The Spanish Government opens a public consultation period on the future Royal Decree that will develop the new Spanish Payment Services Law

Written on 23 Apr 2018

As part of the transposition of the second Payment Services Directive, a public consultation was recently opened so that the legislation transposing the Directive is adapted to the needs of both established and new stakeholders.

On 13 January 2018 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2”) entered into force, and Spain has yet to transpose its contents. PSD2 aims to strengthen the security requirements that must be fulfilled to make e-payments and to raise competitiveness, which may mean a shift in the current business model for payment services providers, as seen in the XIII Bank Sector Meeting. In order to receive appropriate feedback from stakeholders, the public consultation, which precedes the transposition, was published on 26 March and remained open until 10 April. Whether because of the financial institutions’ economic status or the increase in the number of players in this sector, stakeholders have had a great deal to contribute to this public consultation and their needs must not be overlooked.

The Royal Decree intends to address the following matters:

  • Creation requirements and conditions under which the payment institutions will work.
  • Payment services provider capital requirements; cross-border activity; customer service procedures; and penalty regime adaptations.
  • Payment operations via electronic devices; control over significant shareholdings and influence over these entities; limitations on payment accounts; and provisions on the legal regime of electronic money institutions.
  • Enhancement of the security measures and risk mitigation to protect payment services users, namely against fraud and unlawful use of sensitive and personal data of users.

Nevertheless, aside from the aforementioned material aspects, the Royal Decree would also establish provisions on some PSD2 transversal matters. First of all, it will be interesting to see how the regulation will develop the new security measures, particularly in light of the guidelines and policies adopted at EU level on Strong Customer Authentication and the regulatory technical standards. Secondly, the Royal Decree will also include specifications on third party payment providers that fall within the Directive’s scope to duly regulate their activities.

Starting with the latter, PSD2 now recognises third party payment services providers (TPPs). Until now, TPPs had faced significant barriers when offering their solutions across the EU due to security and secrecy concerns raised by some PSPs. PSD2 seeks to deal with these concerns by bringing TPPs within the scope of regulation and promoting competition with traditional payment services providers by facilitating their operation. There would now be two new payment services to be covered by the activities of TPPs: Payment Initiation Services (PIS) and Account Information Services (AIS). PIS would be a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another PSP. AIS would be an online service to provide consolidated information on one or more payment accounts held by the payment service user with another PSP or with more than one PSP.

It must be noted that the public consultation would address two core questions on which Member States are given leeway for legislative action:

  • The exemption regulated in article 32 of the PSD2, pursuant to which certain entities are totally or partially exempted from the authorisation procedure and conditions based on their transaction volume.
  • Setting the thresholds and conditions under which the exception foreseen for low-value payment instruments and e-money in relation to compliance with some obligations in the provision of payment services may be applied (article 63.2 of the PSD2).

The appearance of new players in the market has been one of the biggest controversies so far, mainly because the new set of rules requires information to be shared by the traditional financial institutions with the “newcomers”. This has attracted a great deal of attention from experts in neighbouring fields, such as data protection.

The Spanish Government’s initiative to give a voice to these stakeholders in order to find a regulatory balance that equally benefits all parties can deliver hugely positive results. This would entail a more carefully crafted level playing field, which can help reduce the costs of digital payment services for the end consumer.

Another key focus of the Directive that would be regulated by the Royal Decree is e-payment security, as it introduces new requirements relating to operational and security risks. These new security requirements are likely to require payment service providers to update their procedures, particularly in relation to authentication. PSD2 requires strong customer authentication when the payer wants to access his/her payment account online, initiate an electronic payment or transaction, or carry out any action through a remote channel that may imply a risk of payment fraud or other abuses. This strong customer authentication would consist of the use of two or more elements (which result in an authorisation code) categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These elements must be independent, so that the breach of one does not compromise the reliability of the others.

In conclusion, there are high hopes for the outcome of this public consultation, which will hopefully soon be available for analysis and conclusions.