Out-Law Analysis 12 min. read
26 Jan 2015, 5:17 pm
There is increasing focus by regulators on consumer protection and the European Commission wants to help develop a unified payment services sector that better fosters competition, innovation and security.
The PSD2 proposals were first outlined by the Commission in the summer of 2013 and have since been scrutinised by various committees of the European Parliament, EU ministers within the auspices of the Council of Ministers, banks and other payment industry bodies and many other stakeholders.
MEPs and officials at the Council, the body that brings together ministers from the 28 different governments within the EU, have agreed on two separate versions of PSD2 that both differ greatly to the Commission's original draft.
Trilogue negotiations between the Parliament, Council and Commission are now scheduled to thrash out the final wording of the PSD2. With the discussions reaching the definitive stage, here we identify some of the main features of the reform package: new rules on access to payment accounts, liability allocation provisions, transparency requirements and customer authentication measures.
The objective of the current Presidency is to conclude negotiations on PSD2 by June 2015. This would lead to implementation at a national level within a couple of years, and there will be a great deal of activity required by industry in advance of that 2017 date to manage the technical and compliance challenges that PSD2 will present.
Access to payment accounts
A major part of the Commission's reform plans include new rules designed to open up access to payment account information to third parties. The proposals reflect the growing number of account aggregators - businesses that enable customers to access different online banking accounts including credit cards, current and savings accounts using a single online portal, and other financial technology companies moving into the payments sphere.
According to the amendments it has voted to support, the European Parliament said that the business that provides and maintains the customer's payment account such as a bank or credit institution ('account servicing PSP'), must give certain third parties that have a licence to provide payment services under the new regime access to customers' account information, providing the customer has given their "explicit consent" to that access. Customers also have a right to be provided with information that properly informs them about "the extent of this access", the proposals said.
Under these plans, the account servicing PSPs would be barred from placing restrictions on third party account information access, and would be prohibited from treating payments that go through third parties differently from those that come from customers directly themselves unless for "objective reasons" are provided. This includes applying added charges to those payments or treating them as being of lower priority, according to the Parliament's proposals.
The Council of Ministers has proposed a similar set of rules on account access, adding that it is the responsibility of the account servicing PSPs to "provide facilities to securely communicate with the account information service providers" and facilitate their access to the account information.
It has clarified that account servicing PSPs will be able to prevent access to accounts via third party account information services if it has evidence the activity is unauthorised or fraudulent.
What happens if a payment is processed incorrectly or late? Who takes the blame when there is more than one payment provider or institution involved, and who is ultimately liable to issue refunds and account for charges or losses that customers may have been landed with? The European Commission attempted to address these questions of liability in its PSD2 proposal.
The Commission suggested liability should broadly be shared between PSPs acting on payer's instructions and those receiving payments on behalf of payees, with each PSP liable for problems with their part of the transaction.
The Commission said that where third party payment services are used to place a payment order, those third party service providers should be liable for the correct execution of that payment unless they can show that the payer's account servicing PSP obtained receipt of the payment order. In those circumstances it is the account servicing PSPs that are responsible for ensuring the money is transferred correctly to the payee.
It said, though, that payers could be held liable for unauthorised payments if it is found they have acted fraudulently or with gross negligence. It also said PSPs should not be required to refund low value unauthorised payments processed in a payer's name where it stems from their loss or misappropriation of a 'payment instrument', such as a mobile device.
The European Parliament's proposal built on the Commission's plans. It said that the rules should require the European Banking Authority to set out guidance to PSPs to understand when payers have acted with 'gross negligence'.
It also said payers should not have to pay anything towards an unauthorised payment stemming from the loss, theft or misappropriation of a payment instrument if that loss, theft or misappropriation was "not detectable to [them] prior to a payment". The Parliament said EU countries should be free to impose rules limiting payer's liability even in cases that were 'detectable', if, for example, the mobile device or payment account used to make the payment was password-protected.
MEPs said payer's PSPs or, where they are involved, third party providers, should be held liable for "correct payment execution", including for the "failure by other parties in the payment chain up to the account of the payee". They otherwise gave their general support to the rules on liability drafted by the Commission, adding only minor tweaks.
