Pierre Berger, Isabelle Van Biesen, Stéphanie Liebaert
Partner, Senior Associate, Associate - Baker & McKenzie
Directive 2015/2366 on payment services in the internal market (hereinafter PSD II) was published in the Official Journal on December 23, 2015 repealing Directive 2007/64/EC on payment services in the internal market (hereinafter PSD I). The principal aim of PSD I, adopted in 2007, was to regulate the payments industry and to enhance consumer protection. However, PSD I is not an accurate reflection of how some payment methods operate, and its application is not always clear. The European Commission was concerned that many payment service providers (hereinafter PSPs) have escaped regulation under the current PSD I and, also due to the rapid technological changes in this sector, proposed a second iteration of this legislation.
PSD II is part of the legislative package in the field of the EU payments framework, adopted by the European Commission on 24 July 2013, which also includes the new Regulation 2015/751 on interchange fees for card-based payment transactions (hereinafter the MIF Regulation).
PSD II covers both public law aspects, relating to the prudential supervision of PSPs, and private law aspects, relating to the rights and obligations related to the offering and use of payment services.
This new Directive entered into force twenty days after its publication, i.e., on 13 January 2016 and should be transposed into national law by all Member States two years after the date of entry into force, i.e., 13 January 2018.
This article provides a summarizing overview of the main changes under PSD II.
2. Scope of application
2.1 Extension of the scope
PSD I applies to all types of payment services carried out in EU currencies provided within the EU, to the extent that both the payer's PSP and the payee's PSP are, or the sole PSP in the payment transaction is, located in the EU ("both legs in the EU").
Under PSD II, the scope of application is extended to include:
- "one-leg transactions": PSD II applies as soon as one of either two PSPs is established in the EU;
- non-EU currency transactions: PSD II applies to those parts of the payment transaction carried out in the EU regardless of the currency used, where both the payer's PSP and the payee's PSP are, or the sole PSP in the payment transaction is, located in the EU, ;
- payments through telecom operators: the purchase of physical goods and services through a telecom operator falls within the scope of PSD II;
- third-party payment service providers (hereinafter TPPs): "new" players on the payment service market are covered by PSD II.
(b)Third-party payment service providers
The extension of the scope of application to TPPs is one of the most significant changes with regard to PSD I. TPPs are (i) payment initiation service providers; (ii) account information service providers; and (iii) issuers of payment instruments.
- A payment initiation service is defined as "a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider". Payment initiation service providers help to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts, fill-in the information necessary for a transfer (amount of the transaction, account number, message) and inform the merchant once the transaction has been initiated. It is however unclear what exactly is meant by "initiating" a payment order, as PSD II does not define this concept.
- An account information services is defined as "an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider". Account information service providers provide services to allow consumers and businesses to have a global view on their financial situation, e.g., by enabling them to consolidate different current accounts, held with one or more banks, and to categorise their spending.
- Issuers of payment instruments already fell within the scope of PSD I, but the scope of application is now extended to payment instruments issued by payment service providers that do not manage the account of the payment service user.
The ratio of the extension of the scope to TPPs is to open up the EU payment market to companies offering consumer- or business-oriented payment services based on access to information from payment accounts.
PSD II enables TPPs to have better access to information on payment or bank accounts. However, TPPs will only be allowed to provide the services the payer decides to make use of. In order to provide these services, they will not receive full access to the payer's account. Payment initiation service providers and providers offering payment instruments will only be able to receive information from the payer's bank on the availability of the funds on the account - which boils down to a simple yes or no answer - before initiating the payment, with the explicit consent of the payer. Account information service providers will only receive the information explicitly consented by the payer and only to the extent the information is necessary for the service provided to the payer.
TPPs will be subject to different security and liability requirements as other payment service providers and will have to obtain a "light" license as payment institution in order to provide their services.
As regards the licensing requirement for these new players, a transitional regime is foreseen in Article 115.5 PSD II, whereby Member States must allow all legal persons providing payment initiation services and account information services before the date of entry into force of PSD II in their territories, to operate in accordance with the currently applicable regulatory framework, which is PSD I. Such existing providers will only be required to apply for authorisation under the PSD II regime as from the final transposition date of PSD II, i.e. two years after entry into force (13 January 2018). Legal persons who have not provided such services before the date of entry into force will have to apply for authorisation as from the moment PSD II is transposed in national legislation.
