Post on 09-Sep-2020
transcript
1
PSD 2THE NEW PAYMENT
SERVICES DIRECTIVE
Contents
1. Introduction ..............................................................................................................................................................................................................3
2. PSD 2 Background ......................................................................................................................................................................................4
2.1. PSD 2 Chronology ...........................................................................................................................................................5
3. A Summary of Changes .....................................................................................................................................................................6
3.1. Third party payment service providers .........................................................................................6
3.2. Exclusions from the scope ...............................................................................................................................7
3.2.1. Technical Service Providers ...............................................................................................7
3.2.2. Commercial Agents ....................................................................................................................7
3.2.3. Telecom Operators ........................................................................................................................7
3.2.4. Specific Payment Instruments of Limited Use ...............................8
3.3. Authorisation and registration ................................................................................................................8
3.4. Passporting ............................................................................................................................................................................9
3.5. Consumer protection ............................................................................................................................................10
3.5.1. Right to Information ..................................................................................................................10
3.5.2. Liability for Unauthorised Transactions ...................................................10
3.5.3. Unconditional Right to Refund ..............................................................................10
3.5.4. The Blocking of Funds on a Payment Account ..............................11
3.5.5. One-leg Transactions and All Currencies ................................................11
3.5.6. Alternative Dispute Resolution ...............................................................................11
3.6. Payment security and data protection ......................................................................................12
3.6.1. Strong Customer Authentication .........................................................................12
3.6.2. Dynamic Authentication Codes ............................................................................12
3.6.3. Operational and Security Risks ..............................................................................12
3.6.4. Security Incident Reporting .........................................................................................13
3.6.5. Access to Payment Accounts through PISP and AISP .....13
3.6.6. Personalised Security Credentials ......................................................................14
3.7. Liability ...........................................................................................................................................................................................15
3.8. Service charges ................................................................................................................................................................15
3.9. The Role of European Banking Authority .............................................................................16
3.9.1. EBA Guidelines and Draft Regulatory Technical Standards ....................................................................................................................................................................16
3.9.2. EBA Register........................................................................................................................................18
3.10. Transitional Period ...................................................................................................................................................18
3.10.1. General Approach ......................................................................................................................18
3.10.2. Authorised Payment Institutions .....................................................................19
3.10.3. Small Payment Institutions ........................................................................................19
3.10.4. Electronic Money Institutions ...............................................................................20
3.10.5. Payment Initiation and Account Information .............................20
4. Changes in More Detail ......................................................................................................................................................................21
4.1. Definitions .................................................................................................................................................................................21
4.1.1. Payment Services .............................................................................................................................21
4.1.2. Actors ...............................................................................................................................................................22
4.1.3. Payment Security and Data Protection .....................................................22
4.1.4. Other New and Modified Definitions .............................................................23
4.2. Exemption from the Scope .................................................................................................................24
4.2.1. Commercial Agency .................................................................................................................24
4.2.2. Technical Service Providers ..........................................................................................25
4.2.3. Specific Payment Instruments with Limited Use ......................25
4.2.4. Providers of Electronic Communications Networks ...........26
4.2.5. ATM Cash Withdrawals .....................................................................................................27
4.3. Authorisation and Registration ..........................................................................................................28
4.3.1. Additional Information to Accompany an Application for Authorisation / Registration...................................28
4.3.2. Qualifying Holding ...................................................................................................................30
4.3.3. Initial Capital ........................................................................................................................................31
4.3.4. Own Funds ..............................................................................................................................................31
4.3.5. Safeguarding Requirements......................................................................................32
4.3.6. Registered Office Requirements .........................................................................32
4.3.7. Other Allowable Activities .............................................................................................32
4.3.8. Exemptions ...........................................................................................................................................33
4.3.9. Public Register of Payment Institutions ................................................36
4.3.10. EBA’s Central Register .....................................................................................................36
4.4. Accounting and Statutory Audit .......................................................................................................37
4.5. Agents, Branches and Outsourcing ..............................................................................................37
4.6. Competent Authorities and Supervision .............................................................................39
4.7. Right of Establishment and Freedom to Provide Services .....................40
4.7.1. Supervision of PIs Operating on a Cross-border Basis.....43
4.7.2. Measures in Case of Non-compliance ........................................................44
4.8. Access to Payment Systems and Accounts Maintained with a Credit Institution ...................................................................................................................................46
4.9. Customer Protection .............................................................................................................................................47
4.9.1. Payment Service Users’ Right to Information .................................47
4.9.2. Applicable Charges .................................................................................................................50
4.9.3. Authorisation of Payment Transactions ..................................................51
4.9.4. Execution of Payment Transactions ..............................................................57
4.9.5. Consumer Rights .........................................................................................................................59
4.10. Liability.....................................................................................................................................................................................59
4.10.1. Payment Service Provider’s Liability for Unauthorised Payment Transactions ........................................................59
4.10.2. Payer’s Liability for Unauthorised Payment Transactions ....................................................................................................60
4.10.3. Refunds for Payment Transactions ...............................................................61
4.10.4. Incorrect Unique Identifier .........................................................................................62
4.10.5. Payment Service Provider’s Liability for Non-execution, Defective or Late Execution of Payment transactions .............................................................................................62
4.10.7. Right of Recourse .....................................................................................................................65
4.11. Data Protection ............................................................................................................................................................65
4.11.1. Personal Data Protection ................................................................................................65
4.11.2. Management of Operational and Security Risks ....................66
4.11.3. perational and Security Incident Reporting ....................................66
4.11.4. Strong Customer Authentication ....................................................................67
4.12. Alternative Dispute Resolution (ADR) Procedures ...........................................68
4.12.1. Complaints ............................................................................................................................................68
4.12.2. Competent Authorities ...................................................................................................69
4.12.3. Dispute Resolution ................................................................................................................70
4.12.4. ADR Procedures ...........................................................................................................................71
4.13. The Role of European Banking Authority (EBA) under PSD 2 ...........71
4.13.1. EBA’s Guidelines ............................................................................................................................72
4.13.2. Regulatory Technical Standards .......................................................................74
4.14. Impact of PSD 2 on Existing Industry Actors .............................................................78
4.14.1. Impact on Existing Payment Institutions ............................................79
4.14.2. Impact on Electronic Money Institutions ..........................................80
4.14.3. Impact on Existing Unregulated PISPs and AISPs ..............82
4.14.4. Impact on Account Servicing Payment
Service Providers ......................................................................................................................82
5. Next Steps ............................................................................................................................................................................................................82
5.1. Transposition .......................................................................................................................................................................82
5.2. EBA Guidelines and Regulatory Technical Standards ....................................83
7
1. Introduction
On 23 December 2015 the revised Payment Services Directive (EU) 2015/2366 (PSD 2)
was published in the Official Journal of the European Union after the formal adoption by
the European Parliament and the EU Council of Ministers. It came into force on 12 Janu-
ary 2016. From this date, Member States will have two years to introduce the necessary
changes in their national laws in order to comply with the new rules.
The PSD 2 updates and complements the EU rules put in place by the Payment Services
Directive 2007/64/EC, repeals and replaces it with effect from 13 January 2018. Until
then, the existing rules should be interpreted in line with PSD 2.
PSD 2 provisions related to new security measures will apply from 18 months after the
date of entry into force of the relevant regulatory technical standards to be developed
by the European Banking Authority (EBA) and submitted to the European Commission for
adoption by 13 January 2017.
The main objectives of the new Payment Services Directive are to:
• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers
(including new players)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments
The revised legal framework on payment services is complemented by Regulation (EU)
2015/751 of the European Parliament and of the Council, which introduces, in particular,
rules on the charging of interchange fees for card-based transactions and aims to further
accelerate the achievement of an effective integrated market for card-based payments.
The Interchange Fee Regulation 2015/751 (IFR) entered into force on 9 June 2015.
8
2. PSD 2 Background
The first Payment Services Directive 2007/64/EC (PSD 1) was proposed by the European
Commission in December 2005 and adopted by the European Parliament and Council in
December 2007 to provide the legal foundation for the EU single market for payments
and establish safer and more innovative payment services across the EU.
PSD 1 brought substantial benefits to the payments market:
• easier access for new market entrants
• more competition between payment institutions and choice to consumers
• more transparency and information for consumers
• shorter execution times
• strengthened refund rights
• clearer liability of consumers and payment institutions
At the same time the lack of clear guidelines on how certain rules should be applied has
led to diverse interpretations of such rules by local regulators in Member States. In a
number of areas, such uncertainty has resulted in impaired consumer protection and
competitive distortions. This problem particularly concerns the Negative Scope provisions
of the Directive, e.g. the limited network / limited goods and services exclusion, or rules
of refund in the event of unauthorised debits from a payer’s account, which are currently
applied differently by Member States.
Furthermore, since 2007 when PSD 1 was adopted, the retail payments market has expe-
rienced significant technical innovation with rapid growth in the number of electronic and
mobile payments and the emergence of new types of payment services, such as payment
initiation and account information services. These developments in payment innovation
are not reflected in PSD 1. Many innovative payment products or services do not fall, en-
tirely or in large part, within the scope of Directive 2007/64/EC.
9
From the security perspective, risks related to electronic payments have also increased
considerably. In response to this challenge, the European Banking Authority (EBA) in close
co-operation with the European Central Bank (ECB) developed Guidelines on the Security
of Internet Payments. The final version of the guidelines was issued on 18 December 2014
and became applicable as of 1 August 2015. The EBA Guidelines on the Security of Internet
Payments set minimum security requirements for payment services providers across the
EU and will provide enhanced protection of EU consumers against payment fraud on the
Internet as an interim solution until the PSD 2 requirements start to apply in 2018 / 2019.
Taking account of these and other problems, the European Commission proposed, in July
2013, to review PSD 1 to close regulatory gaps, modernise it, encourage transparency, in-
novation and security in the single market and create a level playing field between differ-
ent payment service providers.
2.1. PSD 2 Chronology
24 Jul 2013 Publication of a proposal for a revised PSD2 by the European Commission
03 Apr 2014Approval by the European Parliament of the final report of its Economic
and Monetary Affairs Committee (ECON) on PSD 2 at its plenary session
05 Dec 2014 Approval by the Council of the EU of its final compromise text on PSD 2
09 Dec 2014 Debate in Council of the EU
06 Jan 2015 Approval of final compromise text by Council
05 May 2015Approval of the final version of the PSD2 by the Commission, the European
Parliament and the Council of the EU (the so-called «trilogue» process)
08 Oct 2015 Adoption by the European Parliament
16 Nov 2015 Adoption by the EU Council of Ministers
23 Dec 2015 Publication in the Official Journal of the European Union
12 Jan 2016 Coming into force
10
3. A Summary of Changes
The main changes in the new Payment Services Directive concern the following major areas:
• Third party payment service providers
• Exclusions from the scope
• Authorisation and registration
• Passporting
• Consumer protection
• Payment security and data protection
• Liability
• Service charges
• The role of European Banking Authority
• Transitional provisions
3.1. Third party payment service providers
PSD 2 introduces a new set of business models involving so called third party payment
service providers (TPPs). These include service providers offering payment services based on
access to payment accounts with account servicing payment service provider referred to as:
• payment initiation service providers and
• account information service providers
Payment initiation services providers typically help consumers to initiate online credit
transfers and inform the merchant immediately of the payment initiation, allowing for
the immediate dispatch of goods or immediate access to services purchased online. For
11
online payments, they constitute a true alternative to credit card payments as they offer
an easily accessible payment service, as the consumer only needs to possess an online
payment account. The payment initiation service provider must not hold at any time
the payer’s funds in connection with the provision of the payment initiation service.
Account information services allow consumers and businesses to have a global view on
their financial situation, for instance, by enabling consumers to consolidate the different
current accounts they may have with one or more banks and to categorise their spending
according to different typologies (food, energy, rent, leisure, etc.), thus helping them with
budgeting and financial planning.
The TPPs will have to follow the same rules as the traditional payment service providers:
registration, licensing and supervision by the competent authorities. In addition, new se-
curity requirements included in the text of the PSD 2 will oblige all payment service pro-
viders to step up the security around online payments.
3.2. Exclusions from the scope
3.2.1. Technical Service Providers
As mentioned above, payment initiation services and account information services have
been expressly excluded from the list of exempt services under the technical service
provider exclusion.
3.2.2. Commercial Agents
PSD 2 narrows the commercial agency exclusion to payment transactions from the payer to
the payee through a commercial agent acting on behalf of only the payer or only the payee.
3.2.3. Telecom Operators
Under the new rules, the exclusion for payments through telecom operators now covers
only payments made through telecom operators for the purchase of digital content such
12
as music, ringtones, digital newspapers, games, or applications that are downloaded on a
digital device or of electronic tickets or donations to charities. The exclusion only applies
to micro-payments, i.e. payments under a certain threshold (€50 per transaction; €300
per billing month).
The exemption will also only apply to payment services when provided in addition to elec-
tronic communications services for a subscriber to the network or service.
Telecom operators that engage in such an activity will have to notify to the competent
authorities, on an annual basis, that they comply with these limits. The activity will also be
listed in the public registers.
3.2.4. Specific Payment Instruments of Limited Use
PSD 2 requires that service providers carrying out either of the activities falling under the
limited network exclusion for which the total value of payment transactions executed
over the preceding 12 months exceeds the amount of EUR 1 million send a notification
to competent authorities, so that these can take a duly motivated decision on where the
activity does not qualify as a limited network and whether the network has to apply for a
licence as a payment institution.
3.3. Authorisation and registration
The main changes here relate to the enhanced levels of payment security under PSD 2.
Entities that wish to be authorised as a payment institution will have to provide with their
application:
• a description of the procedure to monitor, handle and follow up a security incident
and security related customer complaints;
• a description of the process to file, monitor, track and restrict access to sensitive
payment data;
• a description of business continuity arrangements;
13
• a description of the principles and definitions applied for the collection of statisti-
cal data on performance, transactions and fraud and
• a security policy document
Specific capital requirements have been defined for third party service providers in
relation to their respective activities and the risks these represent. Payment initiation
service providers will have to hold its capital at no less than EUR 50 000 at all times.
Third party service providers are not subject to own fund requirements. However, they
need to hold a professional indemnity insurance covering the territories in which they
offer services.
Under PSD 2 Member States will continue to have an option to offer a lighter authorisa-
tion regime with the difference, that Member States making use of the option will be
allowed to decide to define a limit lower than EUR 3 million.
3.4. Passporting
To reinforce the investigative and supervisory powers of the host Member State, PSD 2
has introduced a more detailed passporting procedure. This procedure will ensure better
cooperation and information exchange between the national competent authorities.
PSD 2 clearly defines the information to be communicated to the competent authorities
where an authorised payment institution intends to provide payment services in another
Member State by engaging an agent or establishing a branch.
The payment institution will also have to notify to the competent authorities of the home
Member State the date from which it commences its activities through the agent or
branch in the relevant host Member State as well as any relevant change regarding the
required information pack, including additional agents, branches or entities to which ac-
tivities are outsourced in the host Member States in which it operates.
Furthermore, the host Member State can ask payment institutions operating with agents
and branches in its territory to regularly report on their activities. To that end, the pay-
14
ment institution can be requested to set up a central contact point in the host territory.
In emergency situations, requiring immediate action, the host Member State is allowed
to take precautionary measures with regard to the payment institution concerned, in
parallel to the host’s duties of cooperation with the home Member State to find a remedy.
3.5. Consumer protection
PSD 2 seeks to further enhance consumer rights and protect consumers against unfair
and misleading practices.
3.5.1. Right to Information
Under PSD 2, consumer right to information has been extended to include:
• information payment initiation service providers are required to provide for the
payment service users prior to and after the initiation of a payment order;
• information on the form of and procedure for giving consent to initiate a payment
order and withdrawal of such consent
• information on the rights related to the use of co-badged card-based payment
instruments and some others
3.5.2. Liability for Unauthorised Transactions
The liability rules in case of unauthorised transactions have been streamlined to en-
sure enhanced protection of the legitimate interests of payment users. Except in cases of
fraud or gross negligence by the payer, the maximum amount a payer could, under any
circumstances, be obliged to pay in the case of an unauthorised payment transaction has
been decreased from €150 to €50.
