Over the last decade the payment services industry has undergone a renaissance. Rapid technological advancement has allowed for the rise of new products, many of which have had a disruptive impact on how consumers access their accounts and shop online. Much of this innovation is not, however, subject to a unified European regulatory regime. And recent developments have exposed gaps in the 2007 Payment Services Directive (PSD). To plug these holes, the EU has introduced a sequel — PSD2.
What is the new regime?
Perhaps the most important change of PSD2 is the introduction of two new acronyms: payment initiation service providers (PISPs) and account information service providers (AISPs). The former refers to companies that facilitate payments between individual accounts without the intermediation of payment aggregators or card schemes. A PISP could, for example, securely process a customer’s request to send money directly from their bank account to an online retailer. AISPs are companies that aggregate multiple bank accounts into one system to help customers keep track of their personal finances. The providers of these accounts (such as banks) are referred to as account servicing payment service providers (ASPSPs). See our handy graphic to make sense of this new alphabet soup.
In addition to capturing these new activities, PSD2 makes a number of additional changes, including:
- Enhanced Scope: Certain transparency provisions of PSD have been extended to all currencies, and, notably, payment transactions that are initiated or terminated outside the EU (also known as one-leg transactions).
- Surcharges: Now conditioned on the requirement that charges do not exceed the costs borne by the payee for the use of a specific payment instrument.
- Strong Customer Authentication: PSD2 provides a definition of ‘strong’ authentication for the purpose of new regulatory requirements surrounding security and data protection.
- Refunds & Liability: Strengthens consumers’ refund rights and establishes under what conditions ASPSPs and PISPs are liable.
- Unauthorised Transactions: Reduces customers’ personal liability for unauthorised transactions due to lost, stolen or misappropriated payment instruments to €50.
- Security: PISPs, AISPs and ASPSPs face a host of new requirements to ensure that customer payments are secure, and that their personal data is protected.
- Exemptions: PSD2 considerably alters PSD’s exemptions, including those related to payment transactions executed through commercial agents and services based on instruments used within ‘limited networks’ of service providers.
Am I affected?
PSD2 affects a huge variety of firms, including:
- Banks and building societies
- Online retailers
- Payment aggregators
- Credit and debit card companies
- Any other firm providing payment accounts, aggregating accounts and/or initiating a payment order on behalf of customers.
Timeline for implementation
Affected firms have to comply with PSD2 by 13 January 2018. The FCA has warned that it will have little wiggle room to alter its provisions at the national level, so firms should pay close attention to the European Directive.
HM Treasury has already consulted on its proposed regulations and the FCA has now also issued a consultation paper explaining its approach to applying both the Payment Services Regulations and the amended Electronic Money Regulations. We expect to see a policy statement in the third quarter of this year. The FCA is also consulting on the updated registration and authorisation forms to be used by payment institutions and e-money institutions. This includes the forms which existing firms will need to use in order to be re-authorised or re-registered under PSD2.
In addition, the European Supervisory Authorities are required to prepare a number of regulatory technical standards (RTS), implementing technical standards and guidelines to support PSD2. One of the most hotly anticipated regulatory technical standards is in relation to the requirements for strong customer authentication and common and secure communication. This is expected to have a significant impact on firms as it sets out the requirements to provide an appropriate level of security for both payment service providers and consumers. The EBA (European Banking Authority) have now published their report and final draft RTS which will be submitted to the European Commission for adoption and further scrutiny. This RTS will apply 18 months after adoption by the Commission, and the EBA have suggested that the application date will be November 2018 at the earliest.
How can Bovill help?
The final position on PSD2 is still far from clear as we await further technical guidance and draft rules. Our team is keeping a close eye on upcoming clarifications from Europe, and is happy to answer any questions you might have about PSD2’s progression.
PSD2 will affect existing firms who are already authorised, and firms whose activities fall within scope for the first time. Bovill can help ensure that your company is prepared for implementation by performing a gap analysis or health check against PSD2.