Revised Payment Services Directive - A Brief Explanation


Upload: nivin-paramasivam

Post on 18-Jan-2017


Category:

Economy & Finance



TRANSCRIPT

PSD2 BRIEFING

Disclaimer: The views expressed here are solely those of the author in his private capacity and do not in any way represent the views of the ECB, EBA or the European Parliament. The competent authorities have not approved, endorsed or embraced this publication. The counsel provided in the document may be used upon careful deliberation with necessary industrial specialists and experts.

The Revised Payment Services Directive (PSD2) was established in December 2015 and will be implemented across banks in the next couple of years. PSD2 will introduce measures that banks, payment service providers, payment institutions and others will need to comply with. It discusses not only compliance and regulatory standards, but also market standards, competition from third-party providers and the opportunity to open virtual trade routes outside the European Union.

PSD2 builds on the collective information gathered from the experience of various banks, payment institutions and payment service providers after PSD1 became law. The working principles of PSD2 revolve around the following major topics.

Improve level playing field for Payment Service Providers – Since the inception of the Payment Services Directive in 2007, advancements in technology and the payment industry have continued at a rapid pace. New innovations in payment services have brought better options for consumers and merchants. PSD2 has revised the role of payment service providers to cope with the changes in the market. In keeping with a futuristic development model, ample options are provided for innovation and progress. By improving competition within the domain, the European Banking Association brings in zest from the best of the breed and steers banks to self-evolve.

Safer and more secure payment transactions – Online data is being subjected to multiple levels of scrutiny in order to avoid hacks and leaks. Developments in security and cryptography standards guarantee better security and safety procedures for financial transactions. The growth of virtual currencies, de-centralised settlement systems and block-chain technology has provided the means for better structure in payment transactions. Online transactions have increased manifold in the past 5 years and the number of interactions between consumers, merchants and banks on devices (mobile, tablets, laptops etc.) has amplified. To ensure the audit and security of transactions, as well as to maintain a low tolerance towards data leakage, all stakeholders must adopt safer and more secure payment transactions.

Consumer Protection – PSD1 enabled payment service providers to act as intermediaries for various banking services. PSD2 allows third party providers into the payments arena for the betterment of services. EBA ensures that consumers are not affected due to any malpractice or fraudulent nature of the services offered by different participants in the program. Protection under data-privacy laws and of consumer information has to be maintained within the ambit of regulation. Stringent actions must be put in place to ensure that payment service providers, account services payment service providers, payment initiation service providers and payment institutions do not expose critical information.

Harmonise pricing – The interchange card fee and the Payments Account Directive (May, 2014) ensure a level playing field for pricing and billing strategies, so that usage of common terms, transfer of accounts, opening of new accounts and charges are transparent and common across all member states in the Union. PSD2 warrants that these are continued in practice for payment transactions to improve trade relations and money flow within the member states.

PSD2 enables cross-currency transactions as long as one of the parties in the transaction is registered within any member state. Cross-border trade and the relative positioning of the Euro currency in the world payments market will intensify. All the above objectives shall lead to an efficient and more integrated European payments world.

Table 1 – Topics covered under Revised Payment Services Directive

HEADING | DESCRIPTION | # Articles
Title I | Subject matter, scope and definition | 4
Title II | Payment service providers | 33
Title III | Transparency of conditions and information requirements for payment services | 23
Title IV | Rights and obligations in relation to the provision and use of payment services | 43
Title V | Delegated acts and regulatory technical standards | 3
Title VI | Final provisions | 11
Recitals | Total number of recitals based on which articles were developed | 113
Annexure I | Payment services that are referred in the directive | 8
Annexure II | Correlation table between PSD2 and PSD1 | -

Title I – Subject matter, scope and definition

The directive establishes rules in accordance with which member states shall distinguish between the different categories of payment service providers. The figure below represents the various categories of payment service providers in scope.

Fig 1 – List of parties involved in the directive

- Credit Institutions
- Electronic Money Institutions
- Post Office Giro Institutions
- Payment Institutions
- *ECB & National Central Banks
- *Member states or local/regional authorities

* When these bodies are not acting in their capacity as monetary authority or other public authorities

The directive also deals with transparency of conditions, information requirements, rights and obligations of respective payment service providers in respect to the provision as a business or occupation.

