The main objectives of the Payment Services Directive (EU) 2015/2366 (PSD2), transposed under Maltese law by inter alia the Financial Institutions Act, Chapter 376 of the Laws of Malta (FIA), were mainly to create a safer and more secure space for payments, to enhance protection for European Consumers and businesses and to contribute to an integrated and efficient European payments market. However, as Maired McGuinness, Commissioner for Financial Services, Financial Stability and Capital Markets Union stated: “The PSD2 has driven innovation in retail payments, to the benefit of consumers and financial service providers. It is now time to take stock with all stakeholders, and prepare our next steps. We want to boost innovation and increase consumer choice in payments and open finance, while keeping the companies and people who generate data in control”. With regards to this, the European Commission launched a public consultation to collect evidence regarding the application of the PSD2 together with any benefits and challenges which may have been encountered and any amendments which may be appropriate.
In response to the European Commission’s call for advice, the European Banking Authority (EBA) published an Opinion and Report reviewing PSD2, in which more than two hundred proposals were put forward with the aim of enhancing competition, facilitating innovation, protecting consumers as well as ensuring a harmonised application of the legal requirements across the EU creating a single EU Payments market.
Scope and definitions
The EBA is insisting on clarifications which need to be made to key concepts and definitions encompassed within the PSD2. By way of example, EBA is toying with the concept of merging together a number of payment services in Annex 1 of PSD2, due to their similar nature, particularly services 1 and 2 which deal with the placement and withdrawal of cash from a payment account, and services 3 and 4 which deal with the execution of payment transactions. Cross-referring to recent judgements by the European Court of Justice, the EBA also calls for clarifications with regards to certain terms used under PSD2, such as “payment account” and “payment instrument”.
The EBA also flirts with the notion of potentially amalgamating PSD2 and the Electronic Money Directive (Directive 2009/110/EC or EMD2) to address the challenges currently faced by the industry and supervisory authorities due to confusingly similar definitions, such as:
- payment accounts and electronic money accounts,
- payment services and electronic money-related services; and
- scriptural money and electronic money.
To tackle these dilemmas and to enhance harmonisation throughout the Member States, the EBA proposed that electronic money services are to be dealt with in the current payment services framework, due to their similar nature and risks. This will result in creating consistent and identical legal requirements for payment institutions (PIs) and e-money institutions (EMIs), particularly those obligations relating to safeguarding requirements, the initial capital and own funds.
The EBA concluded that amendments are needed to the current prudential requirements, in order to keep up with the ever-evolving business models:
- Initial Capital Requirements – The EBA proposed that all PIs, to the exception of payment initiation service provider and account information service provider should be regulated by the same initial capital requirements with the competent authority having discretion to decide whether to apply the threshold for initial capital or the one for own funds. The EBA acknowledged that since the adoption of PSD1, the initial capital requirements have remained unchanged and as a result there is no reflection of inflation or any other potential adverse changes to the economic environment which may have affected the PIs. Thus, the EBA proposed a mechanism to be incorporated within the directive to take into consideration such changes.
- Calculation of own funds – The EBA proposed the use of a single default method for the calculation of own funds to avoid regulatory arbitrage such as Method B, found under Article 9 of the PSD2, since it is the method mainly used across the EU and covers most of the applicable risks.
- Use of professional indemnity insurances –the Opinion proposes a clarification on the application of profession indemnity insurance highlighting the risks, the possibility of use of excess and the thresholds.
- Framework for recovery and wind-down – The EBA proposed the introduction of a simplified recovery and wind-down framework applicable to PIs and EMIs and the authorisation for competent authorities to have the power to manage the failures of these PIs and EMIs.
