WHAT is it?
The second Payment Services Directive (PSD2) represents a significant evolution of the regulation applying to the European payments industry and has been drafted to take account of the ever-increasing pace of technological development in this area. It aims to build on the provisions of the first PSD, maintaining much of the regime as-is whilst widening the scope and extent of the rules with the aim of providing increased security and opening up the industry to technological innovation.
Most of the granular requirements of PSD2 apply to European banks, who will now be required to open up their IT infrastructure to allow third-party Payment Service Providers (PSPs) access to their proprietary payment systems.
WHO will it affect?
All existing PSPs will be affected. This includes banks, building societies, credit card issuers, e-money institutions, and other types of payments institution such as money remitters (except certain types of firm which will benefit from an exclusion, as we have outlined below).
The legislation will also affect providers of payment accounts which can be accessed online (e.g. current accounts or e-money accounts) which are not regulated already. A number of new types of firm will also come under the scope of the legislation – see below for more details.
WHEN does it come into force?
PSD2 was introduced on December the 23rd, 2015; the Directive dictates that all Member States implement this piece of regulation into national law by January the 13th, 2018. The UK has drafted and passed the Payment Services Regulation, which transposes the PSD2 provisions into national law.
WHAT are the key focus areas?
PSD2 retains the same benefits that PSD introduced into the European market, such as improved economies of scale, enhanced competition and greater transparency; however, it also aims to improve customer protection and security, and make the single market fit for technological developments.
Changes in territorial scope since the PSD
PSD currently only applies if the PSPs of both the payer and payee are located within the EEA and the transaction is in euro, sterling or another non-euro Member State currency (except value dating and immediate availability provisions, which apply to ‘one-leg out’ transactions).
PSD2 will apply to ‘one-leg out’ transactions and all currencies, whether in euro or not, meaning the legislation will apply in all instances where payments are being made or received in the EEA – even if the counterparty is located in a third country.
Exclusions from PSD2
Not all providers of payment services are caught under PSD2. Certain types of firm can benefit from exemptions, meaning they will not have to be FCA-authorised as a PSP and do not have to comply with the specific provisions in PSD2.
All firms benefiting from this exclusion must provide the FCA with a description of their activities and an annual audit opinion that their customers’ transactions fall within the limits of the exclusion.
A full list of exclusions and activities that are not considered payment services under PSD2 can be found in Part 2 of the UK Payment Services Regulations 2017.
New regulated services.
PSD2 is set to bring two new types of firm under the scope of regulation for the first time: Account Information Service Providers (AISPs) and Payment Information Service Providers (PISPs).
Account Information Service Providers are defined as operators of “an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers”. These services, which are often used by users to keep an eye on their finances and allow third parties such as investment advisors to check how much they are saving, already exist in the UK. PSD2 will bring AISPs within the scope of regulation, ensuring that they can receive access to payment accounts and comply with regulations to ensure security for users.
PISPs are operators of “an online service which accesses a user’s payment account to initiate a transfer of funds on their behalf with the user’s consent and authentication”. These represent an alternative to paying online using a credit or debit card. These services are not widely used for online payments in the UK, but are popular in other European countries. Again, PSD2 brings these firms within the scope of regulation for the first time.
The FCA has made clear that AISPs which provide account information only will not have to undergo Part IV authorisation with the FCA, but will be subject to a light-touch registration regime and will be exempt from many of the specific provisions applicable to regulated PSPs, such as capital requirements.
However, PISPs must seek full authorisation from the FCA and will be subject to an initial €50,000 regulatory capital minimum (which may be higher if the PISP intends to provide other kinds of payment service).
Authorisation and registration requirements for new and existing firms
Prospective PSPs applying under Payment Service Regulation (PSR) and e-money institutions applying under Electronic Money Regulation (EMR) will have to provide information in addition to what they already provide, including information about:
Existing payment and e-money institutions are allowed to operate with their current authorisation before the 12th of July; firms that wish to continue offering their service after the 12th of July 2018 need to provide the above information before the 13th of April 2018.
In the case of small PSPs, these firms must re-apply and provide all relevant information before the 13th of October 2018 if they wish to carry on their activities after this date.
