On 12 January 2016, the EU Directive on Payment Services in the Internal Market (EU 2015/2366) (known as PSD2) came into force, replacing the existing Payment Services Directive as the main framework of rules on payment services in the EU.
Much of the commentary on PSD2 has focused on how it:
- imposes more stringent customer authentication obligations on payment service providers (PSPs); and
- requires PSPs to make it easier for customers to obtain payment initiation and account information services from third parties (Third Party Payment Services Providers or TPPs).
But PSD2 also introduces other important changes to which banks and other PSPs will need to adapt before it is implemented in the member state(s) in which they operate (which must be by 13 January 2018).
Scope of payments subject to PSD2
The current EU payment services rules only apply to a payment if it is in the currency of an EU member state and if both the payer's PSP and payee's PSP are in the EU. By contrast, PSD2 will apply to payments in any currency where either PSP is in the EU.
A PSP receiving a payment within the scope of PSD2 will have to "value date" it and make the payment amount available to the customer on the business day the payment is credited to the customer’s account. This rule is only disapplied if the payment requires the payee PSP to carry out a currency conversion involving a non-EU member state currency. For example, the rule would apply if a UK bank received a payment in US dollars which it was to credit to the customer’s account in US dollars, but not if the bank was converting the US dollar payment into euro or sterling.
PSD2 will reduce the liability of a customer following an unauthorised transaction. Customers will not be liable for an unauthorised transaction where:
- the loss, theft or misappropriation of the payment instrument was not detectable by the customer; or
- the PSP has not put "strong customer authentication" procedures in place.
The cap on customer liability in other instances will be EUR 50 (lower than the cap currently set in the UK).
PSPs will also have to make refunds for unauthorised payment transactions by no later than the end of the next business day following customer notification of the unauthorised transaction.
In light of the new rules on TPPs, banks may wish to consider:
- obtaining express customer authorisation to deny a TPP access to a payment account if the bank suspects the TPP of attempting unauthorised or fraudulent access; and
- excluding liability for losses arising from failures attributable to TPPs. For example, where a TPP initiates a payment, that TPP should be liable for the payment services it manages, including for compliance with the relevant authentication, recording and technical aspects.
Banks will have to satisfy themselves that the TPPs approaching them for access are authorised to carry on TPP activities and that the customer has expressly consented to receiving services from those TPPs.
If funds have been credited to the wrong account as a result of the customer providing an incorrect unique identifier, a PSP will have to provide the customer with all information relevant to enable it to recover the payment.
PSD2 requires a PSP to reply to a customer complaint within 15 business days of receipt of the complaint. In exceptional circumstances beyond the PSP's control, this can be a holding reply, provided the PSP gives a substantive response within 35 business days. It remains to be seen whether the UK’s implementation of this requirement will result in two different time limit rules being applied. Under current UK rules there is a single eight-week limit.
Banks acting as TPPs
Banks may also capitalise on the opportunities for TPPs introduced by PSD2 by rolling out payment initiation or account access services themselves (e.g. via wallets). This could arguably help mitigate the loss of interchange fee revenue likely to result from increased competition from other providers of payment initiation services. Banks must, however, ensure that the framework contracts for the provision of these services are compliant with the customer protection provisions of PSD2, which will also apply to TPPs.
Review and notification of contractual changes to customers
PSD2 retains the key building blocks of customer protection from the first Payment Services Directive. However, it also introduces changes that will impact on the contractual terms PSPs agree with their customers, as well as on related fee schedules, and policies and procedures.
A consultation by HM Treasury on the draft UK implementing regulations is imminent. Once the new UK Regulations are published, banks and other PSPs in the UK should take the opportunity to review all payment account documentation for compliance with the new regime. They must notify their existing customers of any amendments to their terms and conditions at least two months before the date they come into effect. Given the 13 January 2018 deadline for implementation, Brexit will not offer any relief from compliance.
Law stated as at 6 December 2016.