Jurisdiction of the European Union

Legal Disclaimer: The material presented in this document is intended for general information purposes only and does not constitute legal advice or recommendation in any manner.

1. Introduction

On 23 December 2015 the revised Payment Services Directive (EU) 2015/2366 (PSD2) was published in the Official Journal of the European Union after the formal adoption by the European Parliament and the EU Council of Ministers. It came into force on 12 January 2016. From this date, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the new rules.

PSD 2 updates and complements the EU rules put in place by the Payment Services Directive 2007/64/EC, which it repeals and replaces with effect from 13 January 2018. Until then, the existing rules should be interpreted in line with PSD 2.

PSD 2 provisions related to new security measures will apply from 18 months after the date of entry into force of the relevant regulatory technical standards to be developed by the European Banking Authority (EBA) and submitted to the European Commission for adoption by 13 January 2017.

The main objectives of the new Payment Services Directive are to:

  • Contribute to a more integrated and efficient European payments market
  • Improve the level playing field for payment service providers (including new players)
  • Make payments safer and more secure
  • Protect consumers
  • Encourage lower prices for payments

The revised legal framework on payment services is complemented by Regulation (EU) 2015/751 of the European Parliament and of the Council, which introduces, in particular, rules on the charging of interchange fees for card-based transactions and aims to further accelerate the achievement of an effective integrated market for card-based payments. The Interchange Fee Regulation 2015/751 (IFR) entered into force on 9 June 2015.

    2. PSD 2 Background

    The first Payment Services Directive 2007/64/EC (PSD 1) was proposed by the European Commission in December 2005 and adopted by the European Parliament and Council in December 2007 to provide the legal foundation for the EU single market for payments and establish safer and more innovative payment services across the EU.

    PSD 1 brought substantial benefits to the payments market:

  • easier access for new market entrants
  • more competition between payment institutions and choice to consumers
  • more transparency and information for consumers
  • shorter execution times
  • strengthened refund rights
  • clearer liability of consumers and payment institutions

    At the same time, the lack of clear guidelines on how certain rules should be applied has led to diverse interpretations of such rules by local regulators in Member States. In a number of areas, such uncertainty has resulted in impaired consumer protection and competitive distortions. This problem particularly concerns the Negative Scope provisions of the Directive, e.g. the limited network / limited goods and services exclusion, or rules of refund in the event of unauthorised debits from a payer's account, which are currently applied differently by Member States.

    Furthermore, since 2007 when PSD 1 was adopted, the retail payments market has experienced significant technical innovation with rapid growth in the number of electronic and mobile payments and the emergence of new types of payment services, such as payment initiation and account information services. These developments in payment innovation are not reflected in PSD 1. Many innovative payment products or services do not fall, entirely or in large part, within the scope of Directive 2007/64/EC.

    From the security perspective, risks related to electronic payments have also increased considerably. In response to this challenge, the European Banking Authority (EBA) in close co-operation with the European Central Bank (ECB) developed Guidelines on the Security of Internet Payments. The final version of the guidelines was issued on 18 December 2014 and became applicable as of 1 August 2015. The EBA Guidelines on the Security of Internet Payments set minimum security requirements for payment services providers across the EU and will provide enhanced protection of EU consumers against payment fraud on the Internet as an interim solution until the PSD 2 requirements start to apply in 2018 / 2019.

    Taking account of these and other problems, the European Commission proposed, in July 2013, to review PSD 1 to close regulatory gaps, modernise it, encourage transparency, innovation and security in the single market and create a level playing field between different payment service providers.

    2.1. PSD 2 Chronology

  • 24 Jul 2013: Publication of a proposal for a revised PSD2 by the European Commission
  • 03 Apr 2014: Approval by the European Parliament of the final report of its Economic and Monetary Affairs Committee (ECON) on PSD 2 at its plenary session
  • 05 Dec 2014: Approval by the Council of the EU of its final compromise text on PSD 2
  • 09 Dec 2014: Debate in Council of the EU
  • 06 Jan 2015: Approval of final compromise text by Council
  • 05 May 2015: Approval of the final version of the PSD2 by the Commission, the European Parliament and the Council of the EU (the so-called "trilogue" process)
  • 08 Oct 2015: Adoption by the European Parliament
  • 16 Nov 2015: Adoption by the EU Council of Ministers
  • 23 Dec 2015: Publication in the Official Journal of the European Union
  • 12 Jan 2016: Coming into force

    3. A Summary of Changes

    The main changes in the new Payment Services Directive concern the following major areas:

  • Third party payment service providers
  • Exclusions from the scope
  • Authorisation and registration
  • Passporting
  • Consumer protection
  • Payment security and data protection
  • Liability
  • Service charges
  • The role of European Banking Authority
  • Transitional provisions

    3.1. Third party payment service providers

    PSD 2 introduces a new set of business models involving so-called third party payment service providers (TPPs). These include service providers offering payment services based on access to payment accounts held with an account servicing payment service provider, referred to as:

  • payment initiation service providers and
  • account information service providers

    Payment initiation service providers typically help consumers to initiate online credit transfers and inform the merchant immediately of the payment initiation, allowing for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute a true alternative to credit card payments as they offer an easily accessible payment service, as the consumer only needs to possess an online payment account. The payment initiation service provider must not hold at any time the payer’s funds in connection with the provision of the payment initiation service.

    Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorise their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning.

    The TPPs will have to follow the same rules as the traditional payment service providers: registration, licensing and supervision by the competent authorities. In addition, new security requirements included in the text of the PSD 2 will oblige all payment service providers to step up the security around online payments.

    3.2. Exclusions from the scope

    3.2.1. Technical Service Providers

    As mentioned above, payment initiation services and account information services have been expressly excluded from the list of exempt services under the technical service provider exclusion.

    3.2.2. Commercial Agents

    PSD 2 narrows the commercial agency exclusion to payment transactions from the payer to the payee through a commercial agent acting on behalf of only the payer or only the payee.

    3.2.3. Telecom Operators

    Under the new rules, the exclusion for payments through telecom operators now covers only payments made through telecom operators for the purchase of digital content such as music, ringtones, digital newspapers, games, or applications that are downloaded on a digital device or of electronic tickets or donations to charities. The exclusion only applies to micro-payments, i.e. payments under a certain threshold (€50 per transaction; €300 per billing month).

    The exemption will also only apply to payment services when provided in addition to electronic communications services for a subscriber to the network or service.

    Telecom operators that engage in such an activity will have to notify the competent authorities, on an annual basis, that they comply with these limits. The activity will also be listed in the public registers.

    3.2.4. Specific Payment Instruments of Limited Use

    PSD 2 requires that service providers carrying out either of the activities falling under the limited network exclusion, for which the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million, send a notification to competent authorities, so that these can take a duly motivated decision on whether the activity qualifies as a limited network and whether the network has to apply for a licence as a payment institution.

    3.3. Authorisation and registration

    The main changes here relate to the enhanced levels of payment security under PSD 2. Entities that wish to be authorised as a payment institution will have to provide with their application:

  • a description of the procedure to monitor, handle and follow up a security incident and security related customer complaints;
  • a description of the process to file, monitor, track and restrict access to sensitive payment data;
  • a description of business continuity arrangements;
  • a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud and
  • a security policy document

    Specific capital requirements have been defined for third party service providers in relation to their respective activities and the risks these represent. Payment initiation service providers will have to hold their capital at no less than EUR 50 000 at all times. Third party service providers are not subject to own fund requirements. However, they need to hold professional indemnity insurance covering the territories in which they offer services.

    Under PSD 2, Member States will continue to have an option to offer a lighter authorisation regime, with the difference that Member States making use of the option will be allowed to decide to define a limit lower than EUR 3 million.

    3.4. Passporting

    To reinforce the investigative and supervisory powers of the host Member State, PSD 2 has introduced a more detailed passporting procedure. This procedure will ensure better cooperation and information exchange between the national competent authorities.

    PSD 2 clearly defines the information to be communicated to the competent authorities where an authorised payment institution intends to provide payment services in another Member State by engaging an agent or establishing a branch.

    The payment institution will also have to notify the competent authorities of the home Member State of the date from which it commences its activities through the agent or branch in the relevant host Member State, as well as of any relevant change regarding the required information pack, including additional agents, branches or entities to which activities are outsourced in the host Member States in which it operates.

    Furthermore, the host Member State can ask payment institutions operating with agents and branches in its territory to regularly report on their activities. To that end, the payment institution can be requested to set up a central contact point in the host territory.

    In emergency situations, requiring immediate action, the host Member State is allowed to take precautionary measures with regard to the payment institution concerned, in parallel to the host's duties of cooperation with the home Member State to find a remedy.

    3.5. Consumer protection

    PSD 2 seeks to further enhance consumer rights and protect consumers against unfair and misleading practices.

    3.5.1. Right to Information

    Under PSD 2, the consumer's right to information has been extended to include:

  • information that payment initiation service providers are required to provide to payment service users prior to and after the initiation of a payment order;
  • information on the form of and procedure for giving consent to initiate a payment order and withdrawal of such consent;
  • information on the rights related to the use of co-badged card-based payment instruments and some others

    3.5.2. Liability for Unauthorised Transactions

    The liability rules in case of unauthorised transactions have been streamlined to ensure enhanced protection of the legitimate interests of payment users. Except in cases of fraud or gross negligence by the payer, the maximum amount a payer could, under any circumstances, be obliged to pay in the case of an unauthorised payment transaction has been decreased from €150 to €50.

    3.5.3. Unconditional Right to Refund

    PSD 2 also provides a legislative basis to the unconditional refund right that already exists for SEPA direct debit (i.e. direct debits in euro). In such cases, payers can request a refund even in the case of a disputed payment transaction. For direct debits in currencies other than euro, Member States may require that refund rights be more advantageous to payers.

    3.5.4. The Blocking of Funds on a Payment Account

    Where a payment transaction is initiated by or through the payee in the context of a card-based payment transaction and the exact amount is not known in advance, the payee, under PSD 2, will only be allowed to block funds on the account of the payer if the payer has approved the exact amount that can be blocked. The payer's bank will have to immediately release the blocked funds after having received the information about the exact amount and at the latest after having received the payment order.

    3.5.5. One-leg Transactions and All Currencies

    PSD 2 will apply to payment transactions in all currencies where only one of the payment service providers is located within the Union (also known as one-leg-out transactions), hence covering payment transactions to persons outside the EU as regards the EU part of the transaction. PSD 2 extends a number of obligations, notably information obligations, to payments to and from third countries, where one of the payment service providers is located in the European Union. Banks and other payment service providers that are located in the EU will have to provide information and transparency on the costs and conditions of these international payments, e.g. the maximum execution time, at least in respect of their part of the transaction. They can also be held liable for their part of the payment transaction if something goes wrong that is attributable to them.

    3.5.6. Alternative Dispute Resolution

    On the dispute resolution side, the new Directive will oblige Member States to designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of the Directive. Payment service providers will have to put in place a complaints procedure for consumers that they can use before seeking out-of-court redress or before launching court proceedings. The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days.

    3.6. Payment security and data protection

    3.6.1. Strong Customer Authentication

    Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. Strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction (more specifically, whether the use of a payment instrument is authorised). SCA must be applied in 3 cases:

  • when the payer accesses its payment account online;
  • when the payer initiates an electronic payment transaction;
  • when the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses

    Exemptions to the principle of strong customer authentication may be possible, taking account of the risks involved, the value of transactions and the channels used for the payment. Such exemptions could include low value payments at the point of sale, such as mobile and contactless payments.

    3.6.2. Dynamic Authentication Codes

    For electronic remote payment transactions, such as online payments, the strong customer authentication must include elements which dynamically link the transaction to a specific amount and a specific payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.

    3.6.3. Operational and Security Risks

    Payment service providers must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers will have to establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

    Payment service providers will have to provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.

    3.6.4. Security Incident Reporting

    In the case of a major operational or security incident, payment service providers will be required to immediately notify the competent authority in their home Member State.

    Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider will be obliged to immediately inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

    3.6.5. Access to Payment Accounts through PISP and AISP

    Under PSD 2, third party payment service providers (TPPs) are allowed access to and the use of information on the availability of funds on a payment account held by a consumer with another payment service provider. Account servicing payment service providers will be required to allow access to their systems to TPPs.

    For this purpose, PSD 2 provides for a common framework with clear conditions under which these providers can access the financial information on behalf of their client.

    Thus, TPPs' access to the account of the payer will be restricted to the information they need in order to provide their services. Those offering payment instruments or payment initiation services will only be able to receive information from the payer's bank on the availability of funds on the account (just a yes or no answer) before initiating the payment, while account information service providers will only receive the information explicitly consented to by the payer and only to the extent necessary for the service to be provided to the payer.

