The European Parliament has now adopted a European Commission proposal for a revised Directive on Payment Services (PSD2) to replace the original Directive from 2007. It is expected to enter into force in December 2015 (after formal adoption and publication in the EU’s Official Journal), after which Member States will have two years to introduce the necessary changes in their national laws in order to comply with the new rules.
What’s driving the change?
The accompanying press releases focus on the core objectives of: enhancing competition; encouraging the Digital Single Market; reducing fraud through increased security; and reducing fees. Antonio Tajani, MEP rapporteur and Vice-president of the European Parliament, put it succinctly:
“The EU payment services market remains fragmented and expensive, costing €130 billion, or over 1% of EU GDP, a year. The EU economy cannot afford these costs, if it wants to be globally competitive“, adding that “The new regulatory framework will reduce costs, improve the security of payments and facilitate the emergence of new players and innovative new mobile and internet payment methods“.
So is PSD2 evolutionary or revolutionary?
It’s both: some changes are evolutionary, building on the foundations of the original PSD:
- extending its scope to include all currencies (not just Member State currencies), so-called “one-leg out” transactions and certain activities previously excluded;
- enhancing consumer rights in numerous areas, like reducing the liability for non-authorised payments, introducing an unconditional (“no questions asked“) refund right for direct debits in euro and introducing a prohibition on surcharging whereby a merchant raises additional charges for the right to pay with a certain card (e.g. a credit card); and
- introducing strict security requirements for the initiation and processing of electronic payments, with an obligation on payment service providers to apply ‘strong customer authentication’ when a payer accesses his payment account online, initiates an electronic payment transaction and carries out certain other actions.
But it is also revolutionary: it opens up the EU payments market to providers of so-called “payment initiation services” and “account information services“, i.e. companies offering consumer or business-oriented payment and information services which are based on access to the user’s payment account. This access enables the third party to initiate a payment from the user’s account or to gather information and provide consolidated information back to the user. These are referred to as third party providers (TPPs), to distinguish them from the account servicing payment service providers (Account Servicing PSPs).
How will this open up competition?
The European Commission has referred to banks (the vast majority of Account Servicing PSPs) as ‘gatekeepers’ to accounts held with them, both in terms of access to funds and information. PSD2 will force Account Servicing PSPs to accept a user’s request to use TPPs, as Account Servicing PSPs can deny a TPP access only for objectively justified and substantiated security reasons. This is designed to safeguard against banks blocking the market for new payment services. So, TPPs are being encouraged into the market through this European measure and while they will need to be authorised (not least to ensure that they adhere to minimum security requirements), this also gives them the right to provide their services throughout Europe under passporting rights.
How does PSD2 encourage TPPs?
PSD2 sets out a framework – both legally and operationally – around this tri-partite relationship between the user, his/her Account Servicing PSP and the new TPP in terms of the rights of the user and obligations of the Account Servicing PSP and Payment Initiation Services / Account Information Services TPP and the modus operandi between the Account Servicing PSP and the TPP:
- the user’s rights include: the right to use a TPP where payment account is accessible online; and to seek compensation from his Account Servicing PSP for unauthorised payment transactions (though the Account Servicing PSP may have a remedy against the Payment Initiation Services TPP);
- the Payment Initiation Services TPP’s obligations include to: act only within the payment service user’s explicit consent; authenticate itself towards Account Servicing PSP every session; not modify the transaction; nor hold the payer’s funds; and
- the Account Servicing PSP’s freedom is restricted in various way, for example, it cannot insist on a contractual relationship with the TPP and cannot discriminate between a user initiated payment and one initiated on the user’s behalf by a TPP.
There still remain some unanswered questions, not least as to the basis on which Account Servicing PSPs and TPPs should interact. In this respect, the European Banking Authority has been tasked with developing some regulatory technical standards. This aspect also interacts with the UK Government’s Open API for Banking initiative.
So, what’s next?
After more than two years in its development (the first proposals for PSD2 were published in July 2013), the adoption of this text now provides real certainty. This in turn enables a detailed review of PSD2, its ramifications and opportunities. As a minimum, existing providers will need to assess its impact on their systems, processes and legal documentation; however, with all the market disruption and the convergence of card transactions and funds transfers, it should also be seen as a real opportunity to consider afresh the strategic aspects and the whole European single market, both digital and payments.