PSD2 – the EU's Regulatory Response to Innovation in the Payments Sector
PSD2, the EU Directive on payment services, is seen by many authors as one of the most innovative legal amendments in recent years, developing what is known as open banking. PSD2 is of particular importance to fintech businesses and will be implemented in the European internal market by the EU member states by 13 January, 2018. The rationale behind the directive is to establish a framework to respond to the significant innovation within the sector, which has left regulatory gaps and legal uncertainties. PSD2 will be the basis for innovative processes while ensuring that payment service providers (PSPs) are able to launch safe, secure and easy-to-use digital payment services with sufficient legal clarity, security and protection of consumer rights.
In order to achieve these aims, PSD2 not only significantly amends the existing regulatory framework for payments geographically within the EEA, but also extends the list of regulated business activities to two new services: payment initiation services and account information services. The respective service providers are therefore called payment initiation service providers and account information service providers (collectively, "third-party payment providers"). A payment initiation service is defined as a service to initiate a payment order at the request of the payment service user, while an account information service is an online service to provide consolidated information on accounts held by the payment service user.
In practical terms, fintech businesses will need to be proactive in responding to the changes to the scope of regulated activities, which reflect a trend towards customers who have multiple relationships with PSPs and an increased need for interaction. The technical and legal landscape will change quite dramatically. Third-party providers have traditionally used a method called screen-scraping, which, according to the European legislation, shall be replaced by a so-called dedicated interface. Screen-scraping is the method by which certain third-party payment providers have accessed certain account information via the customer interface and used it for their own purposes. It has already been the subject of heavy litigation (since it was contrary to the banks' general terms and conditions, which have been considered to be anti-competitive behaviour) and will become much more regulated in the future, with both advantages and disadvantages for fintechs. On the one hand, it will now be mandatory for traditional banks to grant third parties access to customer data via specific, dedicated interfaces. This will have a major impact on systems and operations, as account servicing PSPs will need to enable third-party providers to access their online payment accounts. Although many fintech companies doubt whether the banks will provide them with high-quality access, the new dedicated interfaces, which are yet to be established, must not be discriminatory, and any rejection of the requesting payment service needs to be justified by the account servicing PSP. On the other hand, the data to be provided via such interfaces will need to be limited to the purpose of the respective service, ie, payment initiation or account information. Also, third-party PSPs will now be regulated entities and need to comply with the respective security requirements.
Further practical considerations for PSPs relate to the strong customer authentication requirements, which apply where the payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Strong customer authentication is a procedure based on the use of several mutually independent elements, such as knowledge (eg, a PIN code), ownership (eg, a mobile phone) and inherence (eg, a fingerprint). As provided under Art. 98 of PSD2, regulatory technical standards on strong customer authentication and common and secure communication will be developed by the EBA in order to specify the exact requirements and application. The regulatory technical standards specifying the exact requirements of the strong customer authentication procedure have, due to conflicts between the EU Commission and the EBA, not yet been released, and will therefore not become effective before June 2019. In the intermediary period, the respective disputes will supposedly continue.
Besides that, PSD2 will strengthen consumer rights in several ways. The directive provides, eg, an unconditional refund right for direct debits, governs the liability arising from unauthorised transactions and imposes an obligation to provide information about any fees regarding the payment services.
Ultimately, fintech businesses will need to be aware of any further ongoing changes alongside PSD2. The new standards might bring substantial changes to the regulatory landscape. As such, market participants should remain vigilant and monitor the latest developments.
This content first appeared in Chambers Professional Advisers: FinTech.