3.5.3. Unconditional Right to Refund
PSD 2 also provides a legislative basis to the unconditional refund right that already exists
15
for SEPA direct debit (i.e. direct debits in euro). In such cases, payers can request a refund
even in the case of a disputed payment transaction. For direct debits in currencies other
than euro, Member States may require that refund rights be more advantageous to payers.
3.5.4. The Blocking of Funds on a Payment Account
Where a payment transaction is initiated by or through the payee in the context of a card-
based payment transaction and the exact amount is not known in advance, the payee,
under PSD 2, will only be allowed to block funds on the account of the payer if the payer
has approved the exact amount that can be blocked. The payer’s bank will have to imme-
diately release the blocked funds after having received the information about the exact
amount and at the latest after having received the payment order.
3.5.5. One-leg Transactions and All Currencies
PSD 2 will apply to payment transactions in all currencies where only one of the payment
service providers is located within the Union (also known as one-leg-out transactions),
hence covering payment transactions to persons outside the EU as regards the EU part
of the transaction. PSD 2 extends a number of obligations, notably information obliga-
tions, to payments to and from third countries, where one of the payment service pro-
viders is located in the European Union. Banks and other payment service providers that
are located in the EU will have to provide information and transparency on the costs and
conditions of these international payments, e.g. the maximum execution time, at least
in respect of their part of the transaction. They can also be held liable for their part of the
payment transaction if something goes wrong that is attributable to them.
3.5.6. Alternative Dispute Resolution
On the dispute resolution side, the new Directive will oblige Member States to designate
competent authorities to handle complaints of payment service users and other
interested parties, such as consumer associations, concerning an alleged infringement
of the Directive. Payment service providers will have to put in place a complaints pro-
cedure for consumers that they can use before seeking out-of-court redress or before
launching court proceedings. The new rules will oblige payment service providers to an-
swer in written form to any complaint within 15 business days.
16
3.6. Payment security and data protection
3.6.1. Strong Customer Authentication
Payment service providers will be obliged to apply so-called strong customer authenti-
cation (SCA) when a payer initiates an electronic payment transaction. Strong customer
authentication is an authentication process that validates the identity of the user of a
payment service or of the payment transaction (more specifically, whether the use of a
payment instrument is authorised). More specifically, SCA must be applied in 3 cases:
• when the payer accesses its payment account online;
• when the payer initiates an electronic payment transaction;
• when the payer carries out any action through a remote channel which may imply
a risk of payment fraud or other abuses
Exemptions to the principle of strong customer authentication may be possible, taking
account of the risks involved, the value of transactions and the channels used for the
payment. Such exemptions could include low value payments at the point of sale, such as
mobile and contactless payments.
3.6.2. Dynamic Authentication Codes
For electronic remote payment transactions, such as online payments, the strong cus-
tomer authentication must include elements which dynamically link the transaction to
a specific amount and a specific payee, to further protect the user by minimising the
risks in case of mistakes or fraudulent attacks.
3.6.3. Operational and Security Risks
Payment service providers must establish a framework with appropriate mitigation mea-
sures and control mechanisms to manage the operational and security risks, relating to
the payment services they provide. As part of that framework, payment service providers
will have to establish and maintain effective incident management procedures, includ-
ing for the detection and classification of major operational and security incidents.
17
Payment service providers will have to provide to the competent authority on an annual
basis, or at shorter intervals as determined by the competent authority, an updated and
comprehensive assessment of the operational and security risks relating to the payment
services they provide and on the adequacy of the mitigation measures and control mech-
anisms implemented in response to those risks.
3.6.4. Security Incident Reporting
In the case of a major operational or security incident, payment service providers will
be required to immediately notify the competent authority in its home Member State.
Where the incident has or may have an impact on the financial interests of its payment
service users, the payment service provider will be obliged to immediately inform its
payment service users of the incident and of all measures that they can take to mitigate
the adverse effects of the incident.
3.6.5. Access to Payment Accounts through PISP and AISP
Under PSD 2, third party payment service providers (TPPs) are allowed access to and
the use of information on the availability of funds on a payment account held by a
consumer with another payment service provider. Account servicing payment service
providers will be required to allow access to their systems to TPPs.
For this purpose, PSD 2 provides for a common framework with clear conditions under
which these providers can access the financial information on behalf of their client.
Thus, TPPs’ access to the account of the payer will be restricted to the information they
need in order to provide their services. Those offering payment instruments or pay-
ment initiation services will only be able to receive information from the payer’s bank
on the availability of funds on the account (just yes or no answer) before initiating the
payment, while account information service providers will only receive the information
explicitly consented by the payer and only to the extent necessary for the service to be
provided to the payer.
Access to payment account in the case of payment initiation services will be subject to
certain conditions being met. Among them:
18
• the payment account of the payer must be accessible online at the time of the
request;
• the payer has given explicit consent to the account servicing payment service
provider to respond to requests from a specific payment service provider;
• the consent has been given before the first request for confirmation is made;
• the payment initiation service provider must ensure that the personalised secu-
rity credentials of the payment service user are not accessible to other parties
and that they are transmitted by the payment initiation service provider through
safe and efficient channels;
• every time a payment is initiated, the payment initiation service provider must
identify itself towards the account servicing payment service provider of the
payer and communicate with the account servicing payment service provider, the
payer and the payee in a secure way;
• the payment initiation service provider must not store sensitive payment data of
the payment service user;
• the payment initiation service provider must not request from the payment service
user any data other than those necessary to provide the payment initiation service
In the case of account information services the following conditions are added to the list
above:
• For each communication session, the account information service provider must
identify itself towards the account servicing payment service provider(s) of the pay-
ment service user and securely communicate with the account servicing payment
service provider(s) and the payment service user;
• The account information service provider must access only the information from
designated payment accounts and associated payment transactions;
• The account information service provider must not request sensitive payment data
linked to the payment accounts
3.6.6. Personalised Security Credentials
Payment service providers must have in place adequate security measures to protect the
confidentiality and integrity of payment service users’ personalised security credentials.
19
3.7. Liability
In the case where the payee or the payee’s payment service provider fails to accept
strong customer authentication, it will have to refund the financial damage caused to
the payer’s payment service provider. Where the payer’s payment service provider does
not require strong customer authentication, the payer shall not bear any financial loss-
es unless the payer has acted fraudulently.
PSD 2 also fully clarifies the liability issues between the bank servicing the account of the
payer and the payment initiation service. When a payment initiation service provider is
used by a payer to initiate a payment, it will be liable for any payment incidents within its
sphere. In particular, the bank of the payer will not be held liable for payment incidents
that can be traced back to the initiator.
3.8. Service charges
Under PSD 2, merchants will no longer be allowed to surcharge consumers for using
their debit or credit cards and for payment services based on the credit transfer or direct
debit. This will apply to domestic as well as cross-border payments.
If the payee applies a charge to steer the payer towards the use of a given payment in-
strument, such charges must not exceed the direct costs borne by the payee for the use
of the specific payment instrument.
The payer will only be obliged to pay such charges, if their full amount was made known
prior to the initiation of the payment transaction.
PSD 2 introduces a new rule concerning charges for termination of the framework con-
tract. Thus, termination of the framework contract must be free of charge for the pay-
ment service user except where the contract has been in force for less than 6 months.
Such charges, if any, must be appropriate and in line with costs.
20
3.9. The Role of European Banking Authority
Under PSD 2, the European Banking Authority (EBA) has been given a key role in:
• ensuring consistent application and interpretation of the Directive;
• increasing customer protection;
• enhancing transparency of the operation of payment institutions;
• improving cooperation and information exchange between competent authorities
of Member States
3.9.1. EBA Guidelines and Draft Regulatory Technical Standards
To fulfil this role, PSD 2 confers on the EBA the development of six regulatory technical
standards (RTS) and five sets of guidelines.
• The EBA is to issue guidelines on:
• the criteria on how to stipulate the minimum monetary amount of the professional
indemnity insurance or other comparable guarantee (addressed to the competent
authorities), by 13 January 2017;
• the information to be provided to the competent authorities in the application for
the authorisation of payment institutions, by 13 July 2017;
• the establishment, implementation and monitoring of the security measures in the
context of operational and security risks management, by 13 July 2017;
• on the classification of major operational or security incidents and on the content,
the format, including standard notification templates, and the procedures for no-
tifying such incidents (addressed to payment service providers), and on the crite-
ria on how to assess the relevance of the incident and the details of the incident
reports to be shared with other domestic authorities (addressed to the competent
authorities), by 13 January 2018; and
• on the complaints procedures, by 13 January 2018
The EBA is to develop and submit to the European Commission for adoption the following
draft RTS:
• draft RTS specifying:
21
° the requirements of the strong customer authentication;
° the exemptions from the requirement to apply strong customer authentication;
° the requirements for the protection of the confidentiality and integrity of
payment service users’ personalised security credentials;
° the requirements for common and secure open standards of communica-
tion for the purpose of identification, authentication, notification, and infor-
mation, as well as for the implementation of security measures, between
account servicing payment service providers, payment initiation service
providers, account information service providers, payers, payees and other
payment service providers, by 13 January 2017;
• draft RTS specifying the criteria to be applied when determining the circumstances
when the appointment of a central contact point is appropriate, and the functions
of those contact points, by 13 January 2017;
• draft RTS setting technical requirements on development, operation and mainte-
nance of the electronic central register and on access to the information contained
therein, by 13 January 2018;
• draft RTS specifying the framework for cooperation, and for the exchange of in-
formation, between competent authorities of the home and of the host Member
State regarding the application to exercise the right of establishment and freedom
to provide services, by 13 January 2018;
• draft RTS specifying the framework for cooperation, and for the exchange of infor-
mation, between the competent authorities of the home Member State and of the
host Member State and to monitor compliance with the provisions of the relevant
national law in the context of supervision of payment institutions operating on a
cross-border basis, by 13 January 2018
The EBA may also develop draft RTS specifying the information to be provided to the
competent authorities in the application for the authorisation of payment institutions, if it
deems this appropriate.
In preparation of the guidelines and the RTS, the EBA will conduct open public consulta-
tions by way of issuing Discussion and Consultation Papers to collect opinions of relevant
stakeholders, including those in the payment services market. The responses will be
assessed by the EBA before finalising the documents.
22
The European Commission will then have 3 months from the date of receipt of a draft
RTS to decide whether to endorse it, endorse it in part or reject it.
The EBA will also be responsible for reviewing and, if appropriate, updating the guidelines
and the regulatory technical standards on a regular basis.
3.9.2. EBA Register
In the context of transparency policy, the EBA will develop, operate and maintain an elec-
tronic central register that will contain the following information to be supplied by the
competent authorities:
• authorised payment institutions and their agents;
• natural and legal persons benefiting from an exemption from the authorisation
requirement and their agents; and
• other institutions that are entitled under national law to provide payment services
The register will be publicly available on the EBA’s website with access to and search for
the information listed free of charge.
3.10. Transitional Period
3.10.1. General Approach
From the date of entry into force of PSD 2, the existing rules set out in PSD 1 should be
interpreted in line with PSD 2. Member States are not allowed to adopt new measures
contradicting the provisions of PSD 2.
The EBA Guidelines on the Security of Internet Payments serve as an interim solution,
until the application of the PSD 2 and its more comprehensive security requirements.
When the EBA guidelines are applied by the competent authorities of the Member States,
in the transitional period, they will be interpreted in so far as there is any scope to do so
23
in line with the PSD 2 content and objectives. As a consequence, compliance with the EBA
Guidelines on the Security of Internet Payments should not be used to justify obstructing
or blocking the use of payment initiation or account information services.
Pending the full application of PSD 2 rules, including the rules on the security of payments,
and in accordance with PSD 2 text, “Member States, the Commission, the European Central
Bank and the European Banking Authority, will guarantee fair competition in that market
avoiding unjustifiable discrimination against any existing player on the market”.
3.10.2. Authorised Payment Institutions
Payment institutions authorised under PSD 1 by 13 January 2018 will be allowed to
continue their activities without being required to seek authorisation under PSD 2 or to
comply with the other relevant provisions of PSD 2 until 13 July 2018.
Payment institutions authorised under PSD 1 will be required to submit all relevant infor-
mation to the competent authorities in order for the competent authorities to assess, by
13 July 2018, whether these comply with the new requirements. Payment institutions that
qualify will be granted authorisation and entered in the registers. Those that do not will
be prohibited from providing payment services starting from 13 July 2018.
Payment institutions that have been granted authorisation to provide payment services
as referred to in point 7 of the Annex to PSD 1 will retain that authorisation for the
provision of those payment services which are considered to be payment services as
referred to in point 3 of the Annex I to PSD 2 where, by 13 January 2020, the competent
authorities have the evidence that the requirements for initial capital and own funds un-
der PDS 2 are complied with.
Authorisation under PSD 2 may be granted automatically if the competent authorities
already have evidence that the relevant PSD 2 requirements are complied with. The pay-
ment institutions will be informed accordingly before the authorisation is granted.
3.10.3. Small Payment Institutions
Small payment institutions registered under PSD 1 will be allowed to continue their
activities until 13 January 2019 without being required to seek authorisation or to
24
obtain an exemption under PSD 2, or to comply with the other relevant provisions of PSD
2. Where the competent authorities have evidence that the relevant PSD 2 requirements
are complied with, the small payment institutions will be entered in the registers auto-
matically with prior notification to this effect.
Small payment institutions not authorised or exempted under PSD 2 by 13 January 2019
will be prohibited from providing payment services.
3.10.4. Electronic Money Institutions
By way of amendments to Directive 2009/110/EC (EMD) electronic money institutions that
have, before 13 January 2018, taken up activities regulated by the EMD and PSD 1 in the
Member State in which their head office is located will be allowed to continue those ac-
tivities in that Member State or in another Member State without being required to seek
authorisation or to comply with other relevant requirements until 13 July 2018.
Electronic money institutions will be required to submit all relevant information to the
competent authorities in order for the competent authorities to assess, by 13 July 2018,
whether these electronic money institutions comply with the new requirements. Elec-
tronic money institutions that qualify will be granted authorisation and be entered in the
registers. Those that do not will prohibited from providing payment services starting from
13 July 2018.
3.10.5. Payment Initiation and Account Information
PSD 2 provisions ensure that providers of payment initiation services and account infor-
mation services that are already established in the market can continue to perform their
activities. More specifically, PSD 2 introduces direct obligations on the Member States,
requiring them to maintain the current status quo. They shall allow existing PISPs or
AISPs in their territories to operate in accordance with the currently applicable regulatory
framework.
As the provision of payment initiation and account information services is a new payment
service recognised in PSD 2, existing and new providers of such services would need to
apply for authorisation under the PSD 2 regime from the date of application of the new
Directive.
25
Furthermore, because the new security measures of PSD 2 regarding strong customer
authentication and standards for secure communication will become applicable later
than other provisions, PISPs and AISPs that seek authorisation under PSD 2 are not
required to submit proof of compliance with these security requirements until that
later date. As provision of both types of services is dependent on the authentication
procedures provided by banks, upgrades to the security requirements and procedures
applied by banks need to be fully implemented by banks before the application of these
measures is possible for the payment initiation and account information services. In case
banks do not comply on time with the security requirements and standards for se-
cure communication, they cannot use this noncompliance to hinder or obstruct the use
of payment initiation and account information services.
For details on these and other changes, see the relevant sections below.
4. Changes in More Detail
4.1. Definitions
PSD 2 updates Article 4 (Definitions) by way of introducing a set of new terms and definitions
to cover the recent developments in the payments market, modifying a number of existing
ones and adding a few already defined in other relevant legislation. These are as follows.
