The revision of the Payment Services Directive aka PSD2 will change banking as we know it. It will increase competition and foster innovation, but with less than a year remaining until its start date, we look at what it actually means for incumbent payment services providers like traditional banks and disruptors such as FinTechs and the Tech Giants that quietly extend their activities into financial services.
What are Payment Services and why do they matter?
Payment Services are all activities that allow people to deposit or withdraw cash on or from a payment account, as well as the operation of that account, execute payment transactions like standing orders or direct debits both on payment accounts or by electronic means, issue and/or receive payment instructions, and execute money remittance (i.e. transfers of money by foreign workers to persons in their home country).
In short, it touches on a lot of the services we use banks for on a daily basis.
What is the Payment Services Directive?
At the end of 2007 the European Union introduced the so-called Payment Services Directive or by its full name “Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market”. The first Payment Services Directive entered into force on Christmas Day 2007 and its rules applied from 1 November 2009, by which date the member states of the EU had to implement the directive into national law.
While there were rules before the first Payment Services Directive that governed these services, the EU did not feel these were sufficiently harmonised across the EU’s internal market but rather fragmented across its then 27 member states. Therefore it produced a framework that was supposed to lay down rules for payment services such as credit transfers, direct debits and card payments across all member states. These rules included information requirements for payment services providers, as well as rights and obligations linked to the use of payment services. Following the introduction of the new framework payment services providers had to communicate certain information prior to the payment service such as fee structure, complaint procedures, and all charges payable in an easily understandable way. After the execution of a payment transaction, they have to provide to the payer information such as the reference of the payment transaction and of the payee, the payment amount, and the fees and commissions related to the transaction.
Why a revision of the Payment Services Directive?
The need to create a level playing field in light of the growing popularity of the Internet and mobile payments had already become apparent in the process of designing the first directive. Somewhat unfortunately, innovation overtook the work of the legislator, so that aspects that we now use constantly like online payments were not covered sufficiently. Also, differences in the implementation of the first directive across the EU’s member states and the further opening of payment services, in particular with a view to FinTechs, made a revision necessary. Thus, in 2013 the Commission proposed an amendment, which led to the second Payment Services Directive (“PSD2”) or with its full name Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.
The directive aims to:
- make it easier and safer to use internet payment services;
- better protect consumers against fraud, abuse, and payment problems;
- promote innovative mobile and internet payment services;
- strengthen consumer rights;
- encourage lower prices for payments; and
- strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft technical standards.
When will this happen?
Like all EU directives the rules must be implemented into the national laws of the member states. This is due by 13 January 2018. At the same time the old rules set out by the first PSD are going be repealed as of that date. There will, however, secondary legislation, which will be discussed in more detail in the next paragraph, that is currently under development and is not likely to be in force before the second half of 2018. Even though this presents some uncertainty around certain aspects of PSD2 and its details, incumbents and newcomers to the Payment Services Industry must be ready for the implementation of the Directive in January next year.
What are the changes PSD2 is going to bring?
To begin with it’s important to recall the process of EU lawmaking in financial services (for more information on this process, read our article on this subject here), which is composed of primary legislation in the form of the Directive and secondary legislation, i.e. delegated acts in the form of Regulatory Technical Standards (RTS) and Guidelines. The latter define certain aspects in detail that the Directive has only touched upon along more general lines and which is to be drafted by the EBA. PSD2 has given the EBA a mandate to draft six technical standards, which once adopted by the European Commission become directly applicable, plus 5 Guidelines, which in itself is not binding, but will be once the national regulators transpose them into the law of the member states.
Since this process of secondary legislation is still ongoing, i.e the EBA has still to conclude consultation papers on 3 RTS and 1 set of Guidelines, while the other mandates have seen draft documents, which might be subject to amendments before submission to the Commission, we at this point cannot say with absolute certainty what the final rules will look like in some areas, but the picture is clear enough to give an overview of the key changes:
– Scope of Payments
Under the first PSD only payments inside the EU were covered. PSD2 extends a number of obligations to payments to and from third countries, where one of the payment service providers is located in the EU. These obligations are mostly in respect of the information provided.
The extension of the scope will also mean that the same rules will apply to payments that are made in a currency that is not denominated in Euro or another Member State’s currency. Therefore transaction in, for example, US dollar will be subject to these rules if the above requirements are met.