Strong Customer Authentication (SCA)
The supranational banking authority also put forward proposals for the clarification regarding application of SCA, specifically its role in the regulatory treatment of merchant-initiated transactions and transactions excluded from the scope of SCA, the mitigation of social engineering fraud and the ensuring of non-exclusion of certain groups of society. SCA is a requirement put forward by PSD2 on payment service providers within the European Economic Area (EEA) to ensure a multi-factor authentication is used when any electronic transaction is made, to certify maximum security on electronic payments. The EBA focused inter alia on the following points:
- The reliance of SCA on third party technology (TPP) – third party technology is when for instance, the authentication approach is integrated within a smartphone such as a fingerprint reader. The EBA acknowledges that often there is no contractual relationship between the PIs and smartphone manufacturer, and it may be the case that the control of the SCA falls in the hands of the latter. Therefore, there may be certain concerns if the PI does not carry out checks with regards to compliance with the PSD2. The EBA requests clarification on whether an outsourcing agreement is needed between the PI and the smartphone manufacturer and if this is not the case whether certain conditions need to be applied;
- The delegation of SCA to TSPs – The PI has no control over any credentials provided by the TSP and therefore cannot ensure compliance with the directive. Therefore, the EBA put forward that the delegation of SCA to TSPs such as digital wallet providers, should require an outsourcing agreement between the PI and TSP; and
- Whether the application of SCA should be considered a corrective and preventive measure, therefore offered free of charge.
Apart from dealing with the clarification of SCA, the Opinion also deals with the short-comings of the implementation of SCA for e-commerce card-payment transactions. The lack of readiness on the part of the actors in the payment chain and the need for competent authorities not to enforce the SCA requirements to avoid a negative impact on PSUs and the economy, led to a delay in the implementation of SCA for card-based e-commerce. The EBA put forward proposals in order to tackle this situation in the future:
- The imposition of certain requirements on the actors in the payment chain which in turn impacts the implementation of security requirements.
- The consideration of implementing such a project in stages so that the competent authority may guarantee consistent and harmonised implementation.
The EBA also addressed the move from open banking (i.e. the secure practice of granting access to third-party payment services to banking transactions and other data from financial institutions) to open finance (which is the next step in the Open Banking journey involving a person’s entire financial footprint being opened to trusted third parties APIs). The EBA put forth several recommendations to the European Commission with regards to this move including:
- A proposed legal framework on Open Finance which would incorporate adequate security requirements to ensure that the customer’s data is secure, and the risk of fraud is minimised. The legal framework would include expectations of the scope of the data to be shared and the interfaces to be used by the firms to access data. When dealing with the legal framework the interplay of such with the PSD2 should be considered to ensure that no grey areas are created with regards to provisions relating to AISPs.
- Assessing the viability of a single EU API standard – the development of such a standard should take into consideration the industry itself and the market initiatives already in place and ensure that there is equal representation of all parties.
- Addressing any uncertainties regarding the General Data Protection Regulation (GDPR) within the PSD2 in future Open Finance regulatory framework such as compliance with GDPR in the accessing of data and the application of the data minimisation principle.
- High Quality APIs – the EBA proposed to the European Commission that the decision regarding the suitable compensation for the use of APIs by third parties should be left up to the market.
In this opinion, the EBA also addressed unwarranted de-risking practices by banks affecting PIs and EMIs. The EBA proposed that the Directive puts forth ‘duly justified reasons’ for refusing access or terminating an existing account such as lack of information and documents, breach of contract, shortcomings of money laundering/terrorist financing controls etc. The EBA also stated that a mandate should be developed which could be used by supervisors in assessing whether the refusal or termination of such accounts for PIs/EMIs are justified.
The EBA through its Opinion not only exposes some unsafe potholes in PSD2 but also proposes several potential avenues on the evolution of the payment regulatory canvas in Europe. The Opinion gives a clear indication of what will be expected in the revamped PSD3, as well as how the new European legislative instrument will interplay with other acts such as the Markets in Crypto Assets Regulation (MICA), General Data Protection Regulation (GDPR), and the Digital Operational Resilience Act (DORA).