4.1.1. Payment Services
• Payment initiation service means a service to initiate a payment order at the
request of the payment service user with respect to a payment account held at
another payment service provider (Art.4(15), PSD 2);
• Account information service means an online service to provide consolidated
26
information on one or more payment accounts held by the payment service user
with either another payment service provider or with more than one payment ser-
vice provider (Art.4(16), PSD 2);
• Credit transfer means a payment service for crediting a payee’s payment account
with a payment transaction or a series of payment transactions from a payer’s pay-
ment account by the payment service provider which holds the payer’s payment
account, based on an instruction given by the payer (Art.4(24), PSD 2);
• Acquiring of payment transactions means a payment service provided by a
payment service provider contracting with a payee to accept and process payment
transactions, which results in a transfer of funds to the payee (Art.4(44), PSD 2);
• Issuing of payment instruments means a payment service by a payment service
provider contracting to provide a payer with a payment instrument to initiate and
process the payer’s payment transactions (Art.4(45), PSD 2)
4.1.2. Actors
• Account servicing payment service provider means a payment service provider
providing and maintaining a payment account for a payer (Art.4(17), PSD 2);
• Payment initiation service provider means a payment service provider pursu-
ing business activities as referred to in point (7) of Annex I (of PSD 2), i.e. payment
initiation services (Art.4(18), PSD 2);
• Account information service provider means a payment service provider pursu-
ing business activities as referred to in point (8) of Annex I (of PSD 2), i.e. account
information services (Art.4(19), PSD 2)
4.1.3. Payment Security and Data Protection
• Authentication means a procedure which allows the payment service provider to
verify the identity of a payment service user or the validity of the use of a specific
payment instrument, including the use of the user’s personalised security creden-
tials (Art.4(29), PSD 2 cf. Art.4(19), PSD 1);
• Strong customer authentication means an authentication based on the use of
two or more elements categorised as knowledge (something only the user knows),
possession (something only the user possesses) and inherence (something the
user is) that are independent, in that the breach of one does not compromise the
reliability of the others, and is designed in such a way as to protect the confidenti-
27
ality of the authentication data (Art.4(30), PSD 2);
• Personalised security credentials means personalised features provided by the
payment service provider to a payment service user for the purposes of authenti-
cation (Art.4(31), PSD 2);
• Sensitive payment data means data, including personalised security credentials
which can be used to carry out fraud. For the activities of payment initiation service
providers and account information service providers, the name of the account owner
and the account number do not constitute sensitive payment data (Art.4(32), PSD 2)
4.1.4. Other New and Modified Definitions
• Payment transaction means an act, initiated by the payer or on his behalf or by the
payee, of placing, transferring or withdrawing funds, irrespective of any underlying
obligations between the payer and the payee (Art.4(5), PSD 2 cf. Art.4(5), PSD 1);
• Remote payment transaction means a payment transaction initiated via internet
or through a device that can be used for distance communication (Art.4(6), PSD 2);
• The payment service user has been removed from the definition of a payment in-
strument as the only possible actor who can use it to initiate a payment order. The
modified definition runs as follows. Payment instrument means a personalised
device(s) and / or set of procedures agreed between the payment service user
and the payment service provider and used in order to initiate a payment order
(Art.4(14), PSD 2 cf. Art.4(23), PSD 1);
• Group means a group of undertakings which are linked to each other by a relation-
ship referred to in Article 22(1), (2) or (7) of Directive 2013/34/EU or undertakings
as defined in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No
241/2014 (1), which are linked to each other by a relationship referred to in Article
10(1) or in Article 113(6) or (7) of Regulation (EU) No 575/2013 (Art.4(40), PSD 2);
• Electronic communications network means a network as defined in point (a) of
Article 2 of Directive 2002/21/EC of the European Parliament and of the Council
(Art.4(41), PSD 2), i.e. transmission systems and, where applicable, switching or
routing equipment and other resources which permit the conveyance of signals by
wire, by radio, by optical or by other electromagnetic means, including satellite net-
works, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial
networks, electricity cable systems, to the extent that they are used for the pur-
pose of transmitting signals, networks used for radio and television broadcasting,
and cable television networks, irrespective of the type of information conveyed;
28
• Electronic communications service means a service as defined in point (c) of
Article 2 of Directive 2002/21/EC (Art.4(42), PSD 2), i.e. a service normally provid-
ed for remuneration which consists wholly or mainly in the conveyance of signals
on electronic communications networks, including telecommunications services
and transmission services in networks used for broadcasting, but exclude services
providing, or exercising editorial control over, content transmitted using electronic
communications networks and services;
• Digital content means goods or services which are produced and supplied in
digital form, the use or consumption of which is restricted to a technical device
and which do not include in any way the use or consumption of physical goods or
services (Art.4(43), PSD 2);
• The definition of own funds has been updated in line with point 118 of Article
4(1) of Regulation (EU) No 575/2013. The updated version runs as follows. Own
funds means funds as defined in point 118 of Article 4(1) of Regulation (EU) No
575/2013, i.e. the sum of Tier 1 capital and Tier 2 capital, where at least 75 % of
the Tier 1 capital is in the form of Common Equity Tier 1 capital as referred to in
Article 50 of that Regulation and Tier 2 is equal to or less than one third of Tier 1
capital (Art.4(46), PSD 2);
• Payment brand means any material or digital name, term, sign, symbol or com-
bination of them, capable of denoting under which payment card scheme card-
based payment transactions are carried out (Art.4(47), PSD 2);
• Co-badging means the inclusion of two or more payment brands or payment applica-
tions of the same payment brand on the same payment instrument (Art.4(48), PSD 2)
4.2. Exemption from the Scope
PSD 2 makes an attempt to clarify a number of uncertainties in the Negative Scope of
PSD 1. The negative scope article of PSD 1 is renamed “Exclusion” in PSD 2.
4.2.1. Commercial Agency
The new version of Article 3(b) restricts the commercial agency exclusion to only commer-
29
cial agents acting on behalf of either the payer or the payee. The exclusion will no longer
apply to agents acting for both.
Article 3(b) now runs as follows. The Directive does not apply to payment transactions
from the payer to the payee through a commercial agent authorised via an agreement
to negotiate or conclude the sale or purchase of goods or services on behalf of only the
payer or only the payee.
4.2.2. Technical Service Providers
PSD 2 expressly brings under regulation payment initiation services and account informa-
tion services by amending Article 3(j) as follows. The Directive does not apply to services
provided by technical service providers, which support the provision of payment ser-
vices, without them entering at any time into possession of the funds to be transferred,
including processing and storage of data, trust and privacy protection services, data and
entity authentication, information technology (IT) and communication network provision,
provision and maintenance of terminals and devices used for payment services, with the
exclusion of payment initiation services and account information services.
4.2.3. Specific Payment Instruments with Limited Use
In PSD 2, the “limited network” exclusion has been made more specific. In order to qualify
for the revised “limited network” exclusion a payment instrument offered by the issuer to
a user must meet one of the conditions set out in Article 3(k).
The new text of Article 3(k) is as follows. The Directive does not apply to services based
on specific payment instruments that can be used only in a limited way, that meet
one of the following conditions:
• instruments allowing the holder to acquire goods or services only in the premis-
es of the issuer or within a limited network of service providers under direct
commercial agreement with a professional issuer;
• instruments which can be used only to acquire a very limited range of goods or
services;
• instruments valid only in a single Member State provided at the request of an
undertaking or a public sector entity and regulated by a national or regional public
30
authority for specific social or tax purposes to acquire specific goods or services
from suppliers having a commercial agreement with the issuer
Besides, Article 37(2) of PSD 2 provides that service providers carrying out either of the
following activities:
• offering instruments allowing the holder to acquire goods or services only in the
premises of the issuer or within a limited network of service providers under direct
commercial agreement with a professional issuer;
• offering instruments which can be used only to acquire a very limited range of
goods or services
or carrying out both activities, for which the total value of payment transactions ex-
ecuted over the preceding 12 months exceeds the amount of EUR 1 million, send
a notification to competent authorities containing a description of the services offered,
specifying under which exclusion the activity is considered to be carried out.
On the basis of that notification, the competent authority will take a duly motivated deci-
sion on the basis of criteria referred to in point (k) of Article 3 where the activity does not
qualify as a limited network, and inform the service provider accordingly.
Under Article 37(4), competent authorities will be obliged to inform EBA of the services
notified, stating the relevant exclusion.
The description of the activity notified will be made publicly available in the public
register of the relevant home Member State as well as in the central register maintained
by the EBA (Article 37(5)).
4.2.4. Providers of Electronic Communications Networks
More clarity has been added to the telecommunication / IT operator exclusion in PSD 2. Ac-
cording to the revised point (l) of Article 3, PSD 2 does not apply to payment transactions
by a provider of electronic communications networks or services provided in addition
to electronic communications services for a subscriber to the network or service:
• for purchase of digital content and voice-based services, regardless of the device used
for the purchase or consumption of the digital content and charged to the related bill; or
31
• performed from or via an electronic device and charged to the related bill within
the framework of a charitable activity or for the purchase of tickets
provided that the value of any single payment transaction does not exceed EUR 50 and:
• the cumulative value of payment transactions for an individual subscriber does
not exceed EUR 300 per month, or
• where a subscriber pre-funds its account with the provider of the electronic
communications network or service, the cumulative value of payment transactions
does not exceed EUR 300 per month
Article 37(3) provides that service providers carrying out one of the above-mentioned
activities (point (l) of Article 3) will be obliged to send a notification to competent authori-
ties and provide competent authorities with an annual audit opinion, testifying that the
activity complies with the set limits.
Under Article 37(4), competent authorities will be obliged to inform EBA of the services
notified, stating the relevant exclusion.
The description of the activity notified will be made publicly available in the public
register of the relevant home Member State as well as in the central register maintained
by the EBA (Article 37(5)).
4.2.5. ATM Cash Withdrawals
The exclusion regarding ATM operators which are not a party to the framework con-
tract with the customer withdrawing money from a payment account has been revised
to add the obligation by the ATM operator to provide the customer with the informa-
tion on any withdrawal charges payable by the customer and, where a currency
conversion service is offered at an ATM, all charges as well as the exchange rate to be
applied to the transaction (Articles 45, 48, 49 and 59) before carrying out the withdraw-
al as well as on receipt of the cash at the end of the transaction after withdrawal (point
(o) of Article 3).
32
4.3. Authorisation and Registration
PSD 2 brings a set of amendments to the existing rules on the authorisation and regis-
tration of payment institutions and introduces requirements for the new players such as
payment initiation services and account information services.
Undertakings that intend to provide payment initiation services will have to apply for
authorisation, while those that intend to provide account information services will
have to get registered with the competent authorities.
4.3.1. Additional Information to Accompany an Application for Authorisation / Registration
In addition to the information pack, which must accompany an application for authorisa-
tion provided for in PSD 1, payment institutions applying for authorisation under PSD 2
will have to submit to the competent authorities the following (points (f), (g), (h), (i), (j) of
Article 5 (1)):
• a description of the procedure in place to monitor, handle and follow up a secu-
rity incident and security related customer complaints, including an incidents
reporting mechanism which takes account of the notification obligations of the
payment institution laid down in Article 96 (Incident reporting);
• a description of the process in place to file, monitor, track and restrict access to
sensitive payment data;
• a description of business continuity arrangements including a clear identifi-
cation of the critical operations, effective contingency plans and a procedure to
regularly test and review the adequacy and efficiency of such plans;
• a description of the principles and definitions applied for the collection of sta-
tistical data on performance, transactions and fraud;
• a security policy document, including a detailed risk assessment in relation to its
payment services and a description of security control and mitigation measures
taken to adequately protect payment service users against the risks identified,
including fraud and illegal use of sensitive and personal data
33
The security control and mitigation measures must indicate how they ensure a high level
of technical security and data protection, including for the software and IT systems
used by the applicant or the undertakings to which it outsources the whole or part of its
operations. Those measures must also include the management of operational and secu-
rity risks (Article 95(1)), taking into account EBA’s guidelines on security measures when
in place by 13 July 2017 (Article 95(3)).
If the applicant intends to use agents and branches in their payment business, in ad-
dition to a description of the intended use of agents and branches they will also have to
submit a description of off-site and on-site checks that they will have to perform on
their agents and branches at least annually, according to point (l) of Article 5(1).
Under Article 5(2), undertakings that apply for authorisation to provide payment initi-
ation services are required, as a condition of their authorisation, to hold a professional
indemnity insurance, covering the territories in which they offer services, or some other
comparable guarantee against liability to ensure that they can cover their liabilities as
specified in Articles 73 (Payment Service Provider’s Liability for Unauthorised Payment
Transactions), 89 (Payment Service Providers’ Liability for Non-execution, Defective or
Late Execution of Payment Transactions), 90 (Liability in the case of Payment Initiation
Services for Non-execution, Defective or Late Execution of Payment Transactions) and 92
(Right of Recourse).
Undertakings that apply for registration to provide account information services are
required, as a condition of their registration, to hold a professional indemnity insur-
ance, covering the territories in which they offer services, or some other comparable
guarantee against their liability vis-à-vis the account servicing payment service pro-
vider or the payment service user resulting from non-authorised or fraudulent access
to or non-authorised or fraudulent use of payment account information (Article 5(3)).
For applicants applying under PSD 2, the European Banking Authority (EBA) is expect-
ed to issue by 13 July 2017 guidelines concerning the information to be provided to
the competent authorities in the application for the authorisation of payment institu-
tions (Article 5(5)).
In this context, the EBA will also be required, under Article 5(4) to issue by 13 January
2017 guidelines, addressed to the competent authorities, on the criteria on how to
34
stipulate the minimum monetary amount of the professional indemnity insurance
or other comparable guarantee referred to in paragraphs 2 and 3 of Article 5 men-
tioned above. For more details, see the section on EBA’s role under PSD 2 below.
4.3.2. Qualifying Holding
PSD 2 introduces a separate article setting forth rules on the control of the shareholding.
Under Article 6(1), any natural or legal person who has taken a decision to acquire or
to further increase, directly or indirectly, a qualifying holding in a payment institution,
as a result of which the proportion of the capital or of the voting rights held would reach
or exceed 20 %, 30 % or 50 %, or so that the payment institution would become its sub-
sidiary, must inform the competent authorities of that payment institution in writing
of their intention in advance. The same applies to any natural or legal person who has
taken a decision to dispose, directly or indirectly, of a qualifying holding, or to reduce its
qualifying holding so that the proportion of the capital or of the voting rights held would
fall below 20 %, 30 % or 50 %, or so that the payment institution would cease to be its
subsidiary.
The proposed acquirer of a qualifying holding will have to supply to the competent au-
thority information indicating the size of the intended holding as well as other infor-
mation required by the competent authority to carry out the prudential assessment in
accordance with Article 23 of Directive 2013/36/EU (Article 6(2)).
Article 6(3) requires that, where the influence exercised by a proposed acquirer of a qual-
ifying holding is likely to operate to the detriment of the prudent and sound manage-
ment of the payment institution, the competent authorities at the national level will have to
express their opposition or take other appropriate measures to bring that situation to
an end. Such measures may include injunctions, penalties against directors or the per-
sons responsible for the management, or the suspension of the exercise of the voting
rights attached to the shares held by the shareholders or members of the payment institu-
tion in question. Similar measures will apply to natural or legal persons who fail to comply
with the obligation to notify the competent authority in advance.
If a holding is acquired despite the opposition of the competent authorities, Article 6(4)
requires Member States, regardless of any other penalty to be adopted, to provide for
35
the exercise of the corresponding voting rights to be suspended, the nullity of votes cast
or the possibility of annulling those votes.
4.3.3. Initial Capital
The revised payment services directive extends the list of allowable initial capital items.
The updated version of the Article provides that initial capital of a payment institution
must comprise one or more of the following items referred to in Article 26(1) (a) to (e) of
Regulation (EU) No 575/2013:
• capital instruments, provided certain conditions are met (for details see Articles 28
and Article 29 of the Regulation);
• share premium accounts related to the instruments referred to in the bullet
point above;
• retained earnings;
• accumulated other comprehensive income;
• other reserves
The retained earnings, accumulated other comprehensive income and other reserves
items will only be recognised for this purpose where they are available to the institution
for unrestricted and immediate use to cover risks or losses as soon as these occur (2nd
paragraph of Article 26(1) of Regulation (EU) No 575/2013).
4.3.3.1. Initial Capital Requirements for Payment Initiation Service Providers
PSD 2 lays down the initial capital requirement for payment initiation service providers.
According to point (b) of Article 7, payment institutions providing payment initiation ser-
vices must hold, at any time, initial capital of no less than EUR 50 000.
4.3.4. Own Funds
Paragraph 3 of the Own Funds article concerning payment institutions included in the
consolidated supervision of the parent credit institution has been updated to include ref-
erences to relevant provisions of the recent prudential supervision legislation, i.e. Direc-
tive 2013/36/EU and Regulation (EU) No 575/2013, in particular Article 7.
36
Article 9(1) of PSD 2 exempts payment institutions offering only payment initiation
services or account information services, or both from the obligation to meet specific
own funds requirements.
