Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in France, Italy, Singapore, and the United Kingdom and as affiliated partnerships conducting the practice in Hong Kong and Japan. Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office. Latham & Watkins works in cooperation with the Law Office of Salman M. Al-Sudairi in the Kingdom of Saudi Arabia. Under New York’s Code of Professional Responsibility, portions of this communication contain attorney advertising. Prior results do not guarantee a similar outcome. Results depend upon a variety of factors unique to each representation. Please direct all inquiries regarding our conduct under New York’s Disciplinary Rules to Latham & Watkins LLP, 885 Third Avenue, New York, NY 10022-4834, Phone: +1.212.906.1200. © Copyright 2018 Latham & Watkins. All Rights Reserved.

Latham & Watkins Financial Regulatory Practice
15 January 2018 | Number 2270

The Race Toward PSD2 Implementation Intensifies

Latest milestones in the transformation of the payment services market: final text of the RTS and the Member States’ implementation of PSD2.

Key Points:
• The EC has adopted the final text of the RTS, which includes amendments on the EBA draft RTS following “back and forth” between the EC and the EBA.
• While France, Germany, Italy, and the United Kingdom have published implementing legislation for PSD2, other EU Member States — such as Spain — are lagging behind.
• Various pan-European initiatives have emerged that aim to create and develop open, common, and standard European APIs to access customers’ accounts under PSD2, with the support of industry bodies across Europe.
Overview

Latham is producing a series of Client Alerts to provide an overview of the key points and the current status of the upcoming regime introduced by the second Payment Services Directive (PSD2). The upcoming regime was developed in light of the adoption of the final draft Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and common and secure open standards of communication (CSC). This second Client Alert focuses on the European Commission’s (EC’s) adoption of the final text of the RTS on November 27, 2017, after “back and forth” with the European Banking Authority (EBA), as well as on the passage of PSD2 implementing measures in certain Member States. This Client Alert also briefly touches upon the various pan-European harmonization initiatives that aim to create and develop open, common, and standard European Application Programming Interfaces (APIs) that third-party providers (TPPs) will use to access customers’ accounts.

Institutional discussions on the RTS

As discussed in Latham’s first Client Alert, PSD2 paves the way to the new approach in the banking industry known as “open banking”[1] by allowing third-party developers to build and adapt payment service infrastructures around the existing online platforms of established financial institutions, as well as by providing third-party developers with access to client account information (upon customers’ authorization), mainly via open APIs. On February 23, 2017, following a public consultation with the industry that lasted longer than expected (which, according to the EBA, was because the agency collected an “unprecedentedly wide number of stakeholders’ views and input” during that period[2]), the EBA issued its final report on the RTS on SCA and CSC. The report sought to define the technical framework for implementing PSD2.
According to market players and observers, the report clarified certain ambiguities contained in the preliminary draft version[3] while still leaving a number of open questions.[4] However, on May 24, 2017, the EC sent a letter to the EBA expressing the EC’s intention to amend the latest version of the RTS through four substantial changes, as well as through “numerous improvements to the legal drafting.”[5] On June 29, 2017, the EBA published an opinion in response that voiced disagreement with certain amendments proposed by the EC, on the basis that they would “negatively impact the final trade-off and balances previously reached with the RTS published in February 2017.” Nonetheless, the EC eventually adopted the final text of the RTS on November 27, 2017, implementing the amendments with few changes.

The EC’s amendments

The amendments proposed and finally approved by the EC include, most importantly:
• A new exemption from SCA for corporate payments,[6] provided that they are performed with certain processes and protocols that achieve a high level of security[7]
• A requirement that banks and other payment service providers offer a dedicated communication interface to the TPPs. Under this requirement, TPPs may use direct access (whereby TPPs effectively log in as the customer in order to obtain the relevant information, also known as “screen scraping”) only when banks’ systems are unavailable or are performing inadequately (known as the “fall-back option”). In this way, the amendments try to address the above-mentioned concerns recently raised by FinTech industry stakeholders.[8]

