My piece for Ogier Leman on the EU's proposal to replace existing directives on e-money and payment services is
.
As reported last July, the EU has been reviewing the way it regulates payment services. That process has now resulted in a proposal for a new legislative approach: a directly applicable Regulation (PSR3) governing how payment services must operate and a Directive (PSD3) governing the licensing and supervision of payment service providers, which will need to be transposed into local law. There is also a proposal to regulate the sharing of financial data, which we'll cover separately. The differences in approach are broadly summarised below for information purposes. It is not yet fully clear when the proposed legislation will be finalised or take effect. If you require legal advice on the potential impact, please let us know.
How does the EU regulated payment services now?
Payment services are currently regulated under a single Payment Services Directive (PSD2) that is applied by local legislation in each Member State. Electronic money issuers are regulated partly under the second Electronic Money Directive (EMD2), also implemented in each Member State, and their services must also comply with PSD2. These are 'maximum harmonisation' directives, meaning that Member States may only deviate when regulating within their scope to the extent they are expressly permitted to do so.
Has PSD2 been successful?
PSD2 has helped with fraud prevention, via the Strong Customer Authentication (SCA); and has improved efficiency, transparency, competition and choice for customers.
Problems remain, however:
- an imbalance between bank and non-bank PSPs (e.g. in terms of direct access to key payment systems);
- limited uptake of payment initiation and account information services (‘open banking’ or OB);
- many services remain national rather than cross-border;
- anticipated cost reductions have not fully materialised;
- consumers are still at risk of fraud and lack confidence;
- open banking needs work;
- local regulators have inconsistent powers and obligations;
- a fragmented internal market for payments results in “forum shopping”.
As a result, the EU has four main objectives in relation to payment services:
1. Strengthen user protection and confidence in payments;
2. Improve the competitiveness of open banking services;
3. Improve enforcement and implementation in Member States;
4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.
The EU plans to meet these objectives through a directly applicable Regulation and a Directive that must be implemented in each Member State.
Specific proposals - New Regulations (PSR3)
Scope and definitions
PSR3 won't change the list of payment services in PSD2 and leaves the exclusions largely unchanged (although there are potential issues relating to the commercial agent's exclusion, given the addition that the agreement appointing the agent must give the payer or payee "a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services"). There is also an addition to the group company exclusion to also allow for one company to collect funds from others within the group to pay them away to a third party PSP.
There are more definitions and clarifications of certain terms (new definitions of Merchant Initiated Transactions (MITs) and of Mail Orders or Telephone Orders (MOTOs)).
There's an attempt to differentiate between ‘initiation of a payment transaction’ and ‘remote initiation of a payment transaction’.
PSP Access to Payment Systems/Accounts
Payment system operators must grant access to PSPs on proportionate, objective and non-discriminatory grounds.
Rules concerning PSP rights to account with a credit institution are reinforced (given the importance for them to have a bank account to obtain their license) for institutions and their agents and distributors.
Transparency of conditions and information requirements
Member states will no longer be able to flex the limits for exempting low-value payment instruments and e-money from certain information requirements.
Customers must be given notice of Alternative Dispute Resolution procedures in contract terms that apply to single payment transactions.
PSPs must unambiguously identify the payee, including any commercial trade name in payment account statements.
Where payment services are offered jointly with supporting technical services any termination fees that apply to the technical services must also be in the payment services contract.
There are additional information requirements for domestic ATM withdrawals.
PSPs must provide customers sending money from the EU to non-EU countries with the estimated time funds will be received by payee's PSPs; and the estimated currency conversion charges must be expressed in the same way as for credit transfers within the EU (a percentage mark-up over the latest available euro foreign exchange reference rates issued by the ECB).
Rights and obligations
The prohibition on surcharging customers for using certain consumer payment methods extended to credit transfers and direct debits in all currencies of the EU (though member states - and the UK - have implemented such bans with differing scope in any event).
The rules for merchant-initiated transactions (MITs) and direct debits will have the same consumer protection, such as refund rights.
Open banking (account information services and payment initiation services)
Key changes here include:
- a dedicated interface for open banking data access;
- removing the requirement on account servicing PSPs (ASPSPs) to maintain a ‘fallback’ interface.
- ASPSPs must offer customers a “dashboard” allowing the withdrawal of data access from any given open banking provider.
- confirmation on the availability of funds has been removed as a stand-alone open banking service, due to lack of demand.
Authorisation of payment transactions and 'push payment' fraud
A payee's PSP must, on request, provide the customer with a service that checks that the unique identifier of the payee matches the name of the payee as provided by the payer, notifying the payer's PSP of any discrepancy, so it can alert the payer. Under SEPA, a similar provision is proposed for discrepancies between the name and unique identifier of a payee for instant credit transfers denominated in euro.
For consistency, the new provision will also apply to ordinary credit transfers in all currencies of the Union and instant credit transfers in currencies which are not in euro.
The notification must be given before the payer finalises the payment order and before the PSP executes the credit transfer. The user remains free to decide whether to submit the payment order for a credit transfer in all cases.
PSPs must not unilaterally increase the spending limits on payment instruments.
Where funds are blocked on a payment instrument for payment transactions where the amount isn't known in advance, the amount blocked must be proportionate to the amount reasonably expected at the time of blocking; and the payee must inform the blocking PSP of the exact amount of the payment transaction immediately after delivery of the service or goods to the payer.