4.3.5. Safeguarding Requirements
The revised safeguarding requirements concern payment institutions which provide
payments services listed in Annexe I to PSD 2 except for payment initiation services
and account information services. According to Article 10(1) payment initiation service
providers and account information service providers are exempt from the safeguarding
requirements.
Article 10 of PSD 2 makes no mention of being engaged in other business activities at the
same time as providing payment services as a condition for being subject to safeguarding
requirements as it was in Article 9(1) of PSD 1. In PSD 1, it was at the discretion of Member
States or their competent authorities whether to require a payment institution which is not
engaged in other business activities to comply with the safeguarding requirements or not.
The option provided under PSD 1 for Member States or their competent authorities
to limit the safeguarding requirements to funds of those payment service users whose
funds individually exceed a threshold of EUR 600 has also been removed. The new ver-
sion of the Article emphasises that all funds which have been received from the payment
service users or through another payment service provider for the execution of payment
transactions must be safeguarded.
4.3.6. Registered Office Requirements
Under Article 11(3) of PSD 2, a payment institution which, under the national law of its
home Member State is required to have a registered office, must have its head office in
the same Member State as its registered office and must carry out at least part of its
payment service business there.
4.3.7. Other Allowable Activities
There are only minor changes to the PSD 2 Article 18 on the activities payment institu-
tions are entitled to engage in apart from the provision of payment services.
37
Thus, the 3rd paragraph of Article 18 brings the meaning of a ‘deposit’ or ‘other repay-
able funds’ in line with Article 9 of Directive 2013/36/EU and the meaning of ‘electronic
money’ in line with point (2) of Article 2 of Directive 2009/110/EC removing the referenc-
es to the repealed Directives 2006/48/EC and 2000/46/EC respectively.
The updated article emphasises that all the conditions mentioned in the 4th paragraph
must be met in order for a payment institution to grant credit related to the provision of
payment services as referred to in point (4) or (5) of Annexe I, i.e. execution of payment
transactions where the funds are covered by a credit line for a payment service user and
issuing of payment instruments and / or acquiring of payment transactions. The condi-
tions themselves remained the same.
Under paragraph 6, PSD 2 will apply without prejudice to Directive 2008/48/EC on credit
agreements for consumers, which replaced Council Directive 87/102/EEC, other relevant
European Union law or national measures regarding conditions for granting credit to con-
sumers not harmonised by the Directive that comply with the European Union law.
4.3.8. Exemptions
In PSD 2, Section 4 of Title II on exemption of payment institutions from certain require-
ments concerning the authorisation, use of agents, branches and outside service provid-
ers, and supervision has received a new title. The old one ‘Waiver’ has been replaced with
‘Exemption’.
Article 32 sets out conditions under which Member States or their competent authorities
may exempt natural or legal persons providing payment services specified in points
(1) to (6) of Annexe I from the application of all or part of the procedure and conditions
set out in Sections 1, 2 and 3 of the 1st Chapter of Title II, with the exception of Articles 14
(Registration in the Home Member State), 15 (EBA Register), 22 (Designation of Compe-
tent Authorities), 24 (Professional Secrecy), 25 (Right to Apply to the Courts) and 26 (Ex-
change of Information).
The most important change here is that under PSD 2 the limit on the monthly average
value of payment transactions executed by a payment service provider within the pre-
ceding 12 months as a condition of exemption will be set by Member States at their
discretion with the mandatory ceiling remaining at EUR 3 million per month.
38
A separate article on account information service providers has been added to the
Exemption section of PSD 2. Thus, Article 33 provides that natural or legal persons pro-
viding only the account information services will be exempt from the application of
the procedure and conditions related to the authorisation and the use of agents,
branches and outside suppliers (Sections 1 and 2 of Title II of PSD 2), with a number of
exceptions, which are as follows:
• Undertakings applying for registration under PSD 2 will be required to submit the
following information to support their applications (points (a), (b), (e) to (h), (j), (l),
(n), (p) and (q) of Article 5(1)):
° a programme of operations setting out in particular the type of payment
services envisaged;
° a business plan including a forecast budget calculation for the first 3 financial
years which demonstrates that the applicant is able to employ the appropriate
and proportionate systems, resources and procedures to operate soundly;
° a description of the applicant’s governance arrangements and internal con-
trol mechanisms, including administrative, risk management and accounting
procedures, which demonstrates that those governance arrangements,
control mechanisms and procedures are proportionate, appropriate, sound
and adequate;
° a description of the procedure in place to monitor, handle and follow up
a security incident and security related customer complaints, including an
incidents reporting mechanism which takes account of the notification obli-
gations of the payment institution laid down in Article 96;
° a description of the process in place to file, monitor, track and restrict ac-
cess to sensitive payment data;
° a description of business continuity arrangements including a clear identi-
fication of the critical operations, effective contingency plans and a proce-
dure to regularly test and review the adequacy and efficiency of such plans;
° a security policy document, including a detailed risk assessment in relation to
its payment services and a description of security control and mitigation mea-
sures taken to adequately protect payment service users against the risks
identified, including fraud and illegal use of sensitive and personal data;
° a description of the applicant’s structural organisation, including, where
39
applicable, a description of the intended use of agents and branches and of
the off-site and on-site checks that the applicant undertakes to perform on
them at least annually, as well as a description of outsourcing arrangements,
and of its participation in a national or international payment system;
° the identity of directors and persons responsible for the management of
the payment institution and, where relevant, persons responsible for the
management of the payment services activities of the payment institution,
as well as evidence that they are of good repute and possess appropriate
knowledge and experience to perform payment services as determined by
the home Member State of the payment institution;
° the applicant’s legal status and articles of association;
° the address of the applicant’s head office
• Undertakings that apply for registration to provide account information services
will be required, as a condition of their registration, to hold a professional indem-
nity insurance covering the territories in which they offer services, or some other
comparable guarantee against their liability vis-à-vis the account servicing pay-
ment service provider or the payment service user resulting from non-authorised
or fraudulent access to or non-authorised or fraudulent use of payment account
information (Article 5(3));
• Registered account information service providers will be entered in the public
register of their respective home Member State and the central register of EBA
(Articles 14 and 15);
• Section 3 of Title II concerning supervision will apply to account information service
providers with the exception of Article 23(3)
Account information service providers will be treated as payment institutions, save that
Titles III (Transparency of Conditions and Information Requirements for Payment Services)
and IV (Rights and Obligations in relation to the Provision and Use of Payment Services)
will not apply to them, with the exception of Articles 41 (Burden of Proof on Information
Requirements), 45 (Information and Conditions in respect of Single Payment Transac-
tions) and 52 (Information and Conditions in respect of Framework Contracts) where ap-
plicable, and of Articles 67 (Rules on Access to and Use of Payment Account Information
in the case of Account Information Services), 69 (Obligations of the Payment Service User
in relation to Payment Instruments and Personalised Security Credentials), 95 (Manage-
ment of Operational and Security Risks), 96 (Incident Reporting), 97 (Authentication) and
40
98 (Regulatory Technical Standards on Authentication and Communication).
Member States will be obliged to notify the European Commission of their intention to
apply an exemption pursuant to Article 32 by 13 January 2018.
4.3.9. Public Register of Payment Institutions
Account information service providers and their agents have been added to the list of
payment institutions that must appear on the public register of their home Member
State. Account information service providers will be listed in the register separately from
authorised payment institutions.
According to the 2nd subparagraph of Article 14(1), branches of payment institutions will
have to be entered in the register of the home Member State if these branches provide
services in a Member State other than their home Member State.
PSD 2 requires that the register be updated without delay rather than on a regular ba-
sis as it is put in PSD 1.
The new Directive also introduces obligations for competent authorities to enter in the pub-
lic register any withdrawal of authorisation and any withdrawal of an exemption and
to notify the European Banking Authority (EBA) of the reasons for each such withdrawal.
4.3.10. EBA’s Central Register
Article 15 of PSD 2 mandates the European Banking Authority (EBA) to develop, operate
and maintain an electronic, central register. The register will contain information from
public registers maintained by Member States. Under Article 15(2) competent authorities
of Member States will be obliged to notify EBA without delay of the information entered in
their respective public registers.
EBA will be required to develop draft regulatory technical standards setting technical
requirements on development, operation and maintenance of the electronic central reg-
ister and on access to the information contained therein. Those draft regulatory technical
standards are to be submitted to the European Commission for adoption by 13 January
2018 (Article 15(4)).
41
The details and structure of the information to be notified by competent authorities to
EBA, including the common format and model in which this information is to be provided,
will be laid down in the relevant draft implementing technical standards to be devel-
oped by EBA and submitted by 13 July 2017 to the European Commission for adoption.
Competent authorities will be responsible for the accuracy of the information to be sup-
plied and for keeping that information up-to-date, while EBA will be responsible for the
accurate presentation of that information. The modification of the information will only be
possible by the competent authority and EBA.
The EBA register will be publicly available on EBA’s website and offer easy access to and
easy search for the information listed free of charge.
4.4. Accounting and Statutory Audit
Article 17(1) updates the list of Directives to apply to payment institutions in the context
of accounting and statutory audit. Thus, Directive 2013/34/EU of 26 June 2013 on the
annual financial statements, consolidated financial statements and related reports of
certain types of undertakings replaces in PSD 2 the repealed Directives 78/660/EEC and
Directives 83/349/EEC.
Article 17(4) provides that the obligations established in Article 63 of Directive 2013/36/
EU must apply mutatis mutandis to the statutory auditors or audit firms of payment insti-
tutions in respect of payment services activities.
4.5. Agents, Branches and Outsourcing
Under PSD 2, a payment institution which intends to provide payment services through
an agent will be obliged to communicate the following information to the competent au-
42
thorities in its home Member State (Article 19(1)):
• the name and address of the agent;
• a description of the internal control mechanisms that will be used by the agent
in order to comply with the obligations in relation to money laundering and ter-
rorist financing under Directive (EU) 2015/849, to be updated without delay in
the event of material changes to the particulars communicated at the initial
notification;
• the identity of directors and persons responsible for the management of the agent
to be used in the provision of payment services and, for agents other than pay-
ment service providers, evidence that they are fit and proper persons;
• the payment services of the payment institution for which the agent is man-
dated; and
• where applicable, the unique identification code or number of the agent
Article 19(2) clearly defines the time frame for a reply by the competent authority and the
moment the agent may start providing payment services. Thus, the competent author-
ity of the home Member State must communicate to the payment institution whether
the agent has been entered in the public register of the home Member State within 2
months of receipt of the required information. The agent may commence providing
payment services upon entry in the register.
If competent authorities consider that the information provided to them is incorrect,
under PSD 2 they will be obliged to take further action to verify the information before
listing the agent in the register (Article 19(3)). Under PSD 1, taking further action to verify
information about the agent is at the discretion of the competent authorities.
If, after taking action to verify the information, the competent authorities are not satis-
fied that the information provided to them is correct and refuse to list the agent in the
register, they will be obliged to inform the payment institution without undue delay
(Article 19(4)).
Payment institution wishing to provide payment services in another Member State by
engaging an agent or establishing a branch will be required to follow the procedures set
out in Article 28 (Application to Exercise the Right of Establishment and Freedom to Pro-
vide Services). The obligation of the competent authorities of the home Member State to
43
inform the competent authorities of the host Member State of their intention to register
the agent and take their opinion into account has been removed (Article 19(5)).
According to Article 14(1), branches of payment institutions will be entered in the pub-
lic register of the home Member State if those branches provide services in a Member
State other than their home Member State.
IT systems are now expressly mentioned among important operational functions, which
may be outsourced. Outsourcing of important operational functions must not impair
the ability of the competent authorities to monitor and retrace the payment institution’s
compliance with all of the obligations laid down in PSD 2 (Article 19(6)).
Article 19(8) of PSD 2 imposes on payment institutions an obligation to communicate
to the competent authorities of their home Member State without undue delay any
change regarding the use of entities to which activities are outsourced and agents,
including additional agents.
4.6. Competent Authorities and Supervision
To ensure continued compliance with the provisions of Title II on payment service provid-
ers, the competent authorities are entitled to require the payment institution to provide any
information needed to monitor such compliance. The difference with PSD 1 is that under
PSD 2 the competent authorities will have to specify the purpose of the request and
the time limit by which the information is to be provided (point (a) of Article 23(1)).
In PSD 2 the European Banking Authority (EBA) in its capacity of contributing to the
consistent and coherent functioning of supervising mechanisms is added to the list of
bodies the competent authorities of different Member States are obliged to co-operate
and exchange information with (Article 26(1), point (d) of Article 26(2)).
PSD 2 introduces a new article on settlement of disagreements between competent
authorities of different Member States. Article 27 provides that where a competent
44
authority of a Member State considers that, in a particular matter, cross-border cooper-
ation with competent authorities of another Member State in the context of information
exchange, exercise by a payment institution of the right of establishment and freedom to
provide services, supervision and measures for non-compliance (Articles 26, 28, 29, 30,
31) does not comply with the relevant provisions of PSD 2, it may refer the matter to
EBA and request its assistance in accordance with Article 19 (Settlement of Disagree-
ments between Competent Authorities in Cross-border Situations) of Regulation (EU) No
1093/2010.
If the assistance of EBA has been requested, EBA will take a decision without undue delay
in accordance with Article 19(3) of Regulation (EU) No 1093/2010. EBA may also assist the
competent authorities in reaching an agreement on its own initiative. In either case, the
competent authorities involved will have to defer their decisions pending resolution
of EBA (Article 27(2)).
4.7. Right of Establishment and Freedom to Provide Services
Under PSD 1, an authorised payment institution wishing to provide payment services
for the first time in a Member State other than its home Member State is only obliged to
inform the competent authorities in its home Member State accordingly. In PSD 2, Article
28(1) clearly defines what information a payment institution will have to communicate to
the competent authorities of its home Member State, which is as follows:
• the name, the address and, where applicable, the authorisation number of the
payment institution;
• the Member State(s) in which it intends to operate;
• the payment service(s) to be provided;
• where the payment institution intends to make use of an agent, the following infor-
mation about the agent has to be submitted:
° the name and address of the agent;
45
° a description of the internal control mechanisms that will be used by the
agent in order to comply with the obligations in relation to money launder-
ing and terrorist financing under Directive (EU) 2015/849, to be updated
without delay in the event of material changes to the particulars communi-
cated at the initial notification;
° the identity of directors and persons responsible for the management of
the agent to be used in the provision of payment services and, for agents
other than payment service providers, evidence that they are fit and proper
persons;
° the payment services of the payment institution for which the agent is man-
dated; and
° where applicable, the unique identification code or number of the agent
• where the payment institution intends to make use of a branch, the following in-
formation about the branch has to be submitted:
° a business plan including a forecast budget calculation for the first 3 finan-
cial years which demonstrates that the applicant is able to employ the ap-
propriate and proportionate systems, resources and procedures to operate
soundly;
° a description of governance arrangements and internal control mecha-
nisms, including administrative, risk management and accounting proce-
dures, which demonstrates that those governance arrangements, control
mechanisms and procedures are proportionate, appropriate, sound and
adequate
• with regard to the payment service business in the host Member State, a descrip-
tion of the organisational structure of the branch and the identity of those respon-
sible for the management of the branch.
Where the payment institution intends to outsource operational functions of payment
services to other entities in the host Member State, it will have to inform the competent
authorities of its home Member State about such intention.
Article 28 (paragraphs 2 and 3) outlines the procedure to be followed and time limits to
be observed by the competent authorities of the Member States involved. Thus, with-
in 1 month of receipt of all of the required information the competent authorities of
the home Member State are obliged to send it to the competent authorities of the host
46
Member State. The competent authorities of the host Member State will have one month
to assess that information and respond. Where the competent authorities of the home
Member State do not agree with the assessment of the competent authorities of
the host Member State, they will be obliged to provide the latter with the reasons for
their decision.
If the assessment of the competent authorities of the home Member State in par-
ticular in light of the information received from the competent authorities of the host
Member State, is not favourable, the competent authority of the home Member State
will be obliged to refuse to register the agent or branch or withdraw the registration
if already made.
Within 3 months of receipt of the required information from the payment institution
the competent authorities of the home Member State will be obliged to communicate
their decision to the competent authorities of the host Member State and to the pay-
ment institution.
The agent or branch may commence its activities in the relevant host Member State
upon entry in the public register of the home Member State.
