Payment Services Directive
1. What is the Payment Services Directive?
The Payment Services Directive (PSD) was adopted in 2007. This legislation provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU. The objective is to make cross-border payments as easy, efficient and secure as 'national' payments within a Member State.
Since 2007, this Directive has brought substantial benefits to the European economy, easing access for new market entrants and payment institutions, and so offering more competition and choice to consumers. It offered economies of scale and helped the Single Euro Payments Area (SEPA) in practice. The PSD has meant more transparency and information for consumers, for example about execution time and fees; and it has cut execution times, strengthened refund rights, and clarified the liability of consumers and payment institutions. A very tangible benefit is that payments are now easily made throughout the whole of the EU and much more quickly: payments are usually credited to the payment receiver's account within the next day.
2. Why did the Commission propose to review this Directive in 2013?
The Commission proposed to review the PSD to modernise it to take account of new types of payment services, such as payment initiation services (see question 18). These service providers have brought innovation and competition, providing more, and often cheaper, alternatives for internet payments; but were previously unregulated. Bringing them within the scope of the PSD has boosted transparency, innovation and security in the single market and created a level playing field between different payment service providers.
At the same time, certain rules set out in the PSD, such as the exemptions of a number of payment-related activities from the scope of the Directive (payment services provided within a “limited network” or through mobile phones or other IT devices) have been transposed or applied by Member States in different ways, leading to regulatory arbitrage and legal uncertainty. In a number of areas, it has also led to impaired consumer protection and competitive distortions. Updated definitions ensure a level playing field between different providers and address in a more efficient way the consumer protection needed in the context of payments.
The Commission proposed to revise the Payment Services Directive (PSD2) in July 2013 (see IP/13/730 and MEMO/13/719). The proposal was part of a package of legislative measures on payment services, which included a proposal for a Regulation on interchange fees for card-based payment transactions (the Interchange Fee Regulation). The Interchange Fee Regulation 2015/751 entered into force on 9 June 2015.
3. What are the main objectives of the PSD2?
The PSD2 updates and complements the EU rules put in place by the Payment Services Directive (2007/64/EC). Its main objectives are to:
- Contribute to a more integrated and efficient European payments market
- Improve the level playing field for payment service providers (including new players)
- Make payments safer and more secure
- Protect consumers
- Encourage lower prices for payments.
4. What are the main differences between PSD and PSD2?
PSD2 widens the scope of the PSD by covering new services and players as well as by extending the scope of existing services (payment instruments issued by payment service providers that do not manage the account of the payment service user), enabling their access to payment accounts.
PSD2 also updates the telecom exemption by limiting it mainly to micro-payments for digital services (see question 9), and includes transactions with third countries when only one of the payment service providers is located within the EU ("one-leg transactions") (see question 5). It also enhances cooperation and information exchange between authorities in the context of authorisation and supervision of payment institutions. The European Banking Authority (EBA) will develop a central register of authorised and registered payment institutions.
To make electronic payments safer and more secure, PSD2 introduces enhanced security measures to be implemented by all payment service providers, including banks. The EBA will develop specific and objective security standards to that end.
5. What are the benefits for consumers under this Directive?
A. Economic benefits
The new EU rules should help stimulate competition in the electronic payments market, by providing the necessary legal certainty for companies to enter or continue in the market. This would then allow consumers to benefit from more and better choices between different types of payment services and service providers.
During the past years, new players have emerged in the area of internet payments offering consumers the possibility to pay instantly for their internet bookings or online shopping without the need for a credit card (around 60% of the EU population does not have a credit card). These services establish a payment link between the payer and the online merchant via the payer’s online banking module. These innovative and low cost payment solutions are called “payment initiation services” and are already offered in a number of Member States (eg: Sofort in Germany, IDeal in the Netherlands, Trustly in Sweden). Until now, these new providers were not regulated at EU level. The new Directive will cover these new payment providers (“payment initiation services”), addressing issues which may arise with respect to confidentiality, liability or security of such transactions.