A PSP can only refuse to refund an unauthorised payment transaction for which it is liable where it has reasonable grounds for suspecting fraud by the payer, in which case the PSP must provide the justification and indicate the bodies to which the payer may complain.
A payer's PSP will be liable for the full amount of a credit transfer where the PSP has failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer.
A PSP will be liable where a consumer has been manipulated into authorising a payment transaction by a third party pretending to be an employee of the consumer’s PSP using lies or deception.
An obligation for electronic communications services providers to cooperate with PSPs is introduced, with a view to preventing such fraud. Where the liability is attributable to the payee's PSP, it must refund the financial damage incurred by the payer's PSP.
Strong Customer Authentication (SCA)
Technical service providers and operators of payment schemes will be liable where they fail to support SCA.
A payer shall not bear any financial losses where either their PSP or the payee's PSP applies any of the exemptions from the need for SCA (e.g. for up to 5 contactless transactions).
PSPs must have transaction monitoring mechanisms for the application of SCA and to improve the prevention and detection of fraudulent transactions. The monitoring must take into account the customer's normal use of the personalised security credentials, including environmental and behavioural characteristics related to the customer's location, time of transaction, device being used, spending habits and the online store where the purchase is carried out.
PSPs may exchange personal data, like unique identifiers of a payee, subject to information sharing arrangements, subject to a data protection impact assessment and, where necessary, prior consultation with the local regulator.
SCA is needed for MITs at set-up of the mandate, but not for subsequent MITs.
Only the non-digital initiation of a payment transaction can escape the SCA obligations, so some MOTO transactions could be caught. But payment transactions based on paper-based payment orders, mail orders or telephone orders placed by the payer should still be subjected to security standards and checks by the payer's PSP to prevent circumvention of SCA requirements.
The scope of SCA exemption for direct debits has been narrowed; while a new obligation requires SCA where a mandate is placed through a remote channel with the direct involvement of a PSP.
SCA is only required for account information services on the occasion of the first data access; but must be applied , at least every 180 days where customers access aggregated account data on the AISP’s domain.
Provisions have been added to improve the accessibility of SCA, including for persons with disabilities, older persons, persons with low digital skills and those who don't have access to digital channels or a smartphone.
There is a provision requiring payment service providers and technical service providers to enter into outsourcing agreements in cases where the latter provide and verify the elements of SCA (note that such outsourcing agreements, if regarded as 'critical or important' must include certain provisions under EBA guidelines).
Execution of payment transactions
In cases where a payment initiation service provider (PISP) provides an incorrect unique identifier of a payee, the PISP is liable for the amount of the transaction.
Data protection
A new provision defines the substantial public interest for which processing special categories of personal data could be necessary in this context.
Product intervention powers of the European Banking Authority
The EBA may temporarily ban the sale of certain payment products that present certain risks on the basis of specific criteria.
Transition
Basically, the PSR3 will apply 18 months and 20 days after publication in the Official Journal.
Specific Proposals - New Directive (PSD3)
Scope and definitions
The new Directive repeals EMD2 and integrates E-money institutions (EMIs) as a sub-category of payment institutions (PIs).
PSD3 contains provisions relating to cash withdrawal services provided by retailers (without a purchase) or by independent ATM deployers will.
PSD3 governs access to the offer of payment services and electronic money services by PIs but not by credit institutions (banks).
Licensing and supervision of PSPs
The procedures for application for authorisation vs registration and controls on ownership are mostly unchanged but consistent for all types of PI (including ex-EMIs) and a winding-up plan ('living will') must be submitted on application.
PISPs/AISPs may hold initial capital instead of a professional indemnity insurance (which can be hard to obtain).
Requirements for initial capital are updated for inflation since 2015 (except for PISPs): €150,000 for most PIs and €400,000 for those issuing e-money. Ongoing capital ('own funds') calculations remain the same (even for ex-EMIs).
Safeguarding rules for PIs are unchanged (and apply to e-money issuers) except for the extra option of safeguarding in an account of a central bank (at the CB's discretion); and PSPs must endeavour to avoid concentration risk (with EBA regulatory technical standards on risk management of safeguarded funds).
There are more detailed provisions on internal governance, including EBA guidelines.
Provisions regarding agents, branches and outsourcing are unchanged, but with a new definition of e-money 'distributors' and related provisions aligned with those applicable to agents.
Provisions on cross-border provision of services by PIs, and the supervision of such services are broadly unchanged except for specific provisions where three Member States are involved (where the PI is established in one state, has an agent in another which provides services in a third Member State on a cross-border basis).
Cash Withdrawals
There's an exemption from PI licensing for operators of retail stores that offer voluntary cash withdrawal services without a purchase on their premises up to EUR 50 (to avoid unfair competition with ATM deployers).
Distributors of cash via ATMs who do not service payment accounts (“independent ATM deployers”) only need to register rather than be fully licensed as PIs.
Transition arrangements
Existing licenses for PIs and EMIs are “grandfathered” for 30 months after PSD3 enters into force (i.e. one year after the deadline for Member States to transpose the directive into local law on condition that they apply for a license under PSD3 no more than 24 months after entry into force).
PSD3 is a full harmonisation directive. The deadline for Member States to transpose it will be 18 months after entry into force. A review report must be presented 5 years after the entry into force, looking specifically at the possible extension to 'payment systems' (which are regulated by the UK, for example) and 'technical services', as well as the impact of the safeguarding rules on deposit guarantee schemes.
The differences in approach are broadly summarised for information purposes. If you require legal advice on the potential impact, please let us know.