With regard to the first amendment, the EC justified the exemption on the basis that specific types of corporate payments, such as machine-to-machine payments, are less risky, as “security is achieved through other means than the authentication of a particular individual.” However, the EBA has voiced its disagreement with this exemption on the grounds that: a) there is no reliable evidence to suggest that all corporate transactions are low risk; and b) there are already a number of exemptions under the RTS and various exclusions under PSD2 that would cover many corporate transactions. Moreover, the EBA feared that the lack of a definition of “corporate” and the unclear overall scope of, and thresholds for, the exemption may result in inconsistent implementation among the Member States. The EC resolved to include the exemption in the final text of the RTS, and only partially addressed the EBA’s concern about the ambiguity of the provision, by further specifying that the dedicated payment processes or protocols considered are only those made available to payers who are not consumers.

Turning the focus to the second amendment, the EC provided a fall-back option that TPPs can exercise in the event that a dedicated interface is unavailable or the Account Servicing Payment Service Providers (ASPSPs) do not comply with the obligations provided under the RTS. For background, the RTS places requirements on the communications between ASPSPs and TPPs. Among these requirements, ASPSPs must offer at least one interface for TPPs to access payment account information. This helps ensure that TPPs can access only the data necessary to provide clients a given service and that the TPPs identify themselves in the process.[9] (For more information, please see the first Client Alert in this series.) Thus, under the new rules, the current practice of third-party access through screen scraping would not be compliant.
Under this regime, ASPSPs may choose to adapt their customer online banking interface or create a new dedicated interface that includes all necessary information for the relevant payment service providers. Given this scenario, the EC amended the EBA’s draft RTS to introduce a contingency measure in the form of a fall-back mechanism, which involves opening the user-facing interfaces as a secure communication channel for TPPs (solely in case of failures by the ASPSPs to provide a dedicated interface). This measure aims to ensure that TPPs can access the data that they need to provide services and effectively compete against banks and other payment service providers on a discrimination-free basis.

The EBA has criticized this amendment on a number of grounds including, most importantly, the potential cost increases for ASPSPs associated with maintaining both dedicated and fall-back interfaces. The EBA’s concern is that the potential cost increases will likely lead to ASPSPs abandoning the dedicated interfaces altogether, thus compromising the development of standardised APIs across the European Union (EU) and fostering fragmentation.

In light of the EBA’s comments, the EC reviewed its amendments to the RTS, maintaining the fall-back mechanism as a general principle but empowering national competent authorities to exempt banks from having to provide it when strict conditions are met, thus seeking to ensure that the dedicated interfaces genuinely open the market for payment services.[10] In short, this means that the dedicated interfaces will be stress-tested and monitored by competent authorities. In the event that those dedicated interfaces fail in the testing phases or during the stress tests, payment service providers will be able to use the fall-back mechanism.
Moreover, in cases in which a dedicated interface no longer meets the requirements for the exemption from the fall-back mechanism, or in which an ASPSP fails to offer any interface that complies with the requirements of PSD2 and the RTS, competent authorities will be required to ensure that the ASPSPs establish the fall-back mechanism within two months. This requirement ensures that TPPs are not blocked or obstructed in providing their services.

Following the EC’s adoption of the RTS, the European Parliament and the Council will have three months to scrutinize the RTS pursuant to Article 290 TFEU (i.e., by ensuring that the EC has not misused its delegated power in order to reopen discussions on matters agreed at political level in trilogues). Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. After the publication of the RTS, banks and other payment service providers will have 18 months to implement the security measures and communication tools in order to meet the RTS requirements.

Implementing PSD2

European Member States had a deadline of January 13, 2018, to implement PSD2 at the national level. However, the implementation has gotten off to an uneven start across Member States. Below is a summary of the status of the implementation process in select Member States.

