The arrival of the new Payment Services Directive (PSD2) in the internal market repealing the current Payment Services Directive 2007/64/EC (PSD1) has been a closely monitored development since the publication of the European Commission’s (the Commission) Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in January 2012.
On 2 June 2015 the final compromise text of PSD2 was released. The updated PSD2
broadens the scope of PSD1, captures a wider range of payment transactions, and also addresses some of the concerns raised during the legislative process regarding questions of liability.
Payment service providers (PSPs) will have to ensure that they comply with its provisions by the transposition date around end-2017. In this article, which first appeared in the EPC website, Maria Troullinou of Clifford Chance LLP looks at the key changes that PSD2 will introduce and at how the text has evolved since the initial Commission proposal was published in the summer of 2013.
A similar structure, a much broader scope
The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.
Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).
Territorial scope
Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer’s and the payee’s PSP (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ’one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU).
‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope “in respect of those parts of the payment transaction which are carried out in the Union”. This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g, because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been “carried out in the Union”; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.
Negative scope
PSD2 amends some of the exemptions established under PSD1. Changes to the “commercial agent” exemption attempt to address the divergent interpretations taken by some EU Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both).
Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds.
Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services and therefore the “limited network” exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.
The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1 which was removed from the European Commission’s (the Commission) original PSD2 proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer’s receipt — aiming to enhance transparency.
PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, PSPs pursuant to PSD2 will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.
Expanding the market
PSD2 creates two new types of PSP, commonly referred to as ‘third party payment service providers‘ (TPPs) and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.
PSD2 contains provisions requiring EU Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.
Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system. PISPs that want to provide different payment services involving holding users’ funds will need to obtain full regulatory authorisation.