What is PSD2?
Until recently, the Payment Services Directive (PSD) was the legal framework governing payment services across Europe. With the objective of modernising the regulation in line with developing technology, the European Commission overhauled PSD with the implementation of PSD2. This new regulation covers a wide range of payment related services and will require businesses to re-evaluate their systems and processes to comply with the new rules.
The main changes following the Second Payment Services Directive (PSD2) relate to the broadened scope of the directive, conduct of business requirements, customer protection, competition and security.
Who does it affect?
PSD2 affects existing payment service providers, including banks e-money institutions, digital wallet services, loyalty programmers and technology providers, whether regulated by the relevant regulatory authority (such as the Financial Conduct Authority in the United Kingdom) or not.
When will this become applicable?
PSD2 must be implemented in the United Kingdom by 13 January 2018. Payment service providers must promptly assess the potential impact of PSD2 on their business and take the necessary steps to ensure they are compliant by no later than 13 April 2018.
What does it change for the Fintech industry?
- Increased scope - PSD2 expands the reach of the original PSD to include transactions where at least one party (but not necessarily both) is located within the European Union. As a result, more conduct of business and information requirements will apply to international payments. Businesses should therefore consider whether any changes may be needed to comply with these new requirements, particularly for accounts or agreements that previously fell outside the scope of PSD.
- Third party payment service providers (TPP) - PSD2 introduces two new regulated payment services: Account Information Services (AIS), which are providers that can connect to bank accounts and retrieve information from them. They help users gain an overview of their financial position by aggregating information from their various payment accounts; and Payment Institution Services (PIS), which are institutions that can initiate payment transactions. Businesses providing either AIS or PIS may need to become regulated for the first time under PSD2.
- Narrower exemptions - Several exemptions available under the PSD have been narrowed under PSD2, affecting businesses which to date have fallen outside of the scope of regulation. For example, the previous commercial agent exemption, which applied under PSD where a commercial agent acts on behalf of both the payee and payer, no longer applies.
- Acquisitions - Existing or proposed shareholders in regulated payment institutions now have an obligation to inform the relevant regulatory authority of any decision to acquire or increase their current shareholding, such acquisition may be subject to opposition by said authority.
- Customer authentication - The new standards will allow a payer to authorise a transaction by using at least two of three elements, namely, knowledge (passwords or pin codes), possession (physical possession of cards) or inherence (bio-scans).
- Complaints - Businesses will now only have 15 business days to respond to a customer's complaint and will be obliged to advise on an appropriate alternate dispute resolution body if the complaint remains unresolved.
- Consumer protection - The implementation of PSD2 bans surcharges on the use of payment cards and users will only be liable for transaction charges where the amount is fully disclosed prior to the transaction. Users will also have the right to request monthly transaction statement, without charge.