    Access to a payment account in the case of payment initiation services will be subject to certain conditions being met. Among them:

  • the payment account of the payer must be accessible online at the time of the request;
  • the payer has given explicit consent to the account servicing payment service provider to respond to requests from a specific payment service provider;
  • the consent has been given before the first request for confirmation is made;
  • the payment initiation service provider must ensure that the personalised security credentials of the payment service user are not accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;
  • every time a payment is initiated, the payment initiation service provider must identify itself towards the account servicing payment service provider of the payer and communicate with the account servicing payment service provider, the payer and the payee in a secure way;
  • the payment initiation service provider must not store sensitive payment data of the payment service user;
  • the payment initiation service provider must not request from the payment service user any data other than those necessary to provide the payment initiation service

    In the case of account information services the following conditions are added to the list above:

  • For each communication session, the account information service provider must identify itself towards the account servicing payment service provider(s) of the payment service user and securely communicate with the account servicing payment service provider(s) and the payment service user;
  • The account information service provider must access only the information from designated payment accounts and associated payment transactions;
  • The account information service provider must not request sensitive payment data linked to the payment accounts

    3.6.6. Personalised Security Credentials

    Payment service providers must have in place adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials.

    3.7. Liability

    In the case where the payee or the payee's payment service provider fails to accept strong customer authentication, it will have to refund the financial damage caused to the payer’s payment service provider. Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently.

    PSD 2 also fully clarifies the liability issues between the bank servicing the account of the payer and the payment initiation service. When a payment initiation service provider is used by a payer to initiate a payment, it will be liable for any payment incidents within its sphere. In particular, the bank of the payer will not be held liable for payment incidents that can be traced back to the initiator.

    3.8. Service charges

    Under PSD 2, merchants will no longer be allowed to surcharge consumers for using their debit or credit cards or for payment services based on credit transfer or direct debit. This will apply to domestic as well as cross-border payments.

    If the payee applies a charge to steer the payer towards the use of a given payment instrument, such charges must not exceed the direct costs borne by the payee for the use of the specific payment instrument.

    The payer will only be obliged to pay such charges, if their full amount was made known prior to the initiation of the payment transaction.

    PSD 2 introduces a new rule concerning charges for termination of the framework contract. Thus, termination of the framework contract must be free of charge for the payment service user except where the contract has been in force for less than 6 months. Such charges, if any, must be appropriate and in line with costs.

    3.9. The Role of European Banking Authority

    Under PSD 2, the European Banking Authority (EBA) has been given a key role in:

  • ensuring consistent application and interpretation of the Directive;
  • increasing customer protection;
  • enhancing transparency of the operation of payment institutions;
  • improving cooperation and information exchange between competent authorities of Member States

    3.9.1. EBA Guidelines and Draft Regulatory Technical Standards

    To fulfil this role, PSD 2 confers on the EBA the development of six regulatory technical standards (RTS) and five sets of guidelines.

    The EBA is to issue guidelines on:

  • the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee (addressed to the competent authorities), by 13 January 2017;
  • the information to be provided to the competent authorities in the application for the authorisation of payment institutions, by 13 July 2017;
  • the establishment, implementation and monitoring of the security measures in the context of operational and security risks management, by 13 July 2017;
  • the classification of major operational or security incidents and the content, the format, including standard notification templates, and the procedures for notifying such incidents (addressed to payment service providers), and the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities (addressed to the competent authorities), by 13 January 2018; and
  • the complaints procedures, by 13 January 2018

    The EBA is to develop and submit to the European Commission for adoption the following draft RTS:

  • draft RTS specifying:
      • the requirements of the strong customer authentication;
      • the exemptions from the requirement to apply strong customer authentication;
      • the requirements for the protection of the confidentiality and integrity of payment service users’ personalised security credentials;
      • the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers, by 13 January 2017;
  • draft RTS specifying the criteria to be applied when determining the circumstances when the appointment of a central contact point is appropriate, and the functions of those contact points, by 13 January 2017;
  • draft RTS setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein, by 13 January 2018;
  • draft RTS specifying the framework for cooperation, and for the exchange of information, between competent authorities of the home and of the host Member State regarding the application to exercise the right of establishment and freedom to provide services, by 13 January 2018;
  • draft RTS specifying the framework for cooperation, and for the exchange of information, between the competent authorities of the home Member State and of the host Member State and to monitor compliance with the provisions of the relevant national law in the context of supervision of payment institutions operating on a cross-border basis, by 13 January 2018

    The EBA may also develop draft RTS specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, if it deems this appropriate.

    In preparation of the guidelines and the RTS, the EBA will conduct open public consultations by way of issuing Discussion and Consultation Papers to collect opinions of relevant stakeholders, including those in the payment services market. The responses will be assessed by the EBA before finalising the documents.

    The European Commission will then have 3 months from the date of receipt of a draft RTS to decide whether to endorse it, endorse it in part or reject it.

    The EBA will also be responsible for reviewing and, if appropriate, updating the guidelines and the regulatory technical standards on a regular basis.

    3.9.2. EBA Register

    In the context of transparency policy, the EBA will develop, operate and maintain an electronic central register that will contain the following information to be supplied by the competent authorities:

  • authorised payment institutions and their agents;
  • natural and legal persons benefiting from an exemption from the authorisation requirement and their agents; and
  • other institutions that are entitled under national law to provide payment services

    The register will be publicly available on the EBA's website with access to and search for the information listed free of charge.

    3.10. Transitional Period

    3.10.1. General Approach

    From the date of entry into force of PSD 2, the existing rules set out in PSD 1 should be interpreted in line with PSD 2. Member States are not allowed to adopt new measures contradicting the provisions of PSD 2.

    The EBA Guidelines on the Security of Internet Payments serve as an interim solution, until the application of the PSD 2 and its more comprehensive security requirements.

    When the EBA guidelines are applied by the competent authorities of the Member States in the transitional period, they will be interpreted, in so far as there is any scope to do so, in line with the PSD 2 content and objectives. As a consequence, compliance with the EBA Guidelines on the Security of Internet Payments should not be used to justify obstructing or blocking the use of payment initiation or account information services.

    Pending the full application of PSD 2 rules, including the rules on the security of payments, and in accordance with PSD 2 text, “Member States, the Commission, the European Central Bank and the European Banking Authority, will guarantee fair competition in that market avoiding unjustifiable discrimination against any existing player on the market”.

    3.10.2. Authorised Payment Institutions

    Payment institutions authorised under PSD 1 by 13 January 2018 will be allowed to continue their activities without being required to seek authorisation under PSD 2 or to comply with the other relevant provisions of PSD 2 until 13 July 2018.

    Payment institutions authorised under PSD 1 will be required to submit all relevant information to the competent authorities in order for the competent authorities to assess, by 13 July 2018, whether these comply with the new requirements. Payment institutions that qualify will be granted authorisation and entered in the registers. Those that do not will be prohibited from providing payment services starting from 13 July 2018.

    Payment institutions that have been granted authorisation to provide payment services as referred to in point 7 of the Annex to PSD 1 will retain that authorisation for the provision of those payment services which are considered to be payment services as referred to in point 3 of Annex I to PSD 2 where, by 13 January 2020, the competent authorities have the evidence that the requirements for initial capital and own funds under PSD 2 are complied with.

    Authorisation under PSD 2 may be granted automatically if the competent authorities already have evidence that the relevant PSD 2 requirements are complied with. The payment institutions will be informed accordingly before the authorisation is granted.

    3.10.3. Small Payment Institutions

    Small payment institutions registered under PSD 1 will be allowed to continue their activities until 13 January 2019 without being required to seek authorisation or to obtain an exemption under PSD 2, or to comply with the other relevant provisions of PSD 2. Where the competent authorities have evidence that the relevant PSD 2 requirements are complied with, the small payment institutions will be entered in the registers automatically with prior notification to this effect.

    Small payment institutions not authorised or exempted under PSD 2 by 13 January 2019 will be prohibited from providing payment services.

    3.10.4. Electronic Money Institutions

    By way of amendments to Directive 2009/110/EC (EMD) electronic money institutions that have, before 13 January 2018, taken up activities regulated by the EMD and PSD 1 in the Member State in which their head office is located will be allowed to continue those activities in that Member State or in another Member State without being required to seek authorisation or to comply with other relevant requirements until 13 July 2018.

    Electronic money institutions will be required to submit all relevant information to the competent authorities in order for the competent authorities to assess, by 13 July 2018, whether these electronic money institutions comply with the new requirements. Electronic money institutions that qualify will be granted authorisation and be entered in the registers. Those that do not will be prohibited from providing payment services starting from 13 July 2018.

    3.10.5. Payment Initiation and Account Information

    PSD 2 provisions ensure that providers of payment initiation services and account information services that are already established in the market can continue to perform their activities. More specifically, PSD 2 introduces direct obligations on the Member States, requiring them to maintain the current status quo. They shall allow existing PISPs or AISPs in their territories to operate in accordance with the currently applicable regulatory framework.

    As the provision of payment initiation and account information services is a new payment service recognised in PSD 2, existing and new providers of such services would need to apply for authorisation under the PSD 2 regime from the date of application of the new Directive.

    Furthermore, because the new security measures of PSD 2 regarding strong customer authentication and standards for secure communication will become applicable later than other provisions, PISPs and AISPs that seek authorisation under PSD 2 are not required to submit proof of compliance with these security requirements until that later date. As provision of both types of services is dependent on the authentication procedures provided by banks, upgrades to the security requirements and procedures applied by banks need to be fully implemented by banks before the application of these measures is possible for the payment initiation and account information services. In case banks do not comply on time with the security requirements and standards for secure communication, they cannot use this noncompliance to hinder or obstruct the use of payment initiation and account information services.

    For details on these and other changes, see the relevant sections below.

    4. Changes in More Detail

    4.1. Definitions

    PSD 2 updates Article 4 (Definitions) by way of introducing a set of new terms and definitions to cover the recent developments in the payments market, modifying a number of existing ones and adding a few already defined in other relevant legislation. These are as follows.

    4.1.1. Payment Services
  • Payment initiation service means a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider (Art.4(15), PSD 2);
  • Account information service means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (Art.4(16), PSD 2);
  • Credit transfer means a payment service for crediting a payee’s payment account with a payment transaction or a series of payment transactions from a payer’s payment account by the payment service provider which holds the payer’s payment account, based on an instruction given by the payer (Art.4(24), PSD 2);
  • Acquiring of payment transactions means a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee (Art.4(44), PSD 2);
  • Issuing of payment instruments means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions (Art.4(45), PSD 2)

    4.1.2. Actors
  • Account servicing payment service provider means a payment service provider providing and maintaining a payment account for a payer (Art.4(17), PSD 2);
  • Payment initiation service provider means a payment service provider pursuing business activities as referred to in point (7) of Annex I (of PSD 2), i.e. payment initiation services (Art.4(18), PSD 2);
  • Account information service provider means a payment service provider pursuing business activities as referred to in point (8) of Annex I (of PSD 2), i.e. account information services (Art.4(19), PSD 2)

    4.1.3. Payment Security and Data Protection
  • Authentication means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials (Art.4(29), PSD 2 cf. Art.4(19), PSD 1);
  • Strong customer authentication means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data (Art.4(30), PSD 2);
  • Personalised security credentials means personalised features provided by the payment service provider to a payment service user for the purposes of authentication (Art.4(31), PSD 2);
  • Sensitive payment data means data, including personalised security credentials which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data (Art.4(32), PSD 2)

    4.1.4. Other New and Modified Definitions
  • Payment transaction means an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee (Art.4(5), PSD 2 cf. Art.4(5), PSD 1);
  • Remote payment transaction means a payment transaction initiated via internet or through a device that can be used for distance communication (Art.4(6), PSD 2);
  • The payment service user has been removed from the definition of a payment instrument as the only possible actor who can use it to initiate a payment order. The modified definition runs as follows. Payment instrument means a personalised device(s) and / or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order (Art.4(14), PSD 2 cf. Art.4(23), PSD 1);
  • Group means a group of undertakings which are linked to each other by a relationship referred to in Article 22(1), (2) or (7) of Directive 2013/34/EU or undertakings as defined in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No 241/2014 (1), which are linked to each other by a relationship referred to in Article 10(1) or in Article 113(6) or (7) of Regulation (EU) No 575/2013 (Art.4(40), PSD 2);
  • Electronic communications network means a network as defined in point (a) of Article 2 of Directive 2002/21/EC of the European Parliament and of the Council (Art.4(41), PSD 2), i.e. transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;
  • Electronic communications service means a service as defined in point (c) of Article 2 of Directive 2002/21/EC (Art.4(42), PSD 2), i.e. a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services;
  • Digital content means goods or services which are produced and supplied in digital form, the use or consumption of which is restricted to a technical device and which do not include in any way the use or consumption of physical goods or services (Art.4(43), PSD 2);
  • The definition of own funds has been updated in line with point 118 of Article 4(1) of Regulation (EU) No 575/2013. The updated version runs as follows. Own funds means funds as defined in point 118 of Article 4(1) of Regulation (EU) No 575/2013, i.e. the sum of Tier 1 capital and Tier 2 capital, where at least 75 % of the Tier 1 capital is in the form of Common Equity Tier 1 capital as referred to in Article 50 of that Regulation and Tier 2 is equal to or less than one third of Tier 1 capital (Art.4(46), PSD 2);
  • Payment brand means any material or digital name, term, sign, symbol or combination of them, capable of denoting under which payment card scheme card-based payment transactions are carried out (Art.4(47), PSD 2);
  • Co-badging means the inclusion of two or more payment brands or payment applications of the same payment brand on the same payment instrument (Art.4(48), PSD 2)

    4.2. Exemption from the Scope

    PSD 2 makes an attempt to clarify a number of uncertainties in the Negative Scope of PSD 1. The negative scope article of PSD 1 is renamed “Exclusion” in PSD 2.

