What is it?
The so-called "PSD2" is the revision of an existing directive from 2007, called the "Payment Services Directive" or "PSD" or "PSD1". Since it is a directive, it will need to be transposed/ implemented within the law of the EEA Member States (as opposed to an EU Regulation that is "directly applicable" in the various Members States).
Most of the PSD2 provisions need to be "live" in the various Member States by January 2018, with the exception of the provisions on security (so-called "strong customer authentication" or "SCA") and the technical details of how banks are expected to provide access to third party players (so-called "TPPs"), which will only go live towards the end of 2018 or the beginning of 2019.
Why do you need to know about it?
On some topics, PSD2 is just updating/amending/refining PSD1 (e.g. in relation to the kinds of payment services that fall outside the scope of PSD, and therefore are/were unregulated).
However PSD2 also contains brand new provisions/topics compared to PSD1, including in particular SCA and the "access to account" that financial institutions need to grant to TPPs (so-called "Account Information Service Providers"/AISPs and "Payment Initiation Service Providers"/PISPs).
In terms of new provisions in PSD2 versus PSD1:
- Strong Customer Authentication: PSD2 requires that when a payer accesses its payment account online (e.g. logs into his/her PC banking platform) or initiates an electronic payment transaction (card payment or credit transfer – either face-to-face or "remote"), SCA should take place. SCA is defined as two of three factors: "something only you know" (e.g. a PIN), "something only you are" (e.g. a fingerprint) and "something only you have" (e.g. your card in a face-to-face context, your phone for a remote payment, etc.). For example: – in the case of a face-to-face payment, Chip & PIN should in principle qualify as SCA – In a "remote" (e.g. online) context, the phone (or more precisely a token stored on the phone) should qualify as the "something only you have", and a fingerprint or a selfie should qualify as the "something only you are", therefore meeting the requirements of SCA.
In addition, for "remote" payments, there is a requirement that SCA "includes elements which dynamically link the transaction to a specific amount and a specific payee" (Article 97(2)) which raises technical issues, in particular in relation to the card payments.
The EBA is requested to grant exemptions to the principle of SCA – and those exemptions are currently making a lot of "noise" in the market – e.g. the exemptions of 10 EUR for "remote" payments (and 50 EUR for face-to-face contactless payments) are considered to be too low; merchants and card issuers are requesting to be allowed to perform "Risk-Based Assessment" or "Risk-Based Authentication" (RBA) rather than applying exemptions in a mechanical way; some exemptions are limited to credit transfers (such as when the payee is "white-listed") whereas arguably card payments should benefit from the same exemptions; etc.
Finally, the issue of so-called "one-leg transactions" (i.e. transactions where one of the two service providers is located within the EEA, where the other financial service provider is located outside of the EEA) also raises a lot of "noise". The EC was considering that, should a card issued in the EEA be used at a merchant working with a financial institution located outside of the EEA (e.g. a web merchant in the US, working with a US acquirer), unless the merchant requests SCA, the EEA card issuer should decline the transaction which, given the low usage of SCA in the rest of the world, would have the potential of making cards issued in the EEA unusable at (web) merchants located outside the EEA. Clearly this is not the best way to favour e-commerce.
- Access to account: financial institutions (referred to as Account Servicing PSPs/ASPSPs, e.g. banks (so-called "credit institutions"), EMIs (E-Money Institutions) and PIs (Payment Institutions)) that are holding "payment accounts" (e.g. current account, but also a credit card account, a prepaid card account, etc.) are required to grant "access" to the account, for free, to so-called "TPPs"/Third Party Payment Service Providers – which are categorised as AIPSPs and PISPS. The former do not provide payment services but instead generally aggregate data from various accounts; whereas the latter initiate a payment (in practice, a credit transfer) to pay a merchant (presumably at a cheaper price than a card payment, as otherwise it is unclear why any merchant would prefer that form of payment over a card payment, that typically comes with a payment guarantee). The above mentioned draft RTS are expected to solve the issue of how, from a technical point of view, those TPPs should get access to the account e.g. through a so-called "direct access" and/or indirect access through a "dedicated interface" (typically referred to as an "API" or "open API"), the data that those TPPs can get access to (in the case of an AISP the same data as that available to the consumer, including transaction history; whereas in the case of a PISP just information from the financial institution on the initiation and the execution of the payment), how often an AISP can "refresh" the data when that refresh is not actively requested by the user, and so on.
The EBA is currently reviewing the very large number of written comments (200+ comments) that they received on their draft RTS, with a view to presenting their "final" draft RTS to the EC as soon as possible (the official deadline of 12 January 2017 has already been missed by the EBA).
