EU-Wide Rules On Electronics Payments set to Regulate Mobile Payment Transactions – An Article by Alkan Shenyuz
Alkan Shenyuz, a barrister and specialist in banking and financial services, looks at the new EU Payment Services Directive and its impact on the regulation of mobile payment transactions in the UK and the EU.
In a move to create a single market for electronic payments in the European Union, the European Parliament voted to adopt the Directive on Payment Services (known as PSD2) in October 2015. Member States are required to adopt it as national law by 13 January 2018. PSD2 incorporates and repeals directive 2007/64/EC (otherwise known as the Payment Services Directive), which provided the legal basis for the creation of an EU-wide single market for payment services. Certain provisions of PSD2 have been delegated to the European Banking Authority, such as the development of Regulatory Technical Standards (RTS), and will come into force up to 18 months later.
By way of background, the Payment Services Directive was introduced in 2007 and was brought into UK law in 2009 through the Payment Services Regulations (PSRs). Its objectives were to:
- create a single market for payments in the European Union
- open up the market to new entrants
- create a platform for the Single Euro Payments Area
- protect consumers' rights when making payments
PSD is generally considered to have eased access to new market entrants and created competition. However, recent advances in mobile payment technology, the appearance of new forms of electronic payments and the need for increased online security for consumers have necessitated a wholesale review of existing EU-wide legislation. A series of measures introduced by PSD2 will open up the market for firms offering mobile payment services, improve consumer rights and ensure mobile payment technology provides appropriate safeguards for consumers and retailers. By doing so, PSD2 sets out to create a more secure environment for payments made over the internet or by mobile phone, in particular for those using remote channels.
The new Directive will have an impact on the operations of not only credit institutions (such as banks and building societies) but also payment institutions such as money remitters, foreign exchange service providers, card issuers and acquirers. It will also affect electronic money institutions (Apple Pay is one such example), post offices and independent ATM operators. It is hoped that the new Directive will also provide the necessary legal certainty for firms entering the market or continuing to operate in it. In general, PSD2 will continue to govern the authorisation and prudential requirements for payment institutions while setting conduct of business rules for the provision of payment services by all payment services providers (including banks, building societies, money remitters and e-money issuers).
The key changes introduced by PSD2 include:
- Revision to the conduct of business rules to include payment transactions in all currencies where at least one payment services provider is located within the European Economic Area (EEA). PSD2 will require compliance with transparency requirements and the provision of information where “one leg out” transactions occur, namely transactions where money is being sent out of or into Europe.
- An update to the list of activities exempt from regulation under PSD2 and, in some cases, restrictions on exempt activities. In particular, businesses that benefit from the ‘Limited Network Exemption’ or ‘Digital Download Exemption’ will in future be required to be registered with national regulators (which in the UK is likely to be the FCA). The ATM operators’ exemption will also be removed and independent ATM operators will now be subject to the PSD2 regime.
- Firms wishing to passport their activities into another EEA country may be subject to additional reporting requirements by that host Member State. Firms with agents in another Member State may also need to provide a ‘Central Contact Point’ within that state.
- The introduction of two new types of payment service which will be regulated under PSD2:
  - Account Information Services (AIS) are online services offering a consolidated view of a user’s payment accounts from across one or more payment service providers.
  - Payment Initiation Services (PIS) initiate a payment transaction at the request of the user from an account held by the user at another payment service provider.
The introduction of these new types of services represents a major shift in the way payments are processed and will allow retailers and consumers to use organisations such as those that provide mobile applications to access account information or to initiate payments. This will allow users to use regulated payment service providers other than their own banks to meet their specific banking needs. For example, business users may allow third party providers to link with their payroll systems for faster, more efficient processing. Consumers, on the other hand, will be able to give access to, say, Amazon, to communicate directly with their banks to authorise a payment. This change to the way electronic payments operate today (whereby Amazon would usually act through an acquirer who would in turn contact the consumer’s card scheme) is likely to lead to faster payment processing and imminent settlement.
Furthermore, account information services will be able to provide businesses access to all their account information on a single platform and generate analysis which may help them to make improvements to payables and receivables. There are also new rules in the event of unauthorised payments which make the account provider liable to restore the payment to the payer.
- Improved protection and security for consumers in the event of unauthorised online transactions. Customer liability for unauthorised transactions will be reduced to EUR 50 instead of the previous EUR 150 (though in the UK the maximum is currently £50). A payment service provider will need to prove that they have certain security measures in place ensuring safe and secure payments. Under Article 87 of PSD2, Member States will be obliged to ensure that payment service providers (PSPs) apply “strong customer authentication when the payer: (a) access his payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses”. In the case of (b), for electronic remote payment transactions, PSPs must apply strong customer authentication that includes elements dynamically linking the transaction to a specific amount and a specific payee. PSPs must also ensure that they have in place adequate security measures to protect the confidentiality and integrity of the PSU’s personalised security credentials.
The changes envisaged by PSD2 are likely to mean that existing payment service providers will have to review their business plans to understand how exactly they will be affected and how they can best adapt to the new regulatory framework. There is likely to be a significant up-front expenditure for a payment service provider to ensure that they are compliant, as well as additional costs to the transaction process which may ultimately be passed on to consumers. UK payment service providers are advised to get in touch with the Financial Conduct Authority (FCA) to discuss the technical standards expected of them.
For further information on PSD2 or if you are a new or existing payment service provider who may be potentially affected by the new regulatory regime, please get in touch with Alkan Shenyuz (email@example.com) or +44 (0)20 7936 5541