Revision of the Payment Services Directive (PSD2)
Krzysztof Zurek and Silvia Kersemakers, DG FISMA, European Commission
PSMEG meeting, 3 December 2015
PSD2 adopted on 16 November: What will change?
- Better fostering of innovation by improving level playing field between incumbents and new players
- Broadening of personal scope: more players regarded as payment service provider
- Broadening of material scope: more services regarded as payment service
- Higher security requirements for all electronic payments and for all payment service providers
- Reinforced supervision, also in cross-border context
- Improved rules on consumer protection
[Diagram labels: innovation; security; supervision; consumer protection; better complaint procedures; PSD2; Level 2 measures]
Impact on EMD2
- EMD2 follows the logical structure of PSD2: changes in PSD framework will also transpire in EMD2
- Main areas of impact:
  - Scope: limited network exclusion
  - Licencing, passporting of services and supervision
  - Better access to bank accounts
  - Better access to payment systems
  - Enhanced security of payments
Timeline negotiations PSD2 (2013-2016)
- July 2013: Commission proposal
- April 2014: EP report first reading
- Dec 2014: Council general approach
- May 2015: Political agreement trilogues
- Oct 2015: Adoption Parliament
- Nov 2015: Adoption Council
- Jan 2016: Entry into force
Next steps (1)
After the successful adoption of the text by EP (8 October) and by Council on 16 November, the final stages of the process are:
- 25 November: signing of the text
- Mid December: publication in the Official Journal
- Beginning January 2016: entry into force
Next steps (2)
- APPLICATION: Beginning 2018 (2 years after entry into force)
- except for the security measures referred to in Articles 65, 66, 67 and 97, which shall enter into force 18 months after the adoption by the Commission of the necessary RTS, to be developed by EBA (target date: mid 2018)
Next steps (3)
PSD2 text gives the EBA the mandate to develop six different RTS, five sets of guidelines and a register.
Deadlines: 12 to 24 months after entry into force
Areas:
- Passporting (coordination of home-host supervision)
- Consumer Protection
- Authorisation of PSPs (including registration of AIS)
- EBA register of PIs and of exempted entities/services
- Security (strong customer authentication and communication)
Implementation process PSD2
2016: 4 transposition workshops:
- 18 February
- 12 April
- 23 June
- 4 October
- + 24 November, if needed (CEGPI meeting)
Tentative items for first transposition workshop (preliminary suggestions):
- Articles 1-3 (Scope)
- Article 4 (Definitions)
- Articles 65-70 (Access to payment accounts and handling of credentials/personal data)
- Articles 99-103 (competent authorities, complaints, ADR)
- Article 115 (transposition and transitional period)
Thank you for your attention!
Silvia KERSEMAKERS & Krzysztof ŻUREK
Directorate-General for the Financial Services, Financial Stability and Capital Markets Union
Retail Financial Services and Consumer Policy
Address: Rue de Spa 2, B-1049 Brussels
Phone: +32 2 29 57368, +32 2 29 98803
E-mail: Silvia.Kersemakers@ec.europa.eu; Krzysztof.Zurek@ec.europa.eu
http://ec.europa.eu/finance/payments/index_en.htm
Scope (Title I)
- Inclusion of new players in legal framework (PIS and AIS)
- Broadening of positive scope (to "one leg" transactions and to payment services in all currencies)
- Clarification and narrowing down of negative scope:
  - Agents: impact for commercial platforms offering payment solutions
  - Limited network and duty of notification of networks of certain size
  - Digital exclusion: specific categories of payments excluded, but only for low value payments
  - Independent ATM operators partly covered for their information duties
Licencing and supervision (Title II)
- Licence also includes security requirements
- Limited networks and telecom operators offering payment services to notify their activities even though not (yet) licenced
- Licence to be granted in MS in which entity has its head office and carries out at least part of its payment service business
- Public central EBA register for licenced entities, their agents and branches
- Waiver regime (now referred to as exemption) more tailor made at level of MS
Cross-border supervision
- Strong call from MS for more detailed rules to improve cooperation and information exchange between "home" and "host" state, including dispute settlement by EBA
- More detailed rules in case of application for passport
- Enhanced competences for host state for better monitoring of activities and to act in case of emergency
- Option for MS to require central contact point in host state
  - Not the same as under 4AMLD!
- Mandates for EBA
Access to payment systems and accounts
- Improved access to designated payment systems:
  - Equal and transparent treatment of all payment service providers that are not (directly/indirectly) participating in system (Article 35)
- Improved access to bank accounts for payment institutions for the purpose of payment services:
  - Access on an objective, non-discriminatory and proportionate basis (Article 36)
Consumer protection (Titles III and IV)
- Ban on surcharging for vast majority of card payments
- Safer payments due to higher security standards
- Own liability decreased from 150 to 50 Euro, except in cases of fraud or gross negligence
- Unconditional refund right for direct debits in euro
- More transparency on costs and charges for payments to and from EU countries (so-called one leg transactions)
Third party payment providers (TPPs)
New types of payment service providers authorised:
- payment initiation services (PIS)
- account information services (AIS)
(+ card-based payment instrument issuers getting access to information on the availability of funds)
Expansion of regulatory framework addresses security, data protection and liability concerns related to the provision of these specific payment services and provides level playing field for all payment service providers
Security of payments (1)
- Strong customer authentication (SCA) becomes a standard for all electronic payment transactions
- In addition, for all electronic remote payment transactions, a dynamic link to the amount of the transaction and the account of the payee is required
- Exemptions to SCA possible, to be developed by EBA in RTS, based on three criteria (amount/recurrence of transaction; level of risk; payment channel used)
Security of payments (2)
Stricter approach to security, protection of sensitive payments data as well as rules on operational and security management and on incident reporting & monitoring, including fraud reporting, in the PSD2 text:
- new authorisation requirements;
- new specific rules of access to accounts for TPPs (+ requirement of professional indemnity insurance);
- new rules for payment instrument issuers;
- new chapter on operational and security risks and SCA/secure open standards for communication
Transitional provisions (1)
Grandfathering clause:
- authorised Payment Institutions: 30 months
- small (registered) Payment Institutions: 36 months
In order to operate after these deadlines, existing PIs need to submit a new application for authorisation, in accordance with PSD2 criteria.
Member States may decide to automatically grant PSD2 authorisation if the competent authority possesses evidence that a PI complies with new requirements.
Transitional provisions (2)
- Status quo obligation: PIS and AIS that are already established in the market can continue to perform their activities.
- All PIS and AIS to apply for authorisation once PSD2 becomes applicable
- PIS and AIS will comply with new security measures of PSD2 once these become applicable and implemented by banks