Under Article 28(3) the payment institution will have an obligation to notify to the com-
petent authorities of the home Member State the date from which it commences its
activities through the agent or branch in the relevant host Member State with the
competent authorities of the home Member State to inform the competent authorities of
the host Member State accordingly.
The payment institution will also be obliged to communicate to the competent author-
ities of the home Member State without undue delay any relevant change regarding
the required information, including additional agents, branches or entities to which
activities are outsourced in the host Member States in which it operates. The above-men-
tioned procedure will apply (Article 28(4)).
Details on the co-operation between competent authorities of Member States and the
exchange of information in connection with the application of a payment institution
to exercise their right of establishment and freedom to provide services will be set
forth in relevant regulatory technical standards (RTS) to be developed by EBA. Draft
47
RTS are to be submitted to the European Commission for endorsement by 13 January
2018. Those draft regulatory technical standards will specify the framework for cooper-
ation and for the exchange of information between competent authorities of the home
and of the host Member States, the method, means and details of cooperation in the no-
tification of payment institutions operating on a cross-border basis and, in particular, the
scope and treatment of information to be submitted, including common terminology and
standard notification templates to ensure a consistent and efficient notification process
(Article 28(5)).
4.7.1. Supervision of PIs Operating on a Cross-border Basis
In PSD 2 the supervision of payment institutions exercising the right of establishment and
freedom to provide services makes a separate article. The existing provisions of PSD 1
have been extended to enhance compliance.
Thus, for information and statistical purposes and in order to monitor compliance
with national law transposing Titles III (Transparency of Conditions and Information Re-
quirements for Payment Services) and IV (Rights and Obligations in relation to the Provi-
sion and Use of Payment Services) of PSD 2 the competent authorities of host Member
States may require payment institutions having agents or branches within their territo-
ries to report to them periodically on the activities carried out in their territories. Such
agents and branches will be subject to professional secrecy requirements (Article 29(2)).
Under Article 29(4), Member States may require payment institutions operating on
their territory through agents and whose head office is situated in another Member
State to appoint a central contact point in their territory to ensure adequate com-
munication and information reporting on compliance with relevant provisions of PSD
2 and to facilitate supervision by competent authorities of home Member State and
host Member States, including by providing competent authorities with documents and
information on request.
The criteria to be applied when determining the circumstances when the appointment
of a central contact point is appropriate, and the functions of those contact points
will be set out in relevant regulatory technical standards to be developed by EBA and
submitted to the European Commission for adoption by 13 January 2017 (Article 29(5)).
48
In particular, those draft regulatory technical standards will have to take account of:
• the total volume and value of transactions carried out by the payment institution
in host Member States;
• the type of payment services provided; and
• the total number of agents established in the host Member State
Article 29(6) requires that EBA develop draft regulatory technical standards specifying
the framework for cooperation, and for the exchange of information, between the
competent authorities of the home Member State and of the host Member State under
Title II Payment Service Providers of PSD 2 and to monitor compliance with the provi-
sions of national law transposing Titles III (Transparency of Conditions and Information
Requirements for Payment Services) and IV (Rights and Obligations in relation to the Pro-
vision and Use of Payment Services). The draft regulatory technical standards will specify
the method, means and details of cooperation in the supervision of payment in-
stitutions operating on a cross-border basis and, in particular, the scope and treat-
ment of information to be exchanged, to ensure consistent and efficient supervision of
payment institutions exercising cross-border provision of payment services. Those draft
regulatory technical standards will also specify the means and details of any reporting
requested by host Member States from payment institutions on the payment business
activities carried out in their territories in accordance with paragraph 2 of Article 29 (see
above), including the frequency of such reporting. The draft RTS are to be submitted to
the European Commission for adoption by 13 January 2018.
4.7.2. Measures in Case of Non-compliance
PSD 2 introduces an article on measures to be taken by competent authorities of Mem-
ber States in cases of non-compliance by payment institutions with provisions of PSD 2
(Titles II, III and IV).
Article 30(1) requires that where the competent authority of the host Member State ascertains
that a payment institution having agents or branches in its territory does not comply
with Title II (Payment Service Providers) or with national law transposing Title III (Transparency of
Conditions and Information Requirements for Payment Services) or Title IV (Rights and Obliga-
tions in relation to the Provision and Use of Payment Services), the competent authority of the
host Member State inform the competent authority of the home Member State without delay.
49
The competent authority of the home Member State, after having evaluated the infor-
mation received will be required to take, without undue delay, all appropriate measures
to ensure that the payment institution concerned puts an end to its irregular situation.
The competent authority of the home Member State will be obliged to communicate
those measures without delay to the competent authority of the host Member State
and to the competent authorities of any other Member State concerned.
In emergency situations, where immediate action is necessary to address a serious
threat to the collective interests of the payment service users in the host Member State,
the competent authorities of the host Member State may, in parallel to the cross-bor-
der cooperation between competent authorities and pending measures by the compe-
tent authorities of the home Member State, take precautionary measures (Article 30(2)).
Article 30(3) provides that any such precautionary measures must be appropriate and
proportionate to their purpose to protect against a serious threat to the collective in-
terests of the payment service users in the host Member State. They must not result in
a preference for payment service users of the payment institution in the host Member
State over payment service users of the payment institution in other Member States.
Precautionary measures must be temporary and must be terminated when the serious
threats identified are addressed, including with the assistance of or in cooperation with
the home Member State’s competent authorities or with EBA.
Article 30(4) requires that the competent authorities of the host Member State, where
compatible with the emergency situation, inform the competent authorities of the home
Member State and those of any other Member State concerned, the Commission and
EBA in advance and in any case without undue delay, of the precautionary measures
taken and of their justification.
Article 31(1) obliges the competent authorities taking measures which involve penalties
or restrictions on the exercise of the freedom to provide services or the right of establish-
ment to properly justify such measures and communicate them to the payment institu-
tion concerned.
The supervision or monitoring of the compliance with the requirements of an-
ti-money laundering laws will be carried out by the competent authorities in accor-
dance with Directive (EU) 2015/849 on the Prevention of the Use of the Financial Sys-
50
tem for the Purposes of Money Laundering or Terrorist Financing and Regulation (EU)
2015/847 on Information Accompanying Transfers of Funds.
4.8. Access to Payment Systems and Accounts Maintained with a Credit Institution
Provisions concerning access to payment systems have not changed much in PSD 2.
Article 35(2) defining cases to which the general access rules set out in Article 35(1) do not
apply now contains a clarification of point (a) of Article 35(2) on payment system designated
under Directive 98/26/EC which requires a participant in a designated system that allows
an authorised or registered payment service provider that is not a participant in the system
to pass transfer orders through the system to give, when requested, the same opportu-
nity to other authorised or registered payment service providers in line with the princi-
ple of objective, non-discriminatory and proportionate access to payment systems
referred to in Article 35(1). In the case of rejection, the participant will have to provide the
requesting payment service provider with full reasons for any such rejection.
One of the most important changes to the industry rules is introduced by Article 36 on
access to accounts maintained with a credit institution. The article obliges Member
States to ensure that payment institutions have access to credit institutions’ pay-
ment accounts services on an objective, non-discriminatory and proportionate basis.
Such access must be sufficiently extensive as to allow payment institutions to provide
payment services in an unhindered and efficient manner. In the case of rejection, the
credit institution will have to provide the competent authority with duly motivated rea-
sons for any such rejection.
51
4.9. Customer Protection
One of the main objectives of the revised Payment Services Directive (PSD 2) is to ensure
enhanced customer protection. The following changes to the rules have been introduced
for this purpose.
4.9.1. Payment Service Users’ Right to Information
The existing general rules on the transparency of conditions and availability of in-
formation set out in Articles 30 to 34 of Chapter 1 of Title III of PSD 1 have not changed
much in PSD 2 (Articles 38 to 42). The most important changes in Title III concern specific
areas such as single payment transactions, framework contracts, currency conversion
and charges.
4.9.1.1. Single Payment Transactions
Point (a) of Article 45 on information and conditions with regard to single payment trans-
actions puts a specific emphasis on the initiation of a payment order and requires
the payment service provider to provide for the payment service user a specification of
the information or unique identifier to be supplied by the payment service user in
order for a payment order to be properly initiated or executed.
In addition, Article 45(2) specifies what information payment initiation service provid-
ers must provide the payer with, or make available to the payer, prior to initiation, in
a clear and comprehensive manner. This information must comprise the following ele-
ments:
• the name of the payment initiation service provider, the geographical address
of its head office and, where applicable, the geographical address of its agent or
branch established in the Member State where the payment service is offered, and
any other contact details, including electronic mail address, relevant for communi-
cation with the payment initiation service provider; and
• the contact details of the competent authority
Article 46 has been added to PSD 2 to specify information to be provided for the payer
52
and payee after the initiation of a payment order. It requires that in addition to the
information and conditions specified in Article 45, where a payment order is initiated
through a payment initiation service provider, the payment initiation service provider,
immediately after initiation, provide or make available all of the following data to the pay-
er and, where applicable, the payee:
• confirmation of the successful initiation of the payment order with the payer’s ac-
count servicing payment service provider;
• a reference enabling the payer and the payee to identify the payment transac-
tion and, where appropriate, the payee to identify the payer, and any information
transferred with the payment transaction;
• the amount of the payment transaction;
• where applicable, the amount of any charges payable to the payment initiation
service provider for the transaction, and where applicable a breakdown of the
amounts of such charges
Article 47 requires that a payment initiation service provider through which a payment
order is initiated make available to the payer’s account servicing payment service provider
the reference of the payment transaction.
4.9.1.2. Framework Contracts
Point (b) of Article 52(2) on information and conditions to be provided to the payment service
user in connection with framework contracts specifically mentions the initiation of a pay-
ment order and requires the payment service provider to provide for the payment service
user a specification of the information or unique identifier that has to be supplied by
the payment service user in order for a payment order to be properly initiated or executed.
A requirement to provide for the payment service user the form of and procedure
for giving consent to initiate a payment order has been added to the existing require-
ments to provide the form of and procedure for giving consent to execute a payment
transaction and withdrawal of such consent (point (c) of Article 52(2)).
Point (g) has been added to the article on information and conditions to be provided to the
payment service user in connection with framework contracts (Article 52(2)), which requires
that, in the case of co-badged, card-based payment instruments, payment service pro-
53
viders provide for the payment service user information on the payment service user’s
rights under Article 8 (Co-badging and Choice of Payment Brand or Payment Application) of
Regulation (EU) 2015/751 on interchange fees for card-based payment transactions.
Article 52(3) adds a clarification regarding the information to be provided to payment
service user with regard to charges payable to the payment service provider. Thus, point
(a) of Article 52(3) requires that the payment service user be provided with information on
all charges payable by the payment service user to the payment service provider includ-
ing those connected to the manner in and frequency with which information under
PSD 2 is provided or made available.
A new point has been introduced into Article 52(5) on information and conditions regard-
ing safeguards and corrective measures. Thus, point (b) of Article 52(5) requires that the
payment service user be provided with information on the secure procedure for noti-
fication of the payment service user by the payment service provider in the event of
suspected or actual fraud or security threats.
The existing requirement to provide the payment service user with information on how
and within what period of time the payment service user is expected to notify the pay-
ment service provider of any unauthorised or incorrectly executed payment transaction
has been extended in PSD 2 to include any unauthorised or incorrectly initiated pay-
ment transaction (point (e) of Article 52(5)).
In addition to the existing requirement to inform the payment service user of the liability
of the payment service provider for correct execution of payment transactions, point (f)
of Article 52(5) requires that the payment service user be informed of the liability of the
payment service provider for the correct initiation of payment transactions.
Article 54(1) of PSD 2 on changes in conditions of the framework contract now states that
the payment service user can accept or reject the proposed changes before the date of
their proposed date of entry into force.
Under PSD 2 (Article 55(2)) the termination of a framework contract will be free of
charge for the payment service user after 6 months of the date of its entry into force
rather than after the expiry of 12 months as it is now under PSD 1.
54
Article 57(2) introduces a requirement for a framework contract to include a condition
that the payer may require the information listed in Article 57(1), such as the refer-
ence and the amount of the payment transaction, the amount of any related charges, the
exchange rate and the debit value date or the date of receipt of the payment order, to be
provided or made available periodically, at least once a month, free of charge.
4.9.1.3. Information Requirements where Currency Conversion is Involved
Under Article 59(2) of PSD 2 the party offering the currency conversion service prior
to the initiation of the payment transaction will also be obliged to disclose to the payer all
charges as well as the exchange rate to be used for converting the payment transaction
when that currency conversion service is offered at an ATM. Under PSD 1 the obliga-
tion only concerns cases where the currency conversion service is offered at the point of
sale or by the payee (Article 49(2) of PSD 1).
4.9.1.4. Information on Additional Charges
Article 60(2) of PSD 2 adds a clarification concerning “a payment service provider or a
third party”, which may request a charge for the use of a given payment instrument, as it
is put in PSD 1. “A third party” in PSD 1 has been replaced with “another party involved
in the transaction” in PSD 2.
PSD 2 introduces a new rule, which obliges the payer to pay the charges for the use of a
given payment instrument requested by the payee, the payment service provider or an-
other party involved in the transaction only if their full amount has been made known
to the payer prior to the initiation of the payment transaction (Article 60(3)).
4.9.2. Applicable Charges
PSD 2 contains revised rules on the allocation of applicable charges between the payer
and the payee and requesting charges or offering reductions by the payee for the use of
a particular payment instrument (Article 62(2,3,4)).
4.9.2.1. Allocation of Charges
The existing rule on the allocation of applicable charges for payment transactions have
55
been revised as follows. Article 62(2) of PSD 2 requires that for payment transactions pro-
vided within the European Union, where both the payer’s and the payee’s payment service
providers are, or the sole payment service provider in the payment transaction is, located
in the EU, the payee pay the charges levied by his payment service provider, and the payer
pay the charges levied by his payment service provider. In PSD 1, the rule only concerns
payment transactions that do not involve any currency conversion (Article 52(2) of PSD 1).
4.9.2.2. Surcharges
Under Article 62(3) the payee is allowed, in addition to requesting from the payer a
charge or offering a reduction provided for in PSD 1, to use other ways to steer the
payer towards the use of a particular payment instrument. Any charges applied by
the payee must not exceed the direct costs borne by the payee.
In any case, the payee must not request charges for the use of payment instruments for
which interchange fees are regulated under Chapter II of Regulation (EU) 2015/751 on
Interchange Fees for Card-based Payment Transactions and for those payment services
to which Regulation (EU) No 260/2012 Establishing Technical and Business Requirements
for Credit Transfers and Direct Debits in Euro applies.
The provision of PSD 1 (Article 52(3)) concerning the right of Member States to forbid or
limit the right of the payee to request charges given the need to encourage competition
and promote the use of efficient payment instruments has been removed.
4.9.3. Authorisation of Payment Transactions
4.9.3.1. Consent to Execute a Payment Transaction
Article 64(2) has been extended to include consent to execute a payment transaction
given by the payer via the payee or the payment initiation service provider.
4.9.3.2. Confirmation of the Availability of Funds
PSD 2 introduces Article 65 “Confirmation on the Availability of Funds”. The new article
obliges an account servicing payment service provider, upon the request of a pay-
ment service provider issuing card-based payment instruments, to immediately confirm
56
whether an amount necessary for the execution of a card-based payment transac-
tion is available on the payment account of the payer, provided that all of the follow-
ing conditions are met:
• the payment account of the payer is accessible online at the time of the request;
• the payer has given explicit consent to the account servicing payment service
provider to respond to requests from a specific payment service provider to
confirm that the amount corresponding to a certain card-based payment transac-
tion is available on the payer’s payment account;
• the consent has been given before the first request for confirmation is made
The payment service provider may request the confirmation where all of the following
conditions are met:
• the payer has given explicit consent to the payment service provider to re-
quest the confirmation;
• the payer has initiated the card-based payment transaction for the amount in ques-
tion using a card based payment instrument issued by the payment service provider;
• the payment service provider authenticates itself towards the account servicing
payment service provider before each confirmation request, and securely com-
municates with the account servicing payment service provider in accordance
with point (d) of Article 98(1)
Such confirmation will consist only in a simple ‘yes’ or ‘no’ answer and not in a statement
of the account balance. That answer must not be stored or used for purposes other than
for the execution of the card-based payment transaction.