List of Payment Services

- Services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account.
- Services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account.
- Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider:
  a) execution of direct debits, including one-off direct debits;
  b) execution of payment transactions through a payment card or a similar device;
  c) execution of credit transfers, including standing orders.
- Execution of payment transactions where the funds are covered by a credit line for a payment service user:
  a) execution of direct debits, including one-off direct debits;
  b) execution of payment transactions through a payment card or a similar device;
  c) execution of credit transfers, including standing orders.
- Issuing of payment instruments and/or acquiring of payment transactions.
- Money remittance.
- Payment initiation services
- Account information services

Fig 2 – List of services excluded from directive

- Direct cash payments
- Cash to cash currency exchange
- Authorised commercial agent for sale/purchase of goods from either only payee or payer
- Vouchers, drafts and TC
- Physical transport of banknotes or coins
- Cash collection and delivery within non-profit or charitable organisation
- Paper based money orders
- Services where commission is provided as cash by payee to payer

Title II – Payment Service Providers

Title II explains the various rules and obligations a payment institution must adhere to. It also delegates responsibility to competent authorities and member states wherever applicable, such as granting/withdrawal of authorisation, safeguarding and maintenance of requirements, and record-keeping. Member states have the responsibility to ensure that payment service providers meet a certain Level of Assurance (LoA) by means of initial capital based on the type of payment service they would like to provide. PSPs could avail the services of agents, branches or entities to whom they can outsource their services. The EBA is directed to maintain a register where all PSPs must be authorised. This register will be available online and can be observed across all member states.

The sections under this title lay out different principles on which PSPs should act and apportion their tasks. It allows PSPs to challenge competent authorities through the right to apply to courts and the settlement of any disagreements between competent authorities of different member states. The articles defined under this title further go on to explain the access rights of a payment institution and credit institution. The services granted or accessed by member state or competent authorities must maintain a level of discrimination and should be without prejudice to the services offered. It also advises enhanced co-operation between competent authorities of all member states. The Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) for the register will be finalised by the EBA by July 2017 and shall enter into force 18 months from then. There is a set of RTS which shall be released by EBA at various timelines in the near future (a detailed list is available at the official website).

Key Points to Remember

- PSPs must maintain initial capital depending on the type of payment services offered
- Member states must appoint competent authorities for various safeguarding purpose
- Payment institutions and payment service providers must adhere to certain guidelines to be authorised and provide their services
- EBA will release a web-register where details of all authorised PSPs will be maintained. This shall be accessible across all member states of the Union
- PSPs can operate in a member state other than the home member state where they have been authorised, but will have to provide information to competent authorities of the member state

Title III – Transparency of conditions and information requirements for Payment Services

The 2 major topics that are deliberated under this title are ‘single payment transactions’ and ‘framework contracts’ and any payment transactions that are enclosed by them. Provisions are applied to microenterprises in the same way as they are applicable to a consumer. Whenever any payment is made, the currency in which the transaction is done is agreed with both the payer and payee. Where currency conversion applies, exchange rates are to be supplied before initiation of the payment. Similarly, any charges or breakdown of charges (if applicable) shall also be informed to the payer and payee before initiation of the transaction. Any discounts offered on a particular payment instrument shall be disclosed to the payer prior to the initiation of the payment transaction. There are some derogations to information requirements for certain low-value payment instruments and electronic money (less than €30).

Framework contract contains the terms and conditions and any other information, along with their consequences, that the payer and payee must be aware of for using the payment service. The contract should be provided to the user well in advance and in a language and format that is easily understandable to all participants involved. All contractual obligations on the usage of a payment instrument or conducting a payment transaction should be clearly and transparently laid out. PSPs must provide their geographical address and details of relevant supervisory authorities and registry. The contract must also outline the main characteristics of the services offered and must contain the form and procedure of consent to initiate a payment order and for execution/withdrawal of a transaction. All parties must also agree to the language, means of communication and frequency (including the technical requirements of the user’s equipment and software) that shall be used for notification. Procedures for compensation must also be clearly defined according to the ADR procedures defined under Title IV or any national law. Changes to interest rates and exchange rates can be applied without any notification. Any other amendment to the framework contract should be notified to the participants involved.

Key Points to Remember

- PISPs must provide reference of transaction to the payer’s ASPSP
- Unique transaction reference, transaction amount, exchange rate (if applicable), charges and breakdown of charges (if applicable) and date of the transaction will be communicated during various stages of the payment order or payment transaction
- When not covered as part of a framework contract, all this information must be provided before initiation of the payment transaction and immediately after execution of the transaction
- Access to accounts is enabled through API (XS2A)

Single payment transactions addresses the information to be provided to a user on individual payment transactions that are not covered under any framework contract defined above. It appoints member states to ensure that such information is available at each stage of the payment transaction, like ‘before initiation’, ‘after initiation’, ‘on receipt of payment order’, ‘after execution of payment transaction’ etc. Needless to say, ASPSPs, payer, payee, PISPs and PSPs will have to adhere to the terms and conditions of the payment service offered.

Title IV – Rights and obligations in relation to the provision and use of Payment Services

The procedures and obligations for capturing information during authorisation and execution of a payment transaction or payment order are discussed in detail under this title. It also discusses in detail data protection, operational and security risks, authentication protocols and the ADR procedures that need to be adopted during settlement of disputes. PSPs cannot charge users for fulfilling their information obligations or for corrective and preventive measures. Wherever charges are applicable, they must be in line with the actual costs involved. In cases of low-value payments (less than €30), some obligations can be exempted.