    4.2.1. Commercial Agency

    The new version of Article 3(b) restricts the commercial agency exclusion to only commercial agents acting on behalf of either the payer or the payee. The exclusion will no longer apply to agents acting for both.

    Article 3(b) now runs as follows. The Directive does not apply to payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee.

    4.2.2. Technical Service Providers

    PSD 2 expressly brings under regulation payment initiation services and account information services by amending Article 3(j) as follows. The Directive does not apply to services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services.

    4.2.3. Specific Payment Instruments with Limited Use

    In PSD 2, the “limited network” exclusion has been made more specific. In order to qualify for the revised “limited network” exclusion a payment instrument offered by the issuer to a user must meet one of the conditions set out in Article 3(k).

    The new text of Article 3(k) is as follows. The Directive does not apply to services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

  • instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
  • instruments which can be used only to acquire a very limited range of goods or services;
  • instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer

    Besides, Article 37(2) of PSD 2 provides that service providers carrying out either of the following activities:

  • offering instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
  • offering instruments which can be used only to acquire a very limited range of goods or services

    or carrying out both activities, for which the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million, send a notification to competent authorities containing a description of the services offered, specifying under which exclusion the activity is considered to be carried out.

    On the basis of that notification, the competent authority will take a duly motivated decision on the basis of criteria referred to in point (k) of Article 3 where the activity does not qualify as a limited network, and inform the service provider accordingly.

    Under Article 37(4), competent authorities will be obliged to inform EBA of the services notified, stating the relevant exclusion.

    The description of the activity notified will be made publicly available in the public register of the relevant home Member State as well as in the central register maintained by the EBA (Article 37(5)).

    4.2.4. Providers of Electronic Communications Networks

    More clarity has been added to the telecommunication / IT operator exclusion in PSD 2. According to the revised point (l) of Article 3, PSD 2 does not apply to payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service:

  • for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or
  • performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets

    provided that the value of any single payment transaction does not exceed EUR 50 and:

  • the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or
  • where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month

    Article 37(3) provides that service providers carrying out one of the above-mentioned activities (point (l) of Article 3) will be obliged to send a notification to competent authorities and provide competent authorities with an annual audit opinion, testifying that the activity complies with the set limits.

    Under Article 37(4), competent authorities will be obliged to inform EBA of the services notified, stating the relevant exclusion.

    The description of the activity notified will be made publicly available in the public register of the relevant home Member State as well as in the central register maintained by the EBA (Article 37(5)).

    4.2.5. ATM Cash Withdrawals

    The exclusion regarding ATM operators which are not a party to the framework contract with the customer withdrawing money from a payment account has been revised to add the obligation by the ATM operator to provide the customer with the information on any withdrawal charges payable by the customer and, where a currency conversion service is offered at an ATM, all charges as well as the exchange rate to be applied to the transaction (Articles 45, 48, 49 and 59) before carrying out the withdrawal as well as on receipt of the cash at the end of the transaction after withdrawal (point (o) of Article 3).

    4.3. Authorisation and Registration

    PSD 2 brings a set of amendments to the existing rules on the authorisation and registration of payment institutions and introduces requirements for the new players such as payment initiation services and account information services.

    Undertakings that intend to provide payment initiation services will have to apply for authorisation, while those that intend to provide account information services will have to get registered with the competent authorities.

    4.3.1. Additional Information to Accompany an Application for Authorisation / Registration

    In addition to the information pack, which must accompany an application for authorisation provided for in PSD 1, payment institutions applying for authorisation under PSD 2 will have to submit to the competent authorities the following (points (f), (g), (h), (i), (j) of Article 5 (1)):

  • a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96 (Incident reporting);
  • a description of the process in place to file, monitor, track and restrict access to sensitive payment data;
  • a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans;
  • a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;
  • a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data

    The security control and mitigation measures must indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures must also include the management of operational and security risks (Article 95(1)), taking into account EBA’s guidelines on security measures when in place by 13 July 2017 (Article 95(3)).

    If the applicant intends to use agents and branches in their payment business, in addition to a description of the intended use of agents and branches they will also have to submit a description of off-site and on-site checks that they will have to perform on their agents and branches at least annually, according to point (l) of Article 5(1).

    Under Article 5(2), undertakings that apply for authorisation to provide payment initiation services are required, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their liabilities as specified in Articles 73 (Payment Service Provider’s Liability for Unauthorised Payment Transactions), 89 (Payment Service Providers’ Liability for Non-execution, Defective or Late Execution of Payment Transactions), 90 (Liability in the case of Payment Initiation Services for Non-execution, Defective or Late Execution of Payment Transactions) and 92 (Right of Recourse).

    Undertakings that apply for registration to provide account information services are required, as a condition of their registration, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information (Article 5(3)).

    For applicants applying under PSD 2, the European Banking Authority (EBA) is expected to issue by 13 July 2017 guidelines concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions (Article 5(5)).

    In this context, the EBA will also be required, under Article 5(4), to issue by 13 January 2017 guidelines, addressed to the competent authorities, on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3 of Article 5 mentioned above. For more details, see the section on EBA's role under PSD 2 below.

    4.3.2. Qualifying Holding

    PSD 2 introduces a separate article setting forth rules on the control of the shareholding.

    Under Article 6(1), any natural or legal person who has taken a decision to acquire or to further increase, directly or indirectly, a qualifying holding in a payment institution, as a result of which the proportion of the capital or of the voting rights held would reach or exceed 20 %, 30 % or 50 %, or so that the payment institution would become its subsidiary, must inform the competent authorities of that payment institution in writing of their intention in advance. The same applies to any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding, or to reduce its qualifying holding so that the proportion of the capital or of the voting rights held would fall below 20 %, 30 % or 50 %, or so that the payment institution would cease to be its subsidiary.

    The proposed acquirer of a qualifying holding will have to supply to the competent authority information indicating the size of the intended holding as well as other information required by the competent authority to carry out the prudential assessment in accordance with Article 23 of Directive 2013/36/EU (Article 6(2)).

    Article 6(3) requires that, where the influence exercised by a proposed acquirer of a qualifying holding is likely to operate to the detriment of the prudent and sound management of the payment institution, the competent authorities at the national level will have to express their opposition or take other appropriate measures to bring that situation to an end. Such measures may include injunctions, penalties against directors or the persons responsible for the management, or the suspension of the exercise of the voting rights attached to the shares held by the shareholders or members of the payment institution in question. Similar measures will apply to natural or legal persons who fail to comply with the obligation to notify the competent authority in advance.

    If a holding is acquired despite the opposition of the competent authorities, Article 6(4) requires Member States, regardless of any other penalty to be adopted, to provide for the exercise of the corresponding voting rights to be suspended, the nullity of votes cast or the possibility of annulling those votes.

    4.3.3. Initial Capital

    The revised payment services directive extends the list of allowable initial capital items. The updated version of the Article provides that initial capital of a payment institution must comprise one or more of the following items referred to in Article 26(1) (a) to (e) of Regulation (EU) No 575/2013:

  • capital instruments, provided certain conditions are met (for details see Articles 28 and 29 of the Regulation);
  • share premium accounts related to the instruments referred to in the bullet point above;
  • retained earnings;
  • accumulated other comprehensive income;
  • other reserves

    The retained earnings, accumulated other comprehensive income and other reserves items will only be recognised for this purpose where they are available to the institution for unrestricted and immediate use to cover risks or losses as soon as these occur (2nd paragraph of Article 26(1) of Regulation (EU) No 575/2013).

    4.3.3.1. Initial Capital Requirements for Payment Initiation Service Providers

    PSD 2 lays down the initial capital requirement for payment initiation service providers. According to point (b) of Article 7, payment institutions providing payment initiation services must hold, at any time, initial capital of no less than EUR 50 000.

    4.3.4. Own Funds

    Paragraph 3 of the Own Funds article concerning payment institutions included in the consolidated supervision of the parent credit institution has been updated to include references to relevant provisions of the recent prudential supervision legislation, i.e. Directive 2013/36/EU and Regulation (EU) No 575/2013, in particular Article 7.

    Article 9(1) of PSD 2 exempts payment institutions offering only payment initiation services or account information services, or both from the obligation to meet specific own funds requirements.

    4.3.5. Safeguarding Requirements

    The revised safeguarding requirements concern payment institutions which provide payment services listed in Annexe I to PSD 2 except for payment initiation services and account information services. According to Article 10(1) payment initiation service providers and account information service providers are exempt from the safeguarding requirements.

    Article 10 of PSD 2 makes no mention of being engaged in other business activities at the same time as providing payment services as a condition for being subject to safeguarding requirements as it was in Article 9(1) of PSD 1. In PSD 1, it was at the discretion of Member States or their competent authorities whether to require a payment institution which is not engaged in other business activities to comply with the safeguarding requirements or not.

    The option provided under PSD 1 for Member States or their competent authorities to limit the safeguarding requirements to funds of those payment service users whose funds individually exceed a threshold of EUR 600 has also been removed. The new version of the Article emphasises that all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions must be safeguarded.

    4.3.6. Registered Office Requirements

    Under Article 11(3) of PSD 2, a payment institution which, under the national law of its home Member State is required to have a registered office, must have its head office in the same Member State as its registered office and must carry out at least part of its payment service business there.

    4.3.7. Other Allowable Activities

    There are only minor changes to the PSD 2 Article 18 on the activities payment institutions are entitled to engage in apart from the provision of payment services.

    Thus, the 3rd paragraph of Article 18 brings the meaning of a ‘deposit’ or ‘other repayable funds’ in line with Article 9 of Directive 2013/36/EU and the meaning of ‘electronic money’ in line with point (2) of Article 2 of Directive 2009/110/EC removing the references to the repealed Directives 2006/48/EC and 2000/46/EC respectively.

    The updated article emphasises that all the conditions mentioned in the 4th paragraph must be met in order for a payment institution to grant credit related to the provision of payment services as referred to in point (4) or (5) of Annexe I, i.e. execution of payment transactions where the funds are covered by a credit line for a payment service user and issuing of payment instruments and / or acquiring of payment transactions. The conditions themselves remained the same.

    Under paragraph 6, PSD 2 will apply without prejudice to Directive 2008/48/EC on credit agreements for consumers, which replaced Council Directive 87/102/EEC, other relevant European Union law or national measures regarding conditions for granting credit to consumers not harmonised by the Directive that comply with the European Union law.

    4.3.8. Exemptions

    In PSD 2, Section 4 of Title II on exemption of payment institutions from certain requirements concerning the authorisation, use of agents, branches and outside service providers, and supervision has received a new title. The old one ‘Waiver’ has been replaced with ‘Exemption’.

    Article 32 sets out conditions under which Member States or their competent authorities may exempt natural or legal persons providing payment services specified in points (1) to (6) of Annexe I from the application of all or part of the procedure and conditions set out in Sections 1, 2 and 3 of the 1st Chapter of Title II, with the exception of Articles 14 (Registration in the Home Member State), 15 (EBA Register), 22 (Designation of Competent Authorities), 24 (Professional Secrecy), 25 (Right to Apply to the Courts) and 26 (Exchange of Information).

    The most important change here is that under PSD 2 the limit on the monthly average value of payment transactions executed by a payment service provider within the preceding 12 months as a condition of exemption will be set by Member States at their discretion with the mandatory ceiling remaining at EUR 3 million per month.

    A separate article on account information service providers has been added to the Exemption section of PSD 2. Thus, Article 33 provides that natural or legal persons providing only the account information services will be exempt from the application of the procedure and conditions related to the authorisation and the use of agents, branches and outside suppliers (Sections 1 and 2 of Title II of PSD 2), with a number of exceptions, which are as follows:

  • Undertakings applying for registration under PSD 2 will be required to submit the following information to support their applications (points (a), (b), (e) to (h), (j), (l), (n), (p) and (q) of Article 5(1)):
      • a programme of operations setting out in particular the type of payment services envisaged;
      • a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;
      • a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;
      • a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96;
      • a description of the process in place to file, monitor, track and restrict access to sensitive payment data;
      • a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans;
      • a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;
      • a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system;
      • the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution;
      • the applicant’s legal status and articles of association;
      • the address of the applicant’s head office
  • Undertakings that apply for registration to provide account information services will be required, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information (Article 5(3));
  • Registered account information service providers will be entered in the public register of their respective home Member State and the central register of EBA (Articles 14 and 15);
  • Section 3 of Title II concerning supervision will apply to account information service providers with the exception of Article 23(3);
  • Account information service providers will be treated as payment institutions, save that Titles III (Transparency of Conditions and Information Requirements for Payment Services) and IV (Rights and Obligations in relation to the Provision and Use of Payment Services) will not apply to them, with the exception of Articles 41 (Burden of Proof on Information Requirements), 45 (Information and Conditions in respect of Single Payment Transactions) and 52 (Information and Conditions in respect of Framework Contracts) where applicable, and of Articles 67 (Rules on Access to and Use of Payment Account Information in the case of Account Information Services), 69 (Obligations of the Payment Service User in relation to Payment Instruments and Personalised Security Credentials), 95 (Management of Operational and Security Risks), 96 (Incident Reporting), 97 (Authentication) and 98 (Regulatory Technical Standards on Authentication and Communication).

