PSD2 is the legal foundation for the EU’s payment services framework. It integrates the European payments market and seeks to make payments safer and more secure. PSD2 addresses some of the technological developments that have occurred since the EU’s original Payment Services Directive (PSD). As a payment services provider you may want to learn more about the regulations in place, and about the legal support you may need to achieve PSD2 compliance and avoid fines.
In this article we'll cover:
- What is the EU payment services directive (PSD2)?
- Who does the payment services directive apply to?
- What does PSD2 mean for ecommerce businesses?
- Does PSD2 conflict with GDPR?
- How long do you have to get up to date with PSD2?
- What are you required to do under PSD2?
- What are the benefits of complying with PSD2?
What is the EU payment services directive (PSD2)?
PSD2 was published in the Official Journal of the EU on 23 December 2015 and is the main piece of EU legislation governing payment services in the EU. PSD2 replaces the Payment Services Directive (2007/64/EC) and entered into force on 12 January 2016. It required EU member states to transpose its regulations into national laws and regulations by 13 January 2018.
PSD2 provides the legal foundation for a single EU market for payments and seeks to account for new technology that has developed since the original PSD. PSD2 widens the scope of payment services regulation and extends the geographical scope of the regulations. For the first time, payment services regulation applies to payments to and from third countries where one of the payment service providers (PSPs) is located in the EU. Whether the foreign currency transaction is cleared and settled abroad is not relevant.
PSD2 also contains a number of provisions aimed at increasing competition and enhancing security procedures that payment service providers (PSPs) must maintain.
Who does the payment services directive apply to?
PSD2 applies to the following types of PSP:
- Central banks
- Credit institutions
- E-money institutions
- Government departments and local authorities
- The Post Office
The UK has, however, exempted the following institutions:
- Credit unions
- The National Savings Bank
It also applies to providers of online payment accounts. These include current accounts, e-money accounts and credit card accounts.
What does PSD2 mean for ecommerce businesses?
PSD2 bans companies from charging additional fees to customers paying by consumer credit or debit cards, both in shops and online. It also introduces rules on Strong Customer Authentication (SCA) for customers making payments online.
PSD2 requires that authentication is based on two or more independent elements drawn from the categories of knowledge (something only the customer knows), possession (something only the customer possesses) and inherence (something the customer is). In practice this means introducing two-factor authentication (2FA), such as 3-D Secure, for online transactions.
Does PSD2 conflict with GDPR?
Many have noted that the principal purposes of the General Data Protection Regulation (GDPR) and PSD2 are in tension with one another: PSD2 imposes data sharing requirements on financial service providers, whilst the GDPR gives individuals greater control over their data.
There is also some overlap between the provisions of the GDPR and PSD2. Article 94 of PSD2 requires payment service providers to access, process and retain only the personal data necessary for their services, and only with the explicit consent of the payment service user. This overlaps with the GDPR’s rules on the lawful processing of personal data (compliance with a legal obligation, legitimate interest, contractual necessity, etc.). Questions have arisen as to which obligations payment service providers are to comply with.
The FCA recently clarified that account servicing payment service providers (ASPSPs) are not required to obtain explicit consent from their customers before complying with their obligations under regulations 69 and 70 (relating to giving payment account data to account information service providers (AISPs) or payment initiation service providers (PISPs)). Companies are advised to stay abreast of the latest regulatory guidance in this area.
How long do you have to get up to date with PSD2?
Many elements of PSD2 entered into application on 13 January 2018, with further requirements taking effect on 14 September 2019. In October 2019, the FCA published a policy statement (PS19/26) on strong customer authentication (SCA) and common and secure open standards of communication. It also announced an 18-month period from 14 September 2019 for firms to implement SCA.
The FCA stated that it would not take enforcement action against firms if they did not meet the SCA requirements from 14 September 2019 where there is evidence that they have taken steps to comply. From March 2021, the FCA expects all firms to have the necessary changes in place to apply SCA. For online banking, the implementation of SCA must be completed by 14 March 2020.
What are you required to do under PSD2?
A company’s obligations under PSD2 depend on the nature of the business it conducts. For example, banks are required to open their payment services to other companies (third party payment service providers (TPPs)). They are also required to give customers a global view of their situation across different bank accounts.
Small electronic money institutions (small EMIs) wishing to issue e-money after 12 July 2018 must be re-registered under PSD2. Small EMIs who have to re-register will have to stop issuing e-money and providing payment services.
The FCA has produced a PSD2 Navigator webpage to help firms understand the obligations they have under PSD2.
What are the benefits of complying with PSD2?
The FCA has various powers to enforce PSD2 in the UK. These include:
- Information requests requiring information by serving written notice
- Interviews requiring individuals to attend an interview and answer questions
- Search warrants to enter and search premises
The FCA also has the power to impose penalties and censures for breaches of its rules, and to instigate criminal prosecutions, including against those who lack authorisation to provide payment services. So, it pays to make sure you remain compliant in the first instance.
The FCA may also cancel, vary or place requirements on a firm’s authorisation. It can also suspend an EMI’s authorisation or impose limitations on its payment services or e-money business activities for a maximum of 12 months. Successful prosecutions may even result in an unlimited fine or a prison sentence.
Complying with the payment services directive will protect your business from potential fines and actions being brought against you by the FCA. So, it’s worth getting the PSD2 legal advice you need as soon as possible to ensure you’re compliant.