A payment transaction will be considered ‘authorised’ only if the payer provides consent to execute the payment transaction. ASPSPs shall confirm the availability of funds upon request, if the payer’s account is accessible online and if the payer has given explicit consent to respond to such requests from a specific PSP. However, ASPSPs shall not block funds on the payer’s payment account. PISPs can initiate a transaction for the payer to the ASPSP, and shall never hold the payer’s funds in connection with the provision of the service. They shall not tamper with the data or use the data for other business purposes without the explicit consent or authorisation of the user. PSPs can block or limit the amount usage on a payment instrument, but should communicate justifiable reasons to the user while doing so. Furthermore, they shall unblock or replace the payment instrument if the reason for blocking no longer exists.

Unauthorised or incorrectly executed transactions shall be rectified if the user notifies the PSP, and no later than 13 months after the debit date. It is the responsibility of the PSP to provide evidence of authentication and execution of the payment transaction. If PISPs were involved then they are held responsible. Information exchange must happen cordially between PSP and PISP. The payer is liable to bear the loss up to a maximum of €50 in case of an unauthorised transaction. Within 10 business days of receiving a request for a refund, the PSP shall either refund the full amount or provide a justification to refuse the refund.

Key Points to Remember

- Authorisation and execution rules are applicable to all stakeholders involved in the payment supply chain
- Member states must appoint competent authorities for ensuring that PSPs have adequate and effective procedures to address data protection, operational and security concerns
- PSPs or PISPs or ASPSPs are liable to compensate the financial loss of payer in any event of unauthorised transaction if proved.
- Payer must notify PSP without any undue delay if any unauthorised or fraudulent transaction is executed
- Personal data can be consumed during investigation to prevent transaction fraud.
- All stakeholders must follow strong customer authentication and secure communication standards
- EBA along with ECB shall release set of guidelines that must be adopted.

Funds can be debited only after successful execution of a payment transaction. Receipt of payment orders must be communicated immediately to the concerned participants involved in the transaction. ASPSPs cannot revoke a transaction for which consent has already been provided for the initiation request. Fund transfers between the payer’s ASPSP, PSPs, PISPs and the payee’s ASPSP must be immediate and without delay. Funds must be available by the end of the next business day and should be effective to the value-date of the payment transaction. It is the responsibility of the PSP to communicate the unique reference identifier specification to the user. All communications between parties must be secure and adhere to strong customer authentication rules mandated by EBA. In cases where such procedures are not in place, the PSP shall be liable for financial losses arising out of a security breach. Wherever applicable, the payer’s account shall be restored as if the debit transaction had not happened in case of an unauthorised, incorrect or late execution or non-execution of a transaction. Processing of personal data shall be permitted by member states when necessary to safeguard the prevention, investigation and detection of payment fraud.

Member states are delegated with the authority to ensure that payment service providers establish and maintain appropriate risk mitigation measures and have in place effective incident management procedures, including the detection and classification of major operational and security incidents. EBA, in close cooperation with ECB, shall issue guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes, by the 13th of July, 2017. These guidelines will be reviewed in any event at least every 2 years. PSPs must ensure that competent authorities are notified of a major operational or security incident without undue delay.

Authentication may be applied whenever the payer (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel. EBA shall issue technical standards which shall ensure that strong customer authentication is established and that all communication between the various parties is secure. They shall advise member states to adopt common and open standards for API development which will be used to communicate with each payment player.

Title V – Delegated acts and regulatory technical standards

This title provides information about the powers of delegation and the scope of delegated tasks. It also expresses the control of delegates by the Commission and procedures to revoke or grant tasks. One of the key objectives of PSD2 is to ensure protection of consumer rights, and measures are taken in order to accommodate it. There will be 5 RTS and 1 ITS which will be issued by EBA, after close consultation with various stakeholders and the cooperation of ECB, in the near future.

The power to adopt delegated acts is conferred on the Commission for an undetermined period of time from 12th of January, 2016. The power can be revoked by the European Parliament or by the Council. The decision to revoke delegation shall not affect the validity of any delegated acts already in force.

The Commission shall provide a user-friendly electronic leaflet, listing ‘consumer rights under PSD2’ in a clear and easily comprehensible manner, by 13th of January, 2018. PSPs must ensure that the leaflet is available on their respective websites in an easily accessible manner.

Title VI – Final provisions

Various amendments to Directives already circulated in previous years are mentioned. Any change in the clauses or national law or Union law shall be communicated to the Commission.

Conclusion

The Revised Payment Service Directive promotes harmonised pricing among all member states and prepares a level playing field for increased competition. It sets the stage for mergers, acquisitions and collaborations with niche industry specialists and banks. Banks can provide more value-added services through APIs or through networking with third party providers to improve their line of sight in the business world and expand their geographical footprint. The Directive does not compromise on consumer rights and security measures and calls on the necessary stakeholders to adopt advanced technological solutions. It endorses open-market principles, transparency and efficiency of services, and coerces banks to think beyond the traditional thought process and embrace change for the betterment of the financial industry as a whole.

Author: Nivin P