The EU’s first Payment Services Directive (PSD1) was introduced in 2009 to harmonise payment services regulation across the EU; whilst also increasing market competition by imposing transparency and conduct of business requirements on payment service providers (PSPs). A decade of technological advancement has significantly changed the payment services market since 2009. For example, we have seen the advent of clever new payment services (such as internet and mobile banking), coupled with an equally sophisticated myriad of security threats.
In order to address the changes to the payment services market, a second Payment Services Directive (PSD2) was brought into force on 12 January 2016, and was transposed into UK law by The Payment Services Regulations 2017.
The fundamental areas covered by PSD1 are largely mirrored in PSD2. For example, both PSD1 and 2 seek to protect consumer rights by setting out the procedure to be followed when obtaining customer consent before entering into a payment transaction; and providing consumers with a right to a refund from their PSP in the event of an unauthorised debit from their account. There are however differences between PSD1 and PSD2 which this article will explore.
Who is subject to PSD2?
PSD1 only applied to transactions where both the payer and the recipients’ PSPs were located in the EU, and where payment was made in either Euros or the currency of another member state. However, under PSD2 the geographical scope has been widened to catch any transaction where either the payer or the recipients’ PSP is located in the EU, regardless of the currency used. As under PSD1, exemptions do apply to certain types of transaction, however PSD2 has narrowed their scope.
This means that non-EU based PSPs who transact with EU based PSPs will now need to be PSD2 compliant.
Who enforces PSD2?
As with PSD1, enforcement of PSD2 is primarily the responsibility of the Financial Conduct Authority (FCA) – the regulator of financial firms and markets in the UK. The FCA’s overarching function in respect of PSD2, is the authorisation and supervision of PSPs. It is therefore the FCA’s responsibility to, for example, determine which PSPs can be authorised or registered by the FCA, monitor PSPs reporting obligations arising under PSD2, and handle complaints against PSPs.
In addition to the FCA, the Payment Services Regulator (PSR) – the regulatory body for the payment services industry in the UK, also has certain, though more limited, regulatory functions in respect of PSD2. For example the PSR is responsible for regulating charges on ATM withdrawals.
New Regulated Payment Services
PSD2 covers two new regulated payment services:
- Account Information Service (AIS) – being a service by which PSPs collect and consolidates information on customers’ bank accounts, regardless of whether these accounts are with the same bank.
- Payment Initiation Service (PIS) – being a service by which customers can initiate payments directly from their bank accounts by a simple credit transfer, rather than via a credit or debit card.
It is therefore important that PSPs providing either of these services are aware of their regulatory obligations under PSD2 and are registered or authorised by the FCA as applicable.
Surcharge Ban
PSD2 has also introduced a ban on ‘surcharges’, being the additional charges incurred for making payments with consumer credit or debit cards, which are in excess of the direct cost borne by the PSP for the specific transaction. It has been estimated by the vice president for the Financial Stability, Financial Services and Capital Markets Union that this ban will save EU consumers more than €550m per year.
Security Obligations
Central to PSD2 is the concept of “open banking” which entails opening up the payment services market more fully, by forcing banks and other financial institutions to share their customers’ financial information with PSPs, when instructed to do so by the Bank’s customers.
However, given the sharing of this sensitive information raises significant privacy and security risks for the customer, PSPs will now be subject to extensive security, risk management and transparency requirements. Of particular note is the requirement for PSPs to carry out a “strong customer authentication” (SCA). SCA is an authentication process by which PSPs validate the identity of a customer by using two of three things:
- Something a customer knows (e.g. a password or the answer to a key question)
- Something the customer has (e.g. a phone or a payment card)
- Something the customer is (e.g. biometric data).
More generally, PSPs will also need ensure to such SCA complies with the Regulatory Technical Standards published by the European Banking Authority.
Next steps
The majority of the changes bought in my PSD2 have been in force since 13 January 2018. An exception to this however, are the SCA obligations which only came into force on 14 September 2019. Further due to the complexity of SCA, coupled with the issues suffered by PSPs in meeting these new obligations, the FCA recently announced an 18 month plan (which runs from 14 September 2019) to assist with implementing the new SCA obligations. The consequence of this, is that the FCA will not sanction PSPs where there is evidence they have taken the necessary steps to comply with the plan. The expectation however, is that firms will be fully SCA compliant by the end of the 18 month period.
It is therefore recommended that PSPs who are not yet SCA complaint are aware of the implementation plan, and have taken the necessary steps to avoid FCA sanction.
Beverley Flynn
Gustaf Duhs