PSD2 - the wait is over
On Saturday 13 January 2018, Payment Services Directive 2 (PSD2) came into force. PSD2 makes a number of changes to the regulation of the payments industry in Europe, including the UK. The first Payment Services Directive (PSD1) was adopted in 2007, and PSD2 was introduced as a result of concerns that the existing regulatory framework no longer reflected market developments or adequately addressed security risks relating to payment services. PSD2 aims to contribute to a more integrated and efficient European payments market by encouraging innovation and competition, as well as improving consumer protection by making payments safer and more secure. PSD2's scope extends to innovative payment services and new providers in the market, such as FinTechs.
PSD2 is implemented in the UK largely through the Payment Services Regulations 2017. FCA guidance on the new regime was finalised in October 2017, as was the Approach Document (see our briefing here). But for those who have missed some of the discussion on PSD2, a reminder of the key features of the regime is set out below.
Third party providers
One of the most significant changes brought about by PSD2 is the introduction of two new types of regulated service: account information services (AIS) and payment initiation services (PIS). Firms providing AIS or PIS will have to be authorised or registered with the FCA. Firms providing these services prior to 12 January 2016 and continuing to do so immediately before 13 January 2018 have a transitional period to get authorised, but this could cause access problems. Such firms should get authorised as soon as possible.
Banks and other payment service providers will have to provide parties providing AIS or PIS services (known as "TPPs") with access to their customers’ account data, as long as their customer consents. This access will need to be provided in a proportionate, objective and non-discriminatory way and the FCA must be notified if access is to be refused. There are expected to be some teething problems and development of the open API requirements is ongoing.
Consumer protection
PSD2 introduces new rules on Strong Customer Authentication (SCA, or two-factor authentication) which are designed to protect consumers from fraud or abuse. This means that to prove their identity, users will have to provide at least two separate elements out of the following three pieces of information: something they know (a password or PIN code); something they own (a card, a mobile phone); and something they are (biometrics, e.g. fingerprint or iris scan). Customers will have to give their consent to the access, use and processing of their data. TPPs will not be able to access any other data from the payment account beyond those explicitly authorised by the customer. Banks and other payment service providers will have to put in place the necessary infrastructure for SCA. The rules on strong customer authentication are expected to take effect from the third quarter of 2019. As PSD2 prohibits TPPs from accessing any other data from the customer payment account beyond those explicitly authorised by the customer, it will no longer be possible to access the customer's data through the use of the techniques of "screen scraping" (although there is a transitional period before this takes effect). While the intention is to bring greater protection to consumers from fraud, consumers could see more friction in payment processes – like being blocked from using contactless payments after a certain number of uses and being asked for one-time passcodes more frequently. Firms will have to adapt their IT infrastructure and processes too.
Security
PSD2 requires banks and other payment service providers to maintain effective incident management procedures to detect and classify major operational or security incidents relating to payment services. They will also be required to notify the FCA within 4 hours of an incident. Firms will also have to have systems in place to collect and monitor statistical data on fraud relating to different means of payments, and report this to the FCA annually.
Exemptions
PSD2 makes changes to some of the activities previously exempted from the regulatory framework. Under PSD2, the commercial agent exclusion (which applied where payment transactions between a payer and payee were made through a commercial agent with permission to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or payee) will not now apply where a commercial agent acts on behalf of both parties in a transaction (payer and payee). Permission to act on behalf of either party must be given via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, not both, for the exclusion to apply. This provision could affect e-commerce marketplaces and other firms in the gig economy.
PSD2 also amends the existing limited network exclusion in response to concerns that it was being interpreted too widely. Firms that are providing, or intend to provide, services that benefit from the limited network exclusion are also now required to notify the FCA where the value of payment transactions executed through these services exceeds a certain amount (€1 million in the previous 12 months).
Under PSD2, the digital download exemption has been replaced by the electronic communications exclusion (ECE). The ECE now covers only payments made through telecom operators for the purchase of digital services, such as music and digital newspapers that are downloaded on a digital device, or electronic tickets or donations to charities. PSD2 also introduces value limits for transactions that are within the ECE. Transactions are only excluded if they do not exceed €50 per single payment transaction or €300 cumulative value for an individual subscriber per month. It is anticipated that this will dramatically limit the utility of the ECE.
Surcharging
The rules introduce a ban on credit and debit card surcharges for all purchases made where the bank or payment service provider of the consumer and that of the retailer are within the EEA. In the vast majority of other circumstances, surcharges are capped at the cost to the retailer for processing the payment.
Central contact points
Under PSD2, a Member State may require a payment institution that provides cross-border payment services to set up a central contact point if it operates with agents or branches that are established in that Member State's territory. The central contact point must ensure adequate communication and information with regard to the activities of the payment institution in the host territory.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.