Furthermore, PSD2 will help lower charges for consumers and ban "surcharging" for card payments in the vast majority of cases (including all popular consumer debit and credit cards), both online and in shops. The practice of surcharging is common in some Member States, notably for online payments and specific sectors, such as the travel and hospitality industry. In all cases where card charges imposed on merchants are capped, in accordance with the complementary regulation on interchange fees for card-based payment transactions (the Interchange Fee Regulation), merchants will no longer be allowed to surcharge consumers for using their payment card. This will apply to domestic as well as cross-border payments. In practice, the prohibition of surcharging will cover some 95% of all card payments in the EU and consumers would be able to save €730 million annually. The new rules will contribute to a better consumer experience when paying with a card throughout the European Union.
Consumers will be better protected against fraud and other abuses and payment incidents, with improved security measures in place. As regards losses that consumers may face, the new rules streamline and further harmonise the liability rules in case of unauthorised transactions, ensuring enhanced protection of the legitimate interests of payment users. Except in cases of fraud or gross negligence by the payer, the maximum amount a payer could, under any circumstances, be obliged to pay in the case of an unauthorised payment transaction will decrease from €150 to €50.
B. Consumers' rights
The current PSD protects consumer rights in the event of unauthorised debits from an account under certain conditions. A direct debit is based on the following concept: “I request money from someone else with their prior approval and credit it to myself.” The payer and the biller must each hold an account with a payment service provider and the transfer of funds (money) takes place between the payer's bank and the biller's bank. However, since the biller can collect funds from a payer’s account, provided that a mandate has been granted by the payer to the biller, the payer should also have a right to get the money refunded. Member States currently apply different rules with regard to this issue.
In order to enhance consumer protection and promote legal certainty further, PSD2 provides a legislative basis to theunconditional refund right that already exists for SEPA direct debit (i.e. direct debits in euro). In such cases, payers can request a refund even in the case of a disputed payment transaction.
As far as the direct debit schemes for non-euro payments are concerned, where they offer the protection as set out under PSD1, they can continue to function as they do today. However, Member States may require that for such direct debit schemes refund rights are offered that are more advantageous to payers.
Consumers will also be better protected when the transaction amount is not known in advance. This situation can occur in the case of car rentals, hotel bookings, or at petrol stations. The payee will only be allowed to block funds on the account of the payer if the payer has approved the exact amount that can be blocked. The payer's bank shall immediately release the blocked funds after having received the information about the exact amount and at the latest after having received the payment order.
Furthermore, the new Directive will increase consumer rights when sending transfers and money remittances outside the EU or paying in non-EU currencies. The current PSD only addresses transfers inside the EU and is limited to the currencies of the Member States. PSD2 will extend the application of the PSD rules on transparency to "one-leg transactions", hence covering payment transactions to persons outside the EU as regards the “EU part” of the transaction. This should contribute to better information of money remitters, and lower the cost of money remittances as a result of higher transparency on the market.
Finally, the new Directive will oblige Member States to designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of the directive. Payment service providers that are covered by the Directive on their side should put in place a complaints procedure for consumers that they can use before seeking out-of-court redress or before launching court proceedings. The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days.
C. Payment security
The new rules also provide for a high level of payment security. This is a key issue for many payment users and notably consumers when paying via the internet. All payment service providers, including banks, payment institutions or third party providers (TPPs), will need to prove that they have certain security measures in place ensuring safe and secure payments. The payment service provider will have to carry out an assessment of the operational and security risks at stake and the measures taken on a yearly basis.
6. How will PSD2 benefit potential market entrants and contribute to the Single Market?
Since the PSD was adopted in 2007, new services have emerged in the area of internet payments, where so called third party providers (TPPs) offer specific payment solutions or services to customers. For example, there are services which collect and consolidate information on the different bank accounts of a consumer in a single place ("account information services - AIS"). These services will typically allow consumers to have a global view on their financial situation and to analyse their spending patterns, expenses, financial needs in a user-friendly manner. Other third party providers facilitate the use of online banking to make internet payments (so-called "payment initiation services - PIS"). They help to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts, fill-in the information necessary for a transfer (amount of the transaction, account number, message) and inform the merchant once the transaction has been initiated.
