Payment Services Directive 2 (Directive 2015/2366/EU; PSD2) is the revised European payment services directive. PSD2 is intended to modernise the statutory framework, improve payment traffic within Europe, and create space for new and innovative parties entering the market that can contribute to a more effective and transparent manner of payment.
PSD2 does not only have consequences for payment service providers that already held a licence or exemption under the old directive. The revised directive also introduces new categories of regulated service providers, namely account information services and payment initiation services. Among other things, PSD2 expands the licence requirements for payment service providers.
New types of payment service providers
According to Section 1:1 of the Financial Supervision Act (Wft), a payment service provider is defined as an undertaking that conducts the business of providing payment services. These services may be provided to payers (consumers) and payment service users (merchants). Such services often act as an intermediary in this relationship. PSD2 distinguishes between eight different payment services. The following two paragraphs include a brief discussion of two of these services: the “account information service” and the “payment initiation service”.
An Account Information Service Provider (AISP) is defined as an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
Account information services provide a user with an online overview of the account information he maintains with one or more payment service providers. Account information services could comprise digital household finances such as AFAS Personal.
According to the directive, a Payment Initiation Service (PIS) is defined as a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
The payment initiation service initiates a payment at the request of the user; in that connection, the service provider that holds the account forwards information concerning the payment to the initiation service. It can forward confirmation of successful payment to the online merchant immediately. Payment initiation services are not only encountered when making online purchases (such as iDEAL and SOFORT), but also during physical point-of-sale (POS) transactions.
New licence requirements
Under Section 2:3a Wft, any party that performs payment services in the Netherlands requires a licence for payment institutions from De Nederlandsche Bank (DNB) unless an exception or exemption applies.
PSD2 tightens the licence requirements from the original directive. The directive includes new licence requirements, particularly in the area of security. A small selection from the new rules follows.
In the licence application, payment institutions must describe how their procedures for monitoring and handling security incidents and security-related complaints from clients, and the follow-up of these, are structured. They must also provide information concerning, for example, the structure of procedures for storing, monitoring, tracing and limiting access to sensitive payment information, and the security policy, including detailed risk analyses with respect to the payment services and the measures in the area of security and risk limitation that are implemented in order to protect users against, among other things, fraud and unlawful use of sensitive and personal data.
In addition, anti-money laundering legislation also plays a role in the application. For example, payment institutions have to demonstrate how they comply with the rules that apply to them within the context of money laundering and the financing of terrorism, and describe the internal control mechanisms set up by the applicant.
The European Banking Authority (EBA) has issued Guidelines supplementary to the directive. These constitute guidelines for further elaboration of the licence application for the benefit of payment institutions.
With respect to the procedures for handling security incidents, the EBA writes that the applicant has to provide a further description of, among other things, the organisational structure. This includes the description of specific measures, resources, the department responsible for customer assistance, and processes for fraud and incident reporting.
In addition, it is important for the various aspects of the service and the licence application that the EBA’s conditions concerning data security are satisfied. For example, a Comprehensive Security Policy has to be formulated.
Within the context of anti-money laundering legislation, it is important to the EBA that a comprehensive description is provided of the systems and measures that the applicant has set up and implemented in order to counter money laundering and the financing of terrorism. The division of responsibility within the organisation also plays an important role in this connection.
This is merely a small selection from the new statutory framework introduced by PSD2. New players in the payment market should ask themselves whether they require a licence. It involves more than one would think!
A debate that is still ongoing within the context of PSD2 concerns the relationship between the new rules from the directive and privacy legislation. This debate was not considered here.
The Netherlands was unfortunately unable to meet the implementation deadline of 13 January 2018. However, the Minister of Finance expects that PSD2 will enter into effect by the middle of 2018.
You can always contact us if you or your organisation have any questions about payment services or the new directive.
By Rick Sanders