2.2 Negative scope
The "negative scope", which exempts a number of payment (related) activities from the scope of application, provided for in the current PSD I, is clarified and updated:
- the "commercial agent" exemption: restricted to commercial agents who act on behalf of either the payer or the payee, and not to those who act for both;
- the "limited network" exemption: payment service providers must notify their intention to the regulator and submit a request for recognition as a limited network, where the volume of transactions exceeds 1 million EUR per month;
- the "digital content or telecom" exemption: payments made trough telecom operators for purchase of digital services such as music and digital newspapers downloaded on a digital device or of electronic tickets or donation to charities are exempted when they fall below the threshold of 50 EUR per transaction and 300 EUR per billing month; operators must notify their compliance with these limits to the regulator;
- the "technical service provider" exemption: payment initiation service providers and account information service providers are explicitly excluded from this exemption.
3. Information obligations
The information policy under PSD II remains almost unchanged. A new element is that, under PSD II, the framework contract should include a provision that the payer may require the information on his executed payment transactions to be provided or made available periodically, and at least once a month, free of charge. The inclusion of this provision in contracts with payees is not mandatory. However, Member States are allowed to go even further, by obliging payment service providers to provide this information to payees as well.
4. Obligations relating to the use and offering of payment services
4.1 Blocking of payment instruments
PSD I obliges PSPs to safeguard the security features of the payment instrument and to make sure that the payment instrument can be blocked 24/7. In Belgium this service is provided by "Card Stop", which currently charges 30 eurocent per minute for a telephone call. Under PSD II, the blocking of payment instruments will have to be provided free of charge. This new provision will most likely have a negative financial impact on most PSPs.
The flexibility under PSD I, allowing merchants to request from the payer a surcharge, with the qualifier that Member States may forbid or limit any such surcharging for their territory, has led to extreme heterogeneity in the market. Thirteen Member States have made use of the option to prohibit surcharges. The different regimes in place create problems and confusion for merchants and consumers alike, notably when selling or purchasing goods and services cross-border via the internet.
Under PSD II:
- surcharging will still be allowed for payment cards that are not regulated by the MIF Regulation (but strictly limited to the costs borne by the payee);
- surcharging is no longer allowed for payment cards falling under the MIF Regulation, which will represent more than 95% of the consumer card market.
Such provision is directly linked to the capping of interchange fees for debit and credit card transactions under the MIF Regulation.
4.3 Liability regime
(a) PSP's liability for unauthorized payment transactions
PSD I provides that a PSP, after a prima facie investigation of fraud by the payer, needs to repay the payer immediately the amount of an unauthorized payment transaction (such as the withdrawal of cash with a stolen bank card or a falsified credit card by criminals). In other words, save for the case where the client is acting fraudulently, the PSP will always bear the risk of unauthorized payment transactions.
Currently, the payer shall bear the losses relating to any unauthorized payment transactions, up to a maximum of 150 EUR, resulting from the use of a lost or stolen payment instrument. No losses shall be borne by the payer from the moment he notified the loss of his payment instrument. If the payer acted fraudulently or failed to fulfil his own obligations intentionally or grossly negligently, he will bear all the losses.
Under PSD II, the amount for which the payment service user can be held liable is decreased from 150 EUR to 50 EUR. Furthermore, the PSP will even have to bear the financial consequences in case of gross negligence of the client where the PSP failed to use a so-called "strong customer authentication" when executing the contested payment transaction. "Strong customer authentication" means "an authentication based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a PIN or password), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the user of a fingerprint or voice recognition) that are independent, in that the breach of one does not comprise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data".
The European Banking Authority (hereinafter EBA) will provide further guidance on this notion in a later stage. It remains to be seen whether the current bank card with pin code is sufficient to qualify as "strong customer authentication". It is intended that this "strong customer authentication" needs to take place with every payment transaction. EBA will also be able to provide exemptions based on the risk/amount/recurrence/payment channel involved in the payment service.
Moreover, when an unauthorized payment transaction takes places through a TPP, the payer shall also obtain financial rectification from the account servicing PSP. The account servicing PSP can obtain a financial compensation from the TPP, which is ought to be solvent given its statute as a regulated PSP.
When crediting an account after an unauthorized payment transaction occurred, the credit value date for the payer’s payment account shall be no later than the date the amount had been debited. This provision is introduced in order to ensure that the client will not suffer any financial loss. This principle is in fact applicable to all types of incorrectly executed payment transactions.
