This is an abstract from a longer article published in German on www.juris.de
Background: development of a pan-European instant payment scheme
In June 2015 the Euro Payments Retail Board (ERPB) invited the European Payments Council (EPC) to develop a pan-European instant payment scheme, intended to make transferred funds available to the recipient within a few seconds. The scheme is based on the EPC’s current SEPA credit transfer (SCT) scheme and will be called SCTinst. It was endorsed by the ERPB in November 2015, and on this basis is anticipated to be finalised in November 2016 and
implemented by November 2017. SCTinst is expected to provide interesting opportunities in both eCommerce as well as at Points of Sale (POS).
SCTinst is likely to be offered by so-called Third Party Payment Service Providers (TPPs). As such, two scenarios are possible: (1) the TPP may divert a payer from an online shop to the online banking portal of the customer’s custodian bank where the payer enters all relevant payment data himself/herself (Scenario 1); or (2) the TPP receives from the payer all relevant payment data and forwards it to custodian bank of the payer (Scenario 2).
Under the First Payment Services Directive (PSD1), which is currently in force, TPPs do not require authorisation in Germany by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin). In the case of internet payments, where a payer enters all data himself/herself (such as Scenario 1), banks are required to perform “strong customer authentication” pursuant to German “MaSi” regulation (Mindestanforderungen an die Sicherheit von Internetzahlungen). Strong customer authentication is a process intended to verify the identity of a customer based on two or more elements from the categories of knowledge, possession and inherence. Under MaSi, strong customer authentication is not required if the payment is initiated by a TPP (Scenario 2) or through a mobile app.
PSD2, which will replace PSD1 and MaSi as of 13 January 2018, will require providers of so-called “payment initiation services” to hold an authorisation by BaFin. In Scenario 1 the payer has done all that is necessary in order to trigger his/her account servicing payment service provider to execute the payment transaction, which, in the case of a credit transfer, is usually the case with the confirmation of all relevant data, including the transaction authentication number (TAN), by the payer. Scenario 1 will therefore not fall within the definition of “payment initiation service” (since it is the payer himself/herself who initiates the payment transaction rather than the TPP) and no BaFin authorisation will be required. PSD2 does, however, require a strong customer authentication in the case of online access to a payment account and the initiation of an electronic payment service. Both eCommerce and POS transactions within Scenario 1 will fall within the scope of strong authentication, unless the transaction falls within one of the exemptions.
Scenario 2 will, however, fall within the scope of a payment initiation service. As a consequence, a TPP in Scenario 2 will require authorisation by BaFin. For the initiation of the payment transaction, strong customer authentication is generally required under PSD2; however, the duty to perform such strong customer authentication lies with the account servicing payment service provider, not the payment initiation service provider. Typically, the payment initiation service provider receives the payer’s information required for the authentication process and forwards it to the account servicing payment service provider.
In conclusion, a TPP in Scenario 2 would require authorisation by BaFin for both eCommerce and POS transactions; strong customer authentication will need to be performed in both cases, but only by the account servicing payment service provider, not the TPP.