- The Payment Services Directive (PSD) is the legal framework for the EU payments market, intended to establish safer and more innovative payment services across the EU.
- PSD was adopted in the EU in 2007. Its aim is to make cross-border payments easy, efficient and secure.
- The purpose of the directive was to make it easy for third party payment providers (TPPs) to enter the market, which would result in more competition and more choice for customers. It offers transparency of information to TPPs.
- Although these service providers brought innovation and competition, providing more, and often cheaper, alternatives for Internet payments, they were not regulated. In addition, the member states regulated payment-related activities differently, which resulted in regulatory arbitrage and legal non-compliance.
- PSD2 is the revised directive: it updates and complements the EU rules put in place by the Payment Services Directive (2007/64/EC).
- In July 2013 the European Commission proposed to revise the Payment Services Directive to modernize it while taking into account new types of payment services. The proposal included more regulation so as to have a more integrated and efficient European payments market, make payments safer and more secure, protect consumers and encourage lower prices for payment services.
- The revised directive increases competition in the electronic payment market among legally regulated providers, which gives consumers more and better choices.
- Payment initiation services establish a payment link between the payer and the merchant via the payer’s online banking module.
- The new Directive covers issues such as the confidentiality, liability and security of such transactions.
- Also, PSD2 will put a ban on surcharging for card payments both online and in shops. That is, merchants will no longer be allowed to surcharge consumers for using their payment card.
- Consumers will be better protected against fraud and other abuses and payment incidents, with improved security measures in place.
- PSD2 provides a legislative basis for the unconditional refund right.
- Member States must designate competent authorities to handle complaints from payment service users and other interested parties.
- The new rules oblige payment service providers to answer any complaint in written form within 15 business days.
- The Directive aims to help develop the EU market for electronic payments, which will enable consumers, retailers and other market players to enjoy the full benefits of the EU internal market.
- Due to many barriers across different member states, it was complicated for TPPs to enter the market. With these barriers removed, more competition is expected with new players entering new markets and offering cheaper solutions for payments.
- New security requirements under PSD2 will make sure that all payment service providers take security measures for online payments.
- The new rules also apply to payments made in a currency that is not the euro or another Member State’s currency.
- While PSD was only applicable to intra-EU payments, PSD2 extends the information obligations to payments to and from third countries where one of the payment service providers (primarily banks) is located in the European Union.
- The host Member State can ask payment institutions operating with agents and branches in its territory to report regularly on their activities. In an emergency requiring immediate action, the host Member State can also help the branch’s Member State to find a solution.
- Under PSD2, Member States require a payment institution that provides cross-border payment services to set up a central contact point if it operates with agents or branches established in their territory. The central contact point is responsible for adequate communication and information with regard to the activities of the payment institution in the host territory.
For payment institutions, access to a payment account maintained by a credit institution is vital for the operation of their business. PSD2 provides specifically that Member States have to ensure that credit institutions do not block or hinder access to payment accounts, and that payment institutions have access to credit institutions’ payment account services in an objective, non-discriminatory and proportionate manner. This aspect is very relevant for money remittance services, as many of them have lost access to the banking system in recent years.
- Strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction. Strong customer authentication is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the use of a fingerprint or voice recognition) to validate the user or the transaction. These elements are independent and designed in such a way as to protect the confidentiality of the authentication data. Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction.
- The PSD2 text introduces strict security requirements for the initiation and processing of electronic payments. This stricter approach on security should contribute to reducing the risk of fraud and protect the confidentiality of the user’s data.
- However, exemptions to the principle of strong customer authentication (SCA) are possible, as it is not always necessary and convenient to request the same level of security from all payment transactions. These exemptions will be defined by the European Banking Authority (EBA) and adopted by the European Commission, taking account of the risk involved, the value of transactions and the channels used for the payment.
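The two-distinct-categories rule described above is easy to get wrong in practice (a password plus a PIN is still only one category). The following added example, not part of the original page, models that rule; the `exemption_applies` input is a hypothetical stand-in for an EBA-defined exemption decision, and the sample elements are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Set, Tuple

class Category(Enum):
    """The three PSD2 SCA element categories."""
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user possesses (card, OTP device)
    INHERENCE = "inherence"    # something the user is (fingerprint, voice)

@dataclass(frozen=True)
class Element:
    """One authentication element presented for a transaction."""
    name: str
    category: Category
    verified: bool  # whether the provider actually verified this element

def sca_categories(elements: Iterable[Element]) -> Set[Category]:
    """Distinct categories among the elements that verified successfully."""
    return {e.category for e in elements if e.verified}

def satisfies_sca(elements: Iterable[Element]) -> bool:
    """SCA requires two or more verified elements from *different* categories.
    Password + PIN (both knowledge) therefore does not satisfy SCA."""
    return len(sca_categories(elements)) >= 2

def authenticate(elements: Iterable[Element],
                 exemption_applies: bool = False) -> Tuple[bool, str]:
    """Decide whether an electronic payment may proceed.
    exemption_applies is a hypothetical input standing in for an
    EBA-defined exemption (risk, value, channel); its rules are not modelled."""
    elements = list(elements)
    if exemption_applies:
        return True, "SCA exemption applied"
    if satisfies_sca(elements):
        cats = sorted(c.value for c in sca_categories(elements))
        return True, "SCA satisfied with " + "+".join(cats)
    return False, "SCA not satisfied: need two distinct categories"

# Constructed sample elements (not real credentials or data)
PASSWORD = Element("online banking password", Category.KNOWLEDGE, True)
PIN = Element("card PIN", Category.KNOWLEDGE, True)
OTP_DEVICE = Element("OTP token code", Category.POSSESSION, True)
FINGERPRINT = Element("fingerprint", Category.INHERENCE, True)
FAILED_OTP = Element("OTP token code", Category.POSSESSION, False)

if __name__ == "__main__":
    for label, els in [("password+pin", [PASSWORD, PIN]),
                       ("password+otp", [PASSWORD, OTP_DEVICE]),
                       ("password+failed otp", [PASSWORD, FAILED_OTP])]:
        print(label, authenticate(els))
```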
- PSD2 opens possibilities for “payment initiation services” to operate across the EU and to compete on an equal basis with other regulated players in the market, such as banks, with a proper legal framework.
- PSD2 provides a common framework with clear conditions under which these providers can access financial information on behalf of their clients. This allows these service providers to operate without hindrance and to reach a broader audience.
Financial institutions need to deliver the right set of capabilities to meet the PSD2 requirements. They have to support the technology standards and provide extensibility within the framework to integrate with existing banking identity systems and systems of record. The three key flows are:
- TPP onboarding for registering and obtaining API credentials
- Executing payments using a two-step approach (registering intent and payment submission)
- Retrieving the status of a payment submission.
The APIs developed by banks for PSD2 are not a routine IT management issue within banks. An API is not a piece of software, so the IT team that manages a bank’s software is not a logical choice to manage the PSD2 API suite. The IT team that manages a bank’s servers is not a logical choice either, because a server is not an API (although a server can host APIs that expose the functions the server provides). So any financial institution that has to comply with the revised payment services directive needs to collaborate with fintechs in order to leverage the benefits that each can bring to the table and create customer-centric solutions. This collaboration has led to the emergence of Open Banking and APIs, using customer data and innovations to create new revenue streams and more contextual services.
- PSD2 provisions ensure that providers of payment initiation services (PIS) and account information services (AIS) that are already established in the market can continue to perform their activities in accordance with the currently applicable regulatory framework.
- As PIS and AIS are new payment services recognized in PSD2, existing and new providers of such services need to apply for authorization under the PSD2 regime from the date of application of the new Directive.
- Furthermore, because the new security measures of PSD2 regarding strong customer authentication and standards for secure communication will become applicable later than other provisions, PIS and AIS providers that seek authorization under PSD2 are not required to submit proof of compliance with these security requirements until that later date. In case banks do not comply on time with the security requirements and standards for secure communication, they cannot use this non-compliance to hinder or obstruct the use of PIS and AIS.
- Under the current PSD, payments made through a telecom operator are not covered, where the telecom operator acts as an intermediary between the consumer and the payment service provider (by operator billing or direct to phone-bill purchases). Under PSD2, the purchase of physical goods and services through a telecom operator now falls within the scope of the Directive.
- Under the new rules, the exclusion for payments through telecom operators has also been further specified and narrowed down. The exclusion now covers only payments made through telecom operators for the purchase of digital services such as music and digital newspapers that are downloaded on a digital device or of electronic tickets or donations to charities.
- In order to avoid exposing payers to substantial financial risk, only payments under a certain threshold are excluded (€50 per transaction; €300 per billing month). Telecom operators that engage in such an activity shall notify the competent authorities, on an annual basis, that they comply with these limits. The activity will also be listed in the public registers.
GDPR does not mention PSD2, whereas PSD2 has an entire chapter on data protection. That chapter refers to the data protection regulations of 1994 and 2001 and does not acknowledge the existence of the GDPR, nor does it refer to potential future regulations. Much more is actually written in the preamble, but it is still all about compliance with regulations that will no longer be in force at the time PSD2 is to be implemented.
The two common elements in both regulations are “customer consent” and “data privacy”. In the end the power is with the customer: if they decide to share their data, nobody can challenge that.
On one side PSD2 emphasizes sharing data with payment service providers; on the other, GDPR concentrates on protecting the same data from any TPPs. GDPR requires customer consent for processing; PSD2 for sharing with other institutions, for which the account servicing payment service provider (ASPSP) is not the controller (see “controller” in GDPR). The relation to the regulations on identity and trust services is virtually missing from both GDPR and PSD2. The “PSD2GDPR Forum” will examine whether these two upcoming regulations are friends or foes.