The second Payment Services Directive (PSD2)

What is the second Payment Services Directive (PSD2)?

Since the adoption of the first Payment Services Directive (PSD1), the retail payments market has experienced significant technical innovation, with rapid growth in the number of electronic and mobile payments and the emergence of new types of payment services in the market place, which challenges the current framework.

The review of the Union legal framework on payment services, the analysis of the impact of the first Payment Services Directive, and the consultation on the Commission Green Paper of 11 January 2012, entitled, ‘Towards an integrated European market for card, internet and mobile payments’, have shown that developments have given rise to significant challenges from a regulatory perspective.

Significant areas of the payments market, in particular card, internet and mobile payments, remain fragmented along national borders. Many innovative payment products or services do not fall, entirely or in large part, within the scope of the first Payment Services Directive.

Furthermore, the scope of Directive 2007/64/EC and, in particular, the elements excluded from its scope, such as certain payment-related activities, has proved in some cases to be too ambiguous, too general or simply outdated, taking into account market developments.

This has resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas. It has proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services and to provide consumers and retailers with effective, convenient and secure payment methods in the Union. In that context, there is a large positive potential which needs to be more consistently explored.

The continued development of an integrated internal market for safe electronic payments is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit fully from the internal market.

New rules should be established to close the regulatory gaps while at the same time providing more legal clarity and ensuring consistent application of the legislative framework across the Union. Equivalent operating conditions should be guaranteed, to existing and new players on the market, enabling new means of payment to reach a broader market, and ensuring a high level of consumer protection in the use of those payment services across the Union as a whole. This should generate efficiencies in the payment system as a whole and lead to more choice and more transparency of payment services while strengthening the trust of consumers in a harmonised payments market.

In recent years, the security risks relating to electronic payments have increased. This is due to the growing technical complexity of electronic payments, the continuously growing volumes of electronic payments worldwide and emerging types of payment services. Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities.

Money remittance is a simple payment service that is usually based on cash provided by a payer to a payment service provider, which remits the corresponding amount, for example via a communication network, to a payee or to another payment service provider acting on behalf of the payee. In some Member States, supermarkets, merchants and other retailers provide to the public a corresponding service enabling them to pay utilities and other regular household bills. Those bill-paying services should be treated as money remittance, unless the competent authorities consider the activity to fall under another payment service.

The PSD2 introduces a neutral definition of acquiring of payment transactions in order to capture not only the traditional acquiring models structured around the use of payment cards, but also different business models, including those where more than one acquirer is involved.

This should ensure that merchants receive the same protection, regardless of the payment instrument used, where the activity is the same as the acquiring of card transactions. Technical services provided to payment service providers, such as the mere processing and storage of data or the operation of terminals, should not be considered to constitute acquiring. Moreover, some acquiring models do not provide for an actual transfer of funds by the acquirer to the payee because the parties may agree upon other forms of settlement.

The exclusion from the scope of the PSD1 of payment transactions through a commercial agent on behalf of the payer or the payee is applied very differently across the Member States. Certain Member States allow the use of the exclusion by e-commerce platforms that act as an intermediary on behalf of both individual buyers and sellers without a real margin to negotiate or conclude the sale or purchase of goods or services. Such application of the exclusion goes beyond the intended scope set out in that Directive and has the potential to increase risks for consumers, as those providers remain outside the protection of the legal framework.

Differing application practices distort competition in the payment market. To address those concerns, the exclusion should therefore apply when agents act only on behalf of the payer or only on behalf of the payee, regardless of whether or not they are in possession of client funds. Where agents act on behalf of both the payer and the payee (such as certain e-commerce platform), they should be excluded only if they do not, at any time enter into possession or control of client funds.

The first PSD excludes from its scope certain payment transactions by means of telecom or information technology devices where the network operator not only acts as an intermediary for the delivery of digital goods and services through the device in question, but also adds value to those goods or services.

In particular, that exclusion allows for so-called operator billing or direct to phone-bill purchases which, starting with ringtones and premium SMS services, contribute to the development of new business models based on the low-value sale of digital content and voice-based services.

Those services include entertainment, such as chat, downloads such as video, music and games, information such as on weather, news, sports updates, stocks and directory enquiries, TV and radio participation such as voting, competition entry, and provision of live feedback. Feedback from the market shows no evidence that such payment transactions, trusted by consumers as convenient for low-threshold payments, have developed into a general payment intermediation service. However, due to the ambiguous wording of the relevant exclusion, it has been implemented differently across Member States, leading to a lack of legal certainty for operators and consumers and occasionally allowing payment intermediation services to claim eligibility for an unlimited exclusion from the scope of Directive 2007/64/EC. It is therefore appropriate to clarify and narrow the scope of eligibility for that exclusion for such service providers by specifying the types of payment transactions to which it applies.

