The revised Directive on Payment Services (PSD2) is the latest in a series of laws recently adopted by the EU in order to provide for modern, efficient, and cheap payment services and to enhance protection for European consumers and businesses. The European Commission welcomed adoption by the European Parliament of PSD2 on October 8th, 2015. The Directive was published in the Official Journal of the EU on 23rd December 2015. It therefore came into force on 12th January 2016, and member states have 2 years (until 13th January 2018) to transpose it.
Why update the Payment Services Directive?
The original Payment Services Directive adopted in 2007 (PSD) sought to harmonize and integrate retail payments across the European Union, enhancing security and protection of consumers as well as setting standards for the transfer of information and payments between various parties in the payment cycle.
Since then, significant technical innovations in electronic and mobile payments have prompted the need to update the legislation; specifically new types of payment services have evolved. As a result, PSDII is being drafted to address areas of legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas. Its aim is to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to fully benefit from the internal market.
There will be greater scrutiny of the security and data-protection measures adopted by payment service providers (‘PSPs’) as online and mobile payments become more prevalent and access to customer information between PSPs is opened up under the Access to Accounts provisions in PSDII (‘XS2A’). The Regulatory and Technical Standards (RTS) for this access will be defined by the European Banking Authority (EBA).
What are the key regulatory changes proposed in PSDII?
The PSDII expands the range of regulated payment services to include third party PSPs (or ‘TPPs’). TPPs include ‘account information (or ‘aggregator’) services’, which allow customers a consolidated view of all their payment accounts with various account providers via a secure log-in, and ‘payment initiation services’, which operate between the merchant and the customer's (issuing) bank so as to initiate payment orders when requested by the consumer.
Other changes include widening scope, tightening of the exemptions from the application of PSD and enhancements to the rights of consumers, in respect of refunds, liability for unauthorised payments and the obligations of PSPs when securing customer data and authenticating payment transactions.
Other changes also include a prohibition of surcharging (additional charges for the right to pay, e.g. with a card), whether the payment instrument is used in shops or online.
Key areas of impact
Widening of scope/narrowing of exemptions in respect of PSDII:
- PSDII brings 1-leg transactions into scope (i.e. the EU element of transactions outside Europe, or payment transactions where only one of the PSPs is located in the Community) and all EU transactions, irrespective of currency.
- A wider range of payment providers and services will be captured under PSDII. New entrants will be faced with enhanced authorization requirements.
Allowing third party access (granted by the consumer) to existing consumer payment accounts to enable new payment service providers to offer the following services:
- To allow Payment Initiation Service Providers (PISPs) to obtain funding decisions for payments direct from consumer payment accounts. PISPs typically operate between the merchant and the consumer's bank, enabling cheaper electronic payments without the use of a credit card.
- To allow Account Information Service Providers (AISPs) to provide users with a consolidated view of all their products and accounts held across multiple providers.
- Authentication, security, and liability underpinning access will be subject to the European Banking Authority (EBA) standards and definitions.
Increased consumer protection / security / reporting:
- Enhanced consumer rights and effective complaints procedures - disputes / improper execution / reductions in consumer liability and increased protection.
- Stronger customer authentication - Regulatory and Technical Standards (RTS) on authentication and communication to be defined by EBA, likely to be a trade-off between interoperability/flexibility (to allow for innovation and competition), security and end-user convenience.
- Increased security management and reporting requirements for PSPs.
- Stronger customer authentication – Regulatory and Technical Standards (RTS).
- Speed of change - Existing players will need to quickly formulate their approach to providing secure data access to third parties.
- Competition - Payment Initiation Services: New PSPs will significantly broaden the competitive landscape and drive down costs. Many already have the required technology / capabilities to meet PSDII. With innovation at the heart of their business, large R&D budgets and existing loyal customer bases, they pose real challenges to existing payment models.
- Competition - Account Information Services: Loss of customer screen time versus building customer insight.
- Technology - Major technological changes: providing account access and processing secure transactions without discrimination against TPPs, technical interfaces and implementation of multifactor authentication processes.
- Operational - Increased scrutiny / reporting / challenge and cost of regulation. Increased operational and legal risk - assessment and adjustment of risk management processes and risk (assessment) processes.
- Compliance exercise versus strategic opportunity?
- Payment initiator services: Engagement with TPPs and aggregators.
- Services will be founded on payment security and data privacy; two areas in which existing players have a significant head start.
- Account Information services: existing players are ideally placed to provide trusted solutions and build on existing customer relationships / trust, providing more armour in the war to win and retain customers.
- Customer behavior analysis: access to richer data from customer transactions / opportunity for deeper understanding of customer behavior - allowing existing players to better serve their customers’ interests.
- Alternative payment instruments: ability to implement alternative payment instruments already seen across EU.
- Strategy - Re-shape / re-consider customer focused business models and re-define use of customer rich data.
- Alternative income streams over and above PSDII requirements – age / address verification.