knowledge | 21 April 2016 |
Coming Soon - A New Regulatory Framework for Payment Service Providers
The revised Payment Services Directive 2015/2366 (“PSD2”) has entered into force and Member States have until 13 January 2018 to transpose it into national law. PSD2 introduces a number of key changes to the current regulatory framework for payment services as set out in Directive 2007/64 (“PSD”). Among other things, it brings into scope payment service providers (“PSPs”) that were previously unregulated and raises conduct of business standards in a number of important areas. PSD2 will have implications for all PSPs as well as for consumers.
PSD provides the legal foundation for the creation of an EU-wide single market for payments and for the Single European Payments Area. Its key objective is to make cross-border payments as easy, efficient and secure as domestic payments within a Member State. It also seeks to promote competition by opening up payment markets to new entrants.
In essence, PSD:
- creates a new EU-wide licensing regime for Payment Institutions (ie, PSPs that are not credit institutions or E-money issuers); and
- sets out conduct of business rules for all PSPs (including credit institutions and E-money issuers) covering both information requirements and the rights and obligations in relation to the provision and use of payment services. briefing PSD was transposed into Irish law by the European Communities (Payment Services) Regulations 2009.
Although PSD has brought about significant improvements in many areas, it suffers from a number of shortcomings resulting in a fragmented framework for payment services at national level. In particular, a number of payment-related activities are exempt from its scope and in some instances these exemptions have proved to be ambiguous and uncertain in their application. In addition, Member States have implemented some of the options set out in PSD in very different ways, giving rise to regulatory arbitrage, legal uncertainty, sub-optimum consumer protection and competitive distortions.
Moreover, since PSD’s adoption in 2007, payment services have been the subject of unprecedented development including, in particular, the rapid rise of electronic and mobile payments. This has in turn created challenges from a regulatory perspective as many new payment products or services do not fall wholly, or to a large extent, within PSD.
In July 2013, the European Commission published a legislative proposal for PSD2 as part of a legislative package. It also published its proposal for a Regulation on interchange fees for card-based payment transactions (the “Interchange Fee Regulation”), which has since come into force (see our related briefing here).
PSD2’s main objective is to promote better integration, more innovation and more competition in the EU’s payment services market. In achieving this objective, it makes a number of significant changes to the existing regulatory framework set out under PSD. In particular, PSD2 introduces new licensing requirements for third party payment service providers (“TPPs”). As compared with PSD, it also has a more extensive territorial scope, a revised list of exemptions, enhanced rules on the authorisation and supervision of payment institutions, and more stringent conduct of business requirements.
Third Party Payment Providers (TPPs)
PSD2’s coverage of TPPs is one of the most significant differences between it and PSD.
TPPs are service providers that, for example, allow consumers to make online payments without the need for a credit card by establishing a link between the payer and the online merchant via the payer’s online banking module. PSD2 requires TPPs to be authorised when providing Payment Initiation Services (“PIS”) or Account Information Services (“AIS”).
PIS are services to initiate a payment order at the request of the payment service user with respect to a payment account held at another PSP. Such services play a part in e-commerce payments by establishing a software bridge between the merchant’s website and the online banking platform of a payer’s bank in order to initiate a payment transaction. Instead of using a payment card to pay for the relevant goods or services, the payer can select a TPP to act as a medium between the payer and its online payment account. The TPP provides the merchant with immediate confirmation that the requisite funds are available and the payment has been initiated and, in turn, the merchant can immediately dispatch the goods/services.
For its part, AIS are online services to provide consolidated information on one or more payment accounts held by the payment service user with either another or other PSP(s). Essentially, the AIS acts as a data aggregator and provides the payment service user with an overall view of his or her financial situation at a particular point in time. AIS may also, for example, assist customers with budgeting by allowing them to analyse past transactions and spending habits.
Although TPPs must be authorised under PSD2, the relevant authorisation requirements are more lenient then those applicable to other PSPs. In particular, TPPs are not subject to ‘own funds’ requirements, if they exclusively offer PIS or AIS. Moreover, while PIS providers will need to hold at least €50,000 at the time of authorisation, AIS providers are not subject to initial capital requirements. TPPs are also subject to different security and liability requirements as compared to other PSPs.
PSD2 also ensures that TPPs will be able to access a customer’s account(s) once the relevant payment user has given his or her explicit consent and subject to complying with additional security obligations relating to such access. Account-holders cannot make access to and use of payment accounts dependent on any sort of contractual agreement.
Broadly, PSD only applies to intra-EEA payments involving euro or EEA Member State currencies. In contrast, PSD2 has a more extensive scope both as regards its geographical coverage and the currencies involved. Specifically, for the most part, the provisions on transparency and information requirements also apply in relation to payment transactions in currencies of third countries when one of the PSPs is located within the EEA, in respect of those parts of the payments transaction which are carried out in the EEA.
While most of the exemptions available under PSD remain unchanged, PSD2 updates, and in some instances, narrows several activities currently exempt from regulation under PSD. It has particular implications for the existing exemptions for commercial agents, limited networks, digital downloads, and independent ATMs.
Commercial agents: PSD exempts payment transactions from the payer to the payee through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee. PSD2 amends this exemption so that it only applies to a commercial agent that acts on behalf of either the payer or the payee, but not an agent that acts for both.
Limited networks: Payment services based on instruments used to acquire goods or services within a limited network of services providers are exempted under PSD. PSD2 restricts the scope of this exemption in a number of ways. For example, PSD exempts services based on instruments that can be used to acquire goods or services under a commercial agreement with the issuer for a limited range of goods or services. In contrast, for the PSD2 exemption to apply, the relevant instrument must be a “specific payment instrument” and the range of goods or services that can be acquired using that instrument must be “very” limited. PSD2 also requires service providers relying on the limited network exemption to notify its relevant competent authorities where the total value of payment transactions executed over the previous 12 months exceeds €1 million.