– Transparency of Costs and Conditions
The obligations regarding the provision of information on payments mentioned above impacts primarily banks and other payment service providers that are located in the EU. These financial services providers have to provide information and transparency on the costs and conditions of these international payments, at least in respect of their part of the transaction. They can also be held liable for their part of the payment transaction if something goes wrong that is attributable to them.
– New Payment Services
Following its mandate to foster innovation, PSD2 will introduce new forms of payment services, in particular Third Party Providers (TPPs) such as Payment Initiation Services Providers (or PISP) and Account Information Service Providers (or AISP).
Payment Initiation Services allow consumers to pay via simple credit transfer for their online purchases, while providing merchants with the assurance that the payment has been initiated so that goods can be released or services provided without delay.
Account Information Service Providers on the other hand make it possible for a payment service user to have an overview of their financial situation at any time, allowing users to better manage their personal finances. While these services already exist, they are currently not regulated on EU level and PSD2 aims to make their services available to a wider audience.
– Exemptions
The revision also brings several changes to existing exemptions and defines new ones:
– Commercial Agents: The exclusion from the first PSD for Commercial Agents ended up to be handled very differently across EU member states. Therefore, PSD2 redefined the exclusion, so that it should apply when agents act only on behalf of the payer or only on behalf of the payee, regardless of whether or not they are in possession of client funds. Where agents act on behalf of both the payer and the payee (such as certain e-commerce platform), they should be excluded only if they do not, at any time enter into possession or control of client funds.
– ATMs: Previously operators of independent cash machines or ATMs were entirely exempted from the scope of the first PSD. Following the revision an extension still applies for cash withdrawal services offered by means of ATM by providers, acting on behalf of one or more card issuers, which are not a party to the framework contract with the customer withdrawing money from a payment account. However, this is only on condition that those providers do not conduct other payment services as outlined in an annex to PSD2. And even then, shall the customer be provided with certain information as defined across PSD2 on any withdrawal charges before carrying out the withdrawal as well as on receipt of the cash at the end of the transaction after withdrawal.
– Telecommunications: an exemption from the scope of the PSD2 applies for telecommunication providers in two cases: (1) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or (2) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets. However, in any case the value of any single payment transaction must not exceed EUR 50 and the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month.
– Limited Networks: The original PSD included an exemption for services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services. The directive did not sufficiently define what it meant by Limited Network, so PSD2 narrows the exemption down to three use case: (1) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer; (2) instruments which can be used only to acquire a very limited range of goods or services; or (3) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer.
– Stronger Customer Authentication
One of the key drivers for PSD2 is the focus on payment security and stronger customer authentication as it’s a major issue for many payment users and notably consumers when paying via the Internet. According to the Directive all payment service providers, including banks, payment institutions or third party providers (TPPs), will need to prove that they have certain security measures in place ensuring safe and secure payments. In practical terms, this means that Member States must ensure that a payment service provider applies strong customer authentication where the payer accesses its payment account online; initiates an electronic payment transaction; or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. What is clear in respect of SCA is that it will require an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
Everything beyond this is a little less certain and has caused a few issues as drafting of the detailed requirements is one of the tasks delegated to the EBA, which has received significant push back form the payments industry on its proposals.
Following an initial discussion paper in 2015, the EBA in August 2016 published a consultation paper draft RTS that dealt with several aspects strong customer authentication (SCA) and common and secure communication under PSD2, in particular:
- specifying the requirements of SCA,
- the exemptions from the application of strong customer authentication,
- the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ (PSU) personalised security credentials, and
- the requirements for common and secure open standards of communication between account servicing payment service providers (ASPSP), Payment Initiation Services (PIS) providers, Account Information Services (AIS) providers, payers, payees and other payment service providers.
While the consultation closed in October 2016, the actual publication of the final draft has been delayed several times due to criticism and the need to rework certain areas in light of the received feedback. The EBA this week confirmed though that it will succumb to at least some of the suggestions in its final version, which should be published in the not too distant future. (Update: Shortly after publishing this article, the EBA has actually published the RTS – for more information see here)
This concludes the summary of the coming changes and the first part of our analysis of the PSD2 and the risk and opportunities for Traditional Banks, FinTechs and Tech Giants. Part 2 looks at the specific impact on those three groups, both positive and negative, and what they should consider.