According to Article 1 (Subject matter):

1. This Directive establishes the rules in accordance with which Member States shall distinguish between the following categories of payment service provider:

(a) credit institutions as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (28), including branches thereof within the meaning of point (17) Article 4(1) of that Regulation where such branches are located in the Union, whether the head offices of those branches are located within the Union or, in accordance with Article 47 of Directive 2013/36/EU and with national law, outside the Union;

(b) electronic money institutions within the meaning of point (1) of Article 2 of Directive 2009/110/EC, including, in accordance with Article 8 of that Directive and with national law, branches thereof, where such branches are located within the Union and their head offices are located outside the Union, in as far as the payment services provided by those branches are linked to the issuance of electronic money;

(c) post office giro institutions which are entitled under national law to provide payment services;

(d) payment institutions;

(e) the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities;

(f) Member States or their regional or local authorities when not acting in their capacity as public authorities.

2. This Directive also establishes rules concerning:

(a) the transparency of conditions and information requirements for payment services; and

(b) the respective rights and obligations of payment service users and payment service providers in relation to the provision of payment services as a regular occupation or business activity.

The main differences between PSD1 and PSD2.

PSD2 widens the scope of PSD1 by covering new services and players as well as by extending the scope of existing services (payment instruments issued by payment service providers that do not manage the account of the payment service user), enabling their access to payment accounts.

PSD2 also updates the telecom exemption by limiting it mainly to micro-payments for digital services, and includes transactions with third countries when only one of the payment service providers is located within the EU ("one-leg transactions"). It also enhances cooperation and information exchange between authorities in the context of authorisation and supervision of payment institutions.

To make electronic payments safer and more secure, PSD2 introduces enhanced security measures to be implemented by all payment service providers, including banks. In particular, PSD2 requires payment service providers to apply strong customer authentication (SCA) for electronic payment transactions as a general rule. To that end, the Commission adopted rules that spell out how strong customer authentication (SCA) is to be applied.

PSD1 and PSD2 protect consumer rights in the event of unauthorised debits from an account under certain conditions. A direct debit is a payment that is not initiated by the payer, but by the payee on the basis of consent of the payer to the payee. It is based on the following concept: "I request money from someone else with their prior approval and credit it to myself". The payer and the biller must each hold an account with a payment service provider and the transfer of funds (money) takes place between the payer's bank and the biller's bank. However, since the biller can collect funds from a payer's account, provided that a mandate has been granted by the payer to the biller, the payer should also have a right to get the money refunded. Member States have applied different rules with regard to this issue.

Under PSD1, payers had the right to a refund from their payment service provider in case of a direct debit from their account, but only under certain conditions. In order to enhance consumer protection and promote legal certainty further, PSD2 provides a legislative basis for an unconditional refund right in case of a SEPA direct debit during an 8 week period from the date the funds are debited form the account. The right to a refund after the payee has initiated the payment still allows the payer to remain in control of his payment. In such cases, payers can request a refund even in the case of a disputed payment transaction.

As far as the direct debit schemes for non-euro payments are concerned, where they offer the protection as set out under PSD1, they can continue to function as they do today. However, Member States may require that for such direct debit schemes refund rights are offered that are more advantageous to payers.

Consumers will also be better protected when the transaction amount is not known in advance. This situation can occur in the case of car rentals, hotel bookings, or at petrol stations. The payee will only be allowed to block funds on the account of the payer if the payer has approved the exact amount that can be blocked. The payer's bank shall immediately release the blocked funds after having received the information about the exact amount and at the latest after having received the payment order.

Furthermore, the PSD2 increases consumer rights when sending transfers and money remittances outside the EU or paying in non-EU currencies.

PSD1 only addresses transfers inside the EU and is limited to the currencies of the Member States. PSD2 extends the application of PSD1 rules on transparency to "one-leg transactions", hence covering payment transactions to persons outside the EU as regards the “EU part” of the transaction. This contributes to better information of money remitters, and lower the cost of money remittances as a result of higher transparency on the market.

PSD2 obliges Member States to designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of the directive. Payment service providers that are covered by the Directive on their side should put in place a complaints procedure for consumers that they can use before seeking out-of-court redress or before launching court proceedings. The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days.

The second Payment Services Directive (PSD2):

Cyber Risk GmbH, some of our clients