Out-Law News | 17 Nov 2015 | 9:45 am | 3 min. read
The new Payment Services Directive (PSD2) was given formal backing by the EU's Council of Ministers in a vote on Monday. MEPs voted to approve the legislation in October. The Directive comes into force 20 days after its publication in the Official Journal of the EU and each EU country will have two years from that date in which to implement it into their national laws.
PSD2 replaces the existing Payment Services Directive which has been in place since 2007. The new legislation imposes obligations on companies that have previously been outside the scope of regulation, reflecting innovations in the payments market that have emerged since 2007 and the different types of companies now involved in delivering payment services.
"These reforms will provide a platform for innovation in the payments market," financial services and technology law expert John Salmon of Pinsent Masons, the law firm behind Out-Law.com, said. "The reforms are aimed at opening up the market to digital disruptors but there are opportunities for incumbent banks and payment service providers to expand the nature of their existing services too. We are already seeing an appetite from major institutions to do so."
"In the UK, the government is behind a move to standardise banking APIs in an effort to spur innovation in the sector. It wants bank systems to be interoperable and deliver new ways to use customers' financial data in a way that benefits customers. A further announcement on this work is expected before the end of the year. It is important that the standardisation in the UK is practical and reasonable in terms of the requirements it places on banks and others to update their systems. If it is, there is a real opportunity for the UK to influence the standardisation work the European Banking Authority will now undertake in respect of the PSD2 reforms," he said.
Under PSD2 banks and other payment service providers (PSPs) must give so-called payment initiation service providers (PISPs) access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and take on certain liabilities in relation to any unauthorised transactions they are responsible for.
PSD2 also promotes account information services, such as those offered by businesses that allow customers to access information about all their payment accounts in one place. The new rules require PSPs to open up access to the accounts they manage on behalf of a customer where the account information service provider (AISP) has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.
In addition to rules on customer authentication, facilitating third party access to accounts and account information, data security and liability, PSPs must also abide by a range of requirements relating to transparency over account services and charges, major operational or security incident reporting and complaint handling, amongst other things.
On incident reporting, the European Banking Authority (EBA) is obliged to draw up guidelines for PSPs within two years of PSD2 coming into force. The guidelines will have to be drafted with separate incident reporting requirements under the proposed new Network and Information Security Directive in mind, according to the new rules.
The EBA is also tasked with developing a range of "technical standards" under the new framework. These include standards that ensure that PISPs and AISPs can communicate with PSPs securely and that transactions are based on "strong customer authentication". The EBA has a year from the date that PSD2 comes into force to draw up those standards. The power to adopt those standards rests with the European Commission.
A clause included in the new Directive means that the Commission will review the PSD2 reforms five years after the Directive comes into force.
"This is the end of several years of development, with the final version answering a number of concerns that had been opened up by the version that emerged pre-summer from the trilogue negotiations between the Council, Commission and European Parliament," said financial services and technology law expert Angus McFadyen of Pinsent Masons.
"Regulators like the FCA can now move to national implementation but work at the European level continues as the EBA has a great deal of work to do in developing standards and guidelines to support that. For those that haven’t already started, the strategy and compliance exercises for corporates and PSPs must now kick in – there’s a great deal to do in the next two years to take advantage of the opportunities that are presented," he said.
In a statement, the Council of Ministers said: "The revised directive adapts the rules to cater for emerging and innovative payment services, including internet and mobile payments. It sets out to ensure a more secure environment for payments, in particular for those using remote channels."
"The directive promotes stronger security measures for internet payments and for the use of services provided by new market players. It will ensure strong customer authentication to identify the client for each transaction. The new and strengthened supervisory regime will further increase the security level and consumer protection in this field," it said.