee to request charges taking into account the need to encourage competition and promote the use of efficient payment instruments.
Under Dutch law, currently section 6:230k of the Dutch Civil Code (het Burgerlijk Wetboek, the “DCC“) states that surcharging for the use of a payment instrument can be charged on to a consumer, to the extent that the costs do not exceed the actual costs of the PSP. The Netherlands does not take advantage of the possibility to further prohibit or limit the right of the payee to surcharge. The content of the aforementioned section will therefore remain unchanged.
3. Introduction of strong customer authentication (“SCA“)
SCA means an authentication based on the use of two or more elements categorised as (1) knowledge (something only the user knows), (2) possession (something only the user possesses) and (3) inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
Under PSD II Member States should ensure that a PSP applies strong customer authentication where the payer:
- accesses its payment account online;
- initiates an electronic payment transaction; or
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
On 23 February 2017, the European Banking Authority (the “EBA“) provided further guidance on how the new rules concerning SCA should be explained. In this framework, EBA published final draft regulatory technical standards (“RTS“) specifying the requirements of SCA and the exemptions from the application of SCA. In short, specific characteristics for the three elements constituting SCA were removed from the previous RTS, to ensure technology neutrality and allow for future innovations. Furthermore, with regard to the exemptions from the principle of SCA, the EBA introduced two new exemptions: one based on transaction-risk analysis and the other for payments at ‘unattended terminals’ for transport or parking fares.
The final draft RTS will be submitted to the Commission for adoption, following which they will be subject to scrutiny by the European Parliament and the Council before being published in the Official Journal of the European Union. The RTS will be applicable eighteen months after its entry into force, which would suggest an application date of the RTS in November 2018 the earliest.