The main changes that the Council has proposed relate to the actions it said account servicing PSPs and third party providers - payment initiation service providers (PISPs) - should take in the event that a defective payment is processed.
It said that where defective payments stem from payment orders placed through PISPs, it is the responsibility of the account servicing PSPs to refund payers and "restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place".
The Council said that if the responsibility for "the incorrect execution of the payment transaction" lies with the PISP then the PISP must "immediately compensate the account servicing payment service provider at its request for any losses incurred or sums paid as a result of the refund to the payer", unless the PISP can show that the account servicing PSP received the correct payment order receipt for the transaction.
Not all organisations involved in payment processes however will fall within scope of the proposed regulation and throughout the legislative process concerns have been raised about the extent to which telecoms businesses should be exempted.
To address these concerns the Commission's initial draft sought to limit the exemption only to payment services provided by telcos that are value-added or ancillary to their core services. It also sought to restrict the exemption in terms of the purpose for which payments are made and their value by providing that the exemption will only apply to purchases of digital content and where the value of any single payment transaction does not exceed €50 and the cumulative value of payment transactions does not exceed €200 in any billing month.
This limitation of the exemption has been retained in the Council of Ministers' most recent draft. The intention is that this more restricted exemption will create more of a level playing field between different providers, particularly in terms of the allocation of liability. Questions still remain about the treatment of some providers under the new regime – whether the likes of Apple Pay will be in-scope ultimately comes down to the functionality that they offer and so we, and consumers, shouldn't assume that all "mobile payments" products or providers will be in-scope for PSD2 and subject to the protective regulatory regime.
Transparency of payments and charges
Plans to make more transparent the charges that are applied to payment by those that facilitate such transactions were also set out by the European Commission in its PSD2 draft. Separate provisions have been drafted to cover payments made under framework contracts which provide for a series of payment transactions and those which are not.
The Commission said both the payer and payee in a transaction are entitled to receive information from their respective PSPs about the charges applied to transactions.
Under the plans, payment service users have a right to know what charges, if any, will be applied to payments before payments are processed. This includes a right to a breakdown of those charges. Similarly, both payers and, if applicable, payees are entitled to information from third party payment service providers about "the amount of any charges for the payment transaction and, where applicable, a breakdown thereof" if those third parties initiate payments.
The Commission also said that immediately after placing a payment order payers are entitled to receive information from their PSP detailing the total value of charges they face if they proceed with a transaction, as well as a "breakdown of the amounts of such charges". Payees' PSPs would be required to communicate what charges if any are payable by payees after transactions have been executed.
Where framework contracts are in place for payment services, EU countries would be required to ensure payment service users are also given information on any charges or interest applied.
Before each transaction under a framework contract PSPs would be required to provide customers with "explicit information on the maximum execution time and the charges payable by the payer and, where applicable, a breakdown of the amounts of any charges", according to the proposals. A note of the charges would also have to be provided to payers after funds have been debited from their accounts, and payees' PSPs would similarly have to outline what charges and interest, if any, payees face after each individual payment transaction under a framework contract.
The European Parliament has recommended that the Commission's proposals be expanded on in some areas. It said that payment service users should have the right to information about charges faced for using third party payment services to be provided in "a clear and understandable form" prior to payments being initiated. "All possible charges" should be detailed as part of this information, according to the Parliament's proposals.
The Parliament said that third party payment providers must individually itemise the charges they levy on payments in the information they send to payers. It clarified that account servicing PSPs' obligations to detail information on charges to payers apply only after receipt of a payment order and to the extent that the charges relate to "its own services". Similarly, payees' PSPs are only obliged to provide detail of the charges payable by payees after a payment has been executed "with regard to its own services" and only if those details are available to it.
MEPs backed plans which would allow payment service users to exit from framework contracts with providers without incurring a termination charge, and clarified that payers should not be liable for third party costs passed onto them by PSPs "unless their full amount was made known prior to the initiation of the payment transaction".