    Member States will be obliged to notify the European Commission of their intention to apply an exemption pursuant to Article 32 by 13 January 2018.

    4.3.9. Public Register of Payment Institutions

    Account information service providers and their agents have been added to the list of payment institutions that must appear on the public register of their home Member State. Account information service providers will be listed in the register separately from authorised payment institutions.

    According to the 2nd subparagraph of Article 14(1), branches of payment institutions will have to be entered in the register of the home Member State if these branches provide services in a Member State other than their home Member State.

    PSD 2 requires that the register be updated without delay, rather than on a regular basis as PSD 1 puts it.

    The new Directive also introduces obligations for competent authorities to enter in the public register any withdrawal of authorisation and any withdrawal of an exemption and to notify the European Banking Authority (EBA) of the reasons for each such withdrawal.

    4.3.10. EBA’s Central Register

    Article 15 of PSD 2 mandates the European Banking Authority (EBA) to develop, operate and maintain an electronic, central register. The register will contain information from public registers maintained by Member States. Under Article 15(2) competent authorities of Member States will be obliged to notify EBA without delay of the information entered in their respective public registers.

    EBA will be required to develop draft regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein. Those draft regulatory technical standards are to be submitted to the European Commission for adoption by 13 January 2018 (Article 15(4)).

    The details and structure of the information to be notified by competent authorities to EBA, including the common format and model in which this information is to be provided, will be laid down in the relevant draft implementing technical standards to be developed by EBA and submitted by 13 July 2017 to the European Commission for adoption.

    Competent authorities will be responsible for the accuracy of the information to be supplied and for keeping that information up-to-date, while EBA will be responsible for the accurate presentation of that information. The modification of the information will only be possible by the competent authority and EBA. The EBA register will be publicly available on EBA's website and offer easy access to and easy search for the information listed free of charge.

    4.4. Accounting and Statutory Audit

    Article 17(1) updates the list of Directives to apply to payment institutions in the context of accounting and statutory audit. Thus, Directive 2013/34/EU of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings replaces in PSD 2 the repealed Directives 78/660/EEC and 83/349/EEC.

    Article 17(4) provides that the obligations established in Article 63 of Directive 2013/36/EU must apply mutatis mutandis to the statutory auditors or audit firms of payment institutions in respect of payment services activities.

    4.5. Agents, Branches and Outsourcing

    Under PSD 2, a payment institution which intends to provide payment services through an agent will be obliged to communicate the following information to the competent authorities in its home Member State (Article 19(1)):

  • the name and address of the agent;
  • a description of the internal control mechanisms that will be used by the agent in order to comply with the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849, to be updated without delay in the event of material changes to the particulars communicated at the initial notification;
  • the identity of directors and persons responsible for the management of the agent to be used in the provision of payment services and, for agents other than payment service providers, evidence that they are fit and proper persons;
  • the payment services of the payment institution for which the agent is mandated; and
  • where applicable, the unique identification code or number of the agent.

    Article 19(2) clearly defines the time frame for a reply by the competent authority and the moment the agent may start providing payment services. Thus, the competent authority of the home Member State must communicate to the payment institution whether the agent has been entered in the public register of the home Member State within 2 months of receipt of the required information. The agent may commence providing payment services upon entry in the register.

    If competent authorities consider that the information provided to them is incorrect, under PSD 2 they will be obliged to take further action to verify the information before listing the agent in the register (Article 19(3)). Under PSD 1, taking further action to verify information about the agent is at the discretion of the competent authorities.

    If, after taking action to verify the information, the competent authorities are not satisfied that the information provided to them is correct and refuse to list the agent in the register, they will be obliged to inform the payment institution without undue delay (Article 19(4)).

    A payment institution wishing to provide payment services in another Member State by engaging an agent or establishing a branch will be required to follow the procedures set out in Article 28 (Application to Exercise the Right of Establishment and Freedom to Provide Services). The obligation of the competent authorities of the home Member State to inform the competent authorities of the host Member State of their intention to register the agent and take their opinion into account has been removed (Article 19(5)).

    According to Article 14(1), branches of payment institutions will be entered in the public register of the home Member State if those branches provide services in a Member State other than their home Member State.

    IT systems are now expressly mentioned among important operational functions, which may be outsourced. Outsourcing of important operational functions must not impair the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in PSD 2 (Article 19(6)).

    Article 19(8) of PSD 2 imposes on payment institutions an obligation to communicate to the competent authorities of their home Member State without undue delay any change regarding the use of entities to which activities are outsourced and agents, including additional agents.

    4.6. Competent Authorities and Supervision

    To ensure continued compliance with the provisions of Title II on payment service providers, the competent authorities are entitled to require the payment institution to provide any information needed to monitor such compliance. The difference with PSD 1 is that under PSD 2 the competent authorities will have to specify the purpose of the request and the time limit by which the information is to be provided (point (a) of Article 23(1)).

    In PSD 2 the European Banking Authority (EBA) in its capacity of contributing to the consistent and coherent functioning of supervising mechanisms is added to the list of bodies the competent authorities of different Member States are obliged to co-operate and exchange information with (Article 26(1), point (d) of Article 26(2)).

    PSD 2 introduces a new article on settlement of disagreements between competent authorities of different Member States. Article 27 provides that where a competent authority of a Member State considers that, in a particular matter, cross-border cooperation with competent authorities of another Member State in the context of information exchange, exercise by a payment institution of the right of establishment and freedom to provide services, supervision and measures for non-compliance (Articles 26, 28, 29, 30, 31) does not comply with the relevant provisions of PSD 2, it may refer the matter to EBA and request its assistance in accordance with Article 19 (Settlement of Disagreements between Competent Authorities in Cross-border Situations) of Regulation (EU) No 1093/2010.

    If the assistance of EBA has been requested, EBA will take a decision without undue delay in accordance with Article 19(3) of Regulation (EU) No 1093/2010. EBA may also assist the competent authorities in reaching an agreement on its own initiative. In either case, the competent authorities involved will have to defer their decisions pending resolution of EBA (Article 27(2)).

    4.7. Right of Establishment and Freedom to Provide Services

    Under PSD 1, an authorised payment institution wishing to provide payment services for the first time in a Member State other than its home Member State is only obliged to inform the competent authorities in its home Member State accordingly. In PSD 2, Article 28(1) clearly defines what information a payment institution will have to communicate to the competent authorities of its home Member State, which is as follows:

  • the name, the address and, where applicable, the authorisation number of the payment institution;
  • the Member State(s) in which it intends to operate;
  • the payment service(s) to be provided;
  • where the payment institution intends to make use of an agent, the following information about the agent has to be submitted:
      • the name and address of the agent;
      • a description of the internal control mechanisms that will be used by the agent in order to comply with the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849, to be updated without delay in the event of material changes to the particulars communicated at the initial notification;
      • the identity of directors and persons responsible for the management of the agent to be used in the provision of payment services and, for agents other than payment service providers, evidence that they are fit and proper persons;
      • the payment services of the payment institution for which the agent is mandated; and
      • where applicable, the unique identification code or number of the agent;
  • where the payment institution intends to make use of a branch, the following information about the branch has to be submitted:
      • a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;
      • a description of governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;
      • with regard to the payment service business in the host Member State, a description of the organisational structure of the branch and the identity of those responsible for the management of the branch.

    Where the payment institution intends to outsource operational functions of payment services to other entities in the host Member State, it will have to inform the competent authorities of its home Member State about such intention.

    Article 28 (paragraphs 2 and 3) outlines the procedure to be followed and time limits to be observed by the competent authorities of the Member States involved. Thus, within 1 month of receipt of all of the required information the competent authorities of the home Member State are obliged to send it to the competent authorities of the host Member State. The competent authorities of the host Member State will have one month to assess that information and respond. Where the competent authorities of the home Member State do not agree with the assessment of the competent authorities of the host Member State, they will be obliged to provide the latter with the reasons for their decision.

    If the assessment of the competent authorities of the home Member State, in particular in light of the information received from the competent authorities of the host Member State, is not favourable, the competent authority of the home Member State will be obliged to refuse to register the agent or branch or withdraw the registration if already made.

    Within 3 months of receipt of the required information from the payment institution the competent authorities of the home Member State will be obliged to communicate their decision to the competent authorities of the host Member State and to the payment institution.

    The agent or branch may commence its activities in the relevant host Member State upon entry in the public register of the home Member State.

    Under Article 28(3) the payment institution will be obliged to notify the competent authorities of the home Member State of the date from which it commences its activities through the agent or branch in the relevant host Member State. The competent authorities of the home Member State will then inform the competent authorities of the host Member State accordingly.

    The payment institution will also be obliged to communicate to the competent authorities of the home Member State without undue delay any relevant change regarding the required information, including additional agents, branches or entities to which activities are outsourced in the host Member States in which it operates. The above-mentioned procedure will apply (Article 28(4)).

    Details on the co-operation between competent authorities of Member States and the exchange of information in connection with the application of a payment institution to exercise its right of establishment and freedom to provide services will be set forth in relevant regulatory technical standards (RTS) to be developed by EBA. Draft RTS are to be submitted to the European Commission for endorsement by 13 January 2018. Those draft regulatory technical standards will specify the framework for cooperation and for the exchange of information between competent authorities of the home and of the host Member States, the method, means and details of cooperation in the notification of payment institutions operating on a cross-border basis and, in particular, the scope and treatment of information to be submitted, including common terminology and standard notification templates to ensure a consistent and efficient notification process (Article 28(5)).

    4.7.1. Supervision of PIs Operating on a Cross-border Basis

    In PSD 2 the supervision of payment institutions exercising the right of establishment and freedom to provide services is the subject of a separate article. The existing provisions of PSD 1 have been extended to enhance compliance.

    Thus, for information and statistical purposes and in order to monitor compliance with national law transposing Titles III (Transparency of Conditions and Information Requirements for Payment Services) and IV (Rights and Obligations in relation to the Provision and Use of Payment Services) of PSD 2 the competent authorities of host Member States may require payment institutions having agents or branches within their territories to report to them periodically on the activities carried out in their territories. Such agents and branches will be subject to professional secrecy requirements (Article 29(2)).

    Under Article 29(4), Member States may require payment institutions operating on their territory through agents and whose head office is situated in another Member State to appoint a central contact point in their territory to ensure adequate communication and information reporting on compliance with relevant provisions of PSD 2 and to facilitate supervision by competent authorities of home Member State and host Member States, including by providing competent authorities with documents and information on request.

    The criteria to be applied when determining the circumstances when the appointment of a central contact point is appropriate, and the functions of those contact points will be set out in relevant regulatory technical standards to be developed by EBA and submitted to the European Commission for adoption by 13 January 2017 (Article 29(5)).

    In particular, those draft regulatory technical standards will have to take account of:

  • the total volume and value of transactions carried out by the payment institution in host Member States;
  • the type of payment services provided; and
  • the total number of agents established in the host Member State.

    Article 29(6) requires that EBA develop draft regulatory technical standards specifying the framework for cooperation, and for the exchange of information, between the competent authorities of the home Member State and of the host Member State under Title II (Payment Service Providers) of PSD 2 and to monitor compliance with the provisions of national law transposing Titles III (Transparency of Conditions and Information Requirements for Payment Services) and IV (Rights and Obligations in relation to the Provision and Use of Payment Services). The draft regulatory technical standards will specify the method, means and details of cooperation in the supervision of payment institutions operating on a cross-border basis and, in particular, the scope and treatment of information to be exchanged, to ensure consistent and efficient supervision of payment institutions exercising cross-border provision of payment services. Those draft regulatory technical standards will also specify the means and details of any reporting requested by host Member States from payment institutions on the payment business activities carried out in their territories in accordance with paragraph 2 of Article 29 (see above), including the frequency of such reporting. The draft RTS are to be submitted to the European Commission for adoption by 13 January 2018.

    4.7.2. Measures in Case of Non-compliance

    PSD 2 introduces an article on measures to be taken by competent authorities of Member States in cases of non-compliance by payment institutions with provisions of PSD 2 (Titles II, III and IV).

    Article 30(1) requires that where the competent authority of the host Member State ascertains that a payment institution having agents or branches in its territory does not comply with Title II (Payment Service Providers) or with national law transposing Title III (Transparency of Conditions and Information Requirements for Payment Services) or Title IV (Rights and Obligations in relation to the Provision and Use of Payment Services), the competent authority of the host Member State inform the competent authority of the home Member State without delay.

    The competent authority of the home Member State, after having evaluated the information received, will be required to take, without undue delay, all appropriate measures to ensure that the payment institution concerned puts an end to its irregular situation. The competent authority of the home Member State will be obliged to communicate those measures without delay to the competent authority of the host Member State and to the competent authorities of any other Member State concerned.

