What is PSD2?
Until recently, the Payment Services Directive ("PSD") was the legal framework governing payment services across Europe. With the objective of modernising the regulation in line with developing technology, the European Commission overhauled PSD with the implementation of PSD2. This new regulation covers a wide range of payment related services and will require businesses to re-evaluate their systems and processes to comply with the new rules.
The main changes following the Second Payment Services Directive ("PSD2") relate to the broadened scope of the directive, conduct of business requirements, customer protection, competition and security.
Who does it affect?
PSD2 affects existing payment service providers, including banks e-money institutions, digital wallet services, loyalty programmers and technology providers, whether regulated by the relevant regulatory authority (such as the Financial Conduct Authority in the United Kingdom) or not.
When will this become applicable?
In the United Kingdom and Gibraltar, PSD2 must be implemented by 13 January 2018. Payment service providers must promptly assess the potential impact of PSD2 on their business and take the necessary steps to ensure they are compliant by no later than 13 April 2018.
What does it change for the Fintech industry?
PSD2 expands the reach of the original PSD to include transactions where at least one party (but not necessarily both) is located within the European Union. As a result, more conduct of business and information requirements will apply to international payments. Businesses should therefore consider whether any changes may be needed to comply with these new requirements, particularly for accounts or agreements that previously fell outside the scope of PSD.
Third party payment service providers (TPP)
PSD2 introduces two new regulated payment services:
AIS are providers that can connect to bank accounts and retrieve information from them. They help users gain an overview of their financial position by aggregating information from their various payment accounts.
- Account Information Services (AIS)
- Payment Institution Services (PIS)
PIS are institutions that can initiate payment transactions. Businesses providing either service may need to become regulated for the first time under PSD2.
Several exemptions available under the PSD have been narrowed under PSD2, affecting businesses which to date have fallen outside of the scope of regulation. For example, the previous commercial agent exemption, which applied under PSD where a commercial agent acts on behalf of both the payee and payer, no longer applies.
Existing or proposed shareholders in regulated payment institutions now have an obligation to inform the relevant regulatory authority of any decision to acquire or increase their current shareholding, such acquisition may be subject to opposition by said authority.
The new standards will allow a payer to authorise a transaction by using at least two of three elements, namely, knowledge (passwords or pin codes), possession (physical possession of cards) or inherence (bio-scans).
Businesses will now only have 15 business days to respond to a customer's complaint and will be obliged to advise on an appropriate alternate dispute resolution body if the complaint remains unresolved.
The implementation of PSD2 bans surcharges on the use of payment cards and users will only be liable for transaction charges where the amount is fully disclosed prior to the transaction. Users will also have the right to request monthly transaction statement, without charge.
How to prepare for the new regulation
Businesses which began providing AIS or PIS on or after 12 January 2016 must be registered or authorised, or vary their authorisation, before 13 January 2018 if they wish to carry on providing these services on or after that date.
Businesses that were providing AIS or PIS before 12 January 2016 do not need to seek authorisation or registration, vary their authorisation or cease providing these services until 18 months after the coming into force of the European Banking Authority's Regulatory Technical Standard on Strong Customer Authentication and Common and Secure Communication. However, they will not be entitled to access customer account information under the new PSRs 2017.
For businesses based in the United Kingdom, an application must be submitted to the Financial Conduct Authority by no later than 13 April 2018 which may take up to three months to process.
Businesses that are already authorised or registered with Financial Conduct Authority, will be required to provide additional information and then will be considered for re-registration or re-authorisation under the new regulations.
Burlingtons is a full service law firm based in the heart of London's west end and offices in Gibraltar, Moscow, St Petersburg, Vienna, Malta and Almaty.
It is renowned for its professional culture, delivering work to the highest legal standards and building long-term relationships with clients.
They are able to advise on, but not limited to:
If you would like more information on the re-registration procedure and whether your business would need to apply for re-registration please contact Deborah Mills, Senior Partner at firstname.lastname@example.org.
- whether your business falls within the scope of the regulation and required to provide additional information by the relevant deadline
- assist with collection of documents and regulatory approval
ensuring your business's continued compliance
Disclaimer: this newsletter is provided for general information only and is not intended to be nor should it be relied upon as legal advice in relation to any particular matter.
Back to newsroom