Until now, entering the market of payments was complicated for TPPs, as many barriers were preventing them from offering their solutions on a large scale and in different Member States. With these barriers removed, more competition is expected with new players entering new markets and offering cheaper solutions for payments to more and more consumers throughout Europe. The TPPs will have to follow the same rules as the traditional payment service providers: registration, licensing and supervision by the competent authorities. In addition, new security requirements included in the text of the PSD2 will oblige all payment service providers to step up the security around online payments.
PSD2 will allow consumers and merchants to benefit fully from the internal market, particularly in terms of e-commerce. The Directive aims to help develop the EU market for electronic payments, which will enable consumers, retailers and other market players to enjoy the full benefits of the EU internal market, in line with the digital single market. Such further integration is becoming increasingly important as the world moves beyond bricks-and-mortar trade towards a digital economy.
Scope of the Directive
7. What is the scope of the Directive?
The Directive applies to payment services in the European Union. The Directive focuses on electronic payments, which are more cost-efficient than cash and which also stimulate consumption and economic growth.
There are a number of payment means (including cash and cheques) not falling within the scope of this Directive.
8. Will the new rules also apply to international payments?
While the former Directive (2007/64/EC) only applies to intra-EU payments, PSD2 extends a number of obligations, notably information obligations, to payments to and from third countries, where one of the payment service providers is located in the European Union.
The extension of the scope has implications primarily for the banks and other payment service providers that are located in the EU. In practice, this means that these financial services providers shall provide information and transparency on the costs and conditions of these international payments, at least in respect of their part of the transaction. They can also be held liable for their part of the payment transaction if something goes wrong that is attributable to them.
Moreover, the extension in scope will also have as an effect that the same rules will apply to payments that are made in a currency that is not denominated in Euro or another Member State's currency.
This will be an important improvement for consumer protection in particular in the area of global money remittances.
9. To what extent will payments through telecom operators be covered by this Directive?
Under the current PSD, payments made through a telecom operator are not covered, where the telecom operator acts as an intermediary between the consumer and the payment service provider (by operator billing or direct to phone-bill purchases). Under PSD2, the purchase of physical goods and services through a telecom operator now falls within the scope of the Directive.
Under the new rules, the exclusion for payments through telecom operators has also been further specified and narrowed down. The exclusion now covers only payments made through telecom operators for the purchase of digital services such as music and digital newspapers that are downloaded on a digital device or of electronic tickets or donations to charities.
In order to avoid the risk of exposure to substantial financial risks to payers, only payments under a certain threshold are excluded (€50 per transaction; €300 per billing month). Telecom operators that engage in such an activity shall notify to the competent authorities, on an annual basis, that they comply with these limits. The activity will also be listed in the public registers.
Enhanced rules on authorisation and supervision of payment institutions
10. Will there be changes in the authorisation requirements for payment institutions?
Under PSD2, payment institutions are required to fulfil a variety of requirements in order to obtain an authorisation to provide payment services. These requirements are largely the same as under the current PSD.
The main changes relate to the enhanced levels of payment security under PSD2. Entities that wish to be authorised as a payment institution shall provide with their application a security policy document, as well as a description of security incident management procedure, contingency procedures etc.
Capital requirements which aim to ensure financial stability have largely remained the same under PSD2 as they were set out in the original PSD. Specific capital requirements have been defined for third party service providers in relation to their respective activities and the risks these represent. Third party service providers are not subject to own fund requirements. However, they need to hold a professional indemnity insurance covering the territories in which they offer services.
11. Will the rules change for waived payment institutions?
Under the current PSD, entities with an average volume of monthly payment transactions below €3 million can benefit from a lighter authorisation regime, if their Member State of establishment makes use of that option.