Digital downloads: PSD exempts payment transactions for certain goods or services that are executed though a telecommunication, digital or IT device provider unless the relevant operator acts only as an intermediary between the payment service user and the supplier of the goods and services. Under PSD2, this exemption only applies to payment transactions by a provider of electronic communications networks or services that are provided in addition to electronic communication services for a subscriber to the network or service and which fall below €50 per individual transaction and a cumulative value of €300 per billing month. Service providers relying on this exemption must notify the relevant competent authorities and provide them with an annual audit opinion, testifying that the activity complies with the above thresholds.
Independent ATMs: Whereas PSD2 maintains the existing exemption for automated teller machine services offered by independent ATMs, it requires such service providers to provide certain information on withdrawal charges both before carrying out the withdrawal as well as on receipt of the cash at the end of the transaction after withdrawal.
Conduct of Business Requirements
PSD2 affects existing conduct of business requirements in a number of ways, including changes in the rules relating to surcharges, the liability of payment users, and operational and security risks.
Under PSD, Member States have an option as to whether to allow or prohibit surcharging in their territory. This has become a source of confusion for consumers, particular in the e-commerce and cross-border context, as there is more or less an even split between those Member States that allow surcharging and those that prohibit it. In addition, in certain instances the level of surcharges imposed far exceeds the costs borne by the merchant for the use of a specific payment instrument.
Traditionally, surcharging by merchants who accept card payments has been used as a way of off-setting the costs of interchange fees passed on to them by their banks. However, the Interchange Fee Regulation caps interchange fees on in-scope credit and debit card transactions at 0.3% and 0.2% respectively. In tandem, PSD2 prohibits surcharging for such transactions. While surcharging is still allowed for payment cards that are not regulated by the Interchange Fee Regulation, any charge applied must not exceed the direct costs borne by the payee for the use of the specific payment instrument.
PSD2 introduces a number of changes to the liability regime for improperly executed or unauthorised transactions. In particular:
- the maximum liability that can be imposed on a payer when not at fault for a lost, stolen or misappropriated payment instrument is €50, as compared to €150 under PSD;
- where a payment transaction is executed late, the payer may decide that the amount is to be value dated on the payee’s account by the date it should have been received, instead of receiving a refund;
- the terms governing a customer’s use of a payment instrument must be “objective, non-discriminatory and proportionate”; and
- where a PSP fails to use “strong customer authentication” when executing a payment transaction, it will have to bear the financial consequences of any loss relating from any unauthorised payment transactions, even in cases of the client’s gross negligence.
PSD2 subjects all PSPs to a range of new security requirements for the initiation and processing of electronic payments, and the protection of customers’ financial data. In particular, it requires PSPs to apply strong customer authentication including where the payer accesses its payment account online or initiates an electronic payment transaction.
Strong customer authentication is an authentication process that validates customer identity based on the use of two or more elements categorised as knowledge (something only the user knows, eg a password or a PIN), possession (something only the user possesses, eg the card or an authentication code generating device) and inherence (something the user “is”, eg the use of a fingerprint or voice recognition).
The provisions on strong customer authentication will not enter into effect until 18 months after the date of entry into force of the related regulatory technical standards. The EBA issued a discussion paper on these standards shortly before Christmas. In the meantime it is worth noting that strong customer authentication is already a requirement under the European Banking Authority’s Guidelines on the Security of Internet Payments.
Comment and Next Steps
PSD2 includes a wide range of new requirements affecting both firms regulated under the existing legislative payment services framework and those which are currently unregulated but will need to become regulated once PSD2 is transposed into national laws. Existing PSPs should review their business models against the new requirements and update those models if necessary. A currently unregulated firm will need to prepare for regulation, including taking the measures necessary to ensure that it fulfils applicable authorisation requirements. This includes not only TPPs but also firms currently falling within the scope of one of the PSD exemptions which will no longer fall within the relevant exemption under PSD2.
As mentioned, Member States must transpose PSD2 into national law by 13 January 2018. However, PSD2 provides for some transitional arrangements, including, in particular:
- existing payment institutions have until 13 July 2018 to either seek authorisation under PSD2 or to confirm that they comply with the applicable requirements; and
- entities which benefit from a waiver under PSD before 13 January 2018 have until 13 January 2019 to obtain a waiver or to become authorised under PSD2 - under PSD, entities with an average volume of monthly payment transactions below €3 million can benefit from a lighter authorisation regime, if their Member State of establishment makes use of that option.
Significantly, PSPs do not need to wait for PSD2’s transposition for positive change in the payments sphere. On 1 March 2016, Mr Colm Kincaid, Head of Consumer Protection: Policy and Authorisations at the Central Bank of Ireland announced measures to streamline and improve the authorisation process for PSPs. Under the new “Gatekeeper Model”, applicants no longer need to submit a pre-application submission and the pre-application meeting is also optional. The Central Bank will also confirm its assessment of the application within under three and a half months of submission, excluding time taken for the applicant to respond to any additional queries.
- Regulation 345/2013 of 17 April 2013 on European Venture Capital Funds, OJ L 115/1 (25 April 2013)
- Regulation 346/2013 of 17 April 2013 on European Social Entrepreneurship Funds, OJ L 115/18 (25 April 2013)
- Regulation 2015/760 of 29 April 2015 on European Long-term Investment Funds, OJ L 123/98 (19 May 2015)
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.