All banks do is really data, so when you open that data up to third parties it allows for the first time a separation between the person that manages the customer relationship and the person that provides the balance sheet services. (Antony Jenkins, Financial Times, 12 January 2018)

7.1 Introduction

The new Payment Services Directive II (PSD II) is, on the face of it, another technical piece of legislation. However, it is much more. It has been described as the EU firing the “starting gun for banks vs. fin-tech fight over payments” (Reuters 2017). It is both “another step towards a digital single market in the EU” and a move to introduce more competition into the EU’s payments market and to break the banks’ control over customer transaction information (Dombrovskis 2018).

A number of existing businesses may be disrupted by the developments encouraged by PSD II. These include credit card issuers and merchant acquirers, providing opportunities for new FinTech companies and very large firms such as Amazon, Apple, etc. There will be opportunities for firms that specialise in “account to account” transfers (A2A) and those who, for example, collect individual customer spending information, analyse the data and market it. Moreover, other jurisdictions are looking at EU legislative innovation which they may emulate (Yap 2017).

Payment services have largely avoided EU regulation until recently. However, regulation can “when drafted and applied correctly … be an effective tool for creating incentives to increase innovation, economic development and competition” (Romānova et al. 2018, p. 21). This chapter looks at how the original view has changed with, initially, the first Payment Services Directive (PSD I); why PSD I was judged less than successful and the EU’s attempt to get ahead of and, to a certain extent, guide the development of both markets and technologies which are fast changing through PSD II.

7.2 Background

In 2007 the EU published its first attempt at payment services regulation—the PSD I.Footnote 1 EU member states were required to implement the Directive in 2009. It was a maximum harmonisation Directive (i.e. EU states cannot exceed the terms of the Directive by, for example, imposing additional restrictions).

The central issue was that the payments systems within the EU were organised along national lines and fragmented. The aims of the Directive were to align these to help facilitate the EU single market in goods and services and to support greater competition in payment services (Donnelly 2016). Specifically, its objectives were to assist in the development of the Eurozone’s cross-border payment system known as the Single Euro Payments Area (SEPA); to regulate payment businesses to encourage non-banks to enter the payments market; to increase services for customers by setting maximum payment processing times and standardised terms and conditions and to increase customer protection so that the latter would have greater confidence in the market.

Fundamental to this were provisions to ensure non-discrimination so that any payment service provider competing in the internal market could use “the services of the technical infrastructures” of incumbent payment systems providers on matching terms.Footnote 2

The Directive was seminal, in that it set the foundations for future work to improve competition and innovation both within national jurisdictions and across the borders of EU states. It sought to break the associations of banks which, for example, in the UK had steered the payments systems. That it did not fully succeed is not to diminish the Directive’s ground-breaking role as new technologies rapidly over-took legislation and existing market practices.

7.3 EU Initiated Review of the Effectiveness of PSD I

The importance of the Directive is evidenced by the fact that relatively shortly after it came into effect, the EU organised an independent review (“the impact study”) of its effectiveness.Footnote 3 The final report of the impact study prepared by London Economics and iff (in association with PaySys) was submitted in 2011. Its key findings addressed passporting, fees and charges for payment services, market fragmentation and what are known as “one-leg” transactions (i.e. where funds are sent from an EU state to a non-EU jurisdiction). These issues are considered in more detail below.

The impact study praised the way the Directive had helped develop a single market in EU payment services and had increased transparency within the payments market and had also increased the speed at which they were executed. All this was seen as aiding business efficiency. No longer were electronic payments allowed to march at the speed of the slowest piece of paper through the payments’ clearing system. However, there were still significant failures.

7.3.1 Main Findings of Impact Study

The impact study found little evidence of innovation in the market structure. There had been very few new entrants since the Directive came into force in 2009. Moreover, payment services firms had not grasped the opportunity to operate across EU borders using passporting privileges under the Directive.

PSD I required businesses offering payment services, whether within a single EU jurisdiction or across EU member state borders, to be authorised by their local or “home” state regulator. By late 2012 there were only 568 authorised payment institutions (APIs). Of these some 40% carried on the business of money remittance (i.e. sending money to non-EU states; often used by migrant workers). In spite of PSD I, there remained very wide differences between the structures of payment services providers across the various EU jurisdictions with no obvious explanations. 85% of the APIs existed before the Directive so there is no evidence of much new competition entering the market.

Additionally, the impact study found that the use of passporting for payment services varied greatly between jurisdictions but even when this legislative facility was employed, firms only operated in a small number of EU states besides their home nation. The process of obtaining a passport was seen as lengthy and complex. Reasons given for this included a lack of harmonisation of customer protection and anti-money laundering measures. The impact study also indicated that APIs that also provided credit to customers were subject to two separate regulators. It recommended that a single regulator supervise both the provision of credit and payment services.

One of the aims behind PSD I was to ensure equal charges for both domestic and cross-border payments within the EU for sums of €50,000 or less. However, the impact study found mixed results. In some instances, this had resulted in higher fees for both types of transaction and the introduction of new charges. Some EU states also permitted differential charges for different payment instruments reflecting the increased charges on merchants for credit card transactions. These charges could exceed the actual costs card companies imposed on merchants. This appears to contradict the Consumer Rights Directive.Footnote 4 This limits merchants charging “in respect of the use of a given means of payment, fees that exceed the cost borne by the trader for the use of such means”.Footnote 5 However, the impact study did point out that establishing and enforcing the true cost to a merchant of accepting a credit card payment may be complex and difficult.

The impact study also found potential confusion between payments under the PSD I and those relating to e-money, which are subject to the Electronic Money Directive II.Footnote 6 In essence, a payment service provides secure messaging between the person or entity instructing the payment and the recipient of the funds and the respective businesses holding the money to be transmitted and the organisation receiving the funds. The impact study considered that this process, and its importance, may not be clear to customers.

A number of payment services providers were exempt from the Directive (e.g. pre-paid cards, ATM operators, money exchanges, etc.). The review thought that these exemptions could be used to circumvent the Directive’s requirements and hence gain an unfair competitive advantage.

Another area of focus is known as “one-leg” transactions, mentioned earlier, since such transactions are normally undertaken by vulnerable migrant customers sending money home. The review recommended treating these types of transfers on the same basis as intra-EU payments. These and the other exemptions cause customer confusion since they may fail to understand which transactions are protected by the Directive and which fall outside it.

There was considerable confusion about the liability for unauthorised payments. Article 61 limited customer liability to €150 except in circumstances involving customer fraud or gross negligence. However, implementation in member states varied. The issue appeared to be the different evidential requirements demonstrating “gross negligence” in each jurisdiction.

Finally, the review reported large differences between national complaints arrangements required by the Directive. It praised those available in the Republic of Ireland and in the UK while observing that in most other member states, complaints systems had still to be developed.

In response to these findings in 2012, the EU Commission published a consultative “Green Paper”: “Towards an integrated European market for card, Internet and mobile payments”.Footnote 7 The Commission remained particularly keen to develop cross-border payments. However, it is possible to speculate that the Commission was also concerned that the major credit card companies continued to dominate the consumer payments system within the EU. This may be seen as reflected in the Commission’s wish to help “to launch innovative, safe and easy-to-use digital payments services and to provide consumers and retailers with effective, convenient and secure payments methods in the Union”.Footnote 8

7.4 Payment Services Directive II

In the light of this report and the rapid changes in technology, the EU quickly developed PSD II.Footnote 9 This repealed and replaced all the measures in PSD I. However, many articles in the original Directive were re-enacted in PSD II.

PSD II was published at the end of 2015 and required implementation in local law by January 2018. The Directive required the European Banking Authority (EBA) to develop a range of technical guidance to flesh out the Directive. These are considered later in this chapter.

The aims of the new Directive were to:

  • assist in the integration of the EU’s payments market,

  • promote competition by encouraging new participants in the market including FinTech and the development of mobile and Internet payment services across the EU,

  • encourage lower prices for payments, and

  • increase customer confidence in making more efficient electronic payments by introducing better customer protection against fraud and other abuses and error. This would require enhanced security arrangements.Footnote 10

The main themes in the Directive were to increase security measures and other customer protections, level the competitive playing field by reducing the various exemptions from payment services regulation and to permit two new innovative arrangements: “account information service providers (AISPs)” and “payment initiation service providers (PISPs)”. These important developments are considered later. The next sections look at the other major changes first.

7.4.1 Scope of the Directive and the Removal of Exclusions

A number of exclusions exempting business operations from regulation have been removed. For example, payment arrangements which can only be used for buying goods and services from a prescribed list of businesses are now included within the Directive’s scope.Footnote 11 However, payments made within a group of companies remain exempt from the need for regulation as do payments aimed at collecting funds for charitable purposes. As before, with PSD I, physical cash and paper-based payment instruments (e.g. cheques) remain outside the scope of the Directive.

Payments sent or received where one of the Payment Service Providers (PSPs) is located outside the EEA will be covered, as will payments in non-EEA currencies.Footnote 12

PSD II, as with PSD I, is limited to regulating payment services providers which do not also take deposits or issue electronic money. Firms which take deposits which are used to fund payments will continue to be regulated under the Capital Requirements Directive IV (i.e. banks and similar credit institutions).Footnote 13 Similarly, businesses which issue electronic money will continue to be subject to their own Directive.Footnote 14

7.4.2 Authorisation of Payment Institutions

There are no substantial changes from PSD I on the authorisation and supervision of payment institutions. However, the EBA is tasked with the job of determining criteria for establishing the minimum amount of professional indemnity insurance or other forms of guarantee required by authorised firms. Moreover, the APIs will only be permitted to provide credit when it is closely linked to the payment service.Footnote 15

In order to enhance co-operation between EU member states, the Directive requires the EBA to assist in resolving cross-border disputes between regulators and to publish guidance on this and the necessary data exchanges to aid supervision.Footnote 16 The EBA is also required to publish a central public register of authorised payment services firms.Footnote 17 The Directive contains various other customer protection measures such as those relating to the transparency of charges and prohibitions on discrimination, based on nationality or place of residence, against those legally resident in the EU.Footnote 18

Host member states are permitted to take precautionary measures in the event of an emergency situation such as a large-scale fraud.Footnote 19

7.4.3 Innovation

PSD II seeks to promote the development of two aspects of FinTech. The first collects, aggregates and analyses information from customer payments transactions. The Directive describes this as an “account information service” (AIS). PSD II views the second as a “software bridge between the website of the merchant and the online banking platform” of the customer initiating a payment across to the merchant’s account.Footnote 20 It is classified in the Directive as a “payment initiation service” (PIS). It is defined in Article 4 (15) as “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”. It is a secure messaging system and at no stage does the PIS provider ever hold the customer’s payment.

Providers of such services are termed “PISPs” and “AISPs”. They are also known collectively as third-party providers (TPPs).Footnote 21 These may be seen as distinct new financial services industries developing new customer services (Chiu 2017).

The Directive also refers to “account servicing payment service provider” (AS PSP). This is the firm where the customer’s payment account is held (e.g. the customer’s bank).

Customers must give explicit consent to use PIS and AIS arrangements. There is no requirement for a contract between the customer and either the PISP or AISP. Nor is a contract necessary between the PISP and the merchant supplying goods or services to the customer.Footnote 22 Customer agreements with a PSP can be either ad hoc, good for a single transaction, or set up under a continuing contract. The latter must be capable of termination without charge with a notice period not exceeding a month.Footnote 23

PISPs and AISPs must ensure that the personalised security credentials are not shared with other parties and they must not store sensitive payment data. AS PSPs are required to treat payment orders and data requests transmitted via a PISP or AISP “without any discrimination other than for objective reasons”.Footnote 24

However, both types of innovation enable third parties to delve into the payments accounts of customers. Hence the Directive delegates, to the EBA, the need to develop technical guidance for “secure customer authentication” (SCA). This important aspect is considered later.

7.4.4 Confirmation of Availability of Funds

PSD II creates a new fund availability confirmation service. It allows a third party with the customer’s express permission to obtain confirmation from the customer’s AS PSP (i.e. their bank) that sufficient funds are available to enable a payment to be made. It only requires a “yes/no” response.Footnote 25 It is not clear how useful this facility will be in practice since it is of little help in assessing credit worthiness. However, there may be some value in a merchant knowing that the funds exist to satisfy a payment a few moments before a payment order is executed on a customer’s account.

7.4.5 Enhancing Competition

There is a broad requirement in the Directive that those participating in a payments system within the EU provide access to authorised payment services firms in a non-discriminatory way.Footnote 26 This is part of the general theme within PSD II promoting increased competition in payment services.

7.4.6 Customer Protection

Both the 2007 and the 2015 Directives on payment services are based on the understanding that in meeting their objectives customer trust is essential. PSD II, consequently, develops the protections provided initially by PSD I for individual “real” personal customers and EU member states are empowered to extend the Directive’s safeguards to “micro-enterprises”.Footnote 27

Issues with incorrect or unauthorised payments should be communicated as soon as possible.Footnote 28

There is an important protection afforded to customers in that the Directive requires that any alleged unauthorised transaction is immediately reimbursed unless there is a “high suspicion” that an “unauthorised transaction results from fraudulent behaviour” by the customer.Footnote 29 The suspicion must be based on “objective grounds”. These must be passed to the national regulator and the PSP should “conduct, within a reasonable time, an investigation before refunding the payer”.Footnote 30 Customers have eight weeks to make a claim for a refund.Footnote 31

The customers, unless they are acting fraudulently or are grossly negligent, should only be liable for a maximum of €50 for any loss of their “payment instrument” (e.g. a payment access card) prior to their notifying the PSP.Footnote 32 What constitutes “gross negligence” will be a matter for national law. Any contractual attempt by a PSP to change or shift the burden of proof against the customer will be nugatory.Footnote 33

The customer’s PSP or PISP should assume responsibility for any failure in the payments chain.Footnote 34 However, if the customer has used the wrong payee’s identifier, the PSP will not be liable but “should be obliged to cooperate in making reasonable efforts to recover the funds” including providing information to the customer to help trace the missing funds.Footnote 35

In terms of liability, in the event of an unauthorised, non-executed, defective or late executed payment initiated via a PISP, the AS PSP is required to refund the customer immediately. There is an obligation on the PISP to compensate the AS PSP where the former is liable, with the burden of proof lying with the PISP “to prove that, within its sphere of competence, the payment was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency,” linked to the payment service of which it is in charge.Footnote 36

The Directive stipulates that the full amount transferred should arrive intact without any charges being levied beyond those agreed at the outset.Footnote 37

All payments made in Euros or other member state currencies should be executed within, at most, one day. All other payments should also be completed within the same time period unless otherwise agreed.Footnote 38

7.4.7 Security

Security measures must be proportionate to the security risk and PSPs must maintain measures to mitigate security risks and to provide the national regulator with regular updates assessing these risks together with their risk reduction actions.Footnote 39 PSPs are under an obligation to report, quickly, major security incidents to national authorities.Footnote 40

7.4.8 Complaints Handling

The Directive requires that member states have an easily accessible, independent, impartial, transparent and effective alternative disputes resolution arrangement for issues between customers and PSPs.Footnote 41 PSPs must have dispute resolution procedures and must respond to complaints within fifteen business days of a complaint being received.Footnote 42

7.5 European Banking Authority (EBA) Work on PSD II

The EBA has a series of work projects in-hand on the implementation of PSD II to ensure that they are secure and efficient.Footnote 43 It has been preparing a Regulatory Technical Standard (RTS) on home/host state cooperation and, in particular, the information exchanges needed by both. This includes separate guidance on the reporting of fraud by PSPs to local competent authorities.

The EBA has also produced an RTS and a set of Implementing Technical Standards (ITS) on setting up the EBA register mentioned earlier. There is also guidance on areas such as professional indemnity insurance. Important technical guidance on security measures and SCA, incident reporting and complaints handling has been agreed and published. SCA is considered in more detail below (see also Zetzsche et al. 2017).Footnote 44

7.6 Secure Customer Authentication (SCA)

As part of the move to protect customers and businesses, PSD II requires SCA—which authenticates the identity of the customer and their right to make the transaction—before an electronic payment can be made.Footnote 45 SCA “is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the use of a fingerprint or voice recognition)”.Footnote 46 There is a view that these arrangements may “ring alarm bells” as these services “open up a new class of vulnerabilities” (Mansfield-Devin 2016). “For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks”.Footnote 47
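The two requirements quoted above (elements drawn from at least two categories, and a code dynamically linked to the amount and the payee) can be sketched in code. This is an added example, not taken from the chapter, the Directive or the EBA standards; the factor names, the HMAC-SHA256 construction, the single-use nonce, the sample account identifiers and all function names are assumptions of the example, as is the reading that two elements of the same category do not count as two.

```python
import hashlib
import hmac
from decimal import Decimal

# Hypothetical mapping of concrete factors to the three categories
# named in the quoted definition (knowledge, possession, inherence).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "card": "possession",
    "code_device": "possession",
    "fingerprint": "inherence",
    "voice": "inherence",
}


def satisfies_sca(verified_factors):
    """True when the verified factors span at least two distinct categories."""
    cats = {FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY}
    return len(cats) >= 2


def _canonical(amount, payee_account):
    # Fixed two-decimal amount and normalised account identifier, so the
    # customer's device and the verifier authenticate identical bytes.
    amt = Decimal(amount).quantize(Decimal("0.01"))
    return f"{amt}|{payee_account.replace(' ', '').upper()}".encode()


def make_auth_code(key, amount, payee_account, nonce):
    """Authentication code bound to this amount, this payee and this nonce."""
    msg = nonce + b"|" + _canonical(amount, payee_account)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_payment(key, verified_factors, amount, payee_account,
                   nonce, auth_code, used_nonces):
    """Check the element categories, then the dynamic link, then reuse."""
    if not satisfies_sca(verified_factors):
        return "reject: fewer than two element categories"
    expected = make_auth_code(key, amount, payee_account, nonce)
    if not hmac.compare_digest(expected, auth_code):
        return "reject: code not linked to this amount/payee"
    if nonce in used_nonces:
        return "reject: code already used"
    used_nonces.add(nonce)
    return "accept"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or accounts.
    key = b"constructed-demo-key"
    nonce = b"txn-0001"
    used = set()
    code = make_auth_code(key, "25.00", "XX00 PAYEE 0001", nonce)

    # Customer approved 25.00 to PAYEE 0001 with password + code device.
    print(verify_payment(key, ["password", "code_device"],
                         "25", "xx00payee0001", nonce, code, used))
    # Same code presented for a changed amount or a changed payee.
    print(verify_payment(key, ["password", "code_device"],
                         "2500.00", "XX00PAYEE0001", nonce, code, set()))
    print(verify_payment(key, ["password", "code_device"],
                         "25.00", "XX00OTHER0002", nonce, code, set()))
    # Password + PIN are both knowledge elements.
    print(verify_payment(key, ["password", "pin"],
                         "25.00", "XX00PAYEE0001", nonce, code, set()))
```

Because the code is computed over the amount and the payee, a code approved for one payment is useless for any other, which is the protection against mistakes and fraudulent alteration that the quoted passage describes.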

7.6.1 Exemptions for SCA

“As a matter of principle, all electronic means of payment are subject to the requirement for SCA. However, exemptions are possible as it is not always necessary and convenient to request the same level of security from all payment transactions”.Footnote 48 For example, low value transactions such as those used for contactless payments at terminals should not require SCA.Footnote 49

7.7 Commentary

It is not immediately obvious how the availability of PISs will change how customers operate. Customers will not see much change if they use a PISP compared to using their current credit or debit card for making a payment. However, credit card issuers and acquirers are likely to be disintermediated since merchants will not need their services. The PISP will move the funds straight from the customer’s bank account into that of the merchant.

It is likely that this will be cheaper for merchants who, in any event, are not permitted to charge extra for different payment methods under the Directive (Grüschow et al. 2016). It may be possible for the merchant to pass some of the margin saved to the customer but again how this might be done is still not clear since offering a discount, say, for those using a PIS compared with a credit card would fall foul of PSD II.

AISPs may be able to help customers who have multiple financial products which they want to view regularly. With the customer’s express permission, the AISP could access all the customer’s accounts in the EU and present the information in near enough real time. The data could be expressed in charts and analysed into different categories of expenditure.

This information would be of value in the market both in aggregate and individually. It would help firms decide what to market and to whom. It would be of value to competitors since, for example, a customer could be enticed to move their current account with a cheaper overdraft offer.

However, it is not clear what actual level of customer demand exists for AIS. Typically, in the EU, only around 19% of customers have more than two bank accounts (EY 2012). Further, where a customer has two bank accounts, one will normally be for their banking transactions and the other for savings. There is a view that in Europe the advantages for customers of A2A have yet to emerge (Wyman 2016). Banks will almost certainly act to protect their current positions since it is estimated that some 9% of retail payments revenue may be under threat by 2020 (Jackson 2018). The evidence is that most customers are very passive; reluctant to change “their” bank and it usually takes a significant operational failure to prompt a customer to move accounts (European Commission 2007).

There is scope for future socio-legal research on both merchant suppliers and customer attitudes to the changes brought about by PSD II. Various businesses will be undertaking their own research but they are unlikely to approach it from the legal perspective. The EU will probably review whether the results from the Directive demonstrate that the markets in payment services are moving towards meeting its own objectives. Indeed, the EU will need to keep this whole area under close review as both social and technological changes affect the markets and customer outcomes. Much also will depend on fraud prevention where even SCA may prove vulnerable (European Payments Council 2017).

PSD II provides scope for FinTech to develop in key parts of the payment services market. However, it is likely that growing market share will be a significant challenge for small innovators. Nevertheless, there are opportunities for large players such as the Apples and Amazons of this world to gain margin from card companies and for banks to introduce their own A2A arrangements buttressed by their reputation with customers.