PSD 2: extension of scope and removal of exemptions
Third-party Payment Initiation Services
PSD 2 would expressly cover new Payment Initiation Services (‘PI services’). PI services are an alternative to card payments offered by companies like PayPal: third party providers that allow consumers to make payments from their accounts, typically by electronic means.
This development is intended both to benefit consumers – PI services are currently unregulated in some Member States, but under PSD 2 would be subject to various consumer protection measures – and also PI services as well. PSD 2 seeks to reduce barriers for new market entrants offering PI services; and, in particular, would oblige payment service providers (‘PSPs’) such as banks to let their customers use PI services provided by third party providers. It would also oblige PSPs to let their customers use third party Account Information Services: software that displays consolidated information on a consumer’s different payment accounts.
PI services would be required to be licensed, registered and supervised, like any other payment institution. They would be subject to their own information and transparency requirements, as well as the new requirements on internet payment security described below.
Other changes of scope and exemptions
- Payments via store cards, membership cards, meal vouchers, etc: the ‘limited network exemption’ would be restricted to only those arrangements that “address precise needs”; and, where the monthly volume of transactions exceeds €1m, PSPs must seek express permission from the regulator to use this exemption.
- Payments made through commercial agents: the European Commission considered this exemption was being abused; therefore it would be restricted to only commercial agents acting on behalf of either payer or payee; and removed from agents acting for both (e.g. some e-commerce platforms).
- Cash machines: PSD 2 would remove the exemption for ATM services provided by independent operators – companies that typically charge customers for withdrawing money from cash machines.
- Payments for digital content: the exemption would be restricted to low value payments (individual transactions below €50, with a monthly cap of €200) made via providers of electronic communications networks or services such as telephone companies.
- Payments outside the EU: while PSD 1only applies to payment services where both the payer’s PSP and the payee’s PSP are located in the EU, some of the transparency and information requirements in PSD 2 would also apply to payments where only one PSP is in the EU (‘one-leg transactions’).
- Payments in non-EU currencies: PSD 1 only applies to EU currencies, while some of PSD 2’s transparency and information requirements would apply to transfers made in any currency.
New consumer protection requirements
Liability rules for unauthorised transactions
The rules will be further harmonised. In particular, the maximum amount that a customer can be required to pay in the event of an unauthorised transaction would be reduced from €150 to €50. (This limit would not apply in cases of fraud, or where the payer has “with intent or gross negligence” failed to notify the PSP of losing of a card, or failing to take reasonable security steps.)
Additional security requirements for internet payments
These would include:
- ensuring strong customer authentication for internet payments;
- PSPs making an annual assessment of operational and security risks (and the measures they have taken in response); and
- in some cases, notifying customers of relevant security incidents.
As a general rule, a customer would be able to ask for an unconditional refund within eight weeks of the date on which funds were debited. The PSP would then have 10 days in which to make the refund or explain why it will not do so. The customer will have this right will even in the case of a dispute; the only exception to the general refund right would be where “the payee has already fulfilled the contractual obligations and the services have already been received or the goods have already been consumed by the payer”.
Banks would be required to answer any complaints within 15 business days and in writing.
Under PSD 2, Member States would no longer be able to exclude customers with funds of less than €600 from safeguarding requirements.
The threshold for the light-touch regime for small payment institutions would also be reduced to an average monthly payment transaction turnover of less than €1m.
Regulation: charges and fees
As noted above, PSD 2 was accompanied by a proposed Regulation capping interchange fees: these are the fees a payer’s PSP charges a payee’s PSP for its payment services: e.g. the fee that a customer’s bank charges a merchant’s bank when the customer makes a card-payment – which fee is ultimately paid by the customer in the form of higher costs (or, alternatively, a merchant might decide not to offer card payments at all).
The caps would be set at:
- 0.2% of the value of the transactions for debit cards; and
- 0.3% for credit cards.
The cap would only apply to cards within ‘four-party schemes’, such as Visa and Mastercard (which cards cover the vast majority of the EU market).
The cap would not apply to ‘three-party scheme’ cards, such as Diner’s or some American Express cards. The Commission expects that merchants may apply a surcharge for the use of these cards.
The Regulation would also ban surcharges – such as levied by certain discount airlines – for the use of ‘four-party’ scheme cards.
PSD 2 would allow surcharges for other methods of payment, as long as the charges levied do not exceed the actual cost to the payee of the method of payment involved.
As noted above, PSD 2 and the Regulation are both still currently under negotiations between the European Parliament, Commission, and Council of the EU.
As a Directive, the provisions of PSD 2 will need to be transposed into national law by Member States, typically within two years after its adoption.
The Regulation, on the other hand, will be directly effective shortly after it is published. Its provisions, however, include a transitional period of 22 months, in which the cap on interchange fees will apply to cross-border transactions only, and not domestic transactions.
 for “services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services”
 ‘Strong customer authentication’ is defined in PSD 2 as “a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data”.