    In emergency situations, where immediate action is necessary to address a serious threat to the collective interests of the payment service users in the host Member State, the competent authorities of the host Member State may, in parallel to the cross-border cooperation between competent authorities and pending measures by the competent authorities of the home Member State, take precautionary measures (Article 30(2)).

    Article 30(3) provides that any such precautionary measures must be appropriate and proportionate to their purpose to protect against a serious threat to the collective interests of the payment service users in the host Member State. They must not result in a preference for payment service users of the payment institution in the host Member State over payment service users of the payment institution in other Member States. Precautionary measures must be temporary and must be terminated when the serious threats identified are addressed, including with the assistance of or in cooperation with the home Member State’s competent authorities or with EBA.

    Article 30(4) requires that the competent authorities of the host Member State, where compatible with the emergency situation, inform the competent authorities of the home Member State and those of any other Member State concerned, the Commission and EBA in advance and in any case without undue delay, of the precautionary measures taken and of their justification.

    Article 31(1) obliges the competent authorities taking measures which involve penalties or restrictions on the exercise of the freedom to provide services or the right of establishment to properly justify such measures and communicate them to the payment institution concerned.

    The supervision or monitoring of the compliance with the requirements of anti-money laundering laws will be carried out by the competent authorities in accordance with Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing and Regulation (EU) 2015/847 on Information Accompanying Transfers of Funds.

    4.8. Access to Payment Systems and Accounts Maintained with a Credit Institution

    Provisions concerning access to payment systems have not changed much in PSD 2.

    Article 35(2), which defines the cases to which the general access rules set out in Article 35(1) do not apply, now contains a clarification of point (a) on payment systems designated under Directive 98/26/EC. It requires a participant in a designated system that allows an authorised or registered payment service provider that is not a participant in the system to pass transfer orders through the system to give, when requested, the same opportunity to other authorised or registered payment service providers in line with the principle of objective, non-discriminatory and proportionate access to payment systems referred to in Article 35(1). In the case of rejection, the participant will have to provide the requesting payment service provider with full reasons for any such rejection.

    One of the most important changes to the industry rules is introduced by Article 36 on access to accounts maintained with a credit institution. The article obliges Member States to ensure that payment institutions have access to credit institutions’ payment accounts services on an objective, non-discriminatory and proportionate basis. Such access must be sufficiently extensive as to allow payment institutions to provide payment services in an unhindered and efficient manner. In the case of rejection, the credit institution will have to provide the competent authority with duly motivated reasons for any such rejection.

    4.9. Customer Protection

    One of the main objectives of the revised Payment Services Directive (PSD 2) is to ensure enhanced customer protection. The following changes to the rules have been introduced for this purpose.

    4.9.1. Payment Service Users’ Right to Information

    The existing general rules on the transparency of conditions and availability of information set out in Articles 30 to 34 of Chapter 1 of Title III of PSD 1 have not changed much in PSD 2 (Articles 38 to 42). The most important changes in Title III concern specific areas such as single payment transactions, framework contracts, currency conversion and charges.

    4.9.1.1. Single Payment Transactions

    Point (a) of Article 45 on information and conditions with regard to single payment transactions puts a specific emphasis on the initiation of a payment order and requires the payment service provider to provide for the payment service user a specification of the information or unique identifier to be supplied by the payment service user in order for a payment order to be properly initiated or executed.

    In addition, Article 45(2) specifies what information payment initiation service providers must provide the payer with, or make available to the payer, prior to initiation, in a clear and comprehensive manner. This information must comprise the following elements:

  • the name of the payment initiation service provider, the geographical address of its head office and, where applicable, the geographical address of its agent or branch established in the Member State where the payment service is offered, and any other contact details, including electronic mail address, relevant for communication with the payment initiation service provider; and
  • the contact details of the competent authority.

    Article 46 has been added to PSD 2 to specify information to be provided for the payer and payee after the initiation of a payment order. It requires that in addition to the information and conditions specified in Article 45, where a payment order is initiated through a payment initiation service provider, the payment initiation service provider, immediately after initiation, provide or make available all of the following data to the payer and, where applicable, the payee:

  • confirmation of the successful initiation of the payment order with the payer’s account servicing payment service provider;
  • a reference enabling the payer and the payee to identify the payment transaction and, where appropriate, the payee to identify the payer, and any information transferred with the payment transaction;
  • the amount of the payment transaction;
  • where applicable, the amount of any charges payable to the payment initiation service provider for the transaction, and where applicable a breakdown of the amounts of such charges.

    Article 47 requires that a payment initiation service provider through which a payment order is initiated make available to the payer’s account servicing payment service provider the reference of the payment transaction.

    4.9.1.2. Framework Contracts

    Point (b) of Article 52(2) on information and conditions to be provided to the payment service user in connection with framework contracts specifically mentions the initiation of a payment order and requires the payment service provider to provide for the payment service user a specification of the information or unique identifier that has to be supplied by the payment service user in order for a payment order to be properly initiated or executed.

    A requirement to provide for the payment service user the form of and procedure for giving consent to initiate a payment order has been added to the existing requirements to provide the form of and procedure for giving consent to execute a payment transaction and withdrawal of such consent (point (c) of Article 52(2)).

    Point (g) has been added to the article on information and conditions to be provided to the payment service user in connection with framework contracts (Article 52(2)), which requires that, in the case of co-badged, card-based payment instruments, payment service providers provide for the payment service user information on the payment service user’s rights under Article 8 (Co-badging and Choice of Payment Brand or Payment Application) of Regulation (EU) 2015/751 on interchange fees for card-based payment transactions.

    Article 52(3) adds a clarification regarding the information to be provided to payment service user with regard to charges payable to the payment service provider. Thus, point (a) of Article 52(3) requires that the payment service user be provided with information on all charges payable by the payment service user to the payment service provider including those connected to the manner in and frequency with which information under PSD 2 is provided or made available.

    A new point has been introduced into Article 52(5) on information and conditions regarding safeguards and corrective measures. Thus, point (b) of Article 52(5) requires that the payment service user be provided with information on the secure procedure for notification of the payment service user by the payment service provider in the event of suspected or actual fraud or security threats.

    The existing requirement to provide the payment service user with information on how and within what period of time the payment service user is expected to notify the payment service provider of any unauthorised or incorrectly executed payment transaction has been extended in PSD 2 to include any unauthorised or incorrectly initiated payment transaction (point (e) of Article 52(5)).

    In addition to the existing requirement to inform the payment service user of the liability of the payment service provider for correct execution of payment transactions, point (f) of Article 52(5) requires that the payment service user be informed of the liability of the payment service provider for the correct initiation of payment transactions.

    Article 54(1) of PSD 2 on changes in conditions of the framework contract now states that the payment service user can accept or reject the proposed changes before the proposed date of their entry into force.

    Under PSD 2 (Article 55(2)) the termination of a framework contract will be free of charge for the payment service user after 6 months from the date of its entry into force, rather than after the expiry of 12 months as is now the case under PSD 1.

    Article 57(2) introduces a requirement for a framework contract to include a condition that the payer may require the information listed in Article 57(1), such as the reference and the amount of the payment transaction, the amount of any related charges, the exchange rate and the debit value date or the date of receipt of the payment order, to be provided or made available periodically, at least once a month, free of charge.

    4.9.1.3. Information Requirements where Currency Conversion is Involved

    Under Article 59(2) of PSD 2 the party offering the currency conversion service prior to the initiation of the payment transaction will also be obliged to disclose to the payer all charges as well as the exchange rate to be used for converting the payment transaction when that currency conversion service is offered at an ATM. Under PSD 1 the obligation only concerns cases where the currency conversion service is offered at the point of sale or by the payee (Article 49(2) of PSD 1).

    4.9.1.4. Information on Additional Charges

    Article 60(2) of PSD 2 clarifies the PSD 1 wording “a payment service provider or a third party”, which may request a charge for the use of a given payment instrument. "A third party" in PSD 1 has been replaced with "another party involved in the transaction" in PSD 2.

    PSD 2 introduces a new rule, which obliges the payer to pay the charges for the use of a given payment instrument requested by the payee, the payment service provider or another party involved in the transaction only if their full amount has been made known to the payer prior to the initiation of the payment transaction (Article 60(3)).

    4.9.2. Applicable Charges

    PSD 2 contains revised rules on the allocation of applicable charges between the payer and the payee and requesting charges or offering reductions by the payee for the use of a particular payment instrument (Article 62(2,3,4)).

    4.9.2.1. Allocation of Charges

    The existing rule on the allocation of applicable charges for payment transactions has been revised as follows. Article 62(2) of PSD 2 requires that for payment transactions provided within the European Union, where both the payer’s and the payee’s payment service providers are, or the sole payment service provider in the payment transaction is, located in the EU, the payee pay the charges levied by his payment service provider, and the payer pay the charges levied by his payment service provider. In PSD 1, the rule only concerns payment transactions that do not involve any currency conversion (Article 52(2) of PSD 1).

    4.9.2.2. Surcharges

    Under Article 62(3) the payee is allowed, in addition to requesting from the payer a charge or offering a reduction provided for in PSD 1, to use other ways to steer the payer towards the use of a particular payment instrument. Any charges applied by the payee must not exceed the direct costs borne by the payee.

    In any case, the payee must not request charges for the use of payment instruments for which interchange fees are regulated under Chapter II of Regulation (EU) 2015/751 on Interchange Fees for Card-based Payment Transactions and for those payment services to which Regulation (EU) No 260/2012 Establishing Technical and Business Requirements for Credit Transfers and Direct Debits in Euro applies.

    The provision of PSD 1 (Article 52(3)) concerning the right of Member States to forbid or limit the right of the payee to request charges given the need to encourage competition and promote the use of efficient payment instruments has been removed.

    4.9.3. Authorisation of Payment Transactions

    4.9.3.1. Consent to Execute a Payment Transaction

    Article 64(2) has been extended to include consent to execute a payment transaction given by the payer via the payee or the payment initiation service provider.

    4.9.3.2. Confirmation of the Availability of Funds

    PSD 2 introduces Article 65 "Confirmation on the Availability of Funds". The new article obliges an account servicing payment service provider, upon the request of a payment service provider issuing card-based payment instruments, to immediately confirm whether an amount necessary for the execution of a card-based payment transaction is available on the payment account of the payer, provided that all of the following conditions are met:

  • the payment account of the payer is accessible online at the time of the request;
  • the payer has given explicit consent to the account servicing payment service provider to respond to requests from a specific payment service provider to confirm that the amount corresponding to a certain card-based payment transaction is available on the payer’s payment account;
  • the consent has been given before the first request for confirmation is made.

    The payment service provider may request the confirmation where all of the following conditions are met:

  • the payer has given explicit consent to the payment service provider to request the confirmation;
  • the payer has initiated the card-based payment transaction for the amount in question using a card-based payment instrument issued by the payment service provider;
  • the payment service provider authenticates itself towards the account servicing payment service provider before each confirmation request, and securely communicates with the account servicing payment service provider in accordance with point (d) of Article 98(1).

    Such confirmation will consist only in a simple ‘yes’ or ‘no’ answer and not in a statement of the account balance. That answer must not be stored or used for purposes other than for the execution of the card-based payment transaction.

    The confirmation will not allow for the account servicing payment service provider to block funds on the payer’s payment account.

    Article 65(5) will allow the payer to request the account servicing payment service provider to communicate to the payer the identification of the payment service provider and the answer provided.

    Article 65 will not apply to payment transactions initiated through card-based payment instruments on which electronic money is stored.

    4.9.3.3. Access to Payment Account

    Article 66 introduces rules on access to the payment account in the case of payment initiation services.

    According to paragraph 1, the right to make use of a payment initiation service provider only applies where the payment account is accessible online.

    Article 66(2) sets out rules to be followed by payment initiation service providers. Thus, the payment initiation service provider must:

  • not hold at any time the payer’s funds in connection with the provision of the payment initiation service;
  • ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;
  • ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user’s explicit consent;
  • every time a payment is initiated, identify itself towards the account servicing payment service provider of the payer and communicate with the account servicing payment service provider, the payer and the payee in a secure way;
  • not store sensitive payment data of the payment service user;
  • not request from the payment service user any data other than those necessary to provide the payment initiation service;
  • not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer;
  • not modify the amount, the payee or any other feature of the transaction.

    When the payer gives its explicit consent for a payment to be executed, the account servicing payment service provider will be obliged to perform the following actions in order to ensure the payer’s right to use the payment initiation service:

  • communicate securely with payment initiation service providers in accordance with point (d) of Article 98(1) of PSD 2;
  • immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
  • treat payment orders transmitted through the services of a payment initiation service provider without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer.

    Article 66(5) requires that the provision of payment initiation services be not dependent on the existence of a contractual relationship between the payment initiation service providers and the account servicing payment service providers for that purpose.

    Rules on access to and use of payment account information in the case of account information services are provided in Article 67.

    The right of the payment service user to make use of services enabling access to account information only applies where the payment account is accessible online.

    According to Article 67(2), the account information service provider must:

  • provide services only where based on the payment service user’s explicit consent;
  • ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels;
  • for each communication session, identify itself towards the account servicing payment service provider(s) of the payment service user and securely communicate with the account servicing payment service provider(s) and the payment service user, in accordance with point (d) of Article 98(1);
  • access only the information from designated payment accounts and associated payment transactions;
  • not request sensitive payment data linked to the payment accounts;
  • not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.

