Bird & Bird on the most important consequences of PSD2

Transcription

1 Bird & Bird on the most important consequences of PSD2 Scott McInnes - Partner, Bird & Bird (Brussels) scott.mcinnes@twobirds.com Tel:

2 Timeline 25 November 2015 PSD2 adopted 13 January 2018 Member States to transpose most provisions into national laws Q / Q1 2019? except provisions on security referred to in Art. 65 ("decoupled" card issuance), 66 and 67 (TPPs) and Art. 97 (strong customer authentication) Page 2

3 Most important changes in PSD2 vs PSD1 1. Scope (e.g. one-leg transactions) 2. Access to payment systems (Art. 35) 3. DCC (Art. 59) 4. Surcharging (Art. 62) 5. "Decoupled" card issuance / availability of funds (Art. 65) 6. PISPs / AISPs (Art ) 7. Cardholder liability (Art. 74) 8. Pre-authorization (Art. 75) 9. Use of transaction data (Art. 94) 10. Operational and security risk incident reporting (Art ) 11. Strong customer authentication (Art. 97 et seq.) 12. Dispute resolution (Art ) Page 3

4 1. Access to payment systems

5 Access to payment systems (Art. 35, recital 52) Non-discriminatory access requirement extended to three party schemes (e.g. Amex), except strictly closed ones Paragraph 1 shall not apply to: (b) payment systems composed exclusively of payment service providers belonging to a group. R52 Such systems include three-party schemes, such as three-party card schemes, to the extent that they never operate as de facto four-party card schemes, for example by relying upon licensees, agents or co-brand partners. Amex challenging this provision in a UK court and, soon, in the EU Court of Justice Page 5

6 2. Strong customer authentication (SCA)

7 SCA EBA Guidelines on the security of internet payments In force in most EEA countries in principle since 1 August 2015 except e.g. in the UK ( comply or explain principle) Contain a requirement of SCA similar to PSD2, but differences Page 7

8 SCA PSD2 Applicable as from Q / H1 2019? PSD2 (Art ) contains different requirements from current EBA guidelines: EBA guidelines applicable only to internet payments (mobile payments excluded, except browser-based ones) Whereas PSD2 applies to F2F and remote (all electronic payments ) EBA guidelines provide for risk-based approach (RBA) by merchant (and issuers?), and exemption for lowvalue payments (i.e. below 30) PSD2 leaves exemptions to EBA RTS (see following slides) PSD2 requirement that that, for electronic remote payments, PSPs should apply SCA that shall include elements dynamically linking the transaction to a specific amount and a specific payee (Art. 97(2) PSD2) EBA guidelines contain specific provisions for e-wallets PSD2 doesn't Page 8

9 SCA PSD2 EBA tasked to develop exceptions based on: the level of risk involved the amount and/or the recurrence of the transaction the payment channel used 8 December 2015: EBA published a Discussion Paper 12 August 2016: EBA published draft RTS. Public hearing on 23 September. Consultation closed on 12 October 2016 "Final" draft EBA RTS due were by 13 January However, EBA announced approx. 1 month delay RTS to be adopted by the EC (or sent back to EBA for amendments) Page 9

10 SCA draft EBA RTS Topic Draft EBA RTS Potential changes? PSPs to apply SCA when the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Scope / what? (b) above is considered to: Include credit transfers ("pushed" by the payer) Include card payments (although some argue that card payments are "pulled" by the payee ) Exclude direct debits (but what about e.g. Paypal wallet funding?) Scope / where? Page 10 Art. 2(4): SCA requirements apply where at least one of the PSPs is located in the EEA, irrespective of the currency used, "in respect to those parts of the payments transaction which are carried out in the [EEA] According to the EC, EEA issuer should decline all transactions at non-eea merchants that don t request SCA Issuers will not be required to decline those one-leg transactions?