This so-called "waiver" regime will be maintained under PSD2 as an option for Member States, albeit with this difference, that Member States making use of the option can decide to define a lower threshold under which such "waivers" can be granted.
Payment institutions that have obtained a waiver under the current Directive may need to re-assess their status under PSD2, depending on whether the Member State that has made use of the option under PSD1 decides to continue to make use of the option and/or to lower the threshold under which the waiver is granted.
12. What are the changes for limited networks under this Directive?
As under PSD, payment transactions based on a specific payment instrument within a limited network - for instance a chain of department stores or a network of petrol stations under the same brand offering a dedicated payment instrument to their customers - are outside the scope of the Directive. In order to ensure a more coherent supervision of such networks across the Union, the Directive provides that networks, when their activities reach a certain value, shall notify these activities to competent authorities, so that these can assess whether or not the network shall apply for a licence as a payment institution. This is to ensure that the financial risks for consumers are minimised.
13. Will this Directive strengthen the supervision of payment institutions that provide services cross-border?
As a main principle, payment institutions are supervised by the Member State where they are authorised to provide the defined payment services (the so-called 'home Member State'). When a payment institution intends to provide payment services in another Member State, the supervision of these activities in principle remains with the home Member State. However, if the payment institution provides these services through established agents or branches in the other Member State (the host Member State), that Member State can act in case of an infringement or a suspected infringement of EU rules under the Directive.
In this respect, the supervision under PSD2 has not changed. However, to reinforce the investigative and supervisory powers of the host Member State, PSD2 has introduced a more detailed passporting procedure. This procedure will ensure better cooperation and information exchange between the national competent authorities. Furthermore, the host Member State can ask payment institutions operating with agents and branches in its territory to regularly report on their activities. To that end, the payment institution can be requested to set up a central contact point in the host territory (see question 15 below). In emergency situations, requiring immediate action, the host Member State is allowed to take precautionary measures with regard to the payment institution concerned, in parallel to the host's duties of cooperation with the home Member State to find a remedy.
The European Banking Authority has been mandated to draft regulatory technical standards on the cooperation and information exchange between authorities.
14. Is there a need to set up a central contact point in a Member State if they are providing payments services cross border?
The PSD2 contains an option for Member States to require a payment institution that provides cross-border payment services to set up a central contact point if it operates with agents or branches that are established in their territory. The central contact point shall ensure adequate communication and information with regard to the activities of the payment institution in the host territory. The European Banking Authority is mandated to draft regulatory technical standards on the criteria under which a central contact point can be requested, and the functions of such contact point.
The fourth Anti-Money Laundering Directive (Directive EU/2015/849) also contains an option for Member States to request a central contact point in its territory. The set-up of such a contact point, however, can only be requested for the purpose of ensuring compliance with the money laundering and anti-terrorist financing rules. This provision should be distinguished from the Member States option under PSD2, which can only be invoked for the purpose of adequate communication and information by the payment institution on compliance with the rules under PSD2.
15. Will payment institutions be able to access accounts maintained by credit institutions?
For payment institutions, access to a payment account maintained by a credit institution is vital for the operation of their business. PSD2 provides specifically that Member States will have to ensure that credit institutions do not block or hinder access to payment accounts and that payment institutions have access to credit institutions' payment accounts services in an objective, non-discriminatory and proportionate manner. This aspect is very relevant for money remittance services as many of them have lost access to the banking system in the recent years.
Security of payments
16. What is strong customer authentication?
The PSD2 text introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. This stricter approach on security should contribute to reducing the risk of fraud for all new and more traditional means of payment, especially online payments, and to protecting the confidentiality of the user’s financial data (including personal data).
Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. Strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction (more specifically, whether the use of a payment instrument is authorised). Strong customer authentication is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the use of a fingerprint or voice recognition) to validate the user or the transaction. These elements are independent (the breach of one element does not compromise the reliability of the others) and designed in such a way as to protect the confidentiality of the authentication data.
For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.
