The legislative proposal for the implementation of PSDII (2015/2366/EU) was submitted to the Dutch Parliament on 23 October 2017, together with the advice of the Council of State and of the Dutch Data Protection Authority. PSDII is due to be implemented on 13 January 2018, but the Minister of Finance has already indicated that the legislative proposal will likely enter into force in the spring of 2018.
Main changes to be expected under PSD II
- PSDII will have a broader scope than its predecessor PSD I; for example, it will include a number of new payment operators, from gift card operators to account information service providers.
- PSDII includes in its scope “one leg” payment transactions, which are payments made to or from locations outside Europe. Transactions made in a non-European currency will be captured by the regulation if both the payer and the recipient are located in the EU.
- There will be two new types of third party providers, namely payment initiation service providers (PISP) and account information service providers (AISP). Instead of initiating the payment directly with their bank, the payer initiates the payment via the PISP, which in turn passes the instruction to the bank. The AISP can provide its client with consolidated information from multiple payment accounts.
- Operators of client cards or another payment instrument for limited use should assess whether they can still make use of the so-called “limited network exemption” under PSDII, as this exemption is defined more strictly.
- Security is a key element of PSDII. There are new security requirements covering account access and electronic payments.
- PSDII introduces a number of changes intended to harmonise the approach to passporting of a license across the EU and ensure adequate levels of control.
- The legislative proposal introduces further conduct of business rules such as in relation to non-permitted payment transactions and unintended transactions and the use of ‘surcharges’ for payment transactions.
- Holders of a qualifying holding in a payment service provider are required to have a declaration of no objection from the Dutch Central Bank. For existing payment service providers it is already possible to request such a declaration of no objection.
Data protection aspects
Further rules will be introduced in a (to be published) governmental decree on the client's required permission for giving payment service providers access to their personal data. The legislative proposal has been changed on a few points on the basis of the advice of the Dutch Data Protection Authority to look into the concurrence with the General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018, and the supervision of data protection when providing payment services. Furthermore, in its advice the Dutch Data Protection Authority notes that it will provide further advice on the use of personal data in relation to PSDII.
Click here for the PSDII implementation legislative documents (in Dutch).