Italy
• Law No. 170 of August 12, 2016 granted the Italian government the power to implement PSD2 in the domestic legal framework within 12 months of that law’s entry into force (i.e., by September 16, 2017). The issuance of a paper on July 18, 2017 initiated a public consultation on PSD2 implementation that ended on July 31, 2017. On September 15, 2017, the Italian government approved the draft decree implementing PSD2 on a preliminary basis. The final text of the implementing law entered into force on December 11, 2017.
• The Bank of Italy has not issued any draft guidance on PSD2 yet. However, the Bank of Italy previously issued comprehensive guidance on the implementation of PSD1 that it will likely amend for the implementation of PSD2.

UK
• The Payment Services Regulations 2017 (PSRs 2017) were laid before Parliament on July 19, 2017 and came into force on August 13, 2017, entirely replacing the previous Payment Services Regulations 2009. Accordingly, some of the existing provisions in other UK legislation have also been amended to reflect PSD2. The PSRs 2017 took effect on (or, in relation to some provisions, in advance of) the implementation deadline of January 13, 2018.
• The UK Financial Conduct Authority (FCA) published two Consultation Papers for PSD2, on April 13, 2017 and July 13, 2017, that set out the necessary changes to the FCA’s Handbook of Rules and Guidance (Handbook). Following the consultation period, the FCA published its final rules implementing PSD2 in a Policy Statement on September 19, 2017. The Policy Statement confirms changes to the FCA’s Handbook, and new non-Handbook directions for excluded firms, to reflect PSD2 and the PSRs 2017. The Policy Statement also amends the FCA’s current Approach Document guidance relating to PSD1, to reflect the changes implemented by the PSRs 2017 and the amended FCA Handbook.

Germany
• On June 1, 2017, the German parliament (Bundestag) adopted an act implementing PSD2. The implementing law, which revises, inter alia, the Payment Services Supervision Act (ZAG), was published on July 21, 2017 in the Federal Law Gazette (Bundesgesetzblatt) and took effect on the implementation deadline of January 13, 2018.
• On November 29, 2017, the Federal Financial Supervisory Authority (BaFin) published the updated guidance notice regarding the revised ZAG-2017.[11] In this notice, BaFin addresses the changes required by the implementation of PSD2. The notice also provides guidance on the changes in BaFin’s administrative practice relating to situations that the ZAG-2017 already covers.

France
• On August 10, 2017, the French government published Ordinance no. 2017-1252 implementing PSD2 into French law.[12] The government then supplemented the Ordinance with two decrees and four orders that were published on September 2, 2017.

Spain
• Spain’s Ministry of Economy ran a public consultation process with all relevant stakeholders that ended on May 5, 2017, before drafting the PSD2 implementing law. On December 22, 2017, the Spanish Treasury published the preliminary draft, which is now subject to public consultation until January 16, 2018.[13] Once the draft is finalized, the Spanish Council of Ministers will submit the resulting draft bill for approval and will then present the bill before the Spanish Parliament for final approval. Based on publicly available information, no estimated transposition date for the implementing law has been set yet.
• As is the case in Italy, the Bank of Spain has not issued any draft guidance on PSD2 yet.

Pan-European initiatives on harmonized APIs

Banks, TPPs, and other payment service providers will likely race against each other to capitalize on opportunities arising from the technical implementation of PSD2, and in particular of APIs, pending the entry into force of the final RTS. National institutions, industry groups, and FinTech experts will guide and influence them during this process. The various initiatives being pursued include “The Berlin Group” and its special “NextGenPSD2” taskforce, which is backed by various industry bodies across Europe. The Berlin Group is a pan-European payments interoperability standards and harmonization initiative that primarily aims to create and develop open, common, and standard European APIs to access customers’ accounts under PSD2.
This approach intends to address and overcome the problem of multiple competing standards in the market while ensuring maximum interoperability across Europe. On October 2, 2017, the Berlin Group launched a six-week public market consultation on its proposed Access to Accounts Standard (XS2A), aiming to publish a final version of the standard before the end of January 2018. On October 14, 2017, a dedicated NextGenPSD2 / Market Consultation FAQ web page opened[14] and, on October 25, 2017, the NextGenPSD2 Conference 2017 took place in Berlin as part of the public market consultation.[15] Key areas of focus at the conference included:
• The “core services” (i.e., payment initiation services and account information services) that are supported and the “extended services” (provided by a contract between ASPSPs and TPPs) that may be supported by the implementation of the XS2A interfaces
• The designs of different variants of XS2A interfaces that the ASPSPs may choose to support. (The XS2A interfaces may vary according to, inter alia, the requirements for the identification of TPPs, the approaches for executing SCA, and the products a service will support.)
• The harmonization of currently differing approaches to SCA implementation
• The management of the payment service user’s consent for TPPs