17. Will all payments have to apply strong customer authentication? Are exemptions possible?
As a matter of principle, all electronic means of payment are subject to strong customer authentication. However, exemptions to the principle of strong customer authentication (SCA) are possible, as it is not always necessary and convenient to request the same level of security from all payment transactions.
These exemptions will be defined by the European Banking Authority (EBA) and adopted by the European Commission, taking account of the risk involved, the value of transactions and the channels used for the payment.
Such exemptions could for example include low value payments at the point of sale (to facilitate the use of mobile and contactless payments).
Rules for new types of payment service providers
18. What are payment initiation services?
The PSD2 opens the EU payment market for companies offering consumer or business-oriented payment services based on the access to the information from the payment account – so called "payment initiation services providers" and "account information services providers". Payment initiation services providers typically help consumers to make online credit transfers and inform the merchant immediately of the payment initiation, allowing for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute a true alternative to credit card payments as they offer an easily accessible payment service, as the consumer only needs to possess an online payment account.
19. What are account information services?
Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorise their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning (see also question 21).
20. What is payment instrument issuing?
The issuing of a payment instrument is one of the payment services that falls within the scope of the current PSD and of PSD2. Any authorised payment service provider, be it a bank or a payment institution, can issue payment instruments. Payment instruments do not only cover payment cards, such as debit cards and credit cards, but any personalised device or set of rules agreed between the issuer and the user used to initiate a payment.
PSD2 allows payment service providers that do not manage the account of the payment service user to issue card-based payment instruments to that account and to execute card-based payments from that account. Such “third party” payment service provider – which could be a bank not servicing the account of the payer – will be able, after consent of the user, to receive from the financial institution where the account is held a confirmation (a yes/no answer) as to whether there are sufficient funds on the account for the payment to be made (see also the answer to question 23).
21. What opportunities will these providers offer to consumers and enterprises?
The "payment initiation services providers" allow consumers that shop online to pay for their purchases through a simple credit transfer from their payment account. In some countries, these services are already in use (55% of internet payments in the Netherlands). By providing a proper legal framework in which these services can be offered, PSD2 opens possibilities for providers of these services to operate across the EU and to compete on an equal basis with other regulated players in the market, such as banks.
Account information service providers already exist today and offer tools that allow companies and consumers to have a consolidated view of their financial situation. Nowadays, these services are not regulated, at least at EU level. PSD2 will provide for a common framework with clear conditions under which these providers can access the financial information on behalf of their clients. This will allow these services providers to operate without hindrance and to reach a broader audience which normally does not make use of such account managing services.
Today, account holders are not obliged to use payment instruments offered by the same payment service provider with which they hold their account. For example, credit cards are not only provided by the bank where the user holds its account, but also by third party providers. This does not work, however, in the case of debit cards, where payment service providers have found it very difficult to offer such payment service in connection to accounts not held by them. The source of these difficulties is the fact that these third providers do not have access to feedback information on the availability of funds on the account held by other financial institution. PSD2 lifts this obstacle, which is likely to see consumers benefit from competitive card services offered by third party providers.
22. Will these providers be subject to the same rules other payment institutions i.e. authorisation and security?
The PSD2 requires all that payment services providers be authorised and regulated. The inclusion of new payment providers within the scope of PSD2 will allow competent authorities to better monitor and supervise the activities of these new players.
PSD2 also fully clarifies the liability issues between bank servicing the account of the payer and the payment initiation service. When a payment initiation service provider is used by a payer to initiate a payment, it will be liable for any payment incidents within its sphere. In particular, the bank of the payer shall not be held liable for payment incidents that can be traced back to the initiator.
23. To what extent will these providers have access to information on my payment or bank account?
These new providers will only be allowed to provide the services the payer decides to make use of. In order to provide these services they will not have full access to the account of the payer. Those offering payment instruments or payment initiation services will only be able to receive information from the payer's bank on the availability of funds (a yes/no answer) on the account before initiating the payment (with the explicit consent of the payer). Account information service providers will receive the information explicitly consented by the payer and only to the extent they are necessary for the service provided to the payer.
