PSD2 and the Future of Payment Services in Europe
Open Banking is a major topic of discussion in the United States as a potential solution to the lack of competition in the marketplace. The European payments services directive (“PSD2”) is the most comprehensive Open Banking initiative we are aware of, and its progress is a good barometer of whether such regulations can successfully introduce new competition in payments. Our London office prepared the following synopsis of how the regulation is doing in Europe.
A. What is PSD2?
The revised Payment Services Directive (“PSD2”) is the main piece of legislation governing payment services in the EU and provides the legal basis for an EU single market for payments. The Directive is part of a legislative package that also includes the regulation of multilateral interchange fees. Together, the regulation and the second payment services directive limit the fees for transactions on consumer debit and credit cards and restrict retailers from imposing surcharges on customers for the use of these types of cards.
The overarching aims of PSD2 are: the contribution to a more integrated and efficient European payments market; leveling the playing field for payment service providers; the promotion of development and usage of innovative online and mobile payments; the facilitation of safer, faster and more secure payments; the protection of consumers against fraud; and the encouragement of lower prices for payments. PSD2 sets the conduct of business rules for firms providing payment services and governs the authentication and prudential requirements for payment institutions. Notably, PSD2 extends both the territorial and material scope of the original PSD.
Expanding the territorial scope of PSD, the provisions of the revised Directive on transparency and conduct of business requirements now also apply to “one-leg” transactions (i.e., payments to and from third countries where one of the payment service providers is located in the EU). They also cover transactions in non-EU currencies that have at least “one leg” in the EU, irrespective of whether these transactions are cleared and/or settled outside the EU.
PSD2 now covers the following types of payment system providers: payment institutions, including registered institutions; credit institutions; e-money institutions; post office; central banks, other than when acting in their capacity as a monetary authority or carrying out other functions of a public nature; and government departments and local authorities, other than when carrying out functions of a public nature.
Importantly, PSD2 also introduces an entirely new set of rights and obligations related to the delivery of third-party services, namely services provided by third-party providers (“TPPs”). These services refer to account information services (“AIS”) and payment initiation services (“PIS”). AIS is defined as an “online service to provide consolidated information on one or more payment accounts held by the Payment Service User with another PSP or with more than one PSP.” In practice, AIS collect and consolidate information belonging to different bank accounts held by the same customer in one place and enable them to access the relevant information by simply logging-in online. PIS is defined as “a service to initiate a payment order at the request of the Payment Service User with respect to a payment account held at another PSP.” PIS enable customers to initiate payments directly from their bank account without the need for a credit or debit card. Similarly, PSD2 requires banks to offer software for third parties to initiate direct bank-to-merchant payments.
B. How is the Directive affecting the marketplace?
Despite the forward-looking spirit of many of the PSD2’s provisions, the revised Payment Services Directive has not yet produced the desired results and its impact on market participants has been relatively small. In principle, PSD2 had to be transposed into the national legislation of the Member States by 13 January 2018. However, the Commission was forced to initiate formal infringement proceedings against 16 countries due to the lack or delay of national transposition measures. According to the information provided in the dedicated webpage of the European Commission, even at present, Malta, Spain and the Netherlands have only communicated partial transposition measures, while Romania has not communicated any measures at all.
In a situation that is indicative of the wider issues associated with the untimely implementation of the Directive, in the UK, five of the nine main banks had to ask for an extension to the January deadline to open up client account information to authorised third-party providers. This delay was partially attributed to the lack of previous technical capability on behalf of the banks. Evidently, PSD2 has not, at least up to the present point, dramatically altered the status quo of payment services in the U.K. The Financial Conduct Authority (“FCA”) continues to be the competent supervisory authority, assigned with the duty to ensure that payment institutions comply with the risk assessment requirements of the Directive. The capital requirement provisions in PSD2 have largely remained the same as those set out in the PSD. PSD2 also preserves the previous access rights for all payment service providers in terms of their direct access to certain payment systems. The government and regulators have exercised minor derogations only in the fields of transparency and information relating to micro-enterprises, low-value payment instruments and e-money and monthly statements.
Notwithstanding the problems and delays concerning the implementation of PSD2, an important step forward was recently taken by the European Banking Authority (“EBA”). On 18 March 2019, the EBA launched its central register of payment and electronic money institutions authorised or registered with the EU and the EEA. In the words of the Executive Director of the EBA, Mr. Adam Farkas, the register aims to “provide a freely accessible and reliable source of key information for market participants across the single market that will facilitate the roll out of PSD2, support the provision of the newly regulated payment services and improve transparency for consumers in the EU.” The register will ultimately contain information on several thousand payment and electronic money institutions and 150,000 agents within the EU. It will collect and present information with respect to the following: payment institutions; exempted payment institutions; account information service providers; electronic money institutions; exempted electronic money institutions; agents; EEA branches; institutions entitled under national law to provide payment services; service providers excluded from the scope of PSD2.
C. What does the future hold for PSD2?
Later this year, another milestone for the full implementation of PSD2, linked to “customer-initiated” payments, is expected to be introduced. On September 14, 2019, Strong Customer Authentication (“SCA”) will enter into force across the EU, influencing all bank transfers and most card payments. This additional regulatory requirement (one of the PSD2’s most significant regulatory standards) is aimed at reducing fraud and making online payments more secure. Upon its adoption, PSPs will have to build additional authentication into their checkout systems to accept and process payments. Most payments conducted via an electronic channel will have to be authenticated by the combination of at least two of the following three elements: something the customer knows (e.g., password or PIN); something the customer has (e.g., phone device or hardware token); or/and something the customer is (e.g., fingerprint or face recognition). Payments which do not meet the predefined criteria will be automatically declined by the customer’s bank.
Overall, while the slow pace in the implementation of PSD2 has brought criticism from market participants, they nonetheless anticipate 2019 will be the year that payment regulations start making a real impact. While the main challenges still lie ahead, it will be fascinating to see how – and to what extent – the changes envisaged in PSD2 are going to reshape the landscape in the provision of payment services across Europe.
 For more information see: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015R0751
 The register is available at: https://eba.europa.eu/-/eba-goes-live-with-its-central-register-of-payment-and-electronic-money-institutions-under-psd2
 It must be noted that recurring direct debits are considered “merchant-initiated” and will not require strong authentication. In-person card payments also remain out of the scope of the new Regulation, with the exception of contactless payments.