The confirmation will not allow for the account servicing payment service provider to
block funds on the payer’s payment account.
Article 65(5) will allow the payer to request the account servicing payment service provid-
er to communicate to the payer the identification of the payment service provider
and the answer provided.
Article 65 will not apply to payment transactions initiated through card-based payment
instruments on which electronic money is stored.
57
4.9.3.3. Access to Payment Account
Article 66 introduces rules on access to payment account in the case of payment
initiation services.
According to paragraph 1, the right to make use of a payment initiation service provider
only applies where the payment account is accessible online.
Article 66(2) sets out rules to be followed by payment initiation service providers. Thus,
the payment initiation service provider must:
• not hold at any time the payer’s funds in connection with the provision of the
payment initiation service;
• ensure that the personalised security credentials of the payment service user
are not, with the exception of the user and the issuer of the personalised securi-
ty credentials, accessible to other parties and that they are transmitted by the
payment initiation service provider through safe and efficient channels;
• ensure that any other information about the payment service user, obtained
when providing payment initiation services, is only provided to the payee and
only with the payment service user’s explicit consent;
• every time a payment is initiated, identify itself towards the account servicing
payment service provider of the payer and communicate with the account ser-
vicing payment service provider, the payer and the payee in a secure way;
• not store sensitive payment data of the payment service user;
• not request from the payment service user any data other than those neces-
sary to provide the payment initiation service;
• not use, access or store any data for purposes other than for the provision
of the payment initiation service as explicitly requested by the payer;
• not modify the amount, the payee or any other feature of the transaction
When the payer gives its explicit consent for a payment to be executed, the account
servicing payment service provider will be obliged to perform the following actions in
order to ensure the payer’s right to use the payment initiation service:
• communicate securely with payment initiation service providers in accordance
with point (d) of Article 98(1) of PSD 2;
58
• immediately after receipt of the payment order from a payment initiation service
provider, provide or make available all information on the initiation of the
payment transaction and all information accessible to the account servicing
payment service provider regarding the execution of the payment transac-
tion to the payment initiation service provider;
• treat payment orders transmitted through the services of a payment initiation
service provider without any discrimination other than for objective reasons, in
particular in terms of timing, priority or charges vis-à-vis payment orders transmit-
ted directly by the payer
Article 66(5) requires that the provision of payment initiation services be not dependent
on the existence of a contractual relationship between the payment initiation service
providers and the account servicing payment service providers for that purpose.
Rules on access to and use of payment account information in the case of account
information services are provided in Article 67.
The right of the payment service user to make use of services enabling access to account
information only applies where the payment account is accessible online.
According to Article 67(2), the account information service provider must:
• provide services only where based on the payment service user’s explicit consent;
• ensure that the personalised security credentials of the payment service user
are not, with the exception of the user and the issuer of the personalised security
credentials, accessible to other parties and that when they are transmitted by
the account information service provider, this is done through safe and efficient
channels;
• for each communication session, identify itself towards the account servicing
payment service provider(s) of the payment service user and securely commu-
nicate with the account servicing payment service provider(s) and the payment
service user, in accordance with point (d) of Article 98(1);
• access only the information from designated payment accounts and associated
payment transactions;
• not request sensitive payment data linked to the payment accounts;
59
• not use, access or store any data for purposes other than for performing the
account information service explicitly requested by the payment service user, in
accordance with data protection rules
In relation to payment accounts, the account servicing payment service provider will
be obliged to:
• communicate securely with the account information service providers in accor-
dance with point (d) of Article 98(1); and
• treat data requests transmitted through the services of an account information
service provider without any discrimination for other than objective reasons
Article 67(4) requires that the provision of account information services be not depen-
dent on the existence of a contractual relationship between the account information
service providers and the account servicing payment service providers for that purpose.
An account servicing payment service provider may deny an account information ser-
vice provider or a payment initiation service provider access to a payment account
for objectively justified and duly evidenced reasons relating to unauthorised or fraudu-
lent access to the payment account by that account information service provider or that
payment initiation service provider, including the unauthorised or fraudulent initiation of
a payment transaction (Article 68(5)).
In such cases the account servicing payment service provider must inform the payer
that access to the payment account is denied and the reasons therefor in the form
agreed. That information must, where possible, be given to the payer before access is
denied and at the latest immediately thereafter, unless providing such information would
compromise objectively justified security reasons or is prohibited by other relevant Euro-
pean Union or national law.
The last subparagraph of Article 68(5) obliges the account servicing payment service pro-
vider to allow access to the payment account once the reasons for denying access no
longer exist.
Article 68(6) requires that the account servicing payment service provider immediately
report such cases relating to the account information service provider or the payment
initiation service provider to the competent authority, setting out relevant details of the
60
case and the reasons for taking action, so that the competent authority can assess the
case and take appropriate measures, if necessary.
4.9.3.4. Obligations of the Payment Service Provider in relation to Payment
Instruments
A new subparagraph has been added to the article concerning obligations of the pay-
ment service provider in relation to payment instruments. Thus, the new point (d) of Ar-
ticle 70(1) obliges the payment service provider issuing a payment instrument to provide
the payment service user with an option to make a notification of the loss, theft, mis-
appropriation or unauthorised use of the payment instrument free of charge and
to charge, if at all, only replacement costs directly attributed to the payment instrument.
4.9.3.5. Rectification of Unauthorised or Incorrectly Executed Payment Transactions
Paragraph 2 has been added to Article 71 on notification and rectification of unautho-
rised or incorrectly executed payment transactions to cover cases where a payment
initiation service provider is involved. Thus, Article 71(2) states that where a payment ini-
tiation service provider is involved, the payment service user will obtain rectification
of an unauthorised or incorrectly executed payment transaction from the account
servicing payment service provider pursuant to rules set out in Article 71(1) and with-
out prejudice to Articles 73(2) and 89(1) on the liability of the payment service provider
for unauthorised payment transactions, non-execution, defective or late execution of
payment transactions.
4.9.3.6. Evidence on Authentication of Payment Transactions
A subparagraph on the payment initiation service has been to the article concerning
evidence on authentication and execution of payment transactions. Thus, the second
subparagraph of Article 72(1) states that if the payment transaction is initiated through a
payment initiation service provider, the burden shall be on the payment initiation service
provider to prove that within its sphere of competence, the payment transaction was
authenticated, accurately recorded and not affected by a technical breakdown or other
deficiency linked to the payment service of which it is in charge.
Where a payment service user denies having authorised an executed payment transac-
61
tion, Article 72(2) obliges the payment service provider, including, where appropriate,
the payment initiation service provider, to provide supporting evidence to prove fraud
or gross negligence on part of the payment service user.
4.9.3.7. Payment transactions where the transaction amount is not known in
advance
Another new rule introduced by PSD 2 concerns payment transactions where the
transaction amount is not known in advance. According to Article 75(1), where a pay-
ment transaction is initiated by or through the payee in the context of a card-based pay-
ment transaction and the exact amount is not known at the moment when the payer
gives consent to execute the payment transaction, the payer’s payment service provider
may block funds on the payer’s payment account only if the payer has given consent to
the exact amount of the funds to be blocked.
The payer’s payment service provider will be obliged to release the funds without un-
due delay after receipt of the information about the exact amount of the payment
transaction and at the latest immediately after receipt of the payment order.
4.9.4. Execution of Payment Transactions
Changes in PSD 2 concerning rules on execution of payment orders are as follows.
4.9.4.1. Receipt of Payment Orders
Article 78(1) of PSD 2 offers a shorter definition of the time of receipt of the payment
order. The new version is as follows. The time of receipt is when the payment order is
received by the payer’s payment service provider. The second subparagraph of this Article
prohibits the debiting of the payer’s account before receipt of the payment order.
4.9.4.2. Refusal of Payment Orders
Article 79(1) provides that where the payment service provider refuses to initiate a pay-
ment transaction, the same rules will apply as in cases where the payment service pro-
vider refuses to execute a payment order, i.e. the refusal and, if possible, the reasons for
it and the procedure for correcting any factual mistakes that led to the refusal must be
62
notified to the payment service user, unless prohibited by other relevant European Union
or national law.
The third subparagraph of the Article provides that the framework contract may include
a condition that the payment service provider may charge a reasonable fee for such a
refusal if the refusal is objectively justified.
Paragraph 2 prohibiting refusal to execute an authorised payment order has been revised
in PSD 2 as follows. Where all of the conditions set out in the payer’s framework contract
are met, the payer’s account servicing payment service provider must not refuse to ex-
ecute an authorised payment order irrespective of whether the payment order is initiated
by a payer, including through a payment initiation service provider, or by or through a
payee, unless prohibited by other relevant Union or national law (Article 79(2)).
4.9.4.3. Irrevocability of a Payment Order
Article 80(2) now covers cases involving payment initiation service providers. Thus, where
the payment transaction is initiated by a payment initiation service provider or by or
through the payee, the payer must not revoke the payment order after giving consent
to the payment initiation service provider to initiate the payment transaction or
after giving consent to execute the payment transaction to the payee.
4.9.4.4. Availability of Funds
A new paragraph has been added to the Article on value date and availability of funds. It
sets out conditions under which the funds received by the payee’s payment service pro-
vider must be made immediately available to the payee. Thus, Article 87(2) provides that
the payment service provider of the payee must ensure that the amount of the payment
transaction is at the payee’s disposal immediately after that amount is credited to the
payee’s payment service provider’s account where, on the part of the payee’s payment
service provider, there is:
• no currency conversion; or
• a currency conversion between the euro and a Member State currency or be-
tween two Member State currencies
This obligation will also apply to payments within one payment service provider.
63
4.9.5. Consumer Rights
Article 106 on obligation to inform consumers of their rights provides that by 13 January
2018, the European Commission will produce a user-friendly electronic leaflet, listing in
a clear and easily comprehensible manner, the rights of consumers under PSD 2 and
related European Union law, and inform Member States, European associations of payment
service providers and European consumer associations of the publication of the leaflet.
The European Commission, EBA and the competent authorities will be obliged each to
ensure that the leaflet is made available in an easily accessible manner on their respec-
tive websites.
Payment service providers will be obliged to ensure that the leaflet is made available
in an easily accessible manner on their websites, if existing, and on paper at their
branches, their agents and the entities to which their activities are outsourced.
Article 106(4) prohibits payment service providers from charging their clients for making
available this information.
In respect of persons with disabilities, the information on consumer rights will have to be
provided using appropriate alternative means, allowing the information to be made avail-
able in an accessible format (Article 106(5)).
4.10. Liability
4.10.1. Payment Service Provider’s Liability for Unauthorised Payment Transactions
Article 73(1) sets a clear time limit for the payer’s payment service provider to refund
the payer for unauthorised payment transaction and conditions under which the refund
may be refused. Thus, in the case of an unauthorised payment transaction the payer’s
payment service provider refunds the payer the amount of the unauthorised payment
transaction immediately, and in any event no later than by the end of the following
64
business day, after noting or being notified of the transaction, except where the pay-
er’s payment service provider has reasonable grounds for suspecting fraud and
communicates those grounds to the relevant national authority in writing. Where
applicable, the payer’s payment service provider will have to restore the debited payment
account to the state in which it would have been had the unauthorised payment transac-
tion not taken place. This will also ensure that the credit value date for the payer’s pay-
ment account will be no later than the date the amount had been debited.
A new paragraph has been added to Article 73 to cover situations involving payment
transactions initiated through a payment initiation service provider. Article 73(2) provides
that where the payment transaction is initiated through a payment initiation service pro-
vider, the account servicing payment service provider will be obliged to refund im-
mediately, and in any event no later than by the end of the following business day
the amount of the unauthorised payment transaction and, where applicable, restore
the debited payment account to the state in which it would have been had the unautho-
rised payment transaction not taken place.
If the payment initiation service provider is liable for the unauthorised payment trans-
action, it will be obliged to immediately compensate the account servicing payment
service provider at its request for the losses incurred or sums paid as a result of
the refund to the payer, including the amount of the unauthorised payment transac-
tion. The burden will be on the payment initiation service provider to prove that,
within its sphere of competence, the payment transaction was authenticated, accurately
recorded and not affected by a technical breakdown or other deficiency linked to the pay-
ment service of which it is in charge.
Under Article 73(3) further financial compensation may now be sought in accordance with
the law applicable to the contract concluded between the payer and the payment initia-
tion service provider as well.
4.10.2. Payer’s Liability for Unauthorised Payment Transactions
Article 74(1) of PSD 2 reduces the liability of the payer for losses relating to any
unauthorised payment transactions resulting from the use of a lost or stolen payment
instrument or from the misappropriation of a payment instrument to a maximum of
EUR 50.
65
This will not apply if:
• the loss, theft or misappropriation of a payment instrument was not detectable to
the payer prior to a payment, except where the payer has acted fraudulently; or
• the loss was caused by acts or lack of action of an employee, agent or branch of a
payment service provider or of an entity to which its activities were outsourced
Article 74(2) introduces a new rule relating to liability in cases where strong custom-
er authentication is not applied. Thus, where the payer’s payment service provider
does not require strong customer authentication, the payer will not bear any financial
losses unless the payer has acted fraudulently. Where the payee or the payment service
provider of the payee fails to accept strong customer authentication, it will be obliged to
refund the financial damage caused to the payer’s payment service provider.
4.10.3. Refunds for Payment Transactions
The first subparagraph of Article 76(1) provides that a payer will be entitled to a refund
from the payment service provider of an authorised payment transaction which was initi-
ated by or through a payee and which has already been executed, if both of the follow-
ing conditions are met:
• the authorisation did not specify the exact amount of the payment transaction
when the authorisation was made;
• the amount of the payment transaction exceeded the amount the payer could
reasonably have expected taking into account the previous spending pattern, the
conditions in the framework contract and relevant circumstances of the case
The second subparagraph imposes the burden of proving such conditions are met on the
payer.
The credit value date for the payer’s payment account will have to be no later than the
date the amount was debited.
In addition, the forth subparagraph of the Article provides that for direct debits the
payer has an unconditional right to a refund within 10 business days of the time the
request for the refund is received by the payment service provider. This provision has re-
placed the rule set out in PSD 1, which allows the payer and his payment service provider
66
to agree in the framework contract that for direct debits the payer is entitled to a refund
from his payment service provider even though the conditions for refund are not met.
Paragraph 4 added to Article 76 allows Member States to require that for direct debits
in currencies other than euro, their payment service providers offer more favourable
refund rights in accordance with their direct debit schemes provided that they are more
advantageous to the payer (Article 76(4)).
4.10.4. Incorrect Unique Identifier
Paragraph 3 of the article on liability for non-execution or defective execution of a pay-
ment transaction in the case of incorrect unique identifier has been extended in PSD 2
to include the obligation of the payee’s payment service provider to cooperate with
the payer’s payment service provider in its efforts to recover the funds involved in
the payment transaction by communicating to the payer’s payment service provider all
relevant information for the collection of funds. It also obliges the payer’s payment service
provider, in the event that such collection of funds is not possible, to provide to the payer,
upon written request, all information available to the payer’s payment service provider
and relevant to the payer in order for the payer to file a legal claim to recover the funds
(Article 88(3)).
4.10.5. Payment Service Provider’s Liability for Non-execution, Defective or Late Execution of Payment transactions
In the context of payment service provider’s liability for non-execution, defective or late
execution of payment transactions PSD 2 provides clarification on refund credit value
date and makes the payment transaction tracing by the payer’s payment service provider
free of charge for the payer.
4.10.5.1. Credit Value Date
Article 89(1) of PSD 2 establishes credit value date rules relating to refunds in cases of
non-execution, defective or late execution of payment transactions.
Thus, where the payer’s payment service provider is liable for non-execution or defective ex-
ecution of a payment transaction, it will be obliged to refund to the payer the amount of the
67
non-executed or defective payment transaction with the credit value date for the payer’s
payment account being no later than the date on which the amount was debited.
Where the payee’s payment service provider is liable for non-execution or defective
execution of a payment transaction, it will be obliged to immediately place the amount of
the payment transaction at the payee’s disposal and, where applicable, credit the corre-
sponding amount to the payee’s payment account with the credit value date for the
payee’s payment account being no later than the date on which the amount would
have been value dated, had the transaction been executed correctly.