Information on how to provide the FCA with the above-listed documents, and on the process of seeking authorisation, will be provided by the FCA on the authorisation page of its website after the implementation of regulation by the Treasury.
Passporting under PSD2.
Under PSD2, firms with agents in another Member State may need to provide a “Central Contact Point” within that state if they have passported under the ‘right of establishment’. PSD2 confers an option on host Member States to require those PIs and EMIs to appoint a central contact point in their territory. The objective of such a contact point is to ensure adequate communication and information reporting in the host Member State in accordance with PSD2, and to facilitate supervision by the competent authorities of the home and host Member States.
They might also have to provide periodical reports to the host state.
The FCA will publish information at a later date on when firms that want to passport should apply.
Key changes introduced under PSD2 to improve consumer protection:
Under PSD2, the payer’s liability for unauthorised transactions is capped at €50. Payers will, however, be liable in cases of fraud, gross negligence or failing to notify their PSP without unnecessary delay on becoming aware of the loss.
Under PSD2, PSPs are the ones responsible for the accuracy and timeliness of payments. It also states that payers are entitled to claim refunds through their Account Servicing Payment Services Provider (ASPSP), whether or not there are other PSPs involved in a transaction. These ‘other’ PSPs will be liable to the payer’s ASPSP.
Each PSP’s liability is limited to their area of competence.
Payers have a maximum of 13 months to inform their PSP about an incorrect transaction.
In case a payer has provided the PSP with the wrong ID, the payee’s PSP is now required to ‘cooperate’ in order to recover losses.
PSPs must give a full response to complaints within 15 days. If there are exceptional circumstances, this time limit is extended to 35 days and the firms must send the payer a holding letter in the meantime.
SCA is also known as two-factor authentication. Payment service users will need to use SCA whenever they access their accounts online, make an electronic payment or carry out any action which carries a risk of fraud or abuse.
The two elements of SCA are:
These elements must be independent from one another so that one of them being breached doesn’t compromise the integrity of another.
The EBA is responsible for developing technical standards for SCA.
Reporting under PSD2.
Statistical data on fraud should be sent by the PSPs, through competent authorities, to the EBA and ECB at least every year.
PSPs must send an updated assessment of the operational and security risks, and information about the effectiveness of the mitigation and control methods they employ, to the competent authorities every year.
Member states may require PSPs that have agents or branches in their territories to report to them on their activities in their territories.
PSPs must notify the EBA and ECB (and any other relevant Member State authorities), by informing competent authorities, of any major operational or security incident as soon as they become aware of it.
Existing PSPs and EMIs: Re-authorisation and re-registration requirements
There is additional information that existing PSPs must provide the FCA if they wish to continue providing payment services in the future. The information to provide is set out above and in the Payment Services Regulation 2017.
Existing PIs and EMIs should also notify the FCA if there are any changes to information they have already provided that is relevant to the conditions under which they were originally authorised.
Deadline to provide the new information: 13th of April 2018 (for authorised PIs, EMIs and small EMIs to continue operating after the 13th of July 2018)
Deadline to provide the new information: 13th of October 2018 (for small PIs to continue operating after 13th of January 2019)
Applications can be made starting 13th of October 2017. More information on the application/information process can be found on this page.
Please note: there is no right to appeal if an existing PI or EMI fails to provide additional information.
Any applications for authorisation and registration under PSRs 2009 which are still in progress will be treated as applications under PSRs 2017, and the FCA will notify such businesses should any additional information be required from them.
If these firms receive authorisation or registration between the 13th of October 2017 and 13th of January 2018, they will need to provide the additional information by the 13th of April 2018.
It is envisaged that holders of existing passporting permissions will not have to change these or re-apply for new permissions following the implementation of PSD2. The FCA has provided more information on this page and at chapter 6 of its draft Payment Services and Electronic Money approach document.
WHAT do firms need to do to comply?
WHAT can we do to help?
The FinTech Compliance team have considerable expertise in payment services regulation and have successfully authorised many payment services and e-money firms in the past. We are intimately familiar with the requirements of PSD2 and we can assist with all aspects of the notification, authorisation and implementation process for affected firms. In particular, we can help with:
Please do not hesitate to contact us via telephone at +44 (0) 207 100 4058, or visit the Contact page on our website, if you require more information on PSD2 or would like to engage our assistance.