The security credentials of the payment service user shall not be accessible to other third parties and will have to be transmitted through safe and efficient channels to the bank servicing the account. A dynamically generated code only valid for that specific transaction (linked to the amount and recipient) will have to be used in the authentication process.
24. When will the new rules become applicable? Is there a different date of application for the security requirements?
The new rules will apply in all EU Member States two years after the publication of the Directive in the Official Journal of the EU, which should happen in late 2015. During these two years the PSD rules (Directive 2007/64/EC) will still be in force.
Without prejudice to this, from the date of entry into force of PSD II, Member States should interpret the existing rules in line with PSD2. They must not adopt new measures contradicting the provisions of PSD2.
A different date of application is foreseen for the new security measures - strong customer authentication and standards for secure communication - introduced in the PSD2. Their entry into force is subject to the adoption of the regulatory technical standards which will be developed by the European Banking Authority and adopted by the Commission. As a result, the new security measures shall apply 18 months after the adoption of the standards by the Commission.
25. Will authorisations under the current Payment Services Directive keep their validity under this Directive?
The text of PSD2 foresees transitional provisions for payment institutions that are already authorised to provide services under the current Directive. These institutions are allowed to continue providing payment services for 30 months (authorised institutions) or 36 months (“small” institutions that benefited from the waiver under Article 26 of PSD) after the entry into force of PSD2.
In order to provide payment services beyond that transitional period, the existing payment institutions would need to submit all relevant information required under PSD2 to the competent authorities that have granted them their existing licenses and fully comply with the relevant PSD2 requirements.
In addition, Member States may provide for the existing payment institutions to be automatically granted PSD2 authorisation if the competent authority already possesses evidence that the payment institution complies with PSD2 requirements. Competent authorities shall make such an assessment on a case-by-case basis. They should inform the payment institution concerned before the authorisation is granted.
26. Can existing providers of payment initiation and account information services continue to provide their services after the adoption of this Directive? As of when will they need to apply for a licence?
PSD2 provisions ensure that providers of payment initiation services (PIS) and account information services (AIS) that are already established in the market can continue to perform their activities. More specifically, PSD2 introduces direct obligations on the Member States, requiring them to maintain the current status quo. They shall allow existing PIS or AIS providers in their territories to operate in accordance with the currently applicable regulatory framework.
As the provision of PIS and AIS is a new payment service recognised in PSD2, existing and new providers of such services would need to apply for authorisation under the PSD2 regime from the date of application of the new Directive.
Furthermore, because the new security measures of PSD2 regarding strong customer authentication and standards for secure communication will become applicable later than other provisions (see answer 24), PIS and AIS providers that seek authorisation under PSD2 are not required to submit proof of compliance with these security requirements until that later date. As provision of both types of services is dependent on the authentication procedures provided by banks, upgrades to the security requirements and procedures applied by banks need to be fully implemented by banks before the application of these measures is possible for the PIS and AIS. In case banks do not comply on time with the security requirements and standards for secure communication, they cannot use this non-compliance to hinder or obstruct the use of PIS and AIS.
27. What is the role of the Internet Security Guidelines, published by the European Banking Authority in 2014, during the transitional period?
The EBA guidelines on the security of internet payments address the issue of security of internet payments as an interim solution, until the application of the PSD2 and its more comprehensive security requirements.
When the EBA Guidelines are applied by the competent authorities of the Member States, in the transitional period, they must be interpreted in so far as there is any scope to do so, in line with the PSD2's content and objectives. As a consequence, compliance with the EBA Guidelines on the security of internet payments should not be used to justify obstructing or blocking the use of PIS or AIS.
Pending the full application of the PSD2 rules, including the rules on the security of payments, and in accordance with the PSD2 text, “Member States, the Commission, the European Central Bank and the European Banking Authority, should guarantee fair competition in that market avoiding unjustifiable discrimination against any existing player on the market”.