A second change under PSD II with regard to the liability regime in case of unauthorized payment transactions relates to the so-called "refunds" of payment transactions initiated by the beneficiary. PSD I states that - even if the transaction was authorized - the payer can ask financial recovery if (i) the exact amount of the payment transaction was not specified, and (ii) if the amount of the payment transaction was higher than the user could expect, in light of his previous spending pattern, the conditions in the framework contract and all other relevant circumstances the case may be.
PSD II provides that these two conditions are no longer of relevance for direct debits. In case of a direct debit, a payer has an unconditional right to a refund by his PSP.
5. Authorisation and supervision
5.1 Authorisation requirements
The requirements to obtain an authorisation to provide payment services remain largely the same under PSD II.
There are two main changes:
- Entities wishing to be authorised shall provide with their application a security policy document and description of their security incident management procedures, contingency procedures, etc.;
- there are specific initial capital requirements for TPPs in relation to their activities and risks these represent; TPPs are not subject to own fund requirements, but need to hold a professional indemnity insurance.
5.2 Small payment institutions
The current option for Member States to put in place a "lighter regime" for entities with an average volume of monthly payment transactions below 3 million EUR is still applicable under PSD II. The difference is that Member States making use of this option may decide to define a lower threshold. Payment institutions having obtained a "waiver" under PSD I may thus need to re-assess their status under PSD II.
5.3 Cross-border supervision
PSD II introduces a more detailed passporting procedure to reinforce the investigative and supervisory powers of the "host" Member State, i.e. the Member State where a payment institution intends to provide payment services. A host Member State can ask a payment institution operating via agents or branches in its territory to regularly report on its activities (e.g., require the PSP to set up a central contact point in the host territory). The host Member State can also take certain precautionary measures in emergency situations, in parallel with its cooperation duties with the "home" Member State, i.e. the Member State where the payment institution has obtained the required authorisation. EBA is expected to draft regulatory technical standards on this cooperation and information exchange between the host and the home Member State.
6. Miscellaneous amendments
6.1 Safeguarding requirements
Currently, a payment institution engaged in other business activities than payment services has to ensure that (i) the funds received for the execution of a payment transaction are not commingled with the funds of other persons than payment service users; and (ii) that they are safeguarded from claims of other creditors of the payment institution. The payment institution can also opt to protect these funds by an insurance policy (or comparable guarantee).
These safeguarding requirements remain largely the same under PSD II, but the current possibility for Member States to limit safeguarding requirements to funds of payment service users whose funds individually exceed 600 EUR, is removed. TPPs are not subject to safeguarding requirements under PSD II.
6.2 Security measures
In line with the proposal for a Directive on network and information security, PSD II addresses security aspects and aspects of authentication. As mentioned under title 3.3(a) above, PSD II introduces the notion of "strong customer authentication". Also, security requirements for remote transactions are stricter, requiring a dynamic link to the amount of the transaction and the account of the payee. These changes contribute to reducing the risk of fraud for new and more traditional means of payment, especially online payments, and to protecting the confidentiality of the financial (incl. personal) data of payment service users.
Please note that these security measures will only enter into force eighteen months after the adoption of EBA standards by the European Commission.
6.3 Sanctions and dispute settlement
PSD II requires Member States to align their administrative sanctions, to ensure that the appropriate administrative measures and sanctions are in place for breaches of PSD II provisions and to ensure that these sanctions are duly applied.
The requirements for out-of-court complaints and redress procedures for the settlement of disputes between payment service users and PSPs as well as the appropriate penalties, are updated, e.g.:
- competent authorities cannot be PSPs (with the exception of the national central banks);
- PSPs are required to apply effective complaint resolution procedures in every Member State where they offer payment services and in the Member States' official language (another language is possible if agreed upon);
- PSPs shall make every possible effort to reply to complaints on paper (or on another durable medium if agreed upon), at the latest within fifteen business days of receipt of the complaint, and in exceptional cases within a maximum of thirty-five business days;
- payment service users need to be informed of at least one competent alternative dispute resolution entity by their PSP in a clear, comprehensive and easily accessible way on the PSP 's website, branch and in its terms and conditions;
- Member States are required to lay down effective, proportionate and dissuasive penalties;
- Member States have to allow their competent authorities to disclose administrative penalties, unless this seriously jeopardises the financial markets or causes disproportionate damage to the parties involved.
Contact Baker & McKenzie: Pierre Berger. Tel: + 32 (0)3 213 40 40 Pierre.Berger@bakermckenzie.com