Conference members agreed that the Berlin Group will work toward:
• Publishing the NextGenPSD2 Framework standards before the end of January 2018
• Supporting the implementation of APIs (e.g., by facilitating market involvement on both the supply and demand side)
• Harmonizing the testing facility requirements that ASPSPs will need to make available for connection and functional testing by TPPs

Another interesting initiative is the “Open Bank Project,” an open source API and App store for banks. The initiative aims to help banks and other FinTech market players enhance their digital offerings in a rapid and secure way.[16]

In addition, on June 12, 2017, Preta — a wholly owned subsidiary of EBA Clearing, a Paris-based provider of pan-European payment infrastructures — launched a project to help payment service providers and TPPs meet PSD2’s account access requirements. Preta’s initiative aims to deliver a European directory service consisting of shared information on account servicing payment service providers and TPPs.

Conclusion

The EC’s adoption of the RTS marks an important step towards the implementation of PSD2. However, the back-and-forth process between the EC and the EBA has not resolved all of the EBA’s concerns; the EBA continues to argue, above all, that the fall-back mechanism could threaten the development of common standard European APIs. Certain Member States, including Italy, Germany, France, and the UK, are leading the race to implement PSD2, having already published their respective implementing laws in 2017. Others, such as Spain, are still waiting for the relevant government bodies to approve draft regulation. In the meantime, a number of interesting, privately driven pan-European initiatives have arisen, backed by industry groups and institutions. These initiatives are working on different projects aimed at developing open, common, and standard European APIs to access customers’ accounts under PSD2.

In light of these developments, 2018 will certainly be a transformative year for the banking industry. PSD2 is poised to fundamentally change the market for payment services — a shift that presents unique opportunities, as well as unprecedented challenges, to financial services providers. Latham will continue to monitor and report back on this fast-evolving and critical area of financial regulatory policy.
If you have questions about this Client Alert, please contact one of the authors listed below or the Latham lawyer with whom you normally consult:

Isabella Porchia
firstname.lastname@example.org
+39.02.3046.2078
Milan

Filippo Benintendi
email@example.com
+39.02.3046.2072
Milan

Christian F. McDermott
firstname.lastname@example.org
+44.20.7710.1198
London

You Might Also Be Interested In:
• Understanding PSD2: Key Points to Know About the Upcoming Regime
• New Handbooks Will Clarify Market Abuse Regulation Policies in Italy
• Europe as a Hub for Initial Coin Offerings?

Client Alert is published by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. A complete list of Latham’s Client Alerts can be found at www.lw.com. If you wish to update your contact details or customize the information you receive from Latham & Watkins, visit https://www.sites.lwcommunicate.com/5/178/forms-english/subscribe.asp to subscribe to the firm’s global client mailings program.

Endnotes

[1] Please note that from a UK perspective, “Open Banking” has a slightly different meaning, since it is used to describe the initiative of the Competition and Markets Authority (CMA) to promote open API access to retail banks in a manner which is compliant with, though not identical to, the PSD2 requirements. The CMA’s initiative requires the nine largest current account providers in the UK to implement common open API standards. However, the CMA’s initiative only covers personal and current accounts, and therefore has a more limited scope than PSD2, which covers a full range of accounts including, inter alia, flexible savings accounts, corporate accounts and credit card accounts.
Further details on the differences between the CMA Open Banking initiative and PSD2 are available at https://www.paymentsuk.org.uk/news-events/news/openbanking-and-psd2-clarifying-differences.