    In relation to payment accounts, the account servicing payment service provider will be obliged to:

  • communicate securely with the account information service providers in accordance with point (d) of Article 98(1); and
  • treat data requests transmitted through the services of an account information service provider without any discrimination other than for objective reasons.

    Article 67(4) requires that the provision of account information services be not dependent on the existence of a contractual relationship between the account information service providers and the account servicing payment service providers for that purpose.

    An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction (Article 68(5)).

    In such cases the account servicing payment service provider must inform the payer that access to the payment account is denied and the reasons therefor in the form agreed. That information must, where possible, be given to the payer before access is denied and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant European Union or national law.

    The last subparagraph of Article 68(5) obliges the account servicing payment service provider to allow access to the payment account once the reasons for denying access no longer exist.

    Article 68(6) requires that the account servicing payment service provider immediately report such cases relating to the account information service provider or the payment initiation service provider to the competent authority, setting out relevant details of the case and the reasons for taking action, so that the competent authority can assess the case and take appropriate measures, if necessary.

    4.9.3.4. Obligations of the Payment Service Provider in relation to Payment Instruments

    A new subparagraph has been added to the article concerning obligations of the payment service provider in relation to payment instruments. Thus, the new point (d) of Article 70(1) obliges the payment service provider issuing a payment instrument to provide the payment service user with an option to make a notification of the loss, theft, misappropriation or unauthorised use of the payment instrument free of charge and to charge, if at all, only replacement costs directly attributed to the payment instrument.

    4.9.3.5. Rectification of Unauthorised or Incorrectly Executed Payment Transactions

    Paragraph 2 has been added to Article 71 on notification and rectification of unauthorised or incorrectly executed payment transactions to cover cases where a payment initiation service provider is involved. Thus, Article 71(2) states that where a payment initiation service provider is involved, the payment service user will obtain rectification of an unauthorised or incorrectly executed payment transaction from the account servicing payment service provider pursuant to rules set out in Article 71(1) and without prejudice to Articles 73(2) and 89(1) on the liability of the payment service provider for unauthorised payment transactions, non-execution, defective or late execution of payment transactions.

    4.9.3.6. Evidence on Authentication of Payment Transactions

    A subparagraph on the payment initiation service has been added to the article concerning evidence on authentication and execution of payment transactions. Thus, the second subparagraph of Article 72(1) states that if the payment transaction is initiated through a payment initiation service provider, the burden shall be on the payment initiation service provider to prove that within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

    Where a payment service user denies having authorised an executed payment transaction, Article 72(2) obliges the payment service provider, including, where appropriate, the payment initiation service provider, to provide supporting evidence to prove fraud or gross negligence on the part of the payment service user.

    4.9.3.7. Payment transactions where the transaction amount is not known in advance

    Another new rule introduced by PSD 2 concerns payment transactions where the transaction amount is not known in advance. According to Article 75(1), where a payment transaction is initiated by or through the payee in the context of a card-based payment transaction and the exact amount is not known at the moment when the payer gives consent to execute the payment transaction, the payer’s payment service provider may block funds on the payer’s payment account only if the payer has given consent to the exact amount of the funds to be blocked.

    The payer’s payment service provider will be obliged to release the funds without undue delay after receipt of the information about the exact amount of the payment transaction and at the latest immediately after receipt of the payment order.

    4.9.4. Execution of Payment Transactions

    Changes in PSD 2 concerning rules on execution of payment orders are as follows.

    4.9.4.1. Receipt of Payment Orders

    Article 78(1) of PSD 2 offers a shorter definition of the time of receipt of the payment order: the time of receipt is when the payment order is received by the payer’s payment service provider. The second subparagraph of this Article prohibits the debiting of the payer’s account before receipt of the payment order.

    4.9.4.2. Refusal of Payment Orders

    Article 79(1) provides that where the payment service provider refuses to initiate a payment transaction, the same rules will apply as in cases where the payment service provider refuses to execute a payment order, i.e. the refusal and, if possible, the reasons for it and the procedure for correcting any factual mistakes that led to the refusal must be notified to the payment service user, unless prohibited by other relevant European Union or national law.

    The third subparagraph of the Article provides that the framework contract may include a condition that the payment service provider may charge a reasonable fee for such a refusal if the refusal is objectively justified.

    Paragraph 2 prohibiting refusal to execute an authorised payment order has been revised in PSD 2 as follows. Where all of the conditions set out in the payer’s framework contract are met, the payer’s account servicing payment service provider must not refuse to execute an authorised payment order irrespective of whether the payment order is initiated by a payer, including through a payment initiation service provider, or by or through a payee, unless prohibited by other relevant Union or national law (Article 79(2)).

    4.9.4.3. Irrevocability of a Payment Order

    Article 80(2) now covers cases involving payment initiation service providers. Thus, where the payment transaction is initiated by a payment initiation service provider or by or through the payee, the payer must not revoke the payment order after giving consent to the payment initiation service provider to initiate the payment transaction or after giving consent to execute the payment transaction to the payee.

    4.9.4.4. Availability of Funds

    A new paragraph has been added to the Article on value date and availability of funds. It sets out conditions under which the funds received by the payee's payment service provider must be made immediately available to the payee. Thus, Article 87(2) provides that the payment service provider of the payee must ensure that the amount of the payment transaction is at the payee’s disposal immediately after that amount is credited to the payee’s payment service provider’s account where, on the part of the payee’s payment service provider, there is:

  • no currency conversion; or
  • a currency conversion between the euro and a Member State currency or between two Member State currencies.

    This obligation will also apply to payments within one payment service provider.

    4.9.5. Consumer Rights

    Article 106 on obligation to inform consumers of their rights provides that by 13 January 2018, the European Commission will produce a user-friendly electronic leaflet, listing in a clear and easily comprehensible manner, the rights of consumers under PSD 2 and related European Union law, and inform Member States, European associations of payment service providers and European consumer associations of the publication of the leaflet.

    The European Commission, EBA and the competent authorities will be obliged each to ensure that the leaflet is made available in an easily accessible manner on their respective websites.

    Payment service providers will be obliged to ensure that the leaflet is made available in an easily accessible manner on their websites, if existing, and on paper at their branches, their agents and the entities to which their activities are outsourced.

    Article 106(4) prohibits payment service providers from charging their clients for making available this information.

    In respect of persons with disabilities, the information on consumer rights will have to be provided using appropriate alternative means, allowing the information to be made available in an accessible format (Article 106(5)).

    4.10. Liability

    4.10.1. Payment Service Provider’s Liability for Unauthorised Payment Transactions

    Article 73(1) sets a clear time limit for the payer’s payment service provider to refund the payer for an unauthorised payment transaction and the conditions under which the refund may be refused. Thus, in the case of an unauthorised payment transaction the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing. Where applicable, the payer’s payment service provider will have to restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. This will also ensure that the credit value date for the payer’s payment account will be no later than the date the amount had been debited.

    A new paragraph has been added to Article 73 to cover situations involving payment transactions initiated through a payment initiation service provider. Article 73(2) provides that where the payment transaction is initiated through a payment initiation service provider, the account servicing payment service provider will be obliged to refund immediately, and in any event no later than by the end of the following business day the amount of the unauthorised payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

    If the payment initiation service provider is liable for the unauthorised payment transaction, it will be obliged to immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. The burden will be on the payment initiation service provider to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

    Under Article 73(3) further financial compensation may now be sought in accordance with the law applicable to the contract concluded between the payer and the payment initiation service provider as well.

    4.10.2. Payer’s Liability for Unauthorised Payment Transactions

    Article 74(1) of PSD 2 reduces the liability of the payer for losses relating to any unauthorised payment transactions resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument to a maximum of EUR 50.

    This will not apply if:

  • the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or
  • the loss was caused by acts or lack of action of an employee, agent or branch of a payment service provider or of an entity to which its activities were outsourced.

    Article 74(2) introduces a new rule relating to liability in cases where strong customer authentication is not applied. Thus, where the payer’s payment service provider does not require strong customer authentication, the payer will not bear any financial losses unless the payer has acted fraudulently. Where the payee or the payment service provider of the payee fails to accept strong customer authentication, it will be obliged to refund the financial damage caused to the payer’s payment service provider.

    4.10.3. Refunds for Payment Transactions

    The first subparagraph of Article 76(1) provides that a payer will be entitled to a refund from the payment service provider of an authorised payment transaction which was initiated by or through a payee and which has already been executed, if both of the following conditions are met:

  • the authorisation did not specify the exact amount of the payment transaction when the authorisation was made;
  • the amount of the payment transaction exceeded the amount the payer could reasonably have expected taking into account the previous spending pattern, the conditions in the framework contract and relevant circumstances of the case.

    The second subparagraph imposes the burden of proving such conditions are met on the payer.

    The credit value date for the payer’s payment account will have to be no later than the date the amount was debited.

    In addition, the fourth subparagraph of the Article provides that for direct debits the payer has an unconditional right to a refund within 10 business days of the time the request for the refund is received by the payment service provider. This provision has replaced the rule set out in PSD 1, which allows the payer and his payment service provider to agree in the framework contract that for direct debits the payer is entitled to a refund from his payment service provider even though the conditions for refund are not met.

    Paragraph 4 added to Article 76 allows Member States to require that for direct debits in currencies other than euro, their payment service providers offer more favourable refund rights in accordance with their direct debit schemes provided that they are more advantageous to the payer (Article 76(4)).

    4.10.4. Incorrect Unique Identifier

    Paragraph 3 of the article on liability for non-execution or defective execution of a payment transaction in the case of incorrect unique identifier has been extended in PSD 2 to include the obligation of the payee’s payment service provider to cooperate with the payer’s payment service provider in its efforts to recover the funds involved in the payment transaction by communicating to the payer’s payment service provider all relevant information for the collection of funds. It also obliges the payer’s payment service provider, in the event that such collection of funds is not possible, to provide to the payer, upon written request, all information available to the payer’s payment service provider and relevant to the payer in order for the payer to file a legal claim to recover the funds (Article 88(3)).

    4.10.5. Payment Service Provider’s Liability for Non-execution, Defective or Late Execution of Payment transactions

    In the context of the payment service provider’s liability for non-execution, defective or late execution of payment transactions, PSD 2 provides clarification on the refund credit value date and makes the payment transaction tracing by the payer’s payment service provider free of charge for the payer.

    4.10.5.1. Credit Value Date

    Article 89(1) of PSD 2 establishes credit value date rules relating to refunds in cases of non-execution, defective or late execution of payment transactions.

    Thus, where the payer’s payment service provider is liable for non-execution or defective execution of a payment transaction, it will be obliged to refund to the payer the amount of the non-executed or defective payment transaction with the credit value date for the payer’s payment account being no later than the date on which the amount was debited.

    Where the payee’s payment service provider is liable for non-execution or defective execution of a payment transaction, it will be obliged to immediately place the amount of the payment transaction at the payee’s disposal and, where applicable, credit the corresponding amount to the payee’s payment account with the credit value date for the payee’s payment account being no later than the date on which the amount would have been value dated, had the transaction been executed correctly.

    Where a payment transaction is executed late, the payee’s payment service provider will be obliged to ensure, upon the request of the payer’s payment service provider acting on behalf of the payer, that the credit value date for the payee’s payment account is no later than the date the amount would have been value dated had the transaction been executed correctly.

    Where a payment order is initiated by or through the payee and in the case of a late transmission of the payment order by the payee’s payment service provider, the amount will have to be value dated on the payee’s payment account no later than the date the amount would have been value dated had the transaction been correctly executed (Article 89(2)).

    Where the payee’s payment service provider is liable to the payee for incorrect handling of the payment transaction, it must ensure that the amount of the payment transaction is at the payee’s disposal immediately after that amount is credited to the payee’s payment service provider’s account. The amount will have to be value dated on the payee’s payment account no later than the date the amount would have been value dated had the transaction been correctly executed.

    Where the payer’s payment service provider is liable to the payer for a payment order initiated by or through the payee, the refund credit value date for the payer’s payment account shall be no later than the date the amount was debited. The obligation of refund will not apply to the payer’s payment service provider where the payer’s payment service provider proves that the payee’s payment service provider has received the amount of the payment transaction, even if execution of the payment transaction is merely delayed. If so, the payee’s payment service provider will be obliged to value date the amount on the payee’s payment account no later than the date the amount would have been value dated had it been executed correctly.

    In addition, payment service providers will be liable to their respective payment service users for any charges for which they are responsible, and for any interest to which the payment service user is subject as a consequence of non-execution or defective, including late, execution of the payment transaction.

    4.10.5.2. Tracing

    The seventh subparagraph of Article 89(1) requires that in the case of a non-executed or defectively executed payment transaction where the payment order is initiated by the payer, the payer’s payment service provider, regardless of its liability for non-execution, defective or late execution of the payment transaction, make immediate efforts to trace the payment transaction and notify the payer of the outcome free of charge for the payer.

    In the case of a non-executed or defectively executed payment transaction where the payment order is initiated by or through the payee, the payee’s payment service provider will be obliged, regardless of its liability, on request, to make immediate efforts to trace the payment transaction and notify the payee of the outcome free of charge for the payee (Article 89(2)).

