The following article is reproduced from the February 2018 edition of Exchange – International magazine. For more about financial services regulatory issues across the world, the full magazine is available for download here.
The second Payments Services Directive (2015/2366) (PSD2) came into force throughout the EU on 13 January 2018. PSD2 strengthens and extends the legal foundation for an EU single market for payment services, covering payment institutions, credit institutions and e-money institutions. It is designed to address the significant technological developments which have occurred in retail payment services since the First Payment Services Directive (2007/64) (PSD1) was adopted in 2007.
This article considers the recent developments around PSD2, both at a European and UK level, before providing an overview of its implementation status in key European jurisdictions.
PSD2 – Implementation at European level
Delegated Regulation supplementing the Interchange Fee Regulation with regulatory technical standards on the separation of payment card schemes and processing entities
On 18 January 2018, the Delegated Regulation on interchange fees for card-based payment transactions (2018/72) (Delegated Regulation) was published in the Official Journal of the EU (OJ).
This legislative instrument contains the regulatory technical standards (RTS) on establishing the requirements to be complied with by payment card schemes and processing entities. It supplements the existing Interchange Fee Regulation (2015/751) (IFR), which introduced caps on the fees of consumer debit and credit card payments, allowed retailers to choose which card payment options to use and required card schemes to ensure the independence of their own processing activities from the rest of their operations. To ensure such independence, the new RTS rules introduce detailed requirements around the separation of certain functions, including limits on information exchange and separate profit and loss accounts, corporate authorisations and decision making.
The Delegated Regulation will enter into force on 7 February 2018.
Payments Accounts Directive technical standards published
On 11 January 2018, a number of technical standards required under the Payment Accounts Directive (2014/92) (PAD) were published in the OJ.
PAD came into force on 17 September 2014, with member states having to transpose most of its provisions into national law by 18 September 2016. Its aim was to improve the transparency and comparability of fee information about payment accounts (including current accounts), help people switch payment accounts, and ensure every EU resident has access to a basic bank account.
The technical standards, which were all adopted by the Commission on 28 September 2017, are summarised below:
- Commission Delegated Regulation (2018/32) – contains RTS outlining standardised terminology for most representative services linked to a payment account (article 3(4) of the PAD);
- Commission Implementing Regulation (2018/33) – contains implementing technical standards (ITS) with respect to the standardised presentation format of the statement of fees and its common symbol. This concerns the requirement that payment service providers (PSPs) provide the customer with a statement on fees and applicable information regarding interest rates at least annually and free of charge; and
- Commission Implementing Regulation (2018/34) – contains ITS on the standardised presentation format of the fee information document and its common symbol. This relates to the requirement that PSPs provide the customer with a fee information document in a durable medium.
Final EBA guidelines on security measures for operational and security risk under PSD2
On 12 December 2017, the EBA published its final report on guidelines on the security measures for operational and security risks under PSD2.
This provides that PSPs shall establish a framework with appropriate risk mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide.
In developing these guidelines, the EBA has considered existing EBA guidelines on the security of internet payments under PSD1 and carried out a risk analysis to determine the main threats and vulnerabilities to which PSPs are exposed.
In total, the EBA sets out 9 guidelines around the security measures for operational and security risk. These include a general requirement for proportionality, as well as guidelines covering governance, risk management and control models, outsourcing, risk assessment, processes and assets, the protection and integrity of data and systems, physical security and access control.
The guidelines also cover the monitoring, detection and reporting of operational or security incidents, business continuity management, scenario-based continuity plans, the testing of security measures, situational awareness and the management of the relationship with payment service users.
The official EU language versions of the guidelines were published on the EBA website on 12 January 2018, meaning they will apply once the NCAs have implemented them into their national and supervisory frameworks.
UK implementation of PSD2
PSD2 is being transposed into UK law via the Payment Services Regulations 2017 (PSRs 2017), most provisions of which came into force on 13 January 2018 in accordance with the timescales under PSD2. The PSRs 2017 repeal and replace the Payment Services Regulations 2009 (SI 2009/209). A number of workstreams with respect to the implementation of PSD2 are still ongoing in the UK, the most recent of which are outlined below.