[2] For further information, see European Banking Authority, ‘Consultation Paper: on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2’ (12 August 2016), available at https://www.eba.europa.eu/-/eba-consults-on-strong-customer-authentication-and-securecommunications-under-psd2.

[3] In summary, the EBA (i) removed any references to particular international standards, technology and other characteristics in order to ensure technology neutrality and allow future innovations; and (ii) confirmed the scope of the requirement to apply SCA set out in PSD2, which includes e-money transfers. The EBA also specified that SCA will not apply to electronic payments initiated by the payee only.

[4] In particular, one of the main concerns is that the lack of specific technologies and standards in the RTS could create a risk of market fragmentation, an obstacle to PSD2 implementation, and therefore raise costs for both TPPs and customers.

[5] The EC amended Chapters I, III, and V of the draft RTS presented by the EBA. In particular, the EC had proposed that: (i) the audit performed in relation to the exemption based on transaction risk analysis should be performed by statutory auditors; (ii) certain corporate payments shall be exempted from SCA; (iii) ASPSPs should report the outcome of their monitoring, in relation to the use of exemptions from SCA, to the EBA, in addition to the national competent authorities; and (iv) in the case of inadequate performance of a dedicated interface, the TPPs should be allowed to access information through the customer interfaces (“fall-back mechanism”).
[6] The exemptions from SCA are set forth under Chapter III of the RTS and include: (i) access to payment accounts by the payment service user; (ii) contactless electronic payments at the point of sale, provided that the individual and cumulative amounts of the payment do not exceed, respectively, €50 and €150; (iii) electronic payment transactions at unattended terminals for the purpose of paying transport fares or parking fees; (iv) payments made vis-à-vis a list of trusted beneficiaries (“whitelist”); (v) recurring transactions with the same amount and with the same payee; (vi) credit transfers between accounts held by the same person; (vii) remote transactions, provided that the individual and cumulative amounts do not exceed, respectively, €30 and €100 (“low-value transactions”); and (viii) remote transactions identified by the ASPSPs as posing a low level of risk according to the transaction risk analysis set forth under the RTS. The EC justified the exemptions from SCA on the basis that “this is to avoid disrupting the ways consumers, merchants and payment service providers operate today and because there may be alternative authentication mechanisms that are equally safe and secure.” In any case, payment service providers that wish to be exempted from SCA must first apply mechanisms for monitoring transactions to assess whether the risk of fraud is low. For a general overview and more details on the exemptions from SCA, please refer to the first Client Alert, available at https://m.lw.com/thoughtLeadership/LW-Understanding-PSD2-Key-Points-to-Know-About-the-Upcoming-Regime.

[7] Art. 17 RTS. The provision requires that the competent authorities are satisfied that the processes and protocols available guarantee at least an equivalent level of security to those provided under PSD2.

[8] Art. 33 RTS.

[9] Please note that the RTS only apply to payment accounts, in accordance with the scope of PSD2. The RTS thus do not cover access to accounts other than payment accounts, which falls under the competence of the Member States.

[10] Art. 33 RTS.

[11] The German version of the guidance notice is available at: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_111222_zag.html;jsessionid=B70B4430076228C9A58E535339C70CFF.1_cid363.

[12] The French version of the Ordinance implementing PSD2 is available at: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000035394629&dateTexte=&categorieLien=id.

[13] The Spanish version of the preliminary draft implementing act of PSD2 is available at: http://www.senado.es/web/conocersenado/temasclave/procedimientosparlamentarios/detalle/index.html?lang=en&id=PROCLEGORDENG.

[14] Available at https://www.berlin-group.org/faqnextgenpsd2.

[15] Conference papers and presentations are available on the Berlin Group website at https://www.berlin-group.org/nextgenpsd2-conference-2017.

[16] Further details can be accessed at https://openbankproject.com/.