With the development of technological aspects not covered by the original Payment Services Directive (“PSD I”), the Second Payment Services Directive – Directive (EU) 2015/2366 (“PSD II”) was introduced in order to enforce greater consumer protection. Technological changes that prompted the enactment of PSD II include changes in e-commerce, increase in use of internet and mobile payments and the growth in the use of multiple payment service providers.
With the rules having come into force on January 13, 2018 within the European Union (the “EU”) and the European Economic Area (the “EEA”), questions have been raised as to what the amendments to the PSD I shall entail.
The entry into force of PSD II implemented the following changes to the industry:
(i) Extension of the scope of payment instruments, services and activities
The scope of the PSD II has been extended to cover a number of areas that were not previously covered in PSD I, including card, internet and mobile payments. Payments made through a telephone operator for both physical goods and services shall also be covered.
However, PSD II provides a narrower exclusion, which applies only to payments which are (1) under a certain threshold (i.e., EUR 50 per transaction or EUR 300 per month) and (2) made through telecom operators for the purchase of certain digital services (i.e., music or digital newspapers) downloaded onto digital devices or for electronic tickets or donations to charities.
PSD II introduces regulation for a number of new services for customer experience, including cardless withdrawal, instant peer-to-peer (“P2P”) payments, advanced applications and decoupled cards.
PSD II repeals the exemptions set forth in PSD I concerning independent cash machines. Cash withdrawals from ATMs of independent providers shall now fall under the scope. Other banking products are now recognised as payment services under PSD II including merchant acquisition services, money transfer or money transmission services.
(ii) Extension to apply to all currencies
Contrary to PSD I, PSD II shall apply to all euro and non-euro denominated transactions where the payment service provider (“PSP”) of the payer and the PSP of the payee are both located in the EU.
(iii) Introduction of payment services by third parties
To regulate new services in the area of internet payments that emerged after the enactment of PSD I, PSD II aims to regulate third party providers (“TPPs”) who provide specific payment solutions to customers.
The new services include payment initiation services (“PIS”) and account information services (“AIS”). The former enables customers to initiate a payment from their user account to a merchant account via authorised TPPs, to whom financial institutions will be obliged to open their account interfaces, whereas the latter provides consolidated information on payment accounts held by a payment service user, which the user may use for financial planning. TPPs that provide payment initiation services are Payment Initiation Service Providers (“PISPs”), whereas Account Information Service Providers (“AISPs”) provide account information services. PSD II requires that PISPs and AISPs be registered as payment institutions in order to continue to provide payment services if they are not already authorised.
Customers may use PIS or AIS if (1) the payment account is accessible online and (2) the customer has given their explicit consent to use.
PSPs will now be required to allow customers to give TPPs access to their personal accounts, and PSPs shall no longer be capable of restricting use of account integration services. The requirement imposes certain operational modifications that PSPs need to make, including (1) transferring information to TPPs about availability of funds for the transaction, (2) responding to data requests without discrimination other than for “objective reasons,” and (3) implementing operational and technological measures to identify and authenticate the status of TPPs and accept instructions from TPPs. In order for PISPs and AISPs to provide services to customers, PISPs and AISPs must enforce consumer protection conditions (e.g., consumer authentication).
(iv) Extension of scope to include “one leg out” transactions
The European Banking Authority (the “EBA”) has defined one leg out transactions as transactions where the issuer or acquirer of the payment is located outside of the EU and the acquirer or issuer is a PSP inside of the EU and regulated by the EBA. With the entry into force of PSD II, PSD II shall apply to all payments received by an EEA domiciled PSP, regardless of the currency in which the transaction is denominated or where the issuer is located (i.e., one leg or two leg transactions).
The scope no longer applies only to transactions in EEA currencies.
(v) Measures to enforce consumer protection
Measures to enforce consumer protection which have been introduced by the PSD II include the following:
a. Authentication: Both PSPs and TPPs will also need to ensure strong customer authentication in circumstances where the customer (1) accesses a payment account online, (2) initiates an electronic payment transaction, and (3) carries out any action remotely which carries a risk of payment fraud and other abuses.
b. Pre-authorisation of card payments: Pre-authorisations with card payments are transactions in which the final amount is unknown at the time of the charge. Under the new PSD II, the PSP will only be allowed to block the exact amount of funds that the consumer has approved for payment.
c. Unconditional refund right: Consumers shall have an unconditional refund right for a period of eight (8) weeks from the date when the funds were debited. These measures reflect the rules under Single Euro Payments (“SEPA”) core direct debit scheme. Member states may have the right to impose even more favourable terms for non-euro direct debit schemes.
d. Ban on surcharging: Surcharging shall be banned for payment instruments (e.g., cards) covered in SEPA.
e. Complaint-handling procedures: PSPs will have adequate complaint handling procedures and shall be required to respond to payment complaints within fifteen (15) business days of receipt, except in certain circumstances where the PSP replies within thirty-five (35) business days with an explanation for the delay.
f. Fund checking: PSD II provides a new method of checking the availability of funds for certain cards where the consumer may receive confirmation of the availability of funds in case of a payment transaction request through online platforms that use card-based payment tools.
g. Unauthorised payment scenario: Except in cases of fraud or gross negligence by the payer, PSD II reduces the maximum penalty to be paid by the payer for unauthorised amounts from one hundred and fifty euros (EUR 150) to fifty euros (EUR 50).
h. Security policy document: For authorisation as a payment institution, payment institutions must submit to the competent authority a security policy document describing the security measures implemented to protect customers against fraud and illegal use of personal data as well as a detailed risk assessment.
i. Designation of competent authorities: Member states shall be required to designate all responsibilities for compliance and complaints handling in relation to PSD II to a competent authority.
j. Notification to customers: PSPs shall notify customers, without undue delay, of major operational or security incidents, as defined in the PSD II, that affect the financial interests of customers. PSPs shall also be required to advise on measures to mitigate undue consequences on the client.
(vi) Registration requirement for PSP and the establishment of the Central Electronic Register
In furtherance of regulating payment institutions that have been registered, PSD II imposes rules concerning the contents and maintenance of both national registers and a new EBA register. The EBA shall be required to operate and maintain a publicly available electronic central register containing information derived from the registers in each member state, including the payment services for which each payment institution is authorised.
(vii) Greater oversight of payment institutions
To facilitate supervision, PSD II requires home member states to introduce more detailed passporting procedures to ensure better communication between national competent authorities (e.g., the notification that a payment institution wishes to passport in another member state must occur within one month).
PSPs will be required to report to their respective national competent authority the adequacy of control and mitigation measures as well as statistical data on fraud relating to different means of payment.
In addition to reporting to customers whose financial interests have been compromised, PSPs will be required to notify competent authorities, without undue delay, of any major operational or security incident (as defined in the PSD II) within four (4) hours of the incident.
(viii) Authorisation requirements
PSD II imposes operational and security requirements on entities wishing to operate as TPPs, including the obligation to maintain certain capital requirements and professional indemnity insurance depending on whether the TPP is an AISP or a PISP.
(ix) Capital requirements for PSPs
The PSD II implements specific capital requirements for third party service providers in accordance with their respective activities and risks.