Plans for PSD2 would place controls on outsourcing of IT systems for payment services

Out-Law News | 05 Nov 2014 | 11:58 am | 2 min. read

Banks and other businesses that wish to provide payment services under a proposed new legal framework in the EU would face tight rules on outsourcing, according to the latest plans to be tabled by EU law makers.

The EU's Payment Services Directive (PSD) is currently in the process of being updated. The Presidency of the Council of Ministers, which together with the European Parliament must agree on the wording of the new Directive (PSD2), has published its latest proposals for PSD2 (174-page / 1.16MB PDF).

Under the Presidency's proposals, 'payment institutions', which means businesses granted authorisation to provide payment services by national regulators, would be forced to tell their "home" regulator if they intend to "outsource operational functions of payment services".

Payment institutions could be prohibited from entering into IT contracts with suppliers if the contract covers "important operational functions" of payment services and the outsourcing of those functions would "impair materially the quality of the payment institution's internal control and the ability of the competent authorities to monitor and retrace the payment institution's compliance" with its obligations under the new PSD2 framework.

The PSD2, as currently drafted, would introduce a complex new legal framework for payment services in the EU and impose a number of new duties on businesses involved in the provision of payment services.

One example is the proposed new rules on customer authentication for payments. Other draft rules would require all payment service providers to submit regular updates to regulators setting out their assessment of the security risks facing their organisation and the measures they have taken in response.

The PSD2 regime would, once introduced, widen the scope of the existing PSD framework to make 'payment initiation services' subject to the new rules, in recognition of the move into the payments market by technology companies in recent times.

The Presidency's latest draft said payment initiation services offer "a software bridge between the website of the merchant and the online banking platform of the payer’s bank in order to initiate internet payments on the basis of a credit transfer".

EU countries, in writing the PSD2 rules into national laws, would be required to hold payment institutions to a number of conditions where they intend to "outsource important operational functions".

An 'operational function' is defined as being 'important' "if a defect or failure in its performance would materially impair the continuing compliance of a payment institution" with licensing conditions imposed on it by regulators, its continuing compliance with PSD2 rules, the company's "financial performance" or "the soundness or the continuity of its payment services", according to the Presidency's plans.

Payment institutions that decide to outsource 'important operational functions' of payment services would have to ensure that the outsourcing does "not result in the delegation by senior management of its responsibility", the proposals said.

The proposed conditions on such outsourcing would also force payment institutions to ensure that their outsourcing does not alter "the relationship and obligations [they have] towards [their] payment service users" under the PSD2 regime.

Outsourcing must also not enable payment institutions to escape from, undermine, remove or modify the conditions regulators placed on them when authorising them to provide payment services, the Presidency's proposals said.

Before the PSD2 reforms come into force, EU countries, the European Commission, the European Central Bank and European Banking Authority should use their "regulatory and enforcement powers" to "prohibit any behaviour hindering competition" in the market for payment services and "ensure that any measures they adopt do not unjustifiably discriminate against any existing or new players in the market".