Payment Services Directive

The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366), [1] which replaced the Payment Services Directive (PSD, Directive 2007/64/EC), [2] is an EU directive, administered by the European Commission (Directorate General Internal Market), that regulates payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The PSD's purpose was to increase pan-European competition and participation in the payments industry, also from non-banks, and to provide a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users. [3] The key objectives of PSD2 are creating a more integrated European payments market, making payments more secure and protecting consumers. [4]

Overview

The SEPA (Single Euro Payments Area) is a self-regulatory initiative by the European banking sector represented in the European Payments Council, which defines the harmonization of payment products, infrastructures and technical standards (Rulebooks for credit transfer/direct debit, BIC, IBAN, ISO 20022 XML message format, EMV chip cards/terminals). The PSD provides the legal framework within which all payment service providers must operate.

The PSD's purpose in regard to the payments industry was to increase pan-European competition, with participation also from non-banks, and to provide a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users. [3] Its purpose in regard to consumers was to increase customer rights, guarantee faster payments (no later than the next day since 1 January 2012), describe refund rights, and give clearer information on payments. [5] Although the PSD was a maximum harmonisation directive, certain elements allowed individual countries to choose between options. [6]

The final adopted text of PSD went into force 25 December 2007 and was transposed into national legislation by all EU and EEA member states by 1 November 2009. [2] [7]

Technical overview

The PSD contained two main sections:

  1. The "market rules" described which type of organisations could provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), the PSD mentioned electronic money institutions (EMI), created by the E-Money Directive in 2000, and created the new category of "payment institutions" (PI) with its own prudential regime rules. Organisations that are neither credit institutions nor EMIs could apply for an authorisation as a payment institution if they met certain capital and risk management requirements. The application could be made in any EU country where they are established and they could then "passport" their payment services into all other EU member states without additional PI requirements.
  2. The "business conduct rules" specified what transparency of information payment service institutions needed to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulated the rights and obligations for both payment service providers and users, how to authorise and execute transactions, liability in case of unauthorised use of payment instruments, refunds on payments, payment orders, and value dating of payments.

Each country had to designate a "competent authority" for prudential supervision of the PIs and to monitor compliance with business conduct rules, as transposed into national legislation. [8]

Updates

The PSD was updated in 2009 (EC Regulation 924/2009) and 2012 (EU Regulation 260/2012). An implementation report from 2013 found the PSD facilitated "provision of uniform payment services across the EU" and reduced legal and production costs for many payment service providers and that "the expected benefits have not yet been fully realised". The same report found the 2009 update "to be functioning well. For example, charges for €100 transfers followed a further downward trend to €0.50 euro-area average for transfers initiated online and remained low, at €3.10 for transfers initiated at the bank counter". [9]

In October 2021 the EBA launched a public consultation on amending its Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication (SCA&CSC) under PSD2 with regard to the 90-day exemption from SCA for account access. [10] In the UK, the FCA published policy statement PS21/19, [11] "Changes to the SCA-RTS and to the guidance in 'Payment Services and Electronic Money – Our Approach' and the Perimeter Guidance Manual". This document proposed a number of modifications, including to Article 10 of the UK RTS: the requirement for the payment service user (PSU) to re-authenticate with their account servicing payment service provider (ASPSP) every 90 days to allow account information service provider (AISP) access was replaced with a requirement for the PSU to reconfirm their consent directly with their AISP.

Remaining issues

  1. The PSD only applied to payments within the European Economic Area, but not to transactions to or from third countries.
  2. PSD exemptions related to payment activities left users unprotected.
  3. The PSD option for merchants to charge a fee or give a rebate, combined with the option for countries to limit this, led to "extreme heterogeneity in the market".
  4. So-called "third party payment service providers" emerged, which facilitated online shopping by offering low cost payments on the Internet by using the customers' home online banking application with their agreement, and informing merchants that the money is on its way. Other "account information services" offer consolidated information on different accounts of a payments service user. Harmonisation of refund rules regarding direct debits, a reduction of the scope of the "simplified regime" for so-called "small payment institutions" and addressing security, access to information on payment accounts or data privacy with possible licensing and supervision were proposed. [9]

Revised Directive on Payment Services (PSD2)

On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer. [12]

Then-Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said, "This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow." [12]

On 16 November 2015, the Council of the European Union passed PSD2. Member states then had two years to incorporate the directive into their national laws and regulations. [13] On 27 November 2017, Commission delegated Regulation (EU) 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. [14]

The EU and many banks pushed this development with the new Payments Service Directive 2 (PSD2), which came into force on 13 January 2018. Banks then adapted to these changes which opened many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future. [15]

An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.

Another important element of the directive is the requirement for common and secure communication (CSC). eIDAS-defined qualified certificates are required for website authentication and for the electronic seals used in communication between financial services players. The technical specification ETSI TS 119 495 defines a standard for implementing these requirements.
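As an added example, not code from the article, the directive or ETSI: ETSI TS 119 495 places a PSD2-specific QCStatement (OID 0.4.0.19495.2, carried inside the X.509 qcStatements extension, OID 1.3.6.1.5.5.7.1.3) in a payment service provider's qualified certificate. The statement lists the PSP roles the provider is authorised for (account servicing, payment initiation, account information, card issuing; role OIDs 0.4.0.19495.1.1 to 0.4.0.19495.1.4) together with the name and identifier of the national competent authority that granted them. A receiving ASPSP can therefore check, after the usual TLS and trusted-list validation, that a third party's certificate actually asserts the role an API call requires. The OIDs and the ASN.1 layout below are taken from TS 119 495 and are not quoted on the page; the certificate contents (roles, NCA name "Placeholder Competent Authority", NCA id "XX-PLACEHOLDER") are constructed sample data, and the code parses only the extension value, not a whole certificate.

```python
# Added example (not from the Wikipedia article, the directive or ETSI): build
# and parse the PSD2 QCStatement defined by ETSI TS 119 495 and check whether a
# PSP certificate asserts the role an API endpoint needs. Standard library only;
# signature and trusted-list validation of the certificate are out of scope.

# OIDs as defined in ETSI TS 119 495 (not quoted on the page; see lead-in).
PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"
ROLE_PSP_AS = "0.4.0.19495.1.1"   # account servicing (ASPSP)
ROLE_PSP_PI = "0.4.0.19495.1.2"   # payment initiation (PISP)
ROLE_PSP_AI = "0.4.0.19495.1.3"   # account information (AISP)
ROLE_PSP_IC = "0.4.0.19495.1.4"   # issuing of card-based payment instruments
QC_COMPLIANCE_OID = "0.4.0.1862.1.1"  # generic ETSI QcCompliance statement, not PSD2-specific

# --- minimal DER encoding, used only to construct the sample statement --------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                 # base-128 with continuation bits
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_utf8(s):
    return der_tlv(0x0C, s.encode("utf-8"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

# --- minimal DER decoding ------------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

# --- the PSD2 statement: PSD2QcType ::= SEQUENCE { rolesOfPSP, nCAName, nCAId } --
def parse_psd2_qcstatement(qcstatements_der):
    """Return {'roles': [(oid, name)], 'nca_name', 'nca_id'} or None if absent."""
    tag, body, _ = read_tlv(qcstatements_der, 0)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    for _, statement in children(body):  # QCStatement ::= SEQUENCE { id, info OPTIONAL }
        items = children(statement)
        if decode_oid(items[0][1]) != PSD2_QCSTATEMENT_OID:
            continue                     # e.g. QcCompliance: skip, no role data here
        roles_seq, nca_name, nca_id = children(items[1][1])
        roles = []
        for _, role in children(roles_seq[1]):  # RoleOfPSP ::= SEQUENCE { oid, name }
            role_oid, role_name = children(role)
            roles.append((decode_oid(role_oid[1]), role_name[1].decode("utf-8")))
        return {"roles": roles,
                "nca_name": nca_name[1].decode("utf-8"),
                "nca_id": nca_id[1].decode("utf-8")}
    return None

def authorised_for(qcstatements_der, required_role_oid):
    """Defender-side check: does the certificate assert the role this API needs?"""
    info = parse_psd2_qcstatement(qcstatements_der)
    return info is not None and any(oid == required_role_oid for oid, _ in info["roles"])

# Constructed sample: a TPP certificate authorised as AISP and PISP by a placeholder NCA.
SAMPLE_QCSTATEMENTS = der_seq(
    der_seq(der_oid(QC_COMPLIANCE_OID)),
    der_seq(der_oid(PSD2_QCSTATEMENT_OID), der_seq(
        der_seq(der_seq(der_oid(ROLE_PSP_AI), der_utf8("PSP_AI")),
                der_seq(der_oid(ROLE_PSP_PI), der_utf8("PSP_PI"))),
        der_utf8("Placeholder Competent Authority"),
        der_utf8("XX-PLACEHOLDER"))))

# Constructed sample with no PSD2 statement at all (an ordinary qualified certificate).
NON_PSD2_QCSTATEMENTS = der_seq(der_seq(der_oid(QC_COMPLIANCE_OID)))

if __name__ == "__main__":
    print(parse_psd2_qcstatement(SAMPLE_QCSTATEMENTS))
    print("AIS allowed:", authorised_for(SAMPLE_QCSTATEMENTS, ROLE_PSP_AI))
    print("card issuing allowed:", authorised_for(SAMPLE_QCSTATEMENTS, ROLE_PSP_IC))
```

The point of `authorised_for` is that a valid, trusted qualified certificate is not by itself authorisation for every PSD2 API: an account information endpoint should refuse a certificate that only asserts the payment initiation role, and a certificate without the PSD2 statement at all should be refused for any TPP role, which is what the second sample exercises.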

PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication (SCA) until 31 December 2020. [16] [17]

Privacy concerns

Privacy First, a privacy organisation, criticised the open banking elements of the new legislation, claiming it focuses too much on improving competition and innovation while the privacy interests of account holders are overlooked. [19]

References

  1. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance). OJ L, 23 December 2015. Retrieved 12 July 2020.
  2. "Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC". Official Journal of the European Union. 5 December 2007. Retrieved 2 August 2014.
  3. "Payment services (PSD 1) - Directive 2007/64/EC". European Commission. Retrieved 13 February 2017.
  4. "Authorised Payment Institution | Payments | Licensing & Compliance". BCC UK. Retrieved 26 May 2020.
  5. "The Payment Services Directive – What it means for Consumers" (PDF). European Commission. Archived from the original (PDF) on 30 May 2013. Retrieved 20 March 2014.
  6. "Directive on Payment Services (PSD) – Member States' options". EC.Europa.eu. European Commission. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
  7. "Payment Services". EC.Europa.eu. European Commission. Retrieved 13 February 2017.
  8. "Competent authorities for the authorisation and supervision of payment institutions (Article 20)" (PDF). EC.Europa.eu. Archived from the original (PDF) on 27 February 2015. Retrieved 27 February 2015.
  9. "Report from the Commission to the European Parliament and the Council on the application of Directive 2007/64/EC on payment services in the internal market and on Regulation (EC) No 924/2009 on cross-border payments in the Community". Eur-lex.europa.eu. 24 July 2013. Retrieved 27 February 2015.
  10. "EBA consults on the amendment to its technical standards on strong customer authentication and secure communication in relation to the 90-day exemption for account access" (Press release). European Commission. 28 October 2021. Retrieved 1 February 2021.
  11. "PS21/19: Changes to the SCA-RTS and to guidance in the Approach Document and the Perimeter Guidance Manual" (Press release). The Financial Conduct Authority. 29 November 2021. Retrieved 1 February 2021.
  12. "European Parliament adopts European Commission proposal to create safer and more innovative European payments" (Press release). European Commission. 8 October 2015. Retrieved 4 May 2016.
  13. "Electronic payment services: Council adopts updated rules" (Press release). Council of the EU. 16 November 2015. Retrieved 16 November 2015.
  14. "Commission Delegated Regulation (EU) 2018/389". 27 November 2017.
  15. "Capitalizing on the potential benefits of open banking". McKinsey. Retrieved 21 September 2019.
  16. "Strong customer authentication (SCA) enforcement date". Stripe: Help & Support. Retrieved 21 September 2019.
  17. "EBA publishes an Opinion on the elements of strong customer authentication under PSD2" (Press release). European Banking Authority. Retrieved 21 September 2019.
  18. Jones, Brendan (23 October 2018). "The Implications and Requirements of PSD2 open banking for Programme Managers". Finextra.
  19. "European PSD2 legislation puts privacy under pressure. Privacy First demands PSD2 opt-out register". www.privacyfirst.eu. Retrieved 26 May 2020.