The Council, in its version of PSD2, said that PSPs should be able allowed to charge termination fees to payment service users that exit framework contracts that are in their first year. More generally, it gave support to the Commission's plans for greater transparency of charges for payment services.
"It is essential for payment service users to know the real costs and charges of payment services in order to make their choice," a recital in the Council's text said. "Accordingly, the use of non-transparent pricing methods should not be allowed, since it is commonly accepted that those methods make it extremely difficult for users to establish the real price of the payment service."
The Council backed the Commission's proposals on the provision of information about charges, both by payers' PSPs prior to a transaction being processed but after a payment order has been placed, as well as after transactions have been completed, and in respect of payees' PSPs after a payment has been executed.
In a change to the Commission's plans, however, the Council proposed that PISPs must provide a reference for each transaction they initiate to both the payer and account servicing PSP.
The PSD2 proposals contain a significant stiffening of rules on payment service user authentication, with the purpose of ensuring that PSPs can be confident that the people using their services are who they say they are.
Under the Commission's plans, PSPs would be required to apply "strong customer authentication" when payers initiate "an electronic payment transaction". The proposals, however, would allow the European Banking Authority (EBA) the scope to set guidelines on exemptions to this general rule.
'Strong customer authentication' is defined by the Commission as "a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data". In IT security-speak, this means two-factor authentication.
Given that security measures are growing in sophistication and that the drive is constantly towards a frictionless experience for consumers, there will be some conflict between the direction that industry and regulators wish to travel in – it is unclear whether, or to what extent, consumers will benefit from the mandated security procedures given that the liability provisions largely protect consumers from loss.
PSPs that fail to apply strong customer authentication for payments made online or over the phone cannot require payers to "bear any financial consequences" unless those payers themselves act fraudulently.
In addition, PSPs would be required to compensate other PSPs or intermediaries involved in a transaction "for any losses incurred or sums paid" by those other businesses as a result of their failure to apply strong customer authentication if this results in non-execution, defective or late execution of payments.
Third party PSPs that initiate payment transactions are also required to ensure they apply strong customer authentication. The Commission said those third parties should be free "to rely on the authentication methods" of account servicing PSPs "when acting on behalf of the payment service user". A third party PSP providing payment initiation or account information services would be required to "authenticate itself towards the account servicing payment service provider of the account owner".
The European Parliament's proposals would enshrine into law a right for payers to have use "an authorised third party payment service provider" of payment initiation or account information services where they have a "payment account that can be accessed via online banking". This right cannot, generally, be denied by account servicing PSPs under the plans, and the increased interaction envisaged between those PSPs and third party providers is reflected in the rules the Parliament has backed on authentication.
The Parliament said that the third party providers should have to authenticate themselves to account servicing PSPs "every time a payment is initiated or account information is collected" in accordance with "common and secure open standards of communication" that it said should be developed by the EBA.
The Council has proposed specific rules for both PISPs and account information service providers (AISPs) on authentication. It said that every time a "payment is imitated", PISPs must authenticate themselves towards account servicing PSPs and communicate securely with the PSP, the payer and payee. Similar rules are proposed for AISPs and would apply "for each communication session" with account servicing PSPs.
In an adaptation of the Commission's proposals, PSPs would be forced to apply strong customer authentication when payers access their payment account online, initiate an "electronic remote payment transaction" or "carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses".
The Council is more explicit in its requirements for strong customer authentication for electronic remote payment transactions. It said PSPs should ensure that that authentication includes "elements dynamically linking the transaction to a specific amount and a specific payee". In all the circumstances where strong customer authentication is required, the Council said PSPs must "adopt specific security requirements, to protect the confidentiality and the integrity of the payment service users’ personalised security credentials". It said those additional requirements apply also to cases where payments are initiated through PISPs.
Like the Commission's plans, the Council would give the EBA scope to set out exceptions to where the strong customer authentication rules should not apply. The EBA should also develop technical standards on 'strong customer authentication' and on "common and secure requirements for communication for the purpose of authentication, notification and information between account servicing payment service providers, payment initiation service providers, account information service providers, payers and payees", it said.
Angus McFadyen is a payments and technology specialist at Pinsent Masons, the law firm behind Out-Law.com