11 SCA draft EBA RTS Topic Draft EBA RTS Potential changes? F2F payments Exemptions for F2F Chip & PIN = compliant What about Chip & Signature? What about Magstripe & Signature? Contactless transactions does not exceed 50, and cumulative amount transactions without SCA doesn't exceed 150 Is this exemption mandatory or optional? What about "contact" dip&go payments below the thresholds? Ceilings will be increased? Exemption will be optional? Page 11

12 SCA draft EBA RTS Topic Draft EBA RTS Potential changes? Remote payments Multi-purposes device (e.g. mobile phone) can be used for payment and authentication, but "channel, device or mobile application through which the information linking the transaction to a specific amount and a specific payee is displayed shall be independent or segregated from the channel, device or mobile application used for initiating the electronic transaction" Reference to "channel" will be deleted? Exemptions for cards Remote transaction does not exceed 10, and cumulative value of previous remote transactions without SCA does not exceed 100 Should the exemption be mandatory or optional (for the issuer)? No merchant RBA and/or issuer RBA allowed as (1) would likely not sufficiently protect consumers and (2) would possibly harm fair competition between market players Ceilings will be increased? Exemptions will be optional (for merchant and /or issuer)? RBA allowed for merchants + acquirers + issuers? Several options being considered: 1. The exemption is granted if the PSP s bps of fraud for exempted transactions is lower than that when SCA is used; or 2. The exemption is granted if the PSP s bps of fraud is below a certain threshold (e.g. 20 bps) and the amount of the transaction is below EUR ; 3. The exemption is granted according to bps of fraud and transaction tiers: Less than 1 bps and up to EUR 500 Less than 5 bps and up to EUR 250 Less than 10 bps and up to EUR 125 Additional exemptions for credit transfers Page 12 Credit transfers to payees included in a list of trusted beneficiaries created by the payer Series of credit transfers with the same amount and the same payee Will not be made available for cards?

13 SCA draft EBA RTS Topic Draft EBA RTS Potential changes? Liability shift "Where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer s payment service provider" (Art. 74(2) PSD2) Only applicable during the period January 2018 to approx. Q4 2018/Q9 2019? This interpretation will need to be revised due to: expected change of position on one-leg transactions? expected change of position on merchant/acquirer RBA? Page 13

14 3. TPPs

15 PISPs / AISPs / decoupled (debit) card issuers 1. PISPs (Art. 66): Granted "access" to "payment account" with a view to initiate a payment In practice, access to current account to trigger a credit transfer (i.e. competition vs card payments). But "payment account" arguably wider than current account (e.g. card account) Bank must "treat payment orders transmitted through the services of a [PISP] without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer" Possibility for recover costs from consumers? 2. AISPs (Art. 67): Aggregating data from various "payment accounts" i.e. not only current account(s), but also credit card account, mortgage account, etc? What about merchant accounts? 3. "Decoupled" (debit) card issuing / availability of funds (Art. 65): "The confirmation referred to in paragraph 1 shall not allow for the [ASPSP] to block funds on the payer s payment account" (Art. 65(4)) Page 15

16 TPPs draft EBA RTS Topic Draft EBA RTS Potential changes? Communication interface (Art. 19) Data exchanges (Art. 22) Other topics Banks to offer at least one communication interface enabling the TPP to: - identify itself - securely communicate to access information (AISP), initiate payment (PISP) or receive confirmation that sufficient funds available (decoupled card issuer) - rely on authentication procedure provided by bank to user Same level of service as the online platform made available to the user when directly accessing its account online Use ISO20022 "if available" + international/european standards Make documentation available for free on website AISP: same information on accounts and payment transactions made available to the user when directly accessing the information online (anytime the user is requesting + no more than twice a day when user not requesting) PISP: information on initiation + execution of payment Decoupled card issuer: "yes" or "no" Identification (qualified certified for website authentication as per e- IDAS Regulation, etc Art. 20) Security of communication session (encryption, etc Art. 21) Traceability (Art. 18) European banks expected to volunteer 1 common dedicated interface, otherwise EBA will grant TPPs a right to access directly online banking platform? Page 16