In terms of changes from PSD1 to PSD2, here are a few select examples:
- The concept of "commercial agent", that was used in particular by online market places (e.g. Amazon, Fnac, etc.) in order to avoid falling within the scope of the PSD, is being narrowed down since a commercial agent will only be able to operate for either the payer or the payee (Article 3(b))
- The concept of a "limited network" payment instrument (e.g. "closed loop" cards or "filtered loop" cards, such as gift cards, petrol cards, meal voucher cards) is being narrowed down (Article 3(k))
- The services that telcos can offer to consumers without being regulated under the PSD are also been narrowed due to some maximum amounts (50 EUR per transaction and 300 EUR per month) (article 3(l))
- Three party card schemes that are not entirely closed will be forced to grant "access" / licenses, in particular to acquirers – who will pay regulated levels of interchange fees on those transactions (see below), and therefore should be able to undercut the pricing (Merchant Service Charge/MSC or Merchant Discount Rate/MDR) currently offered to merchants (Article 35 and recital 51).
EU Interchange Fee Regulation
What is it?
The IFR is an EU regulation impacting card payments – in three "tranches": June 2015, December 2015, and June 2016. In particular, the IFR impacts the economics of card payments by capping the amount of "interchange fees" that merchant acquirers (and, in most cases, ultimately merchants) pay to the card issuer on every (consumer) card transaction. In that respect, the IFR is the continuation of the competition law cases that have been pursued, for many years, by the EC and various national competition authorities (NCAs) in relation to MasterCard, Visa and some of the domestic debit card schemes that exist in a few EEA countries (such a Cartes Bancaires in France, Pagobancomat in Italy, etc.). In addition, the IFR also regulates a series of so-called "business rules", i.e. imposes new obligations and creates new rights for the various participants in the payment card value chain, namely merchants, acquirers, issuers, cardholders, card schemes and processors.
Why do you need to know about it?
The IFR covers various topics – which we address briefly below:
- Interchange fees: the IFR caps the amounts of interchange fees applicable to consumer card transactions in the EU (Articles 3 and 4). It also contains an anti-circumvention clause, and in particular the concept of "net compensation" which requires calculations of how much the card scheme is paying to the issuer, and how much the issuer is paying to the card scheme (Article 5 IFR).
- Pan-European licenses: the IFR requires that licenses granted by card schemes to issuers and acquirers should have a pan-EU geographic scope (Article 6 IFR).
- Separation of scheme and processing: the IFR requires that companies operating both a "scheme" business as well as a "processing" business should implement a "functional separation" of these two activities. In particular, those two businesses need to be operated independently in terms of "accounting, organisation and decision-making process" (Article 7 IFR).
- Co-badged cards: the IFR provides more freedom to issuers in terms of which brands/schemes they can place on a card. Under one interpretation of the IFR, it is in fact the consumer who can choose, amongst the brands that are issued by an issuer, which brands he/she would like to see placed on his/her card. When a co-badged card is used to make a payment (whether face-to-face or online), the IFR provides that, ultimately, it is the cardholder who can choose which brand/scheme will be used to make the payment – although the merchant may seek to influence that choice by having a priority selection installed in the terminal (Article 8 IFR).
- Steering: the merchant can also steer the consumer towards its preferred means of payment or card brand, e.g. by setting a minimum price below which he does not accept the card, or offering a discount for cash payments (Article 11 IFR). In countries that allow merchants to surcharge card transactions (such as e.g. the UK, Belgium, etc.), merchants may continue to surcharge consumer cards until January 2018 at the latest; as from January 2018 such surcharging will no longer be allowed (however may be allowed to continue in relation to commercial cards) – this is regulated by the revised version of the PSD2.
- More information for merchants: acquirers are required to provide more information to merchants, both in the merchant contract (Article 9 IFR) as well as on a regular basis – e.g. once a month (Article 12 IFR).
- Relaxation of the Honour All Cards Rule (HACR): historically, a merchant who had decided to accept a brand of card payments was required to accept all the cards under that brand, including commercial cards under that brand. In a nutshell, that is no longer the case: a merchant is now free to determine which brands and/or categories of cards it would like to accept – e.g. only accept consumers' cards (that are subject to the interchange fee caps) but not commercial cards under that same brand (that are not subject to interchange fee caps).
- By June 2019, the EC is expected to produce a report on the impact of the IFR on the market (e.g. will issuers increase the fees they charge to consumers so as to recoup the reduction of interchange fee revenue? Will merchants pass onto consumers the reduction of interchange fees/Merchant Service Charges in the form of lower retail prices, or not?).
How will it affect your business?
The IFR essentially grants new rights to EU consumers and EU merchants – and creates additional obligations for issuers, acquirers and card schemes. It raises of lot of questions of interpretation – for example:
- As an issuer, how are you expected to perform net compensation calculations? Are you required to issue a MasterCard/Visa co-badged card to a consumer if he/she would like one, or a tri-badged MasterCard/Visa/domestic scheme card? Do so-called "individual pay" cards qualify as commercial cards in your country (attracting unregulated interchange fees), or as consumer cards (capped interchange fees)?
- As an acquirer, how are you supposed to comply with the transparency requirements that are imposed in relation to the merchant contract (Article 9), as well as the regular information requirements contained in Article 12?
As a merchant, how do you differentiate the cards that you are forced to honour based on what is left of the HACR, or those cards that you are free not to honour? How do you identify the cards that you are free to surcharge vs. those cards that you are not allowed to surcharge? If you are operating a co-brand programme, in particular with three party card schemes, do the interchange fee caps interfere with the economics of that program, and if so how?