What is the new regime?
Perhaps the most important change of PSD2 is the introduction of two new acronyms: payment initiation service providers (PISPs) and account information service providers (AISPs). The former refers to companies that facilitate payments between individual accounts without the intermediation of payment aggregators or card schemes. A PISP could, for example, securely process a customer’s request to send money directly from their bank account to an online retailer. AISPs are companies that aggregate multiple bank accounts into one system to help customers keep track of their personal finances. The providers of these accounts (such as banks) are referred to as account servicing payment service providers (ASPSPs).
In addition to capturing these new activities, PSD2 makes a number of additional changes, including:
- Enhanced Scope: Certain transparency provisions of PSD have been extended to all currencies, and, notably, payment transactions that are initiated or terminated outside the EU (also known as one-leg transactions).
- Surcharges: Now conditioned on the requirement that charges do not exceed the costs borne by the payee for the use of a specific payment instrument.
- Strong Customer Authentication: PSD2 provides a definition of ‘strong’ authentication for the purpose of new regulatory requirements surrounding security and data protection.
- Refunds & Liability: Strengthens consumers’ refund rights and establishes under what conditions ASPSPs and PISPs are liable.
- Unauthorised Transactions: Reduces customers’ personal liability for unauthorised transactions due to lost, stolen or misappropriated payment instruments to €50.
- Security: PISPs, AISPs and ASPSPs face a host of new requirements to ensure that customer payments are secure, and that their personal data is protected.
- Exemptions: PSD2 considerably alters PSD’s exemptions, including those related to payment transactions executed through commercial agents and services based on instruments used within ‘limited networks’ of service providers.
Am I affected?
PSD2 affects a huge variety of firms, including:
- Banks and building societies
- Online retailers
- Payment aggregators
- Credit and debit card companies
- Any other firm providing payment accounts, aggregating accounts and/or initiating a payment order on behalf of customers.
Timeline for implementation
Affected firms have to comply with PSD2 by 13 January 2018 and the FCA’s Connect system is now open for applications. The FCA has warned that it will have little wiggle room to alter its provisions at the national level, so firms should pay close attention to the European Directive.
How can Bovill help?
The FCA has now published its Policy Statement setting out the final Handbook changes, including those to PERG, and its revised Approach Document. Certain other requirements under PSD2 still await further elaboration through Regulatory or Implementing Technical Standards and Guidelines drafted by the European Banking Authority (EBA). Our team is keeping a close eye on upcoming clarifications from Europe, and is happy to answer any questions you might have about PSD2’s progression.
Of particular interest is the Delegated Regulation setting out the Regulatory Technical Standards for strong customer authentication (SCA) and common and secure open standards of communication. This has proved to be a contentious issue and on 27 November 2017 the European Commission finally adopted the Delegated Regulation. The next stage is for it to be considered by the Council of the EU and the European Parliament. If neither of them objects, it will be published in the Official Journal. The majority of the requirements will come into effect 18 months after its publication, which is expected to be in September 2019.
PSD2 will affect existing firms who are already authorised, and firms whose activities fall within scope for the first time. Bovill can help ensure that your company is prepared for implementation by performing a gap analysis or health check against PSD2.