Getting Ready for PSD2
The recast Payment Services Directive (PSD2) will have a dramatic effect on the EU's payment landscape, providing the framework for the evolution of the FinTech Industry and effecting changes for traditional payment institutions such as payment card businesses and operators of payment accounts. For new entrants it provides opportunities and for incumbent firms it will create challenges. In any event, PSD2 will apply and be of interest to a broad range of banks, card companies, money services businesses, outsourcing suppliers and mobile network operators.
PSD2 will take effect from 13 January 2018. The European Banking Authority (EBA) is in the process of developing Regulatory Technical Standards (RTS) on passporting and on strong customer authentication and secure communication. These developments must be looked at together with the EU's Interchange Fee Regulation (IFR) which has introduced major changes for the European payment card industry.
This Briefing considers the principal changes and the issues that firms should consider to get ready for implementation of PSD2.
PSD2 - Key Changes
- More transactions will fall within scope, including through a new geographical ambit and its application to transactions in currencies other than the Euro.
- Implementing narrower exemptions and new notification obligations to regulators.
- Requirements relating to non-discriminatory access to payment systems and accounts.
- Creation of new regulated payment services of payment initiation and account information.
- Strengthened security requirements and strong customer authentication.
- New consumer protections.
PSD2 responds to a variety of developments that have arisen since 2007 when the current Directive was first adopted. Most markedly, there has been rapid technological change in the payments industry, which is in the vanguard of FinTech developments. Many customers are embracing new technology; the volume of online and mobile payments has increased significantly. According to a recent report by Payments UK, the proportion of payments in the UK made using cash has fallen from 64% in 2005 to 45% in 2015, with electronic payments surpassing cash payments for the first time, and cash is expected to fall to 27% by 2025.
Technological innovation has facilitated the development of new types of services, which presently fall outside the regulatory framework. The new Directive will extend the scope of regulation to cover new services including payment initiation. As a quid pro quo of crossing the regulatory perimeter, operators of such services will be able to passport their activities across the EU, and avoid the current patchwork of Member State specific regulations. PSD2 will therefore simplify matters but at a price.
The Commission also aims to increase competition in the payments sector by promoting non-discriminatory access to payment systems and accounts, as well as by recognising new services.
Consumer protection will be boosted through greater transparency of costs and protection from charges. It will also benefit from PSD2's extended geographical reach and the corresponding restrictions on current exemptions, which are intended to prevent their abuse and to achieve a more level playing field across the EU in terms of their application. Finally, in response to growing cyber crime and online fraud, PSD2 continues the trend towards enhancing the security around the making of payments.
Interchange Fee Regulation
PSD2 is closely linked to the Interchange Fee Regulation for card based payment transactions. The IFR aims to increase competition through new conduct of business rules, a cap on multilateral interchange fees and a requirement to separate scheme and processing activities. The cap, which has applied from 9 December 2015, limits the level of interchange fee between acquirers and issuers that can be applied to credit or debit card transactions. Additionally, new conduct of business rules that apply from 9 June 2016 prohibit requirements, such as the "honour all cards rule," whereby card schemes or payment service providers oblige merchants to accept all cards of a particular brand. Even more far reaching, there are provisions which will bring about the separation of payment card schemes and processing entities and mandate their independence in terms of accounting, organisation and decision-making. The EBA has published draft RTS on the separation of scheme and processing but, given the limited scope of the EBA's mandate, the RTS are light on detail. The new UK regulator, the Payment Systems Regulator, has published its own guidance on the IFR.
PSD2 has an extended geographical reach. The current directive only governs payments made wholly within the European Economic Area (i.e. where both legs take place in the EEA) in Euros or in the currency of a Member State (e.g. pound sterling). PSD2 will in contrast cover transactions in any currency and, additionally, even where only "one leg" is within the EEA. To the extent they do not already do so, money remittance services will need to give more information to customers. Increased transparency may result in more competitive cross-border services which, due to limited investment in systems and processes, are still relatively expensive, slow and lacking in transparency. Some Member States (but not the UK) have unilaterally extended aspects of PSD protections to the EU leg of payments outside Europe.
At present, a payment transaction in U.S. dollars made by a payment service user (or customer) via payment service providers from London to Frankfurt will not fall within the ambit of the existing directive. Nor would a payment transaction (in any currency) between London and Hong Kong. The former transaction would fall outside the scope of the PSD as a U.S. dollar (non-euro / Member State) transaction and the latter on the basis that both legs were not within the EEA.
In future, both of the above examples will be subject to regulation, although there will be a reduced level of protection for customers in respect of information requirements and the obligations owed to them by payment service providers. In the first case, there would be no obligation on payment service providers to specify a maximum execution time, to refrain from deducting charges from the amount transferred or to ensure that the payee receives funds by the following business day or D+1. Where only part of the payment transaction is within the EEA (i.e. from London to Hong Kong), then the payment service provider will only be responsible for that "leg." In this regard, a further reduced level of obligations and protections will apply, for instance, over the provision of information, the imposition of charges, the timing of receipt of funds and liabilities towards customers for defective, late or non-execution. Current terms and conditions and service standards will require review.
The recast directive will scale back the existing exemptions from the need to obtain (full) regulatory authorisation. In the absence of a uniform approach to implementation, firms benefiting from an exemption as it applies in each Member State may achieve a competitive advantage over authorised providers that are regulated. The main exemptions and the changes are as follows:
Small payment institutions
Under the existing directive Member States may waive certain regulatory requirements for small payment institutions which, amongst other criteria, have average monthly payment transactions not exceeding €3 million over the previous 12 months. According to the Commission, while 15 Member States have offered this exemption, it has only been relied on by firms in nine jurisdictions. These providers generally undertake low value remittances and retail foreign currency transactions, except in Poland where the exemption has been used to provide bill payment services.
PSD2, however, allows Member States that exercise this option to choose a lower threshold. In this event, firms currently using this exemption would either need to reduce their turnover, review their business model, or apply to become an authorised payments institution (with all that entails). In any event, they should monitor carefully their turnover lest they exceed the applicable threshold. Small payment institutions remain without a passport for payment services.
Commercial agents
In general terms a payment transaction undertaken by an agent (including a commercial agent) that negotiates the sale of goods or services for another is not considered to be a payment service. This exemption has been used for many years by bill payment service providers, for example, to allow customers to pay utility bills. Recently, it has been used increasingly by operators of e-commerce platforms that facilitate the exchange of goods and services, and likewise payment, in return for a fee.
Consequently, concerns have arisen that customers are being exposed to risks that payments regulation seeks to mitigate. The Commission considers that the exemption is too widely drawn, besides its uneven application across Member States. PSD2 seeks to control and limit its use by requiring firms to put in place a formal agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or payee, but not both. In practice, in future, e-commerce platforms are most likely to choose to act on behalf of the payee as recipient of the payment. Such platforms will need to carefully review their business model to confirm whether they remain compliant and, if changes are necessary, whether they are feasible.
Limited networks
This exemption is commonly used by retail chains (e.g. gift cards or loyalty bonus cards) for low value payments. The precise extent of this exemption has been unclear and, despite attempts to restrict its availability, uncertainty remains in PSD2, especially over what is meant by "limited". In the UK cards market, some types of payment instruments might avail themselves of this exemption although other Member State regulators have taken a stricter approach. Again, the Commission considers that its use has gone significantly beyond what was originally envisaged, exposing users to security and operational risks. In this respect, confusion can arise on the part of consumers between instruments issued under this exemption and those falling within and benefiting from regulation. PSD2 therefore restricts its use to "instruments" in the following circumstances:
- where a payer acquires goods or services on the premises of the issuer or within a limited network of service providers under a direct commercial agreement with a professional issuer. The reference to a "direct" commercial agreement in the second limb suggests an absence of intermediaries between a provider and the issuer. The requirement for a "professional" issuer is new and undefined but suggests an entity which specialises in that activity.
- the purchase of a very limited range of goods or services. What is meant by "very" limited is unhelpfully not defined. Whether this is one, two, three or more is unclear.
- in a single Member State the purchasing of specific goods or services regulated by a public body for social or tax purposes. This use could encompass luncheon vouchers.
There is also a new notification obligation (for the first two circumstances) if the value of payment transactions exceeds €1 million over the preceding 12 months, to allow national regulators to monitor the use of the exemption. National regulators will review whether the activities qualify for exemption. Firms may find that regulators require them to seek authorisation if they are to continue and, therefore, careful analysis of the nature of their services and monitoring of their extent will be necessary.
Electronic communications networks
This exemption is relevant to providers of electronic communications networks or electronic communications services such as mobile phone operators. In tightening this exemption, PSD2 aims to address the fact that the exemption has been used to cover a very broad range of services which permit users to make purchases of goods, services and products through their mobile phone. The exemption is for digital content and voice-based services, for example, ringtones, music, games, videos or apps provided to subscribers. These must be purchased by a digital device (i.e. a mobile phone), alongside the electronic communication services and charged to the same bill.
The principal risk relating to this exemption under the PSD was its failure to prevent operators from using it for payments for real goods and services, on occasion through the distribution of vouchers. PSD2 now specifically refers to digital content and voice-based services, although one concession is its extension to charitable donations and payments for the purchase of tickets.
Again, to control potential risks to customers, the value of any single payment will be limited to €50 and, cumulatively, to not more than €300 per month. Operators will also need to provide national regulators with an audit opinion on an annual basis certifying that their activity does not exceed these monetary limits.
Automated teller machines
This applies where automated teller machines (ATMs) are operated independently from payment services providers that offer payment accounts. The Commission considers that the exemption has helped to improve the coverage of ATMs across the EU, especially in more rural areas where historically there has been less provision. In this light, the exemption will be maintained, but in future ATM operators will have to comply with the transparency provisions in PSD2 so that customers will receive information on withdrawal charges.
Access to payment systems and accounts
PSD2 provides that access to both payment systems and to payment accounts should be on an objective, non-discriminatory and proportionate basis. Moreover, rules on access may not go beyond what is necessary to safeguard against specific risks such as settlement risk, operational risk and business risk and to protect the financial and operational stability of the payment system. Restrictions on participating in other payment systems and rules which discriminate between payment service providers are prohibited. Payment systems made up exclusively of payment service providers belonging to the same group, such as true three-party schemes, however, are excluded from this requirement on the basis that they provide competition to or cater for parts of the market that are under-served.
For payment accounts, the degree of access must be sufficient to allow firms to provide payment services in an unhindered and efficient manner. Access to payment accounts may only be denied by an account provider to other service providers on the basis of objective evidence-based reasons concerning unauthorised or fraudulent use.
New payment services
In the context of mandating access on an objective, non-discriminatory and proportionate basis, PSD2 gives regulatory recognition to two new types of payment services that join the existing services listed in the recast directive:
- payment initiation services; and
- account information services.
Payment initiation service: a payment initiation service is a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
Account information service: an account information service is an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
While such services already exist, as the PSD is silent, their legal and regulatory basis is at best unclear. These services are one of the key developments of the recast directive and have led to concerns on the part of payment account providers about the possible loss of revenue, the security of access, data privacy and liability. Non-bank digital entrants into the payments market, including technology giants and small start-up businesses, may win significant market share from traditional banks, which may face the loss of the more profitable parts of their businesses. Customers are becoming ever more accustomed to faster and easier payments and, potentially, will go elsewhere if providers do not respond. Other factors include changing consumer preferences and increasing, costly regulation.
Payment initiation services
A customer will have the right to use a payment initiation service where their account is accessible online. In the context of consumers and retailers, such a service offers the potential for cheaper payment transactions without the use of a credit or debit card allowing payment directly from a customer's account.
Customer consent to the transaction is given through the payment initiation service, which will use the customer's identity and security information to access the account. Moreover, the account provider must allow the payment initiation service to rely upon its authentication procedures. Access is not dependent on a contract, as the basis for providing the service is set out in the recast directive. For example, it allocates liability between the account provider and the payment initiation service, each bearing responsibility for its respective part of the transaction. Under PSD2, in the case of an unauthorised payment, it will be the account provider which must reimburse its customer before seeking compensation from the payment initiation service.
Account information services
Consumers will be able to access and view all their accounts through a single gateway and login. Currently, the use by customers of these services is often contrary to the terms and conditions of their account providers. Given that this service does not involve payment transactions, in contrast to payment initiation services, it is subject to a reduced authorisation and supervisory regime.
Security of Payments
As the recitals to PSD2 explain, in recent years the security risks relating to electronic payments have increased. In part, this is because of the increasing technical complexity, the ever growing volume of electronic payments and the development of new types of payment services. PSD2 places responsibility for security risks on payment service providers and aims to mitigate them through a clear and harmonised regulatory framework.
Payment service providers must have a security policy document which includes a detailed risk assessment and a description of their security control and mitigation procedures. They should also establish a framework to manage operational and security risks relating to their payment services. In doing so there must be effective incident management procedures, which include the detection and classification of major operational and security incidents. Reporting must take place to national regulators on an annual, if not more frequent, basis. The EBA is tasked with issuing guidelines on security measures to national regulators and firms over the steps required to comply, including the certification process. Currently, these are likely to be available by mid-2017.
Firms will also have to report major operational or security incidents to their national regulator. Perhaps more problematic is the requirement to notify customers where it may impact their financial interests without undue delay and the steps they can take to mitigate any adverse effects. Quite how firms should interpret the impact to customers' financial interests is unclear. Moreover in terms of remedial action, in extreme cases, this might include the unpalatable option of closing a service.
Strong customer authentication
All payment services providers will need to increase online transaction security. Strong customer authentication must be used which is defined as a means of authentication based on the use of two or more elements:
- Knowledge - something only the user knows (e.g., a password or PIN)
- Possession - something only the user holds (e.g., a card or a token)
- Inherence - something only the user is (e.g., a fingerprint or voice recognition)
Firms must use strong customer authentication where customers access a payment account online and initiate an electronic payment transaction in respect of "any action, through a remote channel which may imply a risk of payment fraud or other abuses." Moreover, some remote payment transactions, that include payments over the internet, will have to "dynamically link" the transaction to a specific amount and to a specific payee. Although technical standards will provide exemptions for low value payments at the point of sale, such as contactless and mobile payments, firms may find implementing the requirements of strong customer authentication challenging and may encounter customer resistance. Where a firm fails to use strong customer authentication the payer will not bear any financial loss unless they have acted fraudulently.
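As an added illustration, not part of this Briefing and not the EBA's RTS (which, as noted, are still to be drafted), the Python sketch below shows one hypothetical way an authentication code can combine a possession element (a device secret) with a knowledge element (a PIN) and be "dynamically linked" to the amount and payee the payer was shown, so that any later change to either invalidates the code. The device secret, PIN salt, challenge handling and sample transaction values are all constructed for the example.

```python
"""Illustrative dynamic linking for strong customer authentication.

Hypothetical scheme (not the EBA RTS): the payer's device holds a device
secret (possession), the payer enters a PIN (knowledge), and the resulting
code is bound to the exact amount and payee displayed to the payer.
"""
import hashlib
import hmac
import secrets

# Constructed sample credentials; a real deployment provisions these per customer.
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
PIN_SALT = b"constructed-per-customer-salt"


def pin_verifier(pin: str, salt: bytes = PIN_SALT) -> bytes:
    """Knowledge element as a slow hash, so neither side stores or sends the raw PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


def canonical_transaction(amount_cents: int, currency: str, payee: str,
                          challenge: bytes) -> bytes:
    """Length-prefixed encoding of exactly what the payer was shown (amount,
    currency, payee) plus a one-time challenge from the account provider.
    Length prefixes stop two different (amount, payee) pairs from encoding
    to the same bytes."""
    if amount_cents < 0:
        raise ValueError("amount must be non-negative")
    fields = [str(amount_cents).encode("ascii"), currency.upper().encode("ascii"),
              payee.encode("utf-8"), challenge]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def _combined_key(device_secret: bytes, verifier: bytes) -> bytes:
    # Both elements feed the key: a wrong device secret OR a wrong PIN yields a
    # different key, so the code only verifies when both elements are right.
    return hmac.new(device_secret, verifier, hashlib.sha256).digest()


def authentication_code(device_secret: bytes, pin: str, amount_cents: int,
                        currency: str, payee: str, challenge: bytes) -> str:
    """Payer's device: code bound to both elements and to the displayed transaction."""
    key = _combined_key(device_secret, pin_verifier(pin))
    msg = canonical_transaction(amount_cents, currency, payee, challenge)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def verify(device_secret: bytes, stored_verifier: bytes, amount_cents: int,
           currency: str, payee: str, challenge: bytes, presented: str) -> bool:
    """Account provider: recompute from stored credentials and the transaction it
    is actually about to execute. Any change to amount or payee after the payer
    approved the transaction makes the presented code fail here."""
    key = _combined_key(device_secret, stored_verifier)
    msg = canonical_transaction(amount_cents, currency, payee, challenge)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Walk through one approval and three altered executions; returns the outcomes."""
    challenge = secrets.token_bytes(16)   # fresh per transaction, issued by the provider
    stored = pin_verifier("4321")         # what the provider holds for this customer
    code = authentication_code(DEVICE_SECRET, "4321", 1250, "GBP",
                               "Example Retailer Ltd", challenge)
    shown = (1250, "GBP", "Example Retailer Ltd")
    return {
        "as_shown": verify(DEVICE_SECRET, stored, *shown, challenge, code),
        "amount_changed": verify(DEVICE_SECRET, stored, 9999, "GBP", shown[2], challenge, code),
        "payee_changed": verify(DEVICE_SECRET, stored, 1250, "GBP", "Other Payee", challenge, code),
        "challenge_reused": verify(DEVICE_SECRET, stored, *shown, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    print(demo())  # as_shown True; the other three False
```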
Detailed requirements in respect of encryption will be provided in RTS on strong customer authentication and secure communication to be drafted by the EBA. Unfortunately, these are not expected to apply until autumn 2018, some six months after PSD2 takes effect, although a draft text should be available in 2016. In the meantime, there are the European Central Bank's recommendations for the security of payment account services and mobile payments and the EBA's guidelines on the security of internet payments. As for the latter, the FCA has said that it will not require firms to follow them ahead of PSD2 transposition. Where, however, firms carry out cross-border payment transactions they may wish to adopt the EBA's guidelines earlier, bearing in mind that national regulators in other Member States may have asked their firms to follow them.
New consumer protections
In addition to the geographical extension of regulation and the narrowing of exemptions, customer rights are further strengthened under PSD2. The following are particularly relevant:
- customer liability in the case of third party fraud (e.g. arising from a lost, stolen or misappropriated payment instrument) will be reduced to a maximum of €50 compared to €150;
- customers will have an unconditional right to a refund for a SEPA direct debit. While this is already available in the UK and some Member States via direct debit guarantee schemes, this will now be put on a legal basis;
- customers will have to agree before sums in their accounts are "blocked" by payees (e.g. deposits taken by car hire companies) to ensure funds are available when payment becomes due;
- customer complaints must receive a substantive and comprehensive reply within 15 business days of receipt except in exceptional situations where a maximum of 35 business days applies (currently a maximum of 8 weeks for UK financial services firms). Member States may introduce stricter rules; and
- in most cases customers may only be surcharged by a payee for the direct cost of using a credit or debit card.
PSD2 also clarifies that a customer may reject proposed changes to a framework contract (e.g. the terms and conditions governing a bank account) at any time before they take effect and can terminate the agreement at any time up to that point. A customer's right to terminate extends to all agreements, not only those which have lasted over 12 months. While customers may be charged for termination where the contract has been in force for less than 6 months this is limited to any costs actually incurred.
Business customers may continue to opt out of various of the protections available under PSD2, for example, the prohibition on charging for information required to be provided under the regulations.
Firms should be planning for implementation of PSD2 on 13 January 2018. Amongst the matters they should consider are:
- the expanded geographical scope and narrowed exemptions mean that firms which are not regulated now may need to become authorised payment institutions or revise their business model;
- reviewing systems and procedures to identify how their business is impacted and what changes are required, for example to IT, documentation (terms and conditions), processes and staff training;
- if relevant, the impact on their business from the creation of payment initiation and account information services;
- whether their security measures in respect of payments transactions are compliant; and
- the opportunities to develop their business in a changing regulatory and technological environment such as the growth in data capture from electronic payments.