Understanding PSD2: Key Points to Know About the Upcoming Regime1

New directive disrupts the EU payments regulatory regime. A series of Client Alerts will follow ongoing developments related to PSD2.

Key Points:

• By expanding the accessibility of customer account information, PSD2 allows third-party developers to build payment service infrastructures around the platforms of financial institutions.

• On February 23, 2017, EBA published the final draft Regulatory Technical Standards on strong customer authentication and common and secure communication, an important step toward the development of PSD2-compliant technological solutions.

• This first Client Alert provides a summary of the key aspects of the PSD2 to introduce the topic.

Latham will produce a series of Client Alerts to provide an overview of the key points of the upcoming regime introduced by the second Payment Services Directive (PSD2).2 The upcoming regime was developed in light of the recent adoption of the final draft Regulatory Technical Standards on strong customer authentication and secure communication (RTS) by the European Banking Authority (EBA).3

This first Client Alert summarizes the key innovations and features of the PSD2 to introduce the topic and to clarify the development and implementation of this new regulatory regime.4

Overview

PSD2 allows third-party developers to build payment service infrastructures around the platforms of financial institutions. To achieve this result, banks will need to provide certain third parties with access to client account information, mainly via open APIs (Application Programming Interfaces). This new approach in the banking industry, also known as “open banking,” was introduced in the market in the wake of the disruptive appearance of non-bank players providing payment services in an industry typically dominated by financial institutions. Their success in challenging the market status quo from a competition law perspective was also a factor that boosted the adoption of PSD2.

Notably, allowing payment initiation service providers to access customers’ payment accounts and requiring banks to make customer information available to third parties will undoubtedly ease customers’ experience with safe payment services. However, the approach risks burdening banks, which will still bear the costs of maintaining payment accounts but could be reduced to simple utilities. On the other hand, as observers and commentators have noted, banks could embrace the new opportunity to enhance their offerings to customers.

In detail, PSD2 has broadened the scope of the EU payments regulatory regime, which now extends to so-called “payment initiation service providers” (PISPs) and “account information service providers” (AISPs). Increases in territorial scope also extend the transparency rules of PSD2 to payment transactions in which one party is not in the European Union or in the European Economic Area (also known as “one-leg-out,” or OLO transactions).5 Significant changes have also been made to the “limited network” and “added value” exemptions that existed in the first Payment Services Directive (PSD1).6 As for the controversial issue of the commercial agent exemption, consideration no. 11 of PSD2 tries to clarify that such exclusion should apply when agents act only on behalf of the payer or only on behalf of the payee, regardless of whether or not the agents are in possession of clients’ funds. In particular, in the event these agents act as intermediaries on behalf of both the payer and the payee — such as certain online marketplaces and e-commerce platforms — the agents should be excluded from the application of the Directive only if they do not, at any time, enter into possession or control of clients’ funds. However, since the issue is addressed only in a consideration of the Directive and not in the regulatory provision itself, many fear that Member States might not take the issue into account.

In light of the increased attention the new actors of the payment services industry are receiving from regulators, the revisited framework introduces two new forms of payment services under Annex 1: the PISP7 and the AISP8 (also called third-party payments providers, hereinafter collectively the TPPs).9 In general terms, the payment initiation services provider is a third party acting between the payee and its online bank account by prompting the payment in favor of a third-party beneficiary. The account information provider is a third party that organizes and supplies information to users based on their bank account (or accounts) through an online platform after their bank grants the third party online access. Such access is strictly limited, however, to the organization and rationalization of the information on the bank account, and does not grant any operational right to the account information provider.

The general rules have also increased the information obligations that payment service providers must meet in order to obtain authorization to operate from the competent authority. A new requirement was introduced with the provision of a register to be held by the EBA.10 With regard to competent authorities and supervision, the EBA has been mandated to draft the guidelines that will regulate the exercise of the freedom of establishment, as well as the provision of services.11 The new directive has also introduced notification duties for the application of the exemptions.12 Furthermore, the transparency of terms and conditions as well as the information requirements now also apply to the TPPs.13

With respect to payment initiation services, the banks and other payment service providers will grant access to their customers’ accounts to facilitate transactions.14 This rule, the so-called “open access” rule or “XS2A,” is one of the most important aspects of PSD2 because it will induce banks to allow access via APIs to their customer accounts upon the customers’ authorization. At the same time, the initiation service providers are burdened with increased security obligations and liabilities in case of unauthorized or defective execution of payment transactions.15 In particular, PSD2 provides new, stricter requirements relating to customer authentication.16 However, pursuant to the final draft of the RTS, such requirements will not apply to, inter alia, “low risk transactions” for payments under €500 and to “unattended terminals” used for transport or parking fares.17

In relation to account information services, the new framework requires payment service providers to grant access to the accounts managed on behalf of a customer if the customer has given “explicit consent” to the PISP.18 Account information services providers are also subject to the new security obligations.

In the context of the section relating to rights and obligations, the regime for allocating the liability between a TPP and other payment service providers19 merits attention. The new debated liability regime provides that in the case of an unauthorized payment made through an initiation payment provider, the account servicing payment service provider (ASPSP)20 will be liable to reimburse the user, but then the ASPSP will have a remedy against the TPP.

Finally, the new rules also include transparency obligations over account services and charges, reporting obligations and complaint procedures for consumers.

Under these new rules, consumers will, in theory, receive economic benefits, increased consumer rights and stronger payment security.21

The next Client Alert in this series will discuss the main criticisms arising from the more problematic provisions of PSD2, including, inter alia, those regarding security and authentication,22 and the related new provisions contained in the final RTS; the liability regime in case of unauthorized or defective payments; and the rules for OLO transactions.