PSR open letter to NPSO
On 18 January 2018, the Payment Systems Regulator (PSR), published an open letter from its Managing Director Hannah Nixon to the CEO of the New Payment System Operator (NPSO), Paul Horlock, setting out the PSR’s expectations of the NPSO’s initial priorities.
The formation of the NPSO had been announced in September 2017. This organisation will take over the operation of the three key interbank retail payment systems (Bacs, Faster Payments and the new Image Clearing System for cheques).
Ms Nixon notes that the following targets “would need to be met for the NPA to be successful”:
- increased innovation in the payments industry;
- effective competition across all layers of the New Payments Architecture (NPA);
- delivery of the NPA in a timely manner, with support and engagement from all stakeholders; and
- a NPA which is technically robust and resilient.
The PSR also sets out the following 6 priorities for the NPSO:
(i) stakeholder engagement; (ii) strategy setting and decision making; (iii) competitive procurement of the NPA’s central infrastructure; (iv) development and management of NPA rules and standards; (v) clarification of the NPSO’s “market catalyst” role; and (vi) risk management.
The PSR has asked the NPSO to respond to the priorities set out in the Annex of its letter by no later than 30 March 2018.
FCA statement on EBA guidelines on operational and security risks under PSD2
On 19 December 2017, the FCA published a statement relating to the EBA guidelines on operational and security risks under PSD2 (Guidelines). This followed the publication of the EBA’s final guidelines on 12 December 2017. Please refer to the text above for further information on the EBA guidelines.
The FCA stipulated that all PSPs are expected to comply with the Guidelines from 13 January 2018 in addition to the requirements set out in regulation 98 (Management of operational and security risks) of the PSRs 2017, the UK’s implementing legislation. The FCA noted that this would include firms undertaking account information and payment initiation services.
The FCA committed to consulting on its approach to applying these Guidelines and its expectations on PSPs’ future reporting requirements during 2018. The FCA also reminded firms applying or re-applying for authorisation that applications must contain a statement of the applicant’s security policy, including a description of the applicant’s measures to comply with
Regulation 98(1), taking the Guidelines into consideration.
Guidance on new payment surcharge rules for consumer and business transactions
In December 2017, the Department for Business, Energy and Industrial Strategy published its updated guidance on the Consumer Rights (Payment Surcharges) Regulations 2012 (Regulations), which supersedes guidance previously published in March 2013 and August 2015.
For most retail payments, the Regulations ban merchants from charging a fee in addition to the advertised price of a transaction on the basis of a consumer’s choice of payment instrument.
For other retail payments and most payments between businesses made with commercial payment instruments, the Regulations ban merchants from charging customers more than the direct cost borne by them for use of the relevant means of payment.
The Regulations apply to contracts, however concluded, and entitle customers to a refund for any unlawful surcharge which they have paid. In addition, customers may take legal action to recover such surcharges, and consumer enforcement authorities have the power to take civil enforcement action against any traders who breach the Regulations.
PSD2 – Implementation status of member states
For reference, we have included a table setting out the implementation position for PSD2 in our key European jurisdictions. If you require any additional information on those countries listed below please refer to your local DLA Piper contact below.
