PSD2 was transposed into Irish law by the European Union (Payment Services) Regulations 2018 (the 2018 Regulations).
PSD1 came into force in Ireland in 2009 and set out rules on electronic payments, such as mobile and online payments, electronic credit transfers, direct debits and debit and visa card payments. Given the substantial progress made since 2009 in the use of technology for accessing financial services, PSD2 was introduced to update and bolster the rules set out in PSD1 and to make internet payments easier and safer.
PSD2 is also broader in scope than PSD1. It introduces two new categories of payment service providers that require authorisation, namely payment initiation service providers or “PISPs” and account information service providers or “AISPs”. PISPs help consumers make online credit transfers. They also inform sellers of goods or services immediately when an online payment has been initiated by a consumer. This allows for the immediate dispatch of goods or immediate access to services purchased online. AISPs allow bank customers to have a global view of their financial situation by enabling consumers to consolidate the different current accounts they may have and to divide their spending into different categories.
As a result of the broader scope of PSD2, the new regulatory regime for payment services can apply to financial institutions, retailers, tech companies, gaming, gambling and social media entities. The regime can also potentially extend to any firm involved in financial transactions or accessing financial information.
Main points of the 2018 Regulations:
- Greater access to bank accounts and account information: Where instructed by their customers to do so, Irish banks will be required to provide a wide range of third-party service providers with access to customer data. Where a bank denies a PISP or an AISP access to a customer’s payment account or their account information, the bank must immediately submit a “Denial of Service” report to the Central Bank, setting out the reasons for the denial.
- Ban on surcharges: Under PSD2, surcharges for consumer debit and credit card payments are prohibited, both in shops and online.
- Reduced customer liability: The customer’s liability for non-authorised payments, which was previously €75, has been reduced to €50, and customers have an unconditional right to a refund in euro for non-authorised direct debits.
- Firms already authorised under PSD1: In light of the transitional provisions in PSD2, firms authorised under PSD1 have six months from 13 January 2018 in which to submit their application for authorisation under PSD2. They can continue to provide payment services during that time. If firms wish to be in a position to continue providing payment services after 13 July 2018, their application for authorisation under PSD2 should be submitted no later than 13 April 2018. The Central Bank assessment process will take approximately three months. Firms authorised under PSD1 that fail to obtain an authorisation under PSD2 by 13 July 2018 will not be allowed to provide payment services in Ireland after that date.
- Limited Network Exclusion: This exemption is being narrowed and applies to services based on specific payment instruments that can be used in a limited way, subject to certain conditions. It also applies to instruments that can be used to acquire a very limited range of goods or services. Examples of services that potentially fall within the scope of the Limited Network Exclusion include providers of gift cards, fuel cards or shopping centre cards. Payment service providers relying on the Limited Network Exclusion must notify the Central Bank where the total value of payment transactions exceeds €1m in any 12 month period. The notification will have to be submitted annually unless the total value of payment transactions falls below €1 million and should that happen, the entity must inform the Central Bank of that fact.
- Reporting: Under the 2018 Regulations, firms will have to submit various reports to the Central Bank. These include operational reports, denial of service reports, and major incident reports. A major incident, according to the relevant European Banking Authority Guidelines, is a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.
The 2018 Regulations change the payment services landscape in Ireland for established banks, new entrants to the market and FinTech companies. The primary aim of the legislation is to promote transparency and competition and it is hoped that this will ultimately benefit customers. In addition to these significant opportunities, the 2018 Regulations also present challenges for firms in the form of new reporting obligations, the narrowing of exemptions and exclusions from the requirement to hold a licence and, for existing firms, the need to enter into the Central Bank authorisations process again in order to be authorised under PSD2.