    4.10.6. Liability in the case of Payment Initiation Services

    A new article has been added to PSD 2 concerning the liability in the case of payment initiation services for non-execution, defective or late execution of payment transactions.

    Thus, according to Article 90(1), where a payment order is initiated by the payer through a payment initiation service provider, the account servicing payment service provider will be obliged to refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.

    The burden will be on the payment initiation service provider to prove that the payment order was received by the payer’s account servicing payment service provider and that within its sphere of competence the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the non-execution, defective or late execution of the transaction.

    Article 90(2) provides that if the payment initiation service provider is liable for the non-execution, defective or late execution of the payment transaction, it will be obliged to immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer.

    4.10.7. Right of Recourse

    Where the liability of a payment service provider for unauthorised payment transactions and for non-execution, defective or late execution of payment transactions is attributable to another payment service provider or to an intermediary, that payment service provider or intermediary will be obliged to compensate the first payment service provider for any losses incurred or sums paid under Articles 73 and 89. That includes compensation where any of the payment service providers fail to use strong customer authentication.

    4.11. Data Protection

    PSD 2 introduces a large portion of new rules on personal data protection, operational and security risks and authentication.

    4.11.1. Personal Data Protection

    Article 94(1) of PSD 2 requires that the provision of information to individuals about the processing of personal data and the processing of such personal data and any other processing of personal data by payment systems and payment service providers for the purposes of PSD 2 be carried out in accordance with Directive 95/46/EC, the national rules which transpose Directive 95/46/EC and with Regulation (EC) No 45/2001.

    According to a new paragraph added to this article the explicit consent of the payment service user is required in order for payment service providers to be permitted to access, process and retain personal data necessary for the provision of their payment services (Article 94(2)).

    4.11.2. Management of Operational and Security Risks

    Article 95(1) obliges payment service providers to establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers are required to establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

    Payment service providers will have to provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks (Article 95(2)).

    EBA is expected to issue, by 13 July 2017, guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant (Article 95(3)).

    4.11.3. Operational and Security Incident Reporting

    The first paragraph of Article 96 on incident reporting requires that in the case of a major operational or security incident, payment service providers, without undue delay, notify the competent authority in the home Member State of the payment service provider.

    Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

    Upon receipt of the notification, the competent authority of the home Member State will be obliged to provide, without undue delay, the relevant details of the incident to EBA and to the ECB. That competent authority will, after assessing the relevance of the incident to relevant authorities of that Member State, notify them accordingly.

    EBA and the ECB will, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant EU and national authorities and notify them accordingly. The ECB will notify the members of the European System of Central Banks on issues relevant to the payment system.

    On the basis of that notification, the competent authorities will be required, where appropriate, to take all of the necessary measures to protect the immediate safety of the financial system (Article 96(2)).

    Under Article 96(6), payment service providers will also be required to provide, at least on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities. The competent authorities will then pass on such data in an aggregated form to the EBA and the ECB.

    Under Article 96(3), EBA is to issue by 13 January 2018, guidelines addressed to payment service providers on the classification of major operational and security incidents, and on the content, the format, including standard notification templates, and the procedures for notifying such incidents; and guidelines addressed to competent authorities on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.

    4.11.4. Strong Customer Authentication

    Article 97(1) defines cases where strong customer authentication must be applied by the payment service provider. Thus, a payment service provider will have to apply strong customer authentication where the payer:

  • accesses its payment account online;
  • initiates an electronic payment transaction;
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

    With regard to the initiation of electronic payment transactions, for electronic remote payment transactions, payment service providers will be required to apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee (Article 97(2)).

    In the context of strong customer authentication payment service providers will have to have in place adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials (Article 97(3)).

    Paragraphs 2 and 3 also apply where payments are initiated through a payment initiation service provider.

    Paragraphs 1 and 3 also apply when the information is requested through an account information service provider.

    The account servicing payment service provider will have to allow the payment initiation service provider and the account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with paragraphs 1 and 3 and, where the payment initiation service provider is involved, in accordance with paragraphs 1, 2 and 3 (Article 97(5)).

    Requirements of the strong customer authentication, exemptions from the application of these requirements, requirements for the confidentiality and the integrity of the payment service users’ personalised security credentials and requirements for common and secure open standards of communication between the industry actors will be defined by the EBA in draft regulatory technical standards (RTS) by 13 January 2017 (for more information on EBA's role under PSD 2, see the relevant section below).

    4.12. Alternative Dispute Resolution (ADR) Procedures

    PSD 2 has significantly extended the provisions regarding the settlement of disputes.

    4.12.1. Complaints

    Article 99(1) of PSD 2 provides that payment service users may complain about payment service providers’ alleged infringements of PSD 2 rather than provisions of national law implementing the provisions of PSD 1.

    4.12.2. Competent Authorities

    Member States will be required to designate competent authorities to ensure and monitor effective compliance with PSD 2. Those competent authorities will be responsible for taking all appropriate measures to ensure such compliance (Article 100(1)).

    They will be either:

  • competent authorities within the meaning of Article 4(2) of Regulation (EU) No 1093/2010; or
  • bodies recognised by national law or by public authorities expressly empowered for that purpose by national law.

    They must not be payment service providers, with the exception of national central banks.

    The authorities will possess all powers and adequate resources necessary for the performance of their duties. Where more than one competent authority is empowered to ensure and monitor effective compliance with PSD 2, Member States will be required to ensure that those authorities collaborate closely so that they can discharge their respective duties effectively (Article 100(2)).

    The competent authorities will exercise their powers in accordance with national law either:

  • directly under their own authority or under the supervision of the judicial authorities; or
  • by application to courts which are competent to grant the necessary decision, including, where appropriate, by appeal, if the application to grant the necessary decision is not successful.

    Member States are required to notify the European Commission of the designated competent authorities as soon as possible and in any event by 13 January 2018, including of any division of duties of those authorities. Any subsequent change concerning the designation and respective competences of those authorities will have to be notified to the European Commission immediately (Article 100(5)).

    Article 100(6) provides for guidelines on the complaints procedures addressed to the competent authorities to be issued by the EBA by 13 January 2018.

    4.12.3. Dispute Resolution

    Article 101(1) requires that payment service providers put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users concerning the rights and obligations arising under PSD 2 and be responsible for monitoring their performance in that regard.

    Those procedures must be applied in every Member State where the payment service provider offers the payment services and must be available in an official language of the relevant Member State or in another language if agreed between the payment service provider and the payment service user.

    Article 101(2) establishes rules to be followed by payment service providers when dealing with complaints. Thus, payment service providers will be required to make every possible effort to reply, on paper or, if agreed between payment service provider and payment service user, on another durable medium, to the payment service users’ complaints.

    Such a reply must address all points raised, within an adequate timeframe and at the latest within 15 business days of receipt of the complaint. In exceptional situations, if the answer cannot be given within 15 business days for reasons beyond the control of the payment service provider, it will be required to send a holding reply, clearly indicating the reasons for a delay in answering to the complaint and specifying the deadline by which the payment service user will receive the final reply. In any event, the deadline for receiving the final reply must not exceed 35 business days.

    Member States are allowed to introduce or maintain rules on dispute resolution procedures that are more advantageous to the payment service user than those mentioned above. Where they do so, those rules will apply.

    The payment service provider will have to inform the payment service user about at least one alternative dispute resolution (ADR) entity which is competent to deal with disputes concerning the rights and obligations arising under PSD 2 (Article 101(3)).

    The information about competent ADR entities must be mentioned in a clear, comprehensive and easily accessible way on the website of the payment service provider, where one exists, at the branch, and in the general terms and conditions of the contract between the payment service provider and the payment service user. It must specify how further information on the ADR entity concerned and on the conditions for using it can be accessed (Article 101(4)).

    4.12.4. ADR Procedures

    Member States are required to ensure that adequate, independent, impartial, transparent and effective ADR procedures for the settlement of disputes between payment service users and payment service providers concerning the rights and obligations arising under PSD 2 are established according to the relevant national and European Union law in accordance with Directive 2013/11/EU of the European Parliament and the Council on alternative dispute resolution for consumer disputes, using existing competent bodies where appropriate. Member States must ensure that ADR procedures are applicable to payment service providers and that they also cover the activities of appointed representatives.

    Member States will ensure that the bodies mentioned above cooperate effectively for the resolution of cross-border disputes concerning the rights and obligations arising under PSD 2.

    Competent authorities will be allowed to disclose to the public any administrative penalty that is imposed for infringement of the measures adopted in the transposition of PSD 2, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.

    4.13. The Role of European Banking Authority (EBA) under PSD 2

    Under PSD 2, a key role has been given to the European Banking Authority (EBA) in:

  • ensuring consistent application of PSD 2;
  • guaranteeing fair competition in the payments market;
  • promoting cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities;
  • increasing customer protection;
  • enhancing transparency of the operation of payment institutions;
  • resolving disputes between competent authorities in the context of cross-border cooperation.

    In order to fulfil this role, the EBA has been given the responsibility for the development, operation and maintenance of an electronic central register of payment service providers, for the elaboration of guidelines and preparation of draft regulatory technical standards on the relevant aspects of PSD 2. These will be key to achieving goals of PSD 2.

    4.13.1. EBA’s Guidelines

    The EBA is empowered by Reg. (EU) No 1093/2010 to issue guidelines and recommendations addressed to competent authorities or financial institutions with a view to establishing consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS), and to ensuring the common, uniform and consistent application of the European Union law.

    Article 16(3) of Reg. (EU) No 1093/2010 obliges the competent authorities and financial institutions to make every effort to comply with those guidelines and recommendations.

    Under PSD 2, EBA is to issue the following guidelines addressed to payment service providers.

    In the context of authorisation of payment institutions (Article 5), EBA is to issue by 13 July 2017 guidelines concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions (Article 5(5)). EBA will be required to review those guidelines on a regular basis and in any event at least every 3 years.

    In the context of operational and security risks (Article 95), EBA is to issue by 13 January 2018 guidelines on the classification of major operational and security incidents and on the content, the format, including standard notification templates, and the procedures for notifying such incidents (Article 96(3)). EBA will be required to review these guidelines on a regular basis and in any event at least every 2 years.

    Article 96(5) requires that, while issuing and reviewing these guidelines, EBA take into account standards and / or specifications developed and published by the European Union Agency for Network and Information Security for sectors pursuing activities other than payment service provision.

    EBA is to issue the following guidelines addressed to competent authorities.

    In the context of authorisation of payment institutions (Article 5), EBA is to issue by 13 January 2017 guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3 of Article 5 of PSD 2 (Article 5(4)).

    In developing these guidelines EBA will take account of the following:

  • the risk profile of the undertaking;
  • whether the undertaking provides other payment services listed in Annex I to PSD 2 or is engaged in other business;
  • the size of the activity:
    • for undertakings that apply for authorisation to provide payment initiation services, the value of the transactions initiated;
    • for undertakings that apply for registration to provide account information services, the number of clients that make use of the payment service;
  • the specific characteristics of comparable guarantees and the criteria for their implementation.

    EBA will be required to review those guidelines on a regular basis.

    In the context of operational and security risks (Article 95), EBA is to issue by 13 July 2017 guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant (Article 95(3)). EBA will be required to review these guidelines on a regular basis and in any event at least every 2 years.

    EBA will also issue by 13 January 2018 guidelines on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities (Article 96(3)). EBA will be required to review the guidelines on a regular basis and in any event at least every 2 years.

    In the context of dispute resolution, EBA is to issue by 13 January 2018 guidelines on the complaints procedures to be taken into consideration to ensure compliance with PSD 2. EBA will be required to update these guidelines on a regular basis, as appropriate (Article 100(6)).

    4.13.2. Regulatory Technical Standards

    According to Article 10 of Reg. (EU) No 1093/2010, where the European Parliament and the Council delegate power to the European Commission to adopt regulatory technical standards by means of delegated acts in order to ensure consistent harmonisation in the areas specifically set out in the legislative acts, the EBA may develop draft regulatory technical standards (RTS). The draft standards will then have to be submitted to the European Commission for endorsement. Within 3 months of receipt of a draft regulatory technical standard, the European Commission is required to decide whether to endorse it.

    Regulatory technical standards are technical in nature, do not imply strategic decisions or policy choices, and their content is delimited by the legislative acts on which they are based.

    The purpose of regulatory technical standards to be developed under PSD 2 is to ensure a level playing field and adequate protection of consumers in the payment services industry across the European Union.

    The EBA is to develop a set of draft regulatory technical standards on a number of crucial aspects of PSD 2.

    In the context of authorisation of payment institutions, Article 5(6) provides that EBA, taking into account experience acquired in the application of the relevant guidelines, may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements for:

  • a programme of operations;
  • a business plan;
  • evidence that the payment institution holds initial capital;
  • a description of the applicant’s governance arrangements and internal control mechanisms;
  • a description of the process in place to file, monitor, track and restrict access to sensitive payment data;
  • a description of business continuity arrangements;
  • a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud; and
  • a security policy document.

