The law makes payment initiation services and account information services subject to regulatory supervision by the Federal Financial Supervisory Authority (BaFin). Furthermore, there will be stricter authentication requirements when making online payments.
On February 8, 2017, the federal government adopted a bill to implement the Second Payment Service Directive. It thus fulfills its obligation to transpose the PSD II (Directive (EU) 2015/2366), which was previously adopted by the European Parliament and the Council, into national law. Next, the draft must be submitted to the Federal Council (Bundesrat) for its opinion. It must be implemented by January 13, 2018.
The aim of the Second Directive – as with the first – is to harmonize the legal framework for payments within the European internal market that are not done in cash. By this competition on this filed shall be strengthened and security in payment transactions shall be increased. Consumer protection will also be improved. In order to codify these goals, the supervisory provisions contained in the Directive have been transposed into the amended Payment Services Supervision Act (ZAG) and the civil law provisions into the German Civil Code (BGB).
Payment initiation services and account information services
A major change is the expansion of the legal catalogue of regulated payment services (sec. 1 para. 1 sent. 2 no. 7, 8 ZAG draft) with the addition of so-called payment initiation services and account information services. These services are thus subject to the supervision of BaFin.
Payment initiation services are defined as services that, in the case of a transfer-based payment, build a software bridge between the merchant’s website and the payer’s online bank account (online banking). The payment initiation service will confirm to the payment recipient that the payment has been made (for example, by immediate online transfer). Since the service providers in this procedure can come into possession of account information, the legislature felt that it was no longer justifiable that such services were not subject to supervision. They now require permission (sec. 10 para 1 ZAG draft). Furthermore, liability regulations have been extended for cases where a payment initiation service is used for making a payment. Although the service provider holding the account (bank of the payer) is primarily liable, he may have recourse to the payment initiation service involved (sec. 673a para. 1 BGB draft).
In contrast to the payment initiation services, account information services do not require authorization, but are subject to compulsory registration. Account information services are defined as services that provide users of payment services with online information about one or more payment accounts at one or more payment service providers. This is done via the online interfaces of the payment service providers holding the accounts. Since these services do not come into the possession of customer money and do not initiatepayments, they are subject only to limited supervision and are privileged compared to payment services.
The new law allows users of payment services to use payment initiation services and account information services (sec. 675f para. 3 BGB draft) if they have access to online banking. To these ends, the payment service providers that hold the accounts must grant access to selected account information to the providers of the payment initiation services and account information services.
Stricter authentication requirements for online payments
Another change is that authentication for online payments shall be improved. Authorization must therefore consist of at least two procedures. As part of its technical regulation standards, the European Banking Authority (EBA) decides what requirements such authorization will be subject to and what exceptions there will be. Furthermore, the payment service providers must inform the user of the payment service about which procedures the user would like to use in the future (Article 248 sec. 4 para. 1 no. 4a EGBGB draft).
In the case of misuse of a payment authentication instrument, the consumer is only liable to a maximum of 50.00 EUR (previously 150.00 EUR), provided that the payment was not fraudulent, deliberate or grossly negligent. This regulation, which was previously independent from any fault by the consumer, has now been modified by the legislature in such a way that a claim cannot be made against the user of the payment service if the user can prove that the user was not able to notice the loss of the authentication instrument.
If a replacement payment authentication instrument is necessary due to its loss, theft, misuse or “otherwise unauthorized” use, the payment service provider is entitled to charge the user of the payment service for the costs incurred for the replacement of the instrument. However, the claim for compensation is limited exclusively to the costs directly connected with the replacing of the instrument.
Obligation to cooperate in case of incorrect transfer
Furthermore, in the event of an incorrect fund transfer to a wrong recipient, the problem has been that the payment service provider of the (wrong) recipient often provided no information due to banking secrecy regulations, insofar as the recipient refused to repay the (erroneously transferred) amount or to agree to the transfer of the recipient’s name and further information. With the introduction of sec. 675y para. 5 p. 3, 4 BGB draft, this problem has now been remedied. The payment service provider of the recipient is now obliged to provide information concerning the (wrong) recipient. They can no longer rely on banking secrecy.
Entry into force
As previously mentioned, the PSD II has to be implemented into national law by January 13, 2018.
Companies, such as credit institutions, electronic money institutions and payment institutions, that are affected by the new regulations must act and adjust their current conditions to meet the new legal requirements. However, according to Article 109 of the Directive, certain companies are subject to transitional rules and will have some more time to incorporate these new regulations.