Practical Insights: An Overview of the Legal Implications of PSD2 for Third-Party Providers
In the build-up to the revised Payment Services Directive (PSD2) entering into force across EU member states in January 2018, PaymentsCompliance provides practical insight on the regulation of third-party providers under the directive.
On December 23, 2015, Directive (EU) 2015/2366, also known as the revised Payment Services Directive (PSD2), was published in the Official Journal of the European Union. PSD2 will supersede Directive 2007/64/EC, also known as the first Payment Services Directive (PSD1), with effect from January 13, 2018.
PSD2 is a regulation of payment services within the EU and is primarily concentrated on electronic payments. These type of payments have proved to be efficient, practical and help to increase economic growth.
PSD2 determines the following key objectives:
- There are two types of TPPs — payment initiation services providers (PISPs) and account information services providers (AISPs) — for wider attraction of new consumers and to encourage current ones.
- Improvement of consumer rights, increasing security of unauthorised payments and providing a refund where necessary.
- Enhancement of security requirements and strong customer authentication.
- Increasing competitiveness and encouragement of lower prices.
1. Key Regulatory Drivers on Third-Party Providers (TPPs) under PSD2
Along with other new requirements for existing and prospective payment service providers (PSPs), PSD2 has introduced a new set of rules regulating the activities of so-called “third-party providers” (TPPs). Broadly, in regulating TPPs, the European Commission is aiming to decrease costs and encourage innovative payment methods for consumers, while addressing issues such as data protection, consumer protection, security, liability and competition.
However, two key drivers stand out in the regulation of TPPs under PSD2:
a) Legal loophole regarding services of TPPs
The European Commission’s impact assessment of July 2013 indicated that the business models of TPPs, which emerged after the adoption of PSD1 in 2007, lacked a regulatory and supervisory framework:
“[...] an unprecedented development of the payments market, in particular the rapid emergence of e- and m-payments, gave rise to important challenges from a regulatory perspective. Many innovative payment products or services do not fall, entirely or in large parts, under the current scope of the PSD. This leads to legal uncertainty (no supervision, no regulation), potential security risks in the payment chain and to a lack of consumer protection. This is for example the case for online-banking based payment initiation services (PIS) provided by third party providers (TPPs).”
Several TPP business models emerged before PSD2, such as those from iDEAL (Netherlands), Trustly (Sweden) and Sofortüber-weisung (Germany), and now these are subject to a new set of obligations which include authorisation or registration from the competent authority depending on the type of TPP service involved. These are non-banking institutions which are regarded to have introduced cheaper and more convenient methods to initiate transactions in Europe.
According to Recital 29 of PSD2, PISPs “offer a low-cost solution for both merchants and consumers and provide consumers with a possibility to shop online even if they do not possess payment cards”; however, “they are not necessarily supervised by a competent authority and are not required to comply with Directive 2007/64/EC”, raising further legal questions, such as consumer protection, security, liability, competition and data protection issues.
b) Creation of a level playing field
The European Commission also identified market barriers for TPPs, which originate from their lack of access to information on the availability of funds in payment accounts. As a result, three potential policy options were examined:
- Option 1: No policy change.
- Option 2: Define the conditions of access to the information on the availability of funds, define rights and obligations of the TPPs and clarify the liability allocation.
- Option 3: Allow TPPs access to the information on the availability of funds under a contractual agreement with the account servicing bank.
The commission has chosen Option 2, introducing a set of measures to ensure that TPPs are allowed to obtain necessary information on the availability of funds to provide their services. This “would at the same time guarantee that all necessary data protection and security requirements are fulfilled by both TPPs and the [payment service providers] PSPs servicing the account. This option would insure that a consumer is properly informed before giving a TPP an explicit consent to access his or her accounts and that rights and obligations are appropriately shared in a balanced way between TPPs, banks and consumers.”