The Payment Services Directive 2007/64/EC (“PSD I”) is a fundamental piece of payments-related legislation in Europe, primarily aimed at creating and regulating a single market for payments across Europe. The Second Payment Services Directive 2015/2366 (“PSD II”) entered into force in January 2016 to repeal and replace PSD I and was recently transposed by the Member States into national laws on 13 January 2018.

PSD II is a significant evolution of existing regulation for the payments industry and requires payment service providers (PSPs) to make a significant number of changes to existing operations. The following is a brief outline of the salient changes introduced by PSD II.

Extension of scope

In an effort to incorporate new and emerging payment services and technologies, PSD II brings a new category of payment service providers within its scope: Third Party Payment Providers (“TPPs”). A TPP is a PSP which does not hold customer payment accounts. Under PSD II there are two types of TPPs, namely Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”). AISPs offer aggregation services related to payment accounts held by a payment service customer with payment service providers, whilst PISPs access a customer’s payment account to initiate the transfer of funds on their behalf.

In addition to this, the application of PSD II (unlike PSD I) is not restricted solely to euro payments and does not require the PSPs of both the payer and the payee to be situated within the EU/EEA for a payment transaction to fall within its scope. Under PSD II only one of the PSPs needs to be located within the EU/EEA and payments may be made in all currencies.

Enhanced security measures

PSD II focuses on implementing enhanced security and risk management arrangements for electronic payments. This is a key issue for many payment users, and notably consumers, when paying via the internet. In fact, all PSPs will need to prove that they have certain security measures in place ensuring safe and secure payments. The PSP will have to carry out an assessment of the operational and security risks and the measures taken on a yearly basis. Examples of newly adopted security measures include the requirement for all debit cards to have a chip and PIN, making debit cards with just a magnetic strip a thing of the past, as well as the requirement to comply with ‘strong customer authentication’ requirements at different stages of the payment transaction.

With the aim of further safeguarding customers’ rights, PSD II has reduced the amount payable by a payer in an unauthorized payment scenario from €150 to €50 (subject to exceptions in the case of fraud or gross negligence of the payer). The customer will also benefit from a 13-month refund right for unauthorized transactions, which shall also include payments made through third parties.

‘Surcharge’ prohibition

A key aspect of PSD II for merchants is the introduction of a prohibition on surcharges in connection with card payments in the vast majority of cases (including all popular consumer debit and credit cards), both online and in shops. PSD II allows member states to prohibit or limit the right of the payee to request charges, taking into account the need to encourage competition and promote the use of efficient payment instruments. In this spirit, the Central Bank of Malta (CBM), which is responsible for implementing the substantive parts of PSD in Malta through the CBM Directive No 1 on ‘The Provision and Use of Payment Services’, published the final text of the revised CBM Directive on 9 January 2018; that text explicitly prohibits surcharging on all electronic payment instruments.

The next steps for implementation of PSD II under Maltese law will involve the publication of a consultation paper in the coming months by the Malta Financial Services Authority in relation to proposed changes to the relevant financial institutions rulebook to implement licensing and ongoing regulatory requirements introduced by PSD II.