PSD2 Redux – Updated

November 3, 2014

The first Payment Services Directive (PSD)[1] was helpful in its ambition to carve out payment services from the banking monopoly, spawning over 200 payment institutions.[2] But it was flawed in many respects, which created market uncertainty. In July 2013, the European Commission proposed a new directive (‘PSD2’),[3] which I compared with the PSD in an earlier article for the SCL.[4] The European Council proposed further revisions to PSD2 in September, for which I updated the comparison earlier this month,[5] and these were further revised in October.[6] Following discussion of a further interim draft in November, a final compromise draft (dated 1 December 2014) has since been published, with a recommendation that it be referred to the Parliament for agreement at first reading (see data.consilium.europa.eu/doc/document/ST-16154-2014-INIT/en/pdf).

This will be of particular interest to existing e-money and payment service providers, operators of loyalty schemes (including store cards or gift cards), those who supply or rely on technology which initiates payments, displays data from one or more payment accounts or supports payment transactions, e-commerce marketplaces and public communication network operators. If and when PSD2 is approved, Member States will have two years to implement the provisions, and must apply them two years after PSD2 takes effect – well within the IT development windows of larger firms and likely to impact plans for many start-ups.

How is the PSD flawed?

The PSD does not accurately reflect the contractual, operational or technological reality of how some payment methods operate, some exemptions are inconsistent and its effect is uncertain in many respects. This has limited the boost to innovation and competition, created confusion amongst customers and service providers, and made it expensive and time-consuming to understand whether services were out of scope, or in scope but exempt on certain conditions. Accordingly, some firms have structured services artificially, resulting in ‘regulatory creep’.

Does PSD2 resolve the flaws in the PSD?

Not in my view, for the reasons given below. In fact, the proposals seem likely to reduce innovation and competition, by handing control over wider transaction technology to regulated financial institutions, and leaving the development of security standards to be controlled by the European Banking Authority.

First, a Few Definitions…

Perhaps the most fundamental problem lies in the definition of a ‘payment transaction’, which is carried through into PSD2:

‘an act, initiated by the payer or payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and payee.’

A ‘payee’ is ‘a person who is the intended recipient of funds which have been the subject of a payment transaction’ (my emphasis). The trouble with these definitions is that they assume the intended recipient of funds (‘payee’) is always the supplier of goods or services (the ‘merchant’), thereby conflating the contractual arrangements and funds flows related to the payment method used, on the one hand, with the contract for sale of goods or services on the other. Yet a cardholder, for example, never actually intends to pay the merchant, even though using the card to make a payment discharges the cardholder’s obligation to pay under the contract of sale.[7] In fact, the cardholder intends to pay her card issuer from her current account, either immediately (when using a debit card) or on the due date for payment of her monthly credit card statement. Similarly, the merchant only expects to be paid by its card acquirer, who literally buys each transaction submitted to it via the merchant’s payment terminal or online gateway. As a result, some acquirers consider that the PSD does not apply to their activities.

Of course, the UK’s Financial Conduct Authority has dutifully explained how it considers the PSD applies to card acquiring.[8] Yet in the context of bill payment services, where the customer’s payment to the service provider also discharges the customer’s obligation to pay the supplier’s bill, the FCA does not believe that the supplier is the intended recipient of funds.[9]

The recitals in PSD2 attempt to cure this by requesting Member States to treat bill payment services as money remittance unless the activity falls under ‘another’ payment service. In addition, the term ‘acquiring of payment transactions’ has been defined to mean ‘a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which result in a transfer of funds to the payee.’ Leaving aside the circularity in the definition, this may catch the merchant acquiring (or bill payment service), since as between the acquirer or bill payment service provider and the merchant or utility, there is a contract to accept and process payment transactions and the latter is intended to be a payee of funds which are in due course actually transferred. But the definition creates a fresh problem, as it is not clear from whom the transfer of funds to the payee must actually originate. For example, it would seem to catch anyone who supplies to a payee any software etc. that processes payment transaction data in a way that triggers a payment to that payee (eg ‘gateway’ data transfer services supplied to a merchant), even though the service provider does not itself enter into possession of any funds due to the payee. Incidentally, that would also be consistent with the re-casting of the ‘technology service provider’ exemption, discussed below.

Exemptions

Technology service providers

The PSD exempts services provided by technical service providers which support the provision of payment services, without the service provider entering into possession of the funds to be transferred. However, PSD2 requires that such services will be exempt only if they are offered to authorised payment service providers (‘PSPs’) rather than payment service users.  The recitals to PSD2 confirm that this is intended to apply to so-called payment ‘gateway’ services, for example, which are transaction data transfer services that are often supplied to merchants in parallel with a card acquiring service, rather than to the acquirer.

Where payment is ancillary to a core business activity

The recitals to PSD2 suggest that ‘e-commerce platforms’ (undefined) have unfairly relied on being the agent of both consumer and merchant to remain outside the scope of the PSD. As a result, PSD2 amends the exemption to allow the agent to be authorised to negotiate or conclude the sale or purchase of goods or services on behalf of both the payer and the payee only if the agent does not enter into possession of their funds in the process.

However, it seems unlikely that the operator of an e-commerce marketplace is really engaged in the provision of a payment service as a business activity in its own right. The business activity is arguably enabling a wider end-to-end service that comprises digital marketing, product search and display, order processing, customer support and so on. Such activities are already regulated under distance selling, trading standards and other sales regulations. Payment to the operator also usually discharges the customer’s debt to the merchant, as in the bill payment scenario. As such, the act of payment is but a small ancillary step in the overall service offered by the market operator.

Such treatment of e-commerce platforms is also completely inconsistent with the exemption afforded for transactions involving the purchase of digital content on a public telecommunications network, which PSD2 concedes are merely ‘ancillary services to electronic communications services (i.e. the core business of the operator concerned).’ PSD2 limits this exemption to €50 per transaction and either a total of €200 per billing month or, in the case of pre-funded accounts, €200 per calendar month. But the exemption will apply regardless of the device used for the purchase or consumption of the content. Unfortunately for the network operators, however, the term ‘digital content’ is limited by the qualification that the content must ‘not allow in any way the use or the consumption of physical goods or services’. A software application or mobile app could be said to ‘allow the use’ of the physical device on which it runs.

Network operators receive another regulatory favour in the form of exemptions for payment transactions of up to €50 each, or €200 a month in total, ‘by a provider of electronic communication networks or services for a subscriber’ where those transactions are performed from or via an electronic device and charged to the related service bill for either the purchase of tickets or ‘within the framework of charitable activity’. The recitals suggest that the ticket exemption is limited to electronic tickets related to transport, entry to venues and so on that replace physical tickets, but this is not clear from the exemption itself. Firms benefiting from these exemptions will need to notify the local regulator and provide an annual auditor’s report testifying that they meet the requirements for the relevant exemption.

Limited networks

The PSD exempts payment transactions based on payment instruments accepted only within the issuer’s premises or certain ‘limited networks’. This exemption survives under PSD2 and has been extended to cover public instruments for specific social or tax purposes. However, the same instrument cannot be used in more than one limited network or to acquire an ‘unlimited range of goods and services’.[10]  

In addition, operators will be obliged to notify the regulator ‘if the average of the preceding 12 months’ total value of payment transactions executed exceeds €1million [per month]’. The regulator must then inform the European Banking Authority (‘EBA’), which will publish the fact. This gives regulators the opportunity to disagree that the exemption applies, and there is no provision for an orderly transition to full authorisation or registration as an agent of an authorised firm in this event. Yet there is no evidence of any harm to consumers in such scenarios, compared to the collapse of retail pre-payment schemes, such as those offered by Farepak[11] or tour operators,[12] which appear not to be caught.

Automated teller machine services

PSD2 maintains the exemption for services which enable the withdrawal of cash from ATMs where the service provider is acting on behalf of card issuer(s) who have no contract with the cardholder. However, such exempt ATM service providers cannot conduct any other regulated payment services, and they must give the cardholder and payee certain information about each transaction before and after processing.

Territorial Scope and Passporting

Territorial scope

PSD2 is intended to apply to ‘payment services provided within the Union’. The main provisions that apply to actual supply of payment services are those requiring disclosure of certain information to customers and customer contracts and those creating specific rights and obligations. These apply:

1. to payment transactions in the currency of a Member State, where both the payer’s and payee’s PSPs are, or the sole PSP is, located ‘therein’;

2. with certain exceptions, to payment transactions:

(a) not in a currency of a Member State, where both payer’s and payee’s PSPs are, or the sole PSP is, located ‘therein’ in relation to the parts of the payment transaction carried out in the Union;

(b) where only one of the PSPs is located ‘within the Union, in respect to those parts of the payment transaction which are carried out in the Union.’

Unfortunately, it is not clear whether the word ‘therein’ in the first two provisions refers to the Member State or the Union. Each Member State may also choose to ignore the specified exceptions in each case, which opens up the possibility for inconsistent assertions of jurisdiction throughout the Union.

Passporting

PSD2 empowers host Member States to require passporting firms operating through branches or agents under the right of establishment to report to them on the activities carried out in the host territory by the firm’s agents or branches. Host states may then contact the passporting firm’s home state regulator with any allegations of non-compliance. This is likely to be administratively burdensome and undermines the concept of home state control. This could be especially problematic for firms who rely on agents in other Member States to refer electronic transactions across borders (eg e-commerce ‘aggregators’). Branches of payment institutions, together with details of the branch managers, will have to be registered with the home Member State authority.

Types of Payment Service

New ‘payment initiation services’ and ‘account information services’

In essence, these are services provided by ‘third party’ PSPs (which we will call ‘TPPs’). They only involve interfacing with a payment account; whereas an ‘account servicing payment service provider’ (‘ASP’) actually provides or maintains a payment account.

The new ‘payment initiation service’ is a ‘service to initiate a payment order at the request of payment service user with respect to a payment account at another service provider’. Member States must ensure that payers have the right to use a payment initiation service in relation to payment accounts that are accessible online. A firm offering such a service is called a ‘payment initiation service provider’. Such firms must not handle the payer’s funds in connection with the provision of the payment initiation service. Payment initiation service providers bear the burden of proving that the payment order was received by the payer’s ASP.

The new ‘account information service’ is a service to provide consolidated information on one or more payment accounts held by a payment service user with one or more other PSPs. The provider of such a service is an ‘account information service provider’. They will be exempt from certain authorisation requirements, in which case these firms will be treated as payment institutions but will not need to comply with the information and contractual requirements in Titles III and IV, with certain exceptions. The authorities will not be able to require a separate entity to be incorporated merely to provide account information services, unlike for other types of payment service.

The existing PSD service of ‘issuing of payment instruments’ is now defined as ‘a payment service where a [PSP] provides the payer with a payment instrument to initiate and process the payer’s payment transactions’ (emphasis added). This is presumably to distinguish this activity from a ‘payment initiation service’. A requirement has also been added to the pre-contract information to be provided to customers which casts new light on the intended meaning of ‘payment instrument’. Essentially, the requirement seems to mean that, where customers are shown a range of different card-scheme brands as payment options prior to checkout (termed ‘the issuance of a payment instrument’), they should be informed that they have the right to select a particular brand and to change their selection at point of sale. Describing a checkout process as a ‘payment instrument’ (rather than merely the payment methods available on it) suggests that the entity which serves up the web page that enables checkout is itself the issuer of a payment instrument and should be authorised accordingly. However, it is likely that many e-commerce merchants will host their own checkout page or process, and the transaction only moves to the acquirer’s servers either once the customer has selected which type of payment instrument he or she wishes to use or (if the merchant is PCI compliant) once the transaction is captured and sent to the acquirer. This would effectively require merchants either to cease hosting any aspect of the checkout process or to become authorised as payment issuers, which seems revolutionary.

TPPs who initiate payments will require initial capital of €50,000 and (along with account information service providers), hold professional indemnity insurance. TPPs are also subject to the full information and contractual requirements and certain other obligations, except to the extent that a Member State exempts account information service providers from such requirements. Where a TPP initiates payment transactions:

- it has the burden of proving that within its ‘sphere of competence’ the payment transactions were authenticated, accurately recorded and not affected by a technical breakdown or other deficiencies linked to ‘the payment service it is in charge of’; and

- as well as providing certain data about the transactions initiated through them to the payer, the TPP must also provide that data to the payee. How it will do so is unclear, given there is usually no direct relationship between one payment service user and another’s PSP. The TPP initiating the transaction may currently be in a position to transmit data only to its own customer’s ASP and the ASP of the other user.

However, it is arguable that such transaction initiation and account information services would be more appropriately regulated via the data protection regime, which governs data sharing and access to personal transaction data more generally.[13] It does not seem appropriate for financial institutions to be given control over wider transaction technology, and for the EBA to dictate the security standards, merely because that technology also happens to handle payments.  

Rights and Obligations Related to Payment Services

Surcharging

PSD2 bans surcharging for the use of payment cards and any other instruments where any interchange fees are separately regulated. Member States may also ban or limit surcharging by a payee for any payment instrument ‘taking into account the need to encourage competition and promote the efficient use of payment instruments’.

Refunds for direct debits etc initiated by or through a payee

Where any unauthorised payment transaction was initiated through a payment initiation service provider other than the provider of the relevant payment account, the payer can obtain a refund from either service provider. If the refund is paid by the ‘innocent’ service provider, it can obtain compensation from the guilty service provider for the reasonable costs incurred, in addition to the amount of the refund. The same rights apply in the case of non-executed or defective payment transactions.

A payer is to be entitled to a refund of authorised payment transactions initiated by or through a payee (eg direct debits) if the authorisation did not specify the exact amount of the payment when authorised and the amount ‘exceeded the amount the payer could reasonably have expected taking into account the previous spending pattern, the conditions in the framework contract and relevant circumstances of the case’. Here the onus is on the payer to prove the refund conditions are met, but PSPs can agree to make a refund anyway. Equally, the PSP can agree there is no right to a refund where consent was given directly to the PSP and information on the transaction was provided to the payer at least four weeks before the due date.

However, regardless of the refund position, a payer can revoke a payment order for a direct debit by the end of the business day before the due date for debiting the funds (and later if agreed with the PSPs).

Payments by mistake

If a payer makes a payment to the wrong payee through the payer’s own error, the payer’s PSP must make reasonable efforts to recover the funds involved. The payee’s PSP must cooperate in these efforts ‘also by communicating to the payer all relevant information’. It should be noted that the previous drafts included an obligation, where the payee refuses to give up the funds, to inform the payer of the payee’s identity and address, with notice to the payee, so the payer can take further action. It is not clear whether this remains within the scope of ‘all relevant information’.

Force majeure

Typically, force majeure arises where a party is prevented from performing an obligation due to circumstances beyond that party’s ‘reasonable control’. However, Article 83 refers to consequences ‘which would have been unavoidable despite all efforts to the contrary, or where a [PSP] is bound by other legal obligations covered by national or Union legislation’. This arguably introduces a ‘best endeavours’ type obligation.

Complaints handling

The overall deadline for a firm to resolve a complaint is reduced from 8 weeks to 15 business days (or, up to a total of 45 business days if there is a delay for reasons beyond the control of the PSP, and the PSP indicates the reasons for delay and the date for a final reply).

Non-discriminatory access to bank accounts for PSPs

Credit institutions (banks) will not be able to discriminate in the provision of bank account services to authorised or registered payment institutions or e-money institutions. It would be good to see this requirement extended more broadly!

Security

Security and use of payment account data

The latest version of PSD2 is more prescriptive on security matters. Member States may reduce the €50 limit of liability even where a payer has not fraudulently or intentionally failed to either keep security credentials ‘safe’ or notify the service provider of loss, theft, unauthorised use etc of a payment instrument.

Subject to exemptions in EBA technical standards to be developed in due course (see below), all PSPs must apply strong authentication when a payer accesses a payment account online; initiates an electronic payment transaction; and/or ‘carries out any action through a remote channel which may imply a risk of fraud or other abuses’. Such PSPs must ‘adopt specific security requirements to protect the confidentiality and integrity of the users’ personalised security credentials’. The ASP must allow TPPs to rely on the authentication procedures provided by the ASP to the user. In the case of a payment transaction that is initiated via the Internet or through a device that can be used for distance communications (a ‘remote payment transaction’), the authentication must ‘include elements dynamically linking the transaction to a specific amount and a specific payee’.
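The ‘dynamic linking’ requirement is easier to appreciate with a concrete mechanism in front of you. The following Python is an added illustration written for this article, not code from the article, from PSD2 or from the EBA: it models a payer’s authentication device computing a one-time code over the exact amount and payee shown to the payer, and the ASP refusing the transaction if either element has changed in transit or if the code is presented a second time. The shared secret, the challenge format, the IBANs and the amounts are all constructed for the example; the HMAC construction is a generic one and makes no claim about what the EBA’s eventual technical standards will prescribe.

```python
# Added illustration of 'dynamic linking' for remote payment transactions.
# Everything here is constructed for the example: the device secret, the
# challenge scheme, the sample IBANs and amounts. The HMAC-based code is a
# generic construction, not the EBA's technical standard.
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for a key provisioned to the payer's
# authentication device (card reader, mobile app). Fixed so the example is
# deterministic; a real deployment would never hard-code it.
DEVICE_SECRET = bytes.fromhex("00" * 16 + "ff" * 16)


def canonical_message(amount_cents: int, payee_iban: str, challenge: bytes) -> bytes:
    """Encode the linked elements unambiguously with length-prefixed fields,
    so that no two (amount, payee, challenge) triples share an encoding."""
    fields = [
        str(amount_cents).encode("ascii"),
        payee_iban.upper().replace(" ", "").encode("ascii"),
        challenge,
    ]
    out = b""
    for field in fields:
        out += len(field).to_bytes(2, "big") + field
    return out


def device_sign(secret: bytes, amount_cents: int, payee_iban: str, challenge: bytes) -> str:
    """What the payer's device computes after displaying the amount and payee
    to the payer for approval. Truncated to 16 hex digits (64 bits) for entry."""
    mac = hmac.new(secret, canonical_message(amount_cents, payee_iban, challenge), hashlib.sha256)
    return mac.hexdigest()[:16]


class AccountServicingPsp:
    """Minimal model of the ASP side: issues single-use challenges and verifies
    that the presented code was computed over the transaction it is about to execute."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._open_challenges = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self._open_challenges.add(challenge)
        return challenge

    def verify(self, amount_cents: int, payee_iban: str, challenge: bytes, code: str) -> bool:
        # A challenge may be used for exactly one attempt, successful or not;
        # this blocks replay of an approved code and guessing against one challenge.
        if challenge not in self._open_challenges:
            return False
        self._open_challenges.discard(challenge)
        expected = device_sign(self._secret, amount_cents, payee_iban, challenge)
        return hmac.compare_digest(expected, code)


def run_scenario() -> dict:
    """Exercise the legitimate flow and three failure modes; returns outcomes."""
    asp = AccountServicingPsp(DEVICE_SECRET)
    amount = 12_500                              # constructed: EUR 125.00
    payee = "DE89 3704 0044 0532 0130 00"        # constructed sample IBAN
    results = {}

    # 1. Payer approves EUR 125.00 to the displayed payee; ASP executes the same.
    ch = asp.new_challenge()
    code = device_sign(DEVICE_SECRET, amount, payee, ch)
    results["legitimate"] = asp.verify(amount, payee, ch, code)

    # 2. The same code is presented again: rejected because the challenge is spent.
    results["replay"] = asp.verify(amount, payee, ch, code)

    # 3. Amount altered between the payer's approval and the ASP: code no longer matches.
    ch = asp.new_challenge()
    code = device_sign(DEVICE_SECRET, amount, payee, ch)
    results["amount_tampered"] = asp.verify(99_999, payee, ch, code)

    # 4. Payee altered: the code was linked to the original payee, so it fails.
    ch = asp.new_challenge()
    code = device_sign(DEVICE_SECRET, amount, payee, ch)
    results["payee_tampered"] = asp.verify(amount, "GB29 NWBK 6016 1331 9268 19", ch, code)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:16s} -> {'accepted' if ok else 'rejected'}")
```

The point the code makes is that a static one-time password would pass checks 3 and 4: only a code computed over the amount and payee the payer actually saw lets the ASP detect that either was changed by whatever sits between the payer’s device and the bank.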

All PSPs must establish an operational risk management framework and provide the regulator with their assessment of the risks and the adequacy of their controls. In addition, PSPs must classify ‘major incidents’, which must be reported to their home state authority without undue delay. In turn, the home state authority must report such major incidents to the EBA and the European Central Bank. Where a security incident (one assumes a ‘major’ security incident) impacts the financial interests of users, the PSP must, without undue delay, inform the users of the incident and the possible measures they can take to mitigate the adverse effects.

In addition, there are specific rules relating to TPPs depending on whether they initiate payments, issue a payment instrument or provide account information services; and different rules for ASPs in their dealings with different types of TPPs.

ASPs may discriminate against data requests through account information service providers only where doing so is objectively justified.  However, they can agree with payment service users to deny access to payment account data for any TPPs ‘for objectively justified and duly evidenced reasons related to unauthorised or fraudulent use of payment initiation services’, but must inform the payer and unblock the access once the reason no longer exists.

EBA technical standards

PSD2 empowers the EBA to set various technical standards, including those for strong customer authentication and communications among PSPs and with users. These may allow exemptions based on the level of risk; the amount or recurrence of a transaction; and ‘the payment channel used to execute the transaction’. The wisdom of tying the development of security precautions for regulated payment services to the speed of European bureaucracy is to be doubted. Initial drafts of the EBA’s technical standards are to be made available 12 months after PSD2 is approved (although the EBA is currently consulting on certain ‘guidelines’).[14] There is no explicit deadline for them to be finalised. However, existing PSPs will be obliged to implement the standards within 18 months after the technical standards take effect, and newly authorised providers of payment initiation or account information services will need to implement the standards as soon as they take effect. The EBA is tasked with reviewing and, if appropriate, updating the standards ‘on a regular basis’ but neither the frequency nor regularity of such reviews is specified.

Housekeeping and Transitional Arrangements

Acquisitions of shares in payment institutions

The existing or proposed shareholder, rather than the payment institution or e-money institution, has the obligation to inform the authorities of any decision to acquire or increase a shareholding in that institution, which regulators will be empowered to block.

Transitional arrangements

Transitional provisions will give existing payment and e-money institutions an extra six months from implementation at national level to obtain any additional authorisation(s) required under PSD2. While PSD2 nominally requires such institutions to provide information that enables the regulator to assess whether they still meet all the conditions for authorisation, Member States may give their regulators power to grant authorisation automatically to payment institutions where they already have such information. Strangely, however, the same discretion is not granted to Member States in the case of e-money institutions.  

Firms operating under a waiver would have an extra 12 months to either become authorised or obtain a fresh waiver, unless the regulator has enough evidence to grant the waiver automatically where that power is given to them.  

Failure to satisfy the regulator of the conditions for authorisation or a waiver would mean the firm is no longer authorised, or the waiver is lost, as the case may be. 

Simon Deane-Johns is a consultant solicitor with Keystone Law and Chair of the SCL Media Board. 



[1] Directive 2007/64/EC

[2] Source: European Payment Institutions Federation: http://www.paymentinstitutions.eu/ . Key in this process was the reduction in the amount of initial capital required to start a payment institution. In 2000, the first Electronic Money Directive required electronic money institutions (EMIs) to hold initial capital of €1m. But in 2009, the PSD enabled ‘payment institutions’ to launch other types of payment services with only €125,000 of initial capital. In 2011, EMD2 reduced the initial capital for EMIs to €350,000.

[3] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0547:EN:NOT

[4] http://www.scl.org/site.aspx?i=ed33494

[5] http://www.scl.org/site.aspx?i=ed38944

[6] http://data.consilium.europa.eu/doc/document/ST-14314-2014-INIT/en/pdf on 14 October 2014; and http://data.consilium.europa.eu/doc/document/ST-14971-2014-INIT/en/pdf on 31 October 2014.

[7] Deane-Johns, S. ‘How Card-based Merchant Acquiring Really Works’ Computers & Law, April 2012

[8] Para 8.147 and Annex 5 to the FCA’s Approach to the regulation of payment services.

[9] FCA Perimeter Guidance: PERG15, Q.25: http://media.fshandbook.info/content/FCA/PERG/15.pdf

[10] The recitals to PSD2 go into some detail on what is intended here. In particular, they state that ‘instruments which can be used for purchases in stores of listed merchants should not be exempted… as such instruments are typically designed for a network of service providers which is continuously growing.’

[11] http://news.bbc.co.uk/1/hi/business/6124406.stm

[12] http://www.telegraph.co.uk/travel/travelnews/8649837/Holidaymakers-hit-by-tour-operator-collapse.html

[13] For example, in connection with UK government’s Midata programme: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/327845/bis-14-941-review-of-the-midata-voluntary-programme-revision-1.pdf

[14] http://www.eba.europa.eu/documents/10180/855014/EBA-CP-2014-31+%28CP+on+security+of+internet+payments%29.pdf