Whither PSD2?

Simon Deane-Johns reviews the latest proposal for a Directive of the European Parliament and of the Council on payment services in the internal market

The first Payment Services Directive (PSD)[1] was laudable in its ambition to carve-out payment services from banking, though flawed in many respects. In July, the European Commission published its proposed PSD2.[2]  Certain firms will need to stay in touch with the proposals as they grind their way through the byzantine European legislative system over the next few years. PSD2 is aimed at existing institutions, and the operators of e-commerce marketplaces, gift card and loyalty schemes, bill payment service providers, public communication networks, account access services, mobile wallets, and anyone who receives payment by direct debit. This article considers whether PSD2 addresses the flaws in the current regulation, and its wider impact.

Does 'Europe' really need a PSD?

Yes. European banks have enjoyed a monopoly on payment services that entrepreneurs have struggled to challenge. The UK, in particular, suffers from a highly concentrated retail financial banking market[3] reinforced by rigid regulatory structures, the public guarantee of bank liabilities and personal tax incentives. It is unrealistic to assume that innovation and competition will thrive without changes to the regulatory framework.

What's good about the PSD?

The PSD exposed the markets for regulated payment services to new entrants, and contains exemptions that endorse certain unregulated activities, as discussed below. The PSD also minimises the initial capital required to enter the regulated market.[4]

As a result, there are now more than 200 new payment institutions, although over 80% are based in the UK (as are the vast majority of e-money institutions),[5] and many were already trading prior to 2009.

How is the PSD flawed?

The PSD does not accurately reflect the contractual, operational or technological reality of how some payment methods operate, some exemptions are inconsistent and its effect is uncertain in many respects.[6] While the UK's Financial Services Authority (now, in this context, the Financial Conduct Authority or FCA) led the way in trying to clarify the application of the PSD,[7] the 'maximum harmonisation' requirement meant that the mistakes simply had to be implemented.

This has limited the boost to innovation and competition, created confusion amongst the customers and service providers, and made it expensive and time-consuming to understand whether services were in or out of scope or exempt.  Some firms have either not launched certain features or structured services to be regulated unnecessarily, resulting in 'regulatory creep'.

Does PSD2 resolve the flaws in the PSD?

Not in my view. In addition to the substantive issues below, the language is often confusing.[8]

Payment transaction: Perhaps the most fundamental problem lies in the definition of a 'payment transaction':

'an act, initiated by the payer or payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and payee;'[9]

This fails to reflect how card payments work, for example,[10] even though 'acquiring of payment transactions' is specified as a 'payment service'.[11] The definition also conflates the contractual transaction flow with the flow of funds, by assuming that the intended recipient of funds ('payee') is the same as the 'merchant' for example.[12] A cardholder never intends to pay the merchant, even though using the card discharges the cardholder's obligation to pay the merchant under the contract of sale. The cardholder only intends to pay his or her card issuer, either immediately (when using a debit card) or on the due date for payment of the monthly credit card statement. Similarly, when initiating a card transaction the merchant only expects to be paid by its acquirer (who literally buys each transaction submitted to it via the payment terminal or online gateway). As a result, some acquirers consider that the PSD does not apply to their activities.

The FCA has explained how it considers the PSD applies to card acquiring.[13] Yet, in the context of bill payment services, the FCA does not believe that the supplier is the intended recipient of funds where the customer's payment to the service provider discharges the customer's obligation to pay the supplier's bill.[14] PSD2 suggests that the bill payment scenario should be treated as money remittance unless the activity falls under 'another' payment service.[15]

Where payment is ancillary to a core business activity: The notes to PSD2 suggest that 'e-commerce platforms' (undefined) have unfairly relied on being the agent of both consumer and merchant to remain outside the scope of the PSD.[16] However, assuming this is a reference to retail marketplaces for goods and services, it seems unlikely that the operators of such platforms are really engaged in the provision of payment services per se as a business activity. Their business is enabling digital marketing, product search and display, order processing, customer support and other related services. Such activities are already regulated under distance selling, trading standards and other sales regulations which don't require licensing. There are also many other types of online marketplace where payment is but a small ancillary step in the overall service offered by the market operator. In such cases, payment to the operator also usually discharges the customer's debt to the merchant, as in the bill payment scenario.

Such treatment of e-commerce platforms is completely inconsistent with the exemption for transactions involving the purchase of digital content on a telecommunication network, which PSD2 concedes are 'ancillary services to electronic communications services (i.e. the core business of the operator concerned).'[17] While this exemption is to be limited to €50 per transaction and a total of €200 per month, it has also been broadened to apply regardless of the device used for the purchase or consumption of the content. Why telecoms operators should receive special treatment is unclear.