| Country | Status | Description |
| Denmark | Implemented | Denmark has, since 1 January 2018, implemented PSD2 through the Payments Act (in Danish: lov om betalinger). |
| Finland | Implemented | Finland has implemented PSD2 into Finnish law in two parts: titles III and IV were implemented by amendments to the Finnish Payment Services Act through Law on Amendments to the Payment Services Act (Fi: Laki maksupalvelulain muuttamisesta, 898/2017) and title II, IV and VI by amendments to the Finnish Payment Institutions Act through Law on Amendments to the Payment Institutions Act (Fi: Laki maksulaitoslain muuttamisesta, 890/2017). Both laws entered into force on 13th January 2018. |
| France | Implemented | PSD2 entered into force on 13 January 2018, via Ordonnance no 2017-1252 of 9 August 2017 and Décret (Decree) no 2017-1314 of 31 August 2017. |
| Germany | Implemented | The German implementation entered into force on 13 January 2018, via the Gesetz zur Umsetzung der Zweiten Zahlungsdiensterichtlinie dated 17 July 2017. Some of the commentary to date has been focused on how payment institutions will meet security requirements, the mechanisms by which Payment Initiation Service Providers (PISPs) can authenticate payers and the protection of information provided to Account Information Service Providers and PISPs. |
| Greece | Not implemented | PSD2 has not yet been implemented in Greece. The relevant draft law was published on 2 November 2017. |
| Italy | Implemented | Legislative Decree no. 218 of 15 December 2017, which entered into force on 13 January 2018, has implemented the PSD2 in Italy. The focus of this implementing legislation has been on encouraging electronic device initiated payment transactions and promoting competition. |
| Luxembourg | Not implemented | PSD2 shall be implemented into Luxembourg law by the bill no. 7195 on payment services that was submitted with the Luxembourg Chamber of Deputies on 10 October 2017, but as of 23 January 2018 had not yet been adopted. Furthermore, the Luxembourg Supervision Commission of the Financial Sector has published a Circular CSSF 18/677 concerning the EBA Guidelines on the information to be provided for the authorisation of payment institutions and for the registration of account information service providers under Article 5(5) of Directive (EU) 2015/2366 on payment services in the internal market. |
| Netherlands | Not implemented |
In the Netherlands, the implementation of PSD2 is delayed. It is currently expected that implementation will take place between June and September 2018. This will most likely be via two separate laws that will amend the Dutch Financial Supervision Act (Wet op het financieel toezicht), the Dutch Civil Code (Burgerlijk Wetboek) and ancillary laws. These laws are currently available in their draft form and no final implementation laws are yet available. The laws implementing PSD2 are the Implementing Act PSD2 (Implementatiewet herziene richtlijn betaaldiensten) and Implementing Decree PSD2 (Implementatiebesluit herziene richtlijn betaaldiensten). |
| Norway | Not implemented | In Norway, PSD2 will be transposed in two parts. Titles III and IV are implemented by amendments to the Norwegian Financial Contract Act of 1999 and titles II, IV and V by changes to the Norwegian Financial Undertakings Act of 2015 and the Payment System Act of 1999. Norway is still in the early stages of the legislative process in implementing PSD2. The draft implementation acts and draft explanatory notes in respect of the institutional rules in titles II, IV and VI were published in May 2017, subject to consultation, and the other consultation paper in respect of titles II and IV on 7 September 2017, with a deadline to comment in the consultation process by mid-December 2017. As of 24 January 2018, we are still waiting for the draft acts to be published based on the consultation process. |
| Portugal | Not implemented | A public consultation has been published by the Bank of Portugal on the framework for the transposition of PSD2. However, the scope of the consultation was limited to the options that PSD2 allows each Member State to make and did not include other relevant issues raised by PSD2. Furthermore, as of 11 January 2018 there has been no disclosure of draft PSD2 implementing legislation. |
| Spain | Not implemented | Spain has not implemented PSD2 yet. The Ministry of Economy only recently published a first draft of law implementing PSD2. The public consultation for this closed on 16 January 2018. |
| Sweden | Not implemented | Sweden is delayed in implementing PSD2, and the new regulation will enter into force at the earliest on 1 May 2018. The proposed amendments to the Payments Services Act (Sw. Lag (2010:751) om betaltjänster) were sent to the Swedish Council on Legislation on 9 November 2017. Swedish FSA regulations are expected to be published when the proposition is adopted. |
| UK | Implemented | PSD2 was implemented into UK law via the PSRs 2017, most of the provisions of which came into force on 13 January 2018 (see above). |
and then 