The second Payment Services Directive came into force on 12 January 2016 and Member States have until 13 January 2018 to implement it into national law. HM Treasury recently consulted on the UK Government’s approach towards implementation, with draft regulations being published alongside a summary of the main changes introduced by the Directive. Feedback from the consultation is now awaited.
The European Union’s second Payment Services Directive (PSD2) came into force on 12 January 2016 and Member States are required to transpose it into national law by 13 January 2018. HM Treasury recently published draft regulations as part of a wider consultation on the UK Government’s approach towards implementing PSD2. The consultation closed on 16 March 2017 and feedback is now awaited.
Background to PSD2
PSD2 widens the scope of the first Payment Services Directive (PSD1) which came into force in 2009. The aim of PSD1 was to harmonise the regulatory regime for payment services across the EU as well as to increase competition within the payments market.
PSD1 created a new authorisation regime for any person providing a payment service in the UK, subject to certain exceptions such as credit unions and municipal banks. Such persons are known as payment service providers (PSPs). Services falling within the definition of a payment service include those which allow a customer to, for instance, pay money into or out of an account, transfer funds between accounts, make debit card payments or remit money.
All PSPs authorised under the regime are subject to certain transparency and conduct of business requirements. These include the procedure to be followed for obtaining consent from a customer before entering into a payment transaction, as well as the need to provide customers with certain information at various stages during that payment transaction.
Since the introduction of PSD1, developments in technology have seen new forms of payment services (such as internet banking and mobile banking apps, as well as the use of so-called e-wallets) significantly alter the payment services market. These developments, together with the emergence of several new types of PSP, the ever-changing nature of security threats faced by PSPs and the need to ensure consistency throughout the Member States, prompted a review of the current PSD regime and the eventual proposal to introduce PSD2 in 2013.
The main changes introduced by PSD2 are:
Extends geographical scope
Under PSD1, the transparency and conduct of business requirements applied only to those transactions where both the payer’s and the recipient’s PSP were located in the EU and where payment was made in euros or another Member State currency. PSD2 extends the directive’s geographical scope to include transactions where only one PSP is located in the EU (known as ‘one-leg’ transactions) and to transactions in non-EU currencies where one PSP is located in the EU.
Third Party payment providers
Third party PSPs are now required to be authorised or registered (as appropriate) for the first time under PSD2. This includes PSPs who do not actively manage the account of a customer themselves, but who provide online payment initiation or account services:
a. Payment Initiation Service Providers (PISP)
PSPs who provide the software through which a customer can access their account online. PISPs act as a bridge between the customer and their bank by initiating an online payment order with the relevant bank when instructed to by the customer; and
b. Account Information Service Providers (AISP)
PSPs who provide the software through which a customer can access aggregated information from multiple online accounts that they hold, often with different banks.
The activities of PISPs and AISPs were previously unregulated and their inclusion in PSD2 ensures that they are now subject to certain security, risk management and transparency requirements under the regime. The changes introduced by PSD2 also mean that banks (or other payment institutions that operate and manage a customer’s bank account) are now required to provide PISPs and AISPs with access to a customer’s online payment account, so as to provide them with the same functionality (in respect of PISPs) or account information (in respect of AISPs) as would be available to the customer.
Changes to exemptions
PSD1 exempted certain payment transactions from falling within its scope. PSD2 narrows a number of these exemptions:
a. Commercial agent exemption – PSD1 excluded payment transactions made via a commercial agent authorised to conclude or negotiate the sale on behalf of the payer and/or payee. Under PSD2, this exemption applies only to situations where the commercial agent acts for either the payer or payee. Certain ‘platform’ businesses which match buyers and sellers for goods and services are now likely to fall outside this exemption;
b. Limited network exemption – PSD1 exempted payment transactions based on payment instruments accepted only within a limited network (e.g. store cards, membership cards or public transport cards). PSD2 clarifies this exemption by providing certain explicit conditions which a payment instrument must meet before it can qualify for the exemption, such as that the payment instrument is used to acquire goods and services only ‘in the issuer’s premises’ or ‘within a limited network of service providers’;
c. Electronic communications networks and services exemption – Under PSD1, payments made through mobile phones, the internet or other IT devices were exempt (e.g. payment for the download of ringtones or music, electronic tickets or charity donations). PSD2 restricts this exemption by imposing a €50 cap on any single transaction, and a €300 cap per customer per month.
Stricter Security Requirements
PSD2 adopts a stricter approach towards security than was evident under PSD1, with a number of new security requirements relating to the initiation and processing of electronic payments being introduced. All PSPs will, for instance, be required to apply ‘strong customer authentication’ when a customer accesses an account online or initiates an electronic payment. Strong customer authentication is an authentication process that validates the identity of the customer by the use of two or more distinct and independent elements, these being categorised as knowledge (something known only to the customer, such as a password or PIN), possession (something held only by the customer, such as a payment card) and inherence (something inherent to the customer, such as a fingerprint or voice recognition).
PSD2 also introduces an obligation on all PSPs to inform a customer directly, and without undue delay, of any incident which has or may have an impact on that customer’s financial interests, together with all the measures that a customer may take to mitigate the adverse effects of the incident. For their part, customers are required to notify the PSP once they become aware of the theft, loss or misappropriation of a payment instrument such as a bank card or password.
Changes to Surcharges
PSD2 introduces a prohibition on charging a customer any fees which exceed the direct cost which has been borne by the PSP for the specific payment instrument. The customer must also be made aware of any surcharges prior to the initiation of a payment transaction.
PSD2 introduces a number of significant changes to the current payment services regime. At the outset, all PSPs should familiarise themselves with the draft Regulations and the timeline for implementation. PISPs and AISPs requiring authorisation for the first time will also need to consider the application process and the various requirements to be met by their organisations, while PSPs currently authorised under the regime will need to be aware of the deadline for submitting additional information to the FCA. A review of internal processes and documentation will also be required by all PSPs to ensure that they comply with the updated security and information requirements.