Limited networks: The PSD exempts payment transactions based on payment instruments accepted only within the issuer's premises or certain 'limited networks'.[18] Such instruments are also exempt from the definition of 'electronic money' in EMD2 by reference to the PSD exemption.[19] While this exemption survives under PSD2, operators will be obliged to notify the regulator if the average of their transactions in the preceding 12 months exceeds €1m per month.[20] The regulator may then disagree that the exemption applies. This catches 'closed loop' stored value and other instruments such as retail store cards, gift cards, fuel cards and loyalty programmes. Yet there is no evidence of any harm to consumers in such scenarios, compared to the collapse of retail pre-payment schemes such as those offered by Farepak[21] or tour operators[22] which appear not to be caught.  

New 'payment initiation services' and 'account information services':[23] In essence, these are services provided by 'third party payment service providers' (or 'TPPs')[24] that only involve interfacing with a payment account; whereas providing or maintaining a payment account is the role of an 'account servicing payment service provider' (ASP).[25]

TPPs are considered 'medium risk' for initial capital purposes (€50,000 is required), although they are neither operating a payment account nor (one infers) handling funds.[26] They are also subject to the full weight of the information and contractual requirements, and the obligation to contribute to losses arising from the parts of the transaction that are under their 'control'.[27]

It is also unclear how these services relate to the exemption for technology service providers who supply technology that supports a payment transaction without entering into possession of funds.[28]

At any rate, such services are more akin to personal data services, and the key operational risks would be more readily addressed under the data protection regime, under which official guidance and co-regulation is being developed to govern data sharing and access to personal transaction data.[29] 

If these issues are not addressed, they may well constrain innovation and competition as technology providers could avoid adding payment initiation or account access features to avoid regulatory overhead.

Small payment institutions: PSD2 permits a reduced form of authorisation ('registration') for firms whose average transactions in the preceding 12 months do not exceed €1m per month. The current threshold is €3m per month.[30] No passport is available, and the various authorisation conditions and capital and safeguarding requirements can be waived. It would appear that any small payment institutions whose volumes exceed the new threshold would need to become authorised.

Safeguarding: the safeguarding requirements in PSD2 relate only to funds received from payment service users or through another payment service provider for the execution of 'payment transactions'.[31] That is a narrower range of funds than perhaps one might think, given the problems with the definition of payment transactions discussed above.

In addition, a firm need only deposit funds payable to customers in a segregated bank account 'by the end of the business day following the day when the funds have been received'. The service provider must use an appropriate mechanism under national law to protect those funds from claims by its creditors. However, the timing raises the potential for funds to be deemed the service provider's 'own funds' on receipt and either dissipated at that time or, 'if the music stops' (to quote Chuck Prince[32]), to gather in an own funds account.

To avoid this, it is suggested that the definition of funds to be safeguarded should encompass any that the payment service provider intends to pay to its customers or their payment service providers, and that such funds should arrive into, and be disbursed from, segregated bank accounts that are bankruptcy-remote under the applicable national law.

Flexibility: Member states will have two years to implement PSD2, once adopted. The aim is for it to be adopted by Spring 2014. The Commission will then have a further five years to review its effectiveness. This does not suggest any real ambition to keep pace with rapidly evolving payment methods and services.

Miscellaneous issues

There are numerous remaining issues, but the following are more generally significant:

Is a service supplied on a cross-border basis or by exercise of the right of establishment? This is often unclear, particularly in relation to the use of agents based in other EEA states to facilitate purely online payment services. One would have thought this structure was a fundamental building block of the single market, yet PSD2 gives the authorities another two years after implementation to clarify its regulatory treatment.[33]

Surcharging: PSD2 bans surcharging for the use of payment cards, since interchange fees will be regulated (downward).[34]

Refunds for direct debits etc: it is unclear whether one or two conditions must be satisfied to claim a refund for a direct debit or other payee-initiated payment. Confusing limits and exceptions apply.[35] These rules are also inconsistent with the cancellation rights for distance sales. For instance, distance marketing cancellation rights are limited to the first of 'successive operations of the same nature' or a 'series of separate operations of the same nature'.[36] Yet PSD2 would allow the consumer to reclaim subsequent instalments paid by direct debit, even if he or she is no longer entitled to cancel (or terminate) the contract under which instalments are due.

Security: PSD2 mandates the use of 'strong customer authentication',[37] as well as additional internal controls related to security and fraud.[38] Payment service providers are also to be subject to the Network and Information Security Directive, including risk management and incident reporting obligations.[39]

Calculating capital requirements: As under the PSD, the requirement in PSD2 to hold certain capital 'at all times' is at odds with the methods of calculating those requirements.[40]

Force majeure: Typically, force majeure arises where a party is prevented from performing an obligation due to circumstances beyond that party's 'reasonable control'. However, Article 83 refers to consequences 'which would have been unavoidable despite all efforts to the contrary…'. This arguably introduces a 'best endeavours' obligation.

