'One single authority' should enforce new EU payment services laws, says European Central Bank

Out-Law News | 11 Feb 2014 | 5:02 pm | 2 min. read

A solitary regulator should have the power to ensure businesses subject to planned new EU laws on payment services comply with the new regime, the European Central Bank (ECB) has said.

The ECB, which acts as the central bank for nations that have adopted the euro as its currency, admitted that there would be challenges for a single regulator to enforce compliance with the new Payment Services Directive (PSD2) that is envisaged across every EU member state.

"For reasons of efficiency, the ECB would welcome one single authority, which would be responsible for ensuring compliance with the directive, but is aware, however, that this might prove difficult in practice due to diverging national arrangements," president of the ECB Mario Draghi said in a new opinion (39-page / 403KB PDF) the body has published on the PSD2 proposals.

The PSD2 regime, if introduced as currently drafted, would update existing rules governing electronic means of payment. Banks and other payment service providers (PSPs) would be among those businesses subject to the new regime, which would also apply to third party providers of payment initiation services and account information services. The anticipated reforms, though, appear unlikely to be finalised until after the European Parliament elections this spring.

The ECB said that it wanted to change the way the draft new framework foresees the handling of some consumer direct debit refunds. The current draft would set an unconditional right of refund for direct debit payers where the "executed payment transaction exceeds the amount which could reasonably have been expected". However, the ECB has suggested that a refund right should not be available in some cases.

"The ECB suggests introducing, as a general rule, an unconditional refund right for a period of eight weeks for all consumer direct debits," it said. "For listed goods or services meant for immediate consumption, debtors and creditors could separately and explicitly agree that no refund rights should apply. The Commission could establish such a list by means of a delegated act."

New rules on the security of payment services should also be amended in the existing draft, the ECB said.  It has called for a new "secure standardised interface" to be created that third parties could use to access payment account information so as to transmit payment orders and to authorise those payments.

New payment blocking rules should also be created and apply to consumer transactions only, it said.

"The payer must have the right to: instruct its account servicing payment service provider to block any payment initiation services from the payer’s payment account; to block any payment initiation services initiated by one or more specified third party payment service providers; or to only authorise payment initiation services initiated by one or more specified third party payment service providers," according to a new amendment that the ECB has suggested be inserted into the PSD2.

The ECB also outlined plans for a new cyber security information sharing regime. Under its plans PSPs would be obliged to "establish a framework with appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, related to the payment services they provide" and inform regulators "without undue delay" where they experience a "major operational incident", such as a "security incident". In some cases PSPs would also have to notify users of their services of the incidents.

The information sharing obligations would also extend to regulators who would be required to share "relevant details" of the incidents reported to them with the ECB and the European Banking Authority (EBA). The EBA would then coordinate a wider sharing of information about incidents to other regulators.