PSD2: EU ministers move to tighten payment authorisation requirements for mobile app payments

Out-Law News | 16 Sep 2014 | 5:08 pm

Plans to tighten rules on the authentication of payments made via mobile wallets have been unveiled by the presidency of EU law making body the Council of Ministers.

In a document detailing its proposals for a new Payment Services Directive in the EU (PSD2) (184-page / 1.18MB PDF), the Council of Ministers' presidency recommended that "strong customer authentication" should be mandated in a range of payment scenarios, including where consumers wish to register "sensitive payment data to be used in a wallet solution". EU countries should ensure that payment service providers (PSPs) implement the authentication procedures, it said.

The presidency defined 'wallet solutions' as "solutions that allow a customer to register in an application personal data and data relating to one or more payment instruments in order to make payments with several e-merchants".

'Strong customer authentication' should also be required in cases where consumers want to access their payment account online, make an electronic payment transaction or sign up to "an electronic debit mandate", it said.

Plans to reform existing EU laws governing electronic payments with PSD2 were first published by the European Commission last year. The reforms would widen the scope of rules on such payments and make providers of 'payment initiation services' subject to the new rules.

The expansion in scope is recognition of the role payment initiation service providers now play in facilitating electronic transactions between consumers' banks and online retailers.

Under the reforms, third party payment initiation service providers would need a licence to operate in the EU.

In its latest proposals, the presidency of the Council of Ministers set out a process by which payment initiation service providers, PSPs and other payment institutions could obtain regulatory authorisations for operating across different EU countries.

Under its plans, payment institutions authorised to operate in their 'home' EU member state would be able to apply to the regulator in that country for permission to expand their service offerings into other EU countries.

The 'home' regulator would then have to liaise on the business's plans with the 'host' regulators in the other EU countries in which the payment institution wishes to operate. The host regulator would then have a chance to issue an opinion on the application, although it would be the responsibility of the home regulator to determine the outcome of the application, and it would have freedom to go against the views of a host regulator so long as it explained its reasons.

Responsibility for regulating payment services being delivered across the EU would rest with the home regulator, although host regulators would have limited powers to take action against payment institutions based elsewhere in the trading bloc if there was a "serious threat to the smooth functioning of the payment system or to the collective interests of the payment service users in the host member state".

The presidency's proposals also outline the obligations on payment institutions to inform regulators about certain outsourcing arrangements they put in place.

Under its plans, payment institutions must inform their home regulator where they intend to "outsource operational functions of payment services". It said PSD2 should make clear that the outsourcing of "important operational functions", including the purchasing of IT systems, "may not be undertaken in such way as to impair materially the quality of the payment institution's internal control and the ability of the competent authorities to monitor and retrace the payment institution's compliance with [the Directive]".

Operational functions of payment services would be classed as being 'important', under the presidency's plans, "if a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its [regulatory] authorisation … or its financial performance, or the soundness or the continuity of its payment services".

The presidency's proposals would require payment institutions to "take reasonable steps" to ensure that their suppliers of operational functions adhere to the PSD2 rules. They make clear that the payment institutions would "remain fully liable for any acts of their employees, or any agent, branch or entity to which activities are outsourced".

Among the other proposals backed by the presidency of the Council of Ministers are rules which are intended to ensure that all PSPs have access to existing payment systems and that restrictions on that access are limited to certain types of payment systems.

If its proposals were adopted, PSPs would also be subject to rules requiring them to implement "appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, related to the payment services they provide".

Where a "major operational incident", such as a security incident, arises, the PSPs would be required to notify their home regulator of the incident "without undue delay". A framework for the sharing of information between regulators about incidents is envisaged under the presidency's plans.