Where a payment transaction is executed late, the payee’s payment service provider will
be obliged to ensure, upon the request of the payer’s payment service provider acting on
behalf of the payer, that the credit value date for the payee’s payment account is no
later than the date the amount would have been value dated had the transaction
been executed correctly.
Where a payment order is initiated by or through the payee and in the case of a late
transmission of the payment order by the payee’s payment service provider, the amount
will have to be value dated on the payee’s payment account no later than the date
the amount would have been value dated had the transaction been correctly exe-
cuted (Article 89(2)).
Where the payee’s payment service provider is liable to the payee for incorrect handling
of the payment transaction, it must ensure that the amount of the payment transaction is
at the payee’s disposal immediately after that amount is credited to the payee’s payment
service provider’s account. The amount will have to be value dated on the payee’s pay-
ment account no later than the date the amount would have been value dated had the
transaction been correctly executed.
Where the payer’s payment service provider is liable to the payer for a payment order
initiated by or through the payee, the refund credit value date for the payer’s payment
account shall be no later than the date the amount was debited. The obligation of refund
will not apply to the payer’s payment service provider where the payer’s payment service
provider proves that the payee’s payment service provider has received the amount of
the payment transaction, even if execution of payment transaction is merely delayed. If
so, the payee’s payment service provider will be obliged to value date the amount on the
68
payee’s payment account no later than the date the amount would have been value dat-
ed had it been executed correctly.
In addition, payment service providers will be liable to their respective payment service
users for any charges for which they are responsible, and for any interest to which the
payment service user is subject as a consequence of non- execution or defective, includ-
ing late, execution of the payment transaction.
4.10.5.2. Tracing
The seventh subparagraph of Article 89(1) requires that in the case of a non-executed
or defectively executed payment transaction where the payment order is initiated by the
payer, the payer’s payment service provider, regardless of its liability for non-execution,
defective or late execution of the payment transaction, make immediate efforts to trace the
payment transaction and notify the payer of the outcome free of charge for the payer.
In the case of a non-executed or defectively executed payment transaction where the
payment order is initiated by or through the payee, the payee’s payment service provider
will be obliged, regardless of its liability, on request, to make immediate efforts to trace
the payment transaction and notify the payee of the outcome free of charge for the
payee (Article 89(2)).
4.10.6. Liability in the case of Payment Initiation Services
A new article has been added to PSD 2 concerning the liability in the case of payment initi-
ation services for non-execution, defective or late execution of payment transactions.
Thus, according to Article 90(1), where a payment order is initiated by the payer through a
payment initiation service provider, the account servicing payment service provider will
be obliged to refund to the payer the amount of the non-executed or defective pay-
ment transaction and, where applicable, restore the debited payment account to the state
in which it would have been had the defective payment transaction not taken place.
The burden will be on the payment initiation service provider to prove that the pay-
ment order was received by the payer’s account servicing payment service provider and
that within its sphere of competence the payment transaction was authenticated, accu-
69
rately recorded and not affected by a technical breakdown or other deficiency linked to
the non-execution, defective or late execution of the transaction.
Article 90(2) provides that if the payment initiation service provider is liable for the
non-execution, defective or late execution of the payment transaction, it will be obliged
to immediately compensate the account servicing payment service provider at its
request for the losses incurred or sums paid as a result of the refund to the payer.
4.10.7. Right of Recourse
Where the liability of a payment service provider for unauthorised payment transactions
and for non-execution, defective or late execution of payment transactions is attributable to
another payment service provider or to an intermediary, that payment service provider or
intermediary will be obliged to compensate the first payment service provider for any losses
incurred or sums paid under Articles 73 and 89. That includes compensation where any of
the payment service providers fail to use strong customer authentication.
4.11. Data Protection
PSD 2 introduces a large portion of new rules on personal data protection, operational
and security risks and authentication.
4.11.1. Personal Data Protection
Article 94(1) of PSD 2 requires that the provision of information to individuals about the
processing of personal data and the processing of such personal data and any other
processing of personal data by payment systems and payment service providers for the
purposes of PSD 2 be carried out in accordance with Directive 95/46/EC, the national
rules which transpose Directive 95/46/EC and with Regulation (EC) No 45/2001.
According to a new paragraph added to this article the explicit consent of the payment ser-
vice user is required in order for payment service providers to be permitted to access, process
and retain personal data necessary for the provision of their payment services (Article 94(2)).
70
4.11.2. Management of Operational and Security Risks
Article 95(1) obliges payment service providers to establish a framework with appropri-
ate mitigation measures and control mechanisms to manage the operational and
security risks, relating to the payment services they provide. As part of that frame-
work, payment service providers are required to establish and maintain effective inci-
dent management procedures, including for the detection and classification of major
operational and security incidents.
Payment service providers will have to provide to the competent authority on an annual
basis, or at shorter intervals as determined by the competent authority, an updated and
comprehensive assessment of the operational and security risks relating to the
payment services they provide and on the adequacy of the mitigation measures
and control mechanisms implemented in response to those risks (Article 95(2)).
EBA is expected to issue, by 13 July 2017, guidelines with regard to the establishment,
implementation and monitoring of the security measures, including certification pro-
cesses where relevant (Article 95(3)).
4.11.3. perational and Security Incident Reporting
The first paragraph of Article 96 on incident reporting requires that in the case of a ma-
jor operational or security incident, payment service providers, without undue delay,
notify the competent authority in the home Member State of the payment service
provider.
Where the incident has or may have an impact on the financial interests of its pay-
ment service users, the payment service provider must, without undue delay, inform
its payment service users of the incident and of all measures that they can take to
mitigate the adverse effects of the incident.
Upon receipt of the notification, the competent authority of the home Member State will
be obliged to provide, without undue delay, the relevant details of the incident to EBA and
to the ECB. That competent authority will, after assessing the relevance of the incident to
relevant authorities of that Member State, notify them accordingly.
71
EBA and the ECB will, in cooperation with the competent authority of the home Member
State, assess the relevance of the incident to other relevant EU and national authorities
and notify them accordingly. The ECB will notify the members of the European System of
Central Banks on issues relevant to the payment system.
On the basis of that notification, the competent authorities will be required, where appro-
priate, to take all of the necessary measures to protect the immediate safety of the finan-
cial system (Article 96(2)).
Under Article 96(6), payment service providers will also be required to provide, at least on
an annual basis, statistical data on fraud relating to different means of payment to
their competent authorities. The competent authorities will then pass on such data in an
aggregated form to the EBA and the ECB.
Under Article 96(3), EBA is to issue by 13 January 2018, guidelines addressed to payment
service providers on the classification of major operational and security incidents,
and on the content, the format, including standard notification templates, and the proce-
dures for notifying such incidents; and guidelines addressed to competent authorities on
the criteria on how to assess the relevance of the incident and the details of the incident
reports to be shared with other domestic authorities.
4.11.4. Strong Customer Authentication
Article 97(1) defines cases where strong customer authentication must be applied by
the payment service provider. Thus, a payment service provider will have to apply strong
customer authentication where the payer:
• accesses its payment account online;
• initiates an electronic payment transaction;
• carries out any action through a remote channel which may imply a risk of pay-
ment fraud or other abuses
With regard to the initiation of electronic payment transactions, for electronic remote
payment transactions, payment service providers will be required to apply strong custom-
er authentication that includes elements which dynamically link the transaction to a
specific amount and a specific payee (Article 97(2)).
72
In the context of strong customer authentication payment service providers will have to
have in place adequate security measures to protect the confidentiality and integri-
ty of payment service users’ personalised security credentials (Article 97(3)).
Paragraphs 2 and 3 also apply where payments are initiated through a payment initia-
tion service provider.
Paragraphs 1 and 3 also apply when the information is requested through an account
information service provider.
The account servicing payment service provider will have to allow the payment initiation
service provider and the account information service provider to rely on the authentica-
tion procedures provided by the account servicing payment service provider to the pay-
ment service user in accordance with paragraphs 1 and 3 and, where the payment initia-
tion service provider is involved, in accordance with paragraphs 1, 2 and 3 (Article 97(5)).
Requirements of the strong customer authentication, exemptions from the application
of these requirements, requirements for the confidentiality and the integrity of the pay-
ment service users’ personalised security credentials and requirements for common and
secure open standards of communication between the industry actors will be defined
by the EBA in draft regulatory technical standards (RTS) by 13 January 2017 (for more
information on EBA’s role under PSD 2, see the relevant section below).
4.12. Alternative Dispute Resolution (ADR) Procedures
PSD 2 has significantly extended the provisions regarding the settlement of disputes.
4.12.1. Complaints
Article 99(1) of PSD 2 provides that payment service users may complain about payment
service providers’ alleged infringements of PSD 2 rather than provisions of national law
implementing the provisions of PSD 1.
73
4.12.2. Competent Authorities
Member States will be required to designate competent authorities to ensure and
monitor effective compliance with PSD 2. Those competent authorities will be respon-
sible for taking all appropriate measures to ensure such compliance (Article 100(1)).
They will be either:
• competent authorities within the meaning of Article 4(2) of Regulation (EU) No
1093/2010; or
• bodies recognised by national law or by public authorities expressly empowered
for that purpose by national law
They must not be payment service providers, with the exception of national central banks.
The authorities will possess all powers and adequate resources necessary for the per-
formance of their duties. Where more than one competent authority is empowered to
ensure and monitor effective compliance with PSD 2, Member States will be required to
ensure that those authorities collaborate closely so that they can discharge their respec-
tive duties effectively (Article 100(2)).
The competent authorities will exercise their powers in accordance with national law either:
• directly under their own authority or under the supervision of the judicial authori-
ties; or
• by application to courts which are competent to grant the necessary decision,
including, where appropriate, by appeal, if the application to grant the necessary
decision is not successful
Member States are required to notify the European Commission of the designated com-
petent authorities as soon as possible and in any event by 13 January 2018, including of
any division of duties of those authorities. Any subsequent change concerning the des-
ignation and respective competences of those authorities will have to be notified to the
European Commission immediately (Article 100(5)).
Article 100(6) provides for guidelines on the complaints procedures addressed to the
competent authorities to be issued by the EBA by 13 January 2018.
74
4.12.3. Dispute Resolution
Article 101(1) requires that payment service providers put in place and apply adequate
and effective complaint resolution procedures for the settlement of complaints of
payment service users concerning the rights and obligations arising under PSD 2 and be
responsible for monitoring their performance in that regard.
Those procedures must be applied in every Member State where the payment service
provider offers the payment services and must be available in an official language of
the relevant Member State or in another language if agreed between the payment ser-
vice provider and the payment service user.
Article 101(2) establishes rules to be followed by payment service providers when dealing
with complaints. Thus, payment service providers will be required to make every possible
effort to reply, on paper or, if agreed between payment service provider and payment
service user, on another durable medium, to the payment service users’ complaints.
Such a reply must address all points raised, within an adequate timeframe and at the
latest within 15 business days of receipt of the complaint. In exceptional situations, if
the answer cannot be given within 15 business days for reasons beyond the control of
the payment service provider, it will be required to send a holding reply, clearly indicat-
ing the reasons for a delay in answering to the complaint and specifying the deadline by
which the payment service user will receive the final reply. In any event, the deadline
for receiving the final reply must not exceed 35 business days.
Member States are allowed to introduce or maintain rules on dispute resolution proce-
dures that are more advantageous to the payment service user than those mentioned
above. Where they do so, those rules will apply.
The payment service provider will have to inform the payment service user about at least
one alternative dispute resolution (ADR) entity which is competent to deal with dis-
putes concerning the rights and obligations arising under PSD 2 (Article 101(3)).
The information about competent ADR entities must be mentioned in a clear, com-
prehensive and easily accessible way on the website of the payment service provider,
where one exists, at the branch, and in the general terms and conditions of the contract
75
between the payment service provider and the payment service user. It must specify how
further information on the ADR entity concerned and on the conditions for using it can be
accessed (Article 101(4)).
4.12.4. ADR Procedures
Member States are required to ensure that adequate, independent, impartial, transpar-
ent and effective ADR procedures for the settlement of disputes between payment ser-
vice users and payment service providers concerning the rights and obligations arising
under PSD 2 are established according to the relevant national and European Union law
in accordance with Directive 2013/11/EU of the European Parliament and the Council on
alternative dispute resolution for consumer disputes, using existing competent bod-
ies where appropriate. Member States must ensure that ADR procedures are applicable
to payment service providers and that they also cover the activities of appointed repre-
sentatives.
Member States will ensure that the bodies mentioned above cooperate effectively for the
resolution of cross-border disputes concerning the rights and obligations arising under
PSD 2.
Competent authorities will be allowed to disclose to the public any administrative
penalty that is imposed for infringement of the measures adopted in the transposition of
PSD 2, unless such disclosure would seriously jeopardise the financial markets or cause
disproportionate damage to the parties involved.
4.13. The Role of European Banking Authority (EBA) under PSD 2
Under PSD 2, a key role has been given to the European Banking Authority (EBA) in:
• ensuring consistent application of PSD 2;
• guaranteeing fair competition in the payments market;
76
• promoting cooperation, including the sharing of information, in the area of oper-
ational and security risks associated with payment services among the competent
authorities;
• increasing customer protection;
• enhancing transparency of the operation of payment institutions;
• resolving disputes between competent authorities in the context of cross-border
cooperation
In order to fulfil this role, the EBA has been given the responsibility for the development,
operation and maintenance of an electronic central register of payment service pro-
viders, for the elaboration of guidelines and preparation of draft regulatory technical
standards on the relevant aspects of PSD 2. These will be key to achieving goals of PSD 2.
4.13.1. EBA’s Guidelines
The EBA is empowered by Reg. (EU) No 1093/2010 to issue guidelines and recommen-
dations addressed to competent authorities or financial institutions with a view to estab-
lishing consistent, efficient and effective supervisory practices within the European Sys-
tem of Financial Supervision (ESFS), and to ensuring the common, uniform and consistent
application of the European Union law.
Article 16(3) of Reg. (EU) No 1093/2010 obliges the competent authorities and financial
institutions to make every effort to comply with those guidelines and recommendations.
Under PSD 2, EBA is to issue the following guidelines addressed to payment service
providers.
In the context of authorisation of payment institutions (Article 5), EBA is to issue by 13
July 2017 guidelines concerning the information to be provided to the competent author-
ities in the application for the authorisation of payment institutions (Article 5(5)). EBA will
be required to review those guidelines on a regular basis and in any event at least every
3 years.
In the context of operational and security risks (Article 95), EBA is to issue by 13 Janu-
ary 2018 guidelines on the classification of major operational and security incidents and
77
on the content, the format, including standard notification templates, and the procedures
for notifying such incidents (Article 96(3)). EBA will be required to review these guidelines
on a regular basis and in any event at least every 2 years.
Article 96(5) requires that, while issuing and reviewing these guidelines, EBA take into
account standards and / or specifications developed and published by the European
Union Agency for Network and Information Security for sectors pursuing activities
other than payment service provision.
EBA is to issue the following guidelines addressed to competent authorities.
In the context of authorisation of payment institutions (Article 5), EBA is to issue by
13 January 2017 guidelines on the criteria on how to stipulate the minimum monetary
amount of the professional indemnity insurance or other comparable guarantee referred
to in paragraphs 2 and 3 of Article 5 of PSD 2 (Article 5(4)).
In developing these guidelines EBA will take account of the following:
• the risk profile of the undertaking;
• whether the undertaking provides other payment services listed in Annex I to PSD
2 or is engaged in other business;
• the size of the activity:
° for undertakings that apply for authorisation to provide payment initiation
services, the value of the transactions initiated;
° for undertakings that apply for registration to provide account information
services, the number of clients that make use of the payment service;
• the specific characteristics of comparable guarantees and the criteria for their
implementation
EBA will be required to review those guidelines on a regular basis.
In the context of operational and security risks (Article 95), EBA is to issue by 13 July 2017
guidelines with regard to the establishment, implementation and monitoring of the security
measures, including certification processes where relevant (Article 95(3)). EBA will be required
to review these guidelines on a regular basis and in any event at least every 2 years.
78
EBA will also issue by 13 January 2018 guidelines on the criteria on how to assess the
relevance of the incident and the details of the incident reports to be shared with other
domestic authorities (Article 96(3)). EBA will be required to review the guidelines on a reg-
ular basis and in any event at least every 2 years.