    Then, the draft regulatory technical standards will have to be submitted to the European Commission for adoption.

    For the purpose of developing, operating and maintaining the electronic central register, Article 15(4) requires that EBA develop draft regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein. The technical requirements must ensure that modification of the information is only possible by the competent authority and EBA. EBA is to submit these draft regulatory technical standards to the European Commission for endorsement by 13 January 2018.

    In the same context, EBA is required to develop draft implementing technical standards on the details and structure of the information to be notified by the competent authorities to EBA, including the common format and model in which this information is to be provided. EBA is to submit those draft implementing technical standards to the European Commission for endorsement by 13 July 2017.

    In the context of exercising the right of establishment and freedom to provide services by payment service providers, EBA is to develop draft regulatory technical standards specifying the framework for cooperation, and for the exchange of information, between competent authorities of the home and of the host Member State. Those draft regulatory technical standards will specify the method, means and details of cooperation in the notification of payment institutions operating on a cross-border basis and, in particular, the scope and treatment of information to be submitted, including common terminology and standard notification templates to ensure a consistent and efficient notification process. EBA is to submit those draft regulatory technical standards to the European Commission for adoption by 13 January 2018 (Article 28(5)).

    In the context of supervision of payment institutions exercising the right of establishment and freedom to provide services, Article 29(5) requires that EBA develop draft regulatory technical standards specifying the criteria to be applied when determining, in accordance with the principle of proportionality, the circumstances when the appointment of a central contact point is appropriate, and the functions of those contact points.

    Those draft regulatory technical standards must, in particular, take account of:

  • the total volume and value of transactions carried out by the payment institution in host Member States;
  • the type of payment services provided; and
  • the total number of agents established in the host Member State.

    EBA is to submit those draft regulatory technical standards to the European Commission for adoption by 13 January 2017.

    In addition, EBA will develop draft regulatory technical standards specifying the framework for cooperation, and for the exchange of information, between the competent authorities of the home Member State and of the host Member State in accordance with Title II (Payment Service Providers) and to monitor compliance with the provisions of national law transposing Titles III (Transparency of Conditions and Information Requirements for Payment Services) and IV (Rights and Obligations in relation to the Provision and Use of Payment Services).

    The draft regulatory technical standards will specify the method, means and details of cooperation in the supervision of payment institutions operating on a cross-border basis and, in particular, the scope and treatment of information to be exchanged, to ensure consistent and efficient supervision of payment institutions exercising cross-border provision of payment services. Those draft regulatory technical standards will also specify the means and details of any reporting requested by host Member States from payment institutions on the payment business activities carried out in their territories, including the frequency of such reporting (Article 29(6)).

    EBA is to submit those draft regulatory technical standards to the European Commission for adoption by 13 January 2018.

    In the context of management of operational and security risks, Article 95(4) provides that EBA, taking into account experience acquired in the application of the guidelines on the establishment, implementation and monitoring of the security measures, will be obliged, where requested to do so by the European Commission as appropriate, to develop draft regulatory technical standards on the criteria and on the conditions for establishment, and monitoring, of security measures.

    In the context of authentication and communication, Article 98(1) requires that EBA develop draft regulatory technical standards addressed to payment service providers specifying:

  • the requirements of the strong customer authentication;
  • the exemptions from the application of those requirements based on the criteria set out in Article 98(3);
  • the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and
  • the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.

    These draft regulatory technical standards will be developed by EBA in order to:

  • ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;
  • ensure the safety of payment service users’ funds and personal data;
  • secure and maintain fair competition among all payment service providers;
  • ensure technology and business-model neutrality;
  • allow for the development of user-friendly, accessible and innovative means of payment.

    EBA is to submit these draft regulatory technical standards to the European Commission for endorsement by 13 January 2017.

    EBA will be required to review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments.

    When developing regulatory technical standards on authentication and communication, EBA will systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.

    In general, when developing guidelines, draft regulatory technical standards and draft implementing technical standards, EBA will be required to ensure that it consults all relevant stakeholders, including those in the payment services market, reflecting all interests involved. If necessary for getting a proper balance of views, EBA will make a particular effort to obtain the views of relevant non-bank actors. EBA will pay particular attention to the fact that the standards to be applied are to allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services.

    The regulatory technical standards are adopted by means of regulations or decisions. They are published in the Official Journal of the European Union and enter into force on the date stated therein.

    4.14. Impact of PSD 2 on Existing Industry Actors

    Until 13 January 2018, the date when PSD 2 comes into effect, the payment market players will have to follow the rules set out in Article 109 (Transitional Provision) of PSD 2.

    4.14.1. Impact on Existing Payment Institutions
    4.14.1.1. Authorised Payment Institutions

    Article 109(1) allows payment institutions that have taken up activities in accordance with the national law transposing Directive 2007/64/EC (PSD 1) by 13 January 2018, to continue those activities in accordance with the requirements provided for in Directive 2007/64/EC without being required to seek authorisation in accordance with Article 5 of Directive (EU) 2015/2366 (PSD 2) or to comply with the other provisions of Title II (Payment Service Providers) of PSD 2 until 13 July 2018.

    Such payment institutions will be required to submit all relevant information to their competent authorities in order to allow the latter to assess, by 13 July 2018, whether those payment institutions comply with the requirements of Title II (Payment Service Providers) of PSD 2 and, if not, which measures need to be taken in order to ensure compliance or whether a withdrawal of authorisation is appropriate.

    Payment institutions which upon verification by the competent authorities comply with the new requirements will be granted authorisation and entered in the registers. Where those payment institutions do not comply by 13 July 2018, they will be prohibited from providing payment services.

    Payment institutions may automatically be granted authorisation and entered in the registers, if the competent authorities already have evidence that the requirements of Articles 5 (Applications for Authorisation) and 11 (Granting of Authorisation) are complied with. The competent authorities will inform the payment institutions concerned before the authorisation is granted.

    Article 109(5) provides that payment institutions that have been granted authorisation to provide payment services as referred to in point (7) of the Annex to PSD 1 will retain that authorisation for the provision of those payment services which are considered to be payment services as referred to in point (3) of Annex I to PSD 2 where, by 13 January 2020, the competent authorities have the evidence that the requirements of point (c) of Article 7 (Initial Capital) and Article 9 (Calculation of Own Funds) of PSD 2 are complied with.

    4.14.1.2. Registered / Small Payment Institutions

    According to Article 109(3), natural or legal persons who benefited from the waiver / exemption under Article 26 of PSD 1 (registered / small payment institutions) before 13 January 2018, and pursued payment services activities within the meaning of PSD 1, will be allowed to continue those activities within the Member State concerned in accordance with Directive 2007/64/EC, until 13 January 2019 without being required to seek authorisation under PSD 2, or to obtain an exemption pursuant to Article 32 of PSD 2, or to comply with the other provisions of Title II of PSD 2.

    Any such person who has not, by 13 January 2019, been authorised or exempted under PSD 2 will be prohibited from providing payment services.

    Natural and legal persons benefiting from an exemption under PSD 1 may be allowed to be deemed to benefit from an exemption under PSD 2 and automatically entered in the registers where the competent authorities have evidence that the requirements of Article 32 of PSD 2 are complied with. The competent authorities will inform the payment institutions concerned.

    4.14.2. Impact on Electronic Money Institutions

    PSD 2 introduces a number of amendments to Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions (EMD) by means of Article 111.

    Thus, amended Article 3(1) of EMD provides that Article 5 (Applications for Authorisation), Articles 11 to 17 (Granting of Authorisation; Communication of the Decision; Withdrawal of Authorisation; Registration in the Home Member State; EBA Register; Maintenance of Authorisation; Accounting and Statutory Audit), Article 19(5) and (6) on the use of agents, branches or entities to which activities are outsourced and Articles 20 to 31 (Liability; Record-keeping; Designation of Competent Authorities; Supervision; Professional Secrecy; Right to Apply to the Courts; Exchange of Information; Settlement of Disagreements between Competent Authorities of Different Member States; Application to Exercise the Right of Establishment and Freedom to Provide Services; Supervision of Payment Institutions Exercising the Right of Establishment and Freedom to Provide Services; Measures in case of Non-compliance, including Precautionary Measures; Reasons and Communication) of PSD 2, including the delegated acts adopted under Article 15(4), Article 28(5) and Article 29(7) thereof, will apply to electronic money institutions mutatis mutandis.

    According to Article 3(4) of EMD, as amended by PSD 2, electronic money institutions will be allowed to distribute and redeem electronic money through natural or legal persons which act on their behalf. Where the electronic money institution distributes electronic money in another Member State by engaging such a natural or legal person, Articles 27 to 31 of PSD 2 (Settlement of Disagreements between Competent Authorities of Different Member States; Application to Exercise the Right of Establishment and Freedom to Provide Services; Supervision of Payment Institutions Exercising the Right of Establishment and Freedom to Provide Services; Measures in case of Non-compliance, including Precautionary Measures; Reasons and Communication), with the exception of Article 29(4) and (5), including the delegated acts adopted in accordance with Article 28(5) and Article 29(7) thereof, will apply mutatis mutandis to such an electronic money institution.

    Electronic money institutions will be allowed to provide payment services referred to in point (a) of Article 6(1) of EMD through agents subject to the conditions laid down in Article 19 (Use of agents, branches or entities to which activities are outsourced) of PSD 2 (Article 3(5) of EMD as amended by Article 111 of PSD 2).

    Article 111 of PSD 2 also adds a new paragraph to Article 18 of EMD. Thus, paragraph 4 allows electronic money institutions that have, before 13 January 2018, taken up activities in accordance with EMD and with PSD 1 in the Member State in which their head office is located to continue those activities in that Member State or in another Member State without being required to seek authorisation in accordance with Article 3 of EMD or to comply with other requirements laid down or referred to in Title II (Requirements for the Taking up, Pursuit and Prudential Supervision of the Business of Electronic Money Institutions) of EMD until 13 July 2018.

    Electronic money institutions will be required to submit all relevant information to the competent authorities in order to allow the latter to assess, by 13 July 2018, whether those electronic money institutions comply with the new requirements and, if not, which measures need to be taken in order to ensure compliance or whether a withdrawal of authorisation is appropriate.

    Electronic money institutions which, upon verification by the competent authorities, comply with the requirements of Title II will be granted authorisation and entered in the register. Where those electronic money institutions do not comply with the requirements of Title II by 13 July 2018, they will be prohibited from issuing electronic money.

    4.14.3. Impact on Existing Unregulated PISPs and AISPs

    Legal persons that have performed in their territories, before 12 January 2016, activities of payment initiation service providers and account information service providers within the meaning of PSD 2, will not be forbidden to continue to perform the same activities in their territories during the transitional period referred to in paragraphs 2 and 4 of Article 115 in accordance with the currently applicable regulatory framework (Article 115(5)).

    4.14.4. Impact on Account Servicing Payment Service Providers

    Until individual account servicing payment service providers comply with the regulatory technical standards on security measures, they must not abuse their non-compliance to block or obstruct the use of payment initiation and account information services for the accounts that they are servicing (Article 115(6)).

    5. Next Steps

    5.1. Transposition

    The current Payment Services Directive (Directive 2007/64/EC) will be repealed from 13 January 2018.

    Member States are required to adopt and publish the measures necessary to comply with PSD 2 by 13 January 2018 and apply those measures from 13 January 2018 (Article 115(1) and (2)).

    Member States must ensure the application of the security measures referred to in:

  • Article 65 (Confirmation on the Availability of Funds);
  • Article 66 (Rules on Access to Payment Account in the case of Payment Initiation Services);
  • Article 67 (Rules on Access to and Use of Payment Account Information in the case of Account Information Services), and
  • Article 97 (Authentication)

    from 18 months after the date of entry into force of the regulatory technical standards referred to in Article 98.

    5.2. EBA Guidelines and Regulatory Technical Standards

    To fulfil its mandate under PSD 2 and the Interchange Fee Regulation (IFR) to develop requirements that will harmonise regulatory and supervisory practices in the field of payment services across the EU, the EBA launched the preparation process before the official publication of the revised Payment Services Directive by issuing Discussion and Consultation Papers to collect views and responses of the parties concerned.

    The Directive confers on the EBA the development of six technical standards and five sets of guidelines.

    The EBA has already launched a discussion on draft regulatory technical standards on strong customer authentication and secure communication and two consultations – one on draft technical standards on the framework for cooperation and exchange of information between competent authorities for passporting under PSD 2 and the other on draft technical standards on the separation of payment card schemes and processing entities under Article 7(6) of the Interchange Fee Regulation (IFR).

    The RTS on strong customer authentication and secure communication, on which the EBA has issued a Discussion Paper, is key to achieving the objective of PSD 2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.

    The EBA will assess the views received on the identified issues and on the potential clarifications suggested, and use them as input for the development of the draft RTS, which it will publish in summer 2016, for a consultation period of three months.

    The final draft RTS on the framework for cooperation and exchange of information between competent authorities for passporting and on separation of payment card schemes and processing entities are expected to be published in Q2 of 2016.

    Then the draft RTS are to be submitted to the European Commission, which will have 3 months to adopt them.

    ADVAPAY follows closely the latest developments in the payments industry and will keep you updated. Stay with us for more information.