WHAT IS PSD2?
Background and goals of PSD2
EU directive 2007/64 was adopted by the European Parliament on 13 November 2007. This directive is known in the market as the Payment Service Directive (PSD). With the PSD, the EU aimed to create a uniform payment market by establishing a single legal framework for payment transactions within the EU. The aim was to make cross-border payments as easy, efficient and secure as the then-current domestic payments in every EU country. The PSD also provided the legal basis for the implementation of SEPA credit transfer and direct debit products in the EU. The PSD had to be embedded in local legislation by the various EU member states from 1 November 2009.
The PSD also introduced a new category of payment service providers (PSPs), namely the payment institution. From that moment on, non-banking institutions could obtain a special license as a payment institution, with which they could provide the payment services covered by the PSD within the EU. This opened the payment market to new entrants, which was intended to lead to more efficiency and lower costs as a result of the increased competition in this market.
The PSD has been in force for almost 7 years. The SEPA migration is complete. Domestic payment transactions in all euro countries have been fully migrated to the new SEPA products. In the meantime, however, various new payment services were introduced that were not properly covered by the PSD, for example services for the online initiation and viewing of payment transactions for account holders with payment accounts at different banks. The PSD had to be revised so that this service – the so-called access to the payment account by third parties – is also subject to clear and uniform rules and guidelines.
PSD Directive: PSD2
On November 25, 2015, EU directive 2015/2366 was adopted. This is the revision of the first PSD directive and is called PSD2. PSD2 also includes various other changes and extensions compared to the initial version. A noticeable change is that payment transactions in non-EU / EEA currencies and payment transactions to and from accounts outside the EU / EEA are also in scope of PSD2. This achieves further uniformity of payment transactions in the EU / EEA. The changes in PSD2 had to be implemented in national legislation by the various EU member states as of 13 January 2018. The changes regarding access to the payment account, both directly and through a third party, only take effect 18 months after the final publication of the regulatory technical standards (RTS) for this access to the payment account. The RTS have been in full effect since September 14, 2019.
However, the European Banking Authority published an Opinion in which it acknowledges the following: “The complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not PSPs and, therefore, not directly subject to PSD2 and the EBA’s technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019. The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, National Competent Authorities may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.” (https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2) This exception is made to ensure compliance with the RTS.
On October 16th, the EBA published a follow-up to the Opinion that is mentioned above. In this Opinion, they stated the following: “The European Banking Authority (EBA) published today an Opinion on the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The Opinion sets the deadline to 31 December 2020 and prescribes the expected actions to be taken during the migration period. Today’s Opinion also recommends national competent authorities (NCAs) to take a consistent approach toward the SCA migration period across the EU and to require their respective payment service providers (PSPs) to carry out the actions set out in the Opinion. In addition, the Opinion recommends that, where required, NCAs communicate to PSPs in their jurisdiction that the supervisory flexibility they have exercised does not represent a delay in the application date of the SCA requirements in PSD2 and the EBA’s Technical Standards. Rather, it means that NCAs will focus on monitoring migration plans instead of pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements. Furthermore, the EBA notes that consumers will be protected against fraud as required by the law and NCAs should, therefore, communicate to their PSPs that the liability regime under Article 74 of the PSD2 applies and that issuing and acquiring PSPs are still liable for unauthorised payment transactions.” (https://eba.europa.eu/eba-publishes-opinion-on-the-deadline-and-process-for-completing-the-migration-to-strong-customer-authentication-sca-for-e-commerce-card-based-payment)