In the context of dispute resolution, EBA is to issue by 13 January 2018 guidelines on
the complaints procedures to be taken into consideration to ensure compliance with
PSD 2. EBA will be required to update these guidelines on a regular basis, as appropriate
(Article 100(6)).
4.13.2. Regulatory Technical Standards
According to Article 10 of Reg. (EU) No 1093/2010, where the European Parliament and
the Council delegate power to the European Commission to adopt regulatory technical
standards by means of delegated acts in order to ensure consistent harmonisation in the
areas specifically set out in the legislative acts, the EBA may develop draft regulatory tech-
nical standards (RTS). The draft standards will then have to be submitted to the European
Commission for endorsement. Within 3 months of receipt of a draft regulatory technical
standard, the European Commission is required to decide whether to endorse it.
Regulatory technical standards are technical in nature, do not imply strategic decisions
or policy choices, and their content is delimited by the legislative acts on which they are
based.
The purpose of regulatory technical standards to be developed under PSD 2 is to ensure
a level playing field and adequate protection of consumers in the payment services indus-
try across the European Union.
The EBA is to develop a set of draft regulatory technical standards on a number of crucial
aspects of PSD 2.
In the context of authorisation of payment institutions, Article 5(6) provides that EBA,
taking into account experience acquired in the application of the relevant guidelines, may
develop draft regulatory technical standards specifying the information to be provided to
the competent authorities in the application for the authorisation of payment institutions,
including the requirements for:
79
• a programme of operations;
• a business plan;
• evidence that the payment institution holds initial capital;
• a description of the applicant’s governance arrangements and internal control
mechanisms;
• a description of the process in place to file, monitor, track and restrict access to
sensitive payment data;
• a description of business continuity arrangements;
• a description of the principles and definitions applied for the collection of statisti-
cal data on performance, transactions and fraud; and
• a security policy document
Then, the draft regulatory technical standards will have to be submitted to the European
Commission for adoption.
For the purpose of developing, operating and maintaining the electronic central reg-
ister, Article 15(4) requires that EBA develop draft regulatory technical standards
setting technical requirements on development, operation and maintenance of the elec-
tronic central register and on access to the information contained therein. The technical
requirements must ensure that modification of the information is only possible by the
competent authority and EBA. EBA is to submit these draft regulatory technical standards
to the European Commission for endorsement by 13 January 2018.
In the same context, EBA is required to develop draft implementing technical stan-
dards on the details and structure of the information to be notified by the competent
authorities to EBA, including the common format and model in which this information
is to be provided. EBA is to submit those draft implementing technical standards to the
European Commission for endorsement by 13 July 2017.
In the context of exercising the right of establishment and freedom to provide ser-
vices by payment service providers, EBA is to develop draft regulatory technical stan-
dards specifying the framework for cooperation, and for the exchange of information,
between competent authorities of the home and of the host Member State. Those draft
regulatory technical standards will specify the method, means and details of cooper-
80
ation in the notification of payment institutions operating on a cross-border basis
and, in particular, the scope and treatment of information to be submitted, including
common terminology and standard notification templates to ensure a consistent and
efficient notification process. EBA is to submit those draft regulatory technical standards
to the European Commission for adoption by 13 January 2018 (Article 28(5)).
In the context of supervision of payment institutions exercising the right of estab-
lishment and freedom to provide services, Article 29(5) requires that EBA develop draft
regulatory technical standards specifying the criteria to be applied when determining, in
accordance with the principle of proportionality, the circumstances when the appointment
of a central contact point is appropriate, and the functions of those contact points.
Those draft regulatory technical standards must, in particular, take account of:
• the total volume and value of transactions carried out by the payment institution
in host Member States;
• the type of payment services provided; and
• the total number of agents established in the host Member State
EBA is to submit those draft regulatory technical standards to the European Commission
for adoption by 13 January 2017.
In addition, EBA will develop draft regulatory technical standards specifying the frame-
work for cooperation, and for the exchange of information, between the competent
authorities of the home Member State and of the host Member State in accordance with
Title II (Payment Service Providers) and to monitor compliance with the provisions of
national law transposing Titles III (Transparency of Conditions and Information Require-
ments for Payment Services) and IV (Rights and Obligations in relation to the Provision
and Use of Payment Services).
The draft regulatory technical standards will specify the method, means and details of
cooperation in the supervision of payment institutions operating on a cross-border
basis and, in particular, the scope and treatment of information to be exchanged, to en-
sure consistent and efficient supervision of payment institutions exercising cross-border
provision of payment services. Those draft regulatory technical standards will also specify
the means and details of any reporting requested by host Member States from pay-
81
ment institutions on the payment business activities carried out in their territories, includ-
ing the frequency of such reporting (Article 29(6)).
EBA is to submit those draft regulatory technical standards to the European Commission
for adoption by 13 January 2018.
In the context of management of operational and security risks, Article 95(4) provides
that EBA, taking into account experience acquired in the application of the guidelines
on the establishment, implementation and monitoring of the security measures, will be
obliged, where requested to do so by the European Commission as appropriate, to
develop draft regulatory technical standards on the criteria and on the conditions for
establishment, and monitoring, of security measures.
In the context of authentication and communication, Article 98(1) requires that EBA
develop draft regulatory technical standards addressed to payment service providers
specifying:
• the requirements of the strong customer authentication;
• the exemptions from the application of those requirements based on the criteria
set out in Article 98(3);
• the requirements with which security measures have to comply in order to protect
the confidentiality and the integrity of the payment service users’ personalised
security credentials; and
• the requirements for common and secure open standards of communication
for the purpose of identification, authentication, notification, and information, as
well as for the implementation of security measures, between account servicing
payment service providers, payment initiation service providers, account informa-
tion service providers, payers, payees and other payment service providers
These draft regulatory technical standards will be developed by EBA in order to:
• ensure an appropriate level of security for payment service users and payment
service providers, through the adoption of effective and risk-based requirements;
• ensure the safety of payment service users’ funds and personal data;
• secure and maintain fair competition among all payment service providers;
82
• ensure technology and business-model neutrality;
• allow for the development of user-friendly, accessible and innovative means of
payment
EBA is to submit these draft regulatory technical standards to the European Commission
for endorsement by 13 January 2017.
EBA will be required to review and, if appropriate, update the regulatory technical stan-
dards on a regular basis in order, inter alia, to take account of innovation and technologi-
cal developments.
When developing regulatory technical standards on authentication and communication,
EBA will systematically assess and take into account the privacy dimension, in order to
identify the risks associated with each of the technical options available and the remedies
that could be put in place to minimise threats to data protection.
In general, when developing guidelines, draft regulatory technical standards and
draft implementing technical standards, EBA will be required to ensure that it con-
sults all relevant stakeholders, including those in the payment services market, reflecting
all interests involved. If necessary for getting a proper balance of views, EBA will make a
particular effort to obtain the views of relevant non-bank actors. EBA will pay particular
attention to the fact that the standards to be applied are to allow for the use of all com-
mon types of devices (such as computers, tablets and mobile phones) for carrying out
different payment services.
The regulatory technical standards are adopted by means of regulations or decisions.
They are published in the Official Journal of the European Union and enter into force
on the date stated therein.
4.14. Impact of PSD 2 on Existing Industry Actors
Until 13 January 2018, the date when PSD 2 comes into effect, the payment market play-
ers will have to follow the rules set out in Article 109 (Transitional Provision) of PSD 2.
83
4.14.1. Impact on Existing Payment Institutions
4.14.1.1. Authorised Payment Institutions
Article 109(1) allows payment institutions that have taken up activities in accordance
with the national law transposing Directive 2007/64/EC (PSD 1) by 13 January 2018, to
continue those activities in accordance with the requirements provided for in Directive
2007/64/EC without being required to seek authorisation in accordance with Article 5
of Directive (EU) 2015/2366 (PSD 2) or to comply with the other provisions of Title II (Pay-
ment Service Providers) of PSD 2 until 13 July 2018.
Such payment institutions will be required to submit all relevant information to their com-
petent authorities in order to allow the latter to assess, by 13 July 2018, whether those
payment institutions comply with the requirements of Title II (Payment Service Providers)
of PSD 2 and, if not, which measures need to be taken in order to ensure compliance or
whether a withdrawal of authorisation is appropriate.
Payment institutions which upon verification by the competent authorities comply with
the new requirements will be granted authorisation and entered in the registers. Where
those payment institutions do not comply by 13 July 2018, they will be prohibited from
providing payment services.
Payment institutions may automatically be granted authorisation and entered in the
registers, if the competent authorities already have evidence that the requirements of
Articles 5 (Applications for Authorisation) and 11 (Granting of Authorisation) are complied
with. The competent authorities will inform the payment institutions concerned before
the authorisation is granted.
Article 109(5) provides that payment institutions that have been granted authorisation
to provide payment services as referred to in point (7) of the Annex to PSD 1 will
retain that authorisation for the provision of those payment services which are con-
sidered to be payment services as referred to in point (3) of the Annex I to PSD 2
where, by 13 January 2020, the competent authorities have the evidence that the re-
quirements of point (c) of Article 7 (Initial Capital) and Article 9 (Calculation of Own Funds)
of PSD 2 are complied with.
84
4.14.1.2. Registered / Small Payment Institutions
According to Article 109(3), natural or legal persons who benefited from the waiver /
exemption under Article 26 of PSD 1 (registered / small payment institutions) before 13
January 2018, and pursued payment services activities within the meaning of PSD 1, will
be allowed to continue those activities within the Member State concerned in accor-
dance with Directive 2007/64/EC, until 13 January 2019 without being required to seek
authorisation under PSD 2, or to obtain an exemption pursuant to Article 32 of PSD 2, or
to comply with the other provisions of Title II of PSD 2.
Any such person who has not, by 13 January 2019, been authorised or exempted under
PSD 2 will be prohibited from providing payment services.
Natural and legal persons benefiting from an exemption under PSD 1 may be allowed to
be deemed to benefit from an exemption under PSD 2 and automatically entered in the
registers where the competent authorities have evidence that the requirements of Article
32 of PSD 2 are complied with. The competent authorities will inform the payment institu-
tions concerned.
4.14.2. Impact on Electronic Money Institutions
PSD 2 introduces a number of amendments to Directive 2009/110/EC on the taking up,
pursuit and prudential supervision of the business of electronic money institutions (EMD)
by means of Article 111.
Thus, amended Article 3(1) of EMD provides that Article 5 (Applications for Authorisation),
Articles 11 to 17 (Granting of Authorisation; Communication of the Decision; Withdrawal
of Authorisation; Registration in the Home Member State; EBA Register; Maintenance of
Authorisation; Accounting and Statutory Audit), Article 19(5) and (6) on the use of agents,
branches or entities to which activities are outsourced and Articles 20 to 31 (Liability;
Record-keeping; Designation of Competent Authorities; Supervision; Professional Secre-
cy; Right to Apply to the Courts; Exchange of Information; Settlement of Disagreements
between Competent Authorities of Different Member States; Application to Exercise the
Right of Establishment and Freedom to Provide Services; Supervision of Payment Institu-
tions Exercising the Right of Establishment and Freedom to Provide Services; Measures
in case of Non-compliance, including Precautionary Measures; Reasons and Communica-
tion) of PSD 2, including the delegated acts adopted under Article 15(4), Article 28(5)
85
and Article 29(7) thereof, will apply to electronic money institutions mutatis mutandis.
According to amended by PSD 2 Article 3(4) of EMD, electronic money institutions will
be allowed to distribute and redeem electronic money through natural or legal persons
which act on their behalf. Where the electronic money institution distributes electronic
money in another Member State by engaging such a natural or legal person, Articles 27
to 31 of PSD 2 (Settlement of Disagreements between Competent Authorities of Different
Member States; Application to Exercise the Right of Establishment and Freedom to Pro-
vide Services; Supervision of Payment Institutions Exercising the Right of Establishment
and Freedom to Provide Services; Measures in case of Non-compliance, including Precau-
tionary Measures; Reasons and Communication), with exception of Article 29(4) and
(5), including the delegated acts adopted in accordance with Article 28(5) and Article 29(7)
thereof, will apply mutatis mutandis to such electronic money institution.
Electronic money institutions will be allowed to provide payment services referred to in
point (a) of Article 6(1) of EMD through agents subject to the conditions laid down in
Article 19 (Use of agents, branches or entities to which activities are outsourced) of PSD
2 (Article 3(5) of EMD as amended by Article 111 of PSD 2).
Article 111 of PSD 2 also adds a new paragraph to Article 18 of EMD. Thus, paragraph
4 allows electronic money institutions that have, before 13 January 2018, taken up ac-
tivities in accordance with EMD and with PSD 1 in the Member State in which their head
office is located to continue those activities in that Member State or in another Member
State without being required to seek authorisation in accordance with Article 3 of
EMD or to comply with other requirements laid down or referred to in Title II (Require-
ments for the Taking up, Pursuit and Prudential Supervision of the Business of Electronic
Money Institutions) of EMD until 13 July 2018.
Electronic money institutions will be required to submit all relevant information to
the competent authorities in order to allow the later to assess, by 13 July 2018, wheth-
er those electronic money institutions comply with the new requirements, and, if not,
which measures need to be taken in order to ensure compliance or whether a withdrawal
of authorisation is appropriate.
Electronic money institutions, which upon verification by the competent authorities, com-
ply with the requirements of Title II will be granted authorisation and entered in the regis-
86
ter. Where those electronic money institutions do not comply with the requirements of
Title II by 13 July 2018 they will be prohibited from issuing electronic money.
4.14.3. Impact on Existing Unregulated PISPs and AISPs
Legal persons that have performed in their territories, before 12 January 2016, activities
of payment initiation service providers and account information service providers within
the meaning of PSD 2, will not be forbidden to continue to perform the same activities in
their territories during the transitional period referred to in paragraphs 2 and 4 of Article
115 in accordance with the currently applicable regulatory framework (Article 115(5)).
4.14.4. Impact on Account Servicing Payment Service Providers
Until individual account servicing payment service providers comply with the regulatory
technical standards on security measures, they must not abuse their non-compliance to
block or obstruct the use of payment initiation and account information services for the
accounts that they are servicing (Article 115(6)).
5. Next Steps
5.1. Transposition
The current Payment Services Directive (Directive 2007/64/EC) will be repealed from 13
January 2018.
Member States are required to adopt and publish the measures necessary to comply
with PSD 2 by 13 January 2018 and apply those measures from 13 January 2018 (Article
115(1) and (2)).
87
Member States must ensure the application of the security measures referred to in:
• Article 65 (Confirmation on the Availability of Funds);
• Article 66 (Rules on Access to Payment Account in the case of Payment Initiation
Services);
• Article 67 (Rules on Access to and Use of Payment Account Information in the case
of Account Information Services), and
• Article 97 (Authentication)
from 18 months after the date of entry into force of the regulatory technical stan-
dards referred to in Article 98.
5.2. EBA Guidelines and Regulatory Technical Standards
To fulfil its mandate under PSD 2 and Interchange Fee Regulation (IFR) to develop require-
ments that will harmonise regulatory and supervisory practices in the field of payment
services across the EU, the EBA launched the preparation process before the official
publications of the revised Payment Services Directive by issuing Discussion and Consul-
tation Papers to collect views and responses of the parties concerned.
The Directive confers on the EBA the development of six technical standards and five sets
of guidelines.
The EBA has already launched a discussion on draft regulatory technical standards on
strong customer authentication and secure communication and two consultations –
one on draft technical standards on the framework for cooperation and exchange of
information between competent authorities for passporting under PSD 2 and the other
on draft technical standards on the separation of payment card schemes and processing
entities under Article 7(6) of the Interchange Fee Regulation (IFR).
The RTS on strong customer authentication and secure communication, on which the
88
EBA has issued a Discussion Paper, is key to achieving the objective of the PSD 2 of en-
hancing consumer protection, promoting innovation and improving the security of pay-
ment services across the European Union.
The EBA will assess the views received on the identified issues and on the potential clari-
fications suggested, and use them as input for the development of the draft RTS, which it
will publish in summer 2016, for a consultation period of three months.
The final draft RTS on the framework for cooperation and exchange of information
between competent authorities for passporting and on separation of payment card
schemes and processing entities are expected to be published in Q2 of 2016.
Then the draft RTS are to be submitted to the European Commission, which will have 3
months to adopt them.
ADVAPAY follows closely the latest developments in the payments industry and will keep
you updated. Stay with us for more information.