Introduction – What is PSD2?
On 24 July 2013 the European Commission published a proposal for a new Directive on payment services in the internal market (PSD2), repealing the previous payment services Directive of 13 November 2007 (2007/64/EC – PSD1). PSD1 obliged the Commission to present a report on the review of the Directive before November 2012. The current proposal addresses the deficits discovered in the practice of implementation and application. It is currently undergoing the legislative process.
The new figure of the “third party payment service provider” (TPP)
The draft creates, among numerous other proposals, a new category of institutions requiring authorisation. The provision predominantly targets services such as German Sofort Überweisung, Dutch iDeal or Swedish Trustly; it is, however, not limited to these and is capable of encompassing other services as well. PSD2 introduces important changes for these services as well as for their customers.
The European Commission considers third party payment service providers (TPPs) to provide innovative and low-cost alternatives for (internet) payments made by consumers. Given that the usage of such services raises security, data protection and liability issues, especially when used by consumers, the Commission has decided to bring TPPs – like other payment institutions – within the scope of regulatory and civil payments legislation. PSD2 will have far-reaching consequences for TPPs, but also raise security levels for payment service users. Even eCommerce merchants may be able to indirectly profit from the new PSD2 provisions insofar as these are capable of raising acceptance levels of new low-risk and low-cost ways of payment.
Third party payment service providers
The term “third party payment service provider” encompasses two categories of services: payment initiation services on the one hand and account information services on the other hand. Contrary to other payment service providers, a TPP does not hold a payment account and at no point in time enters into possession of the funds to be transferred.
Payment initiation services are services enabling access to a payment account. For that matter it is irrelevant whether the payer is actively involved in the payment initiation or the TPP’s software, or whether payment instruments can be used by the payer or the payee to transmit the payer’s credentials to the account servicing payment service provider. Thus, the term covers, inter alia, services which establish a software bridge between the website of an eCommerce merchant and the website of an account servicing payment institution. Through this software bridge the payer can authorise the payment transaction himself or transmit payment instruments such as PIN and/or TAN to the TPP for the TPP to initiate payment with the account servicing payment institution. It appears that services such as Sofort Überweisung in Germany and similar services offered in other member states prompted the Commission to propose regulation of such services under PSD2.
Account information services are payment services where consolidated and user-friendly information is provided to a payment service user on one or several payment accounts held by the payment service user with one or several account servicing payment service providers. These include in particular services such as Star Finanz, which offer the user a consolidated overview of these accounts, either through software provided by the account information service or on a secure space on a website. In cases in which the user can additionally initiate payments through such an account information service, the service will also be classified as a payment initiation service.
Authorisation requirements and other regulatory consequences
The most significant consequence for TPPs under PSD2 is the fact that they are classified as payment service providers. Consistent with the overall aim of the legislation, the draft additionally provides that payment initiation services and account information services do not fall within the exception created for technical service providers. Insofar as the TPP is not already licensed as a credit institution or exempted from authorisation requirements, it is to be treated as a payment institution. Payment institutions domiciled in Germany require an authorisation by the German Federal Financial Supervisory Authority (BaFin) under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). They are subject to initial capital and own funds requirements under PSD2 and require an initial capital of EUR 50,000. When outsourcing activities or using agents, they must comply with regulatory requirements and are subject to anti-money laundering provisions requiring them to identify customers when establishing business relationships. These duties stand vis-à-vis the right derived from the European Banking Passport allowing the provision of services in the EEA if an authorisation has been granted in one member state.
PSD2 contains a stringent civil liability regime for TPPs. Where a payer has not authorised a payment transaction executed through the TPP, the TPP is liable to refund the amount of the unauthorised payment to the payer. In addition, where the payer denies authorisation, the burden of proof lies on the TPP to prove that the payment transaction was not caused by a technical failure or other glitch. Even if the TPP succeeds in proving that prior to the payment transaction a payment instrument such as PIN and/or TAN was used, this does not necessarily satisfy a proof of authorisation. Thus the rules governing the burden of proof and liability regimes applying to payment services providers are also applied to TPPs under PSD2. PSD2 envisages a split in potential joint and several liability between the TPP and the payment institution insofar as each is liable for that part of the transaction which it controls. Under comparable principles, the TPP is liable for payment orders which are not properly executed.
Other duties of TPPs under PSD2 include compliance with data protection and security requirements. TPPs must satisfy the same standards as the account servicing institution itself. In the case of payment initiation services, the TPP must comply with extensive information requirements vis-à-vis the payer and potentially the payee. All TPPs must ensure that the payer’s access data are not accessible by third parties, that authentication requirements towards the account servicing payment institution are complied with and that certain data is not saved. Furthermore, a TPP must obtain the express consent of the payer regarding access to the account and must inform the payer of the extent of such access.