Complaints handling: The deadline for a firm to resolve a complaint is reduced from 8 weeks to 15 to 30 business days.[41]

Simon Deane-Johns is a consultant solicitor with Keystone Law and Chair of the SCL Media Board.

 

 



[1] Directive 2007/64/EC

[2] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0547:EN:NOT

[3] Final Report, Independent Commission on Banking, September 2011 https://hmt-sanctions.s3.amazonaws.com/ICB%20final%20report/ICB%2520Final%2520Report%5B1%5D.pdf

[4] The first Electronic Money Directive (EMD1), introduced in 2000, required electronic money institutions (EMIs) to hold initial capital of €1m. But in 2009, the PSD enabled 'payment institutions' to launch other types of payment services with only €125,000 of initial capital. In 2011, EMD2 reduced the initial capital for EMIs to €350,000.

[5] Source: European Payment Institutions Federation: http://www.paymentinstitutions.eu/

[6] Partly acknowledged in Recital 3 to PSD2

[7] Approach to the regulation of payment services

[8] Eg Articles 67 and 68; and 72 to 75. In other cases it is not clear whether references are to the payment service provider of the payee or payer.

[9] Article 4: 'payee' means a person who is the intended recipient of funds which have been the subject of a payment transaction;

'payer' means— (a) a person who holds a payment account and initiates, or consents to the initiation of, a payment order from that payment account; or (b) where there is no payment account, a person who gives a payment order;

'payment account' means an account held in the name of one or more payment service users which is used for the execution of payment transactions;

'payment instrument' means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;

'payment order' means any instruction by— (a) a payer; or (b) a payee.

[10] Deane-Johns, S. 'How Card-based Merchant Acquiring Really Works' Computers & Law, April 2012

[11] Paragraph 5, Annex 1

[12] See also recital 62

[13] Para 8.147 and Annex 5 to the FCA's Approach to the regulation of payment services.

[14] FCA Perimeter Guidance: PERG15, Q.25: http://media.fshandbook.info/content/FCA/PERG/15.pdf

[15] Recital 19

[16] At page 10, Article 3(b). Strangely, the PSD2 seeks to limit e-commerce platforms to representing either the consumer or the merchant, rather than both, if their payment processing is to remain exempt. This is not a very firm distinction, given that 'agency' comes in many forms (at least under English law), and the effect of the agency relationship may be achieved by, say, an outsourcing arrangement between principals.

[17] Article 3(l). 'Digital content' is defined in Article 2(11) of Directive 2011/83/EU to mean 'data which are produced and supplied in a digital form'.

[18] Article 3(k)

[19] Article 1(4)

[20] Recitals 12 and 15; and Article 30. The notes claim that this threshold represents 'massive payment volumes and values… implies greater risks and no legal protection for payment service users'.

[21] http://news.bbc.co.uk/1/hi/business/6124406.stm

[22] http://www.telegraph.co.uk/travel/travelnews/8649837/Holidaymakers-hit-by-tour-operator-collapse.html

[23] Article 4(32), Article 4(33) and point 7 of the Annex

[24] Article 4(11)

[25] Article 4(10). However, an ASP is defined as someone who provides and maintains payment accounts for a payer' rather than 'payee'. So the status of the payment service provider of the payee in this respect is unclear.

[26] Article 6

[27] Recital (69), Article 82. The issue of 'control' will vary depending on how the TPP integrates with the ASP, who must allow the TPP to rely on the ASP's authentication methods (see 'Security').

[28] Article 3(j).  It would also be important to consider whether such services would now be classified as exempt financial services for VAT purposes; if, indeed, payment services generally will continue to be, to the extent that they seem to merely involve the payment of debts.

[29] Eg in connection with UK government's Midata programme. See Midata Thoughts No. 2

[30] Article 26, PSD; Article 27, PSD

[31] Article 9

[32] 'Prince Finally Explains His Dancing Comment', DealBook, NY Times, April 8, 2010

http://dealbook.nytimes.com/2010/04/08/prince-finally-explains-his-dancing-comment/?_r=0

[33] Article 26(5)

[34] Articles 55(3) and (4)

[35] See Article 67 and 68

[36] Regulation 5, Financial Services (Distance Marketing) Regulations 2004

[37] Articles 4(22), 66, 82 and 87

[38] Article 5

[39] Article 85; See http://ec.europa.eu/digital-agenda/en/news/commission-proposal-directive-concerning-measures-ensure-high-common-level-network-and

[40] Article 8. The calculation refers to overheads or transactions 'in the preceding year'. Is this by reference to a specific anniversary, or a rolling 12 month period to date?  Similarly, the 'relevant indicator' is calculated 'over the previous financial year'.

[41] Article 90

Published: 2013-10-03T10:46:43

    0 comments

      Please wait...