The Second Payments Services Directive (PSD2) has been implemented in Finland on 13 January 2018 by amending two laws, the Payment Services Act and the Payment Institutions Act. The majority of the provisions of PSD2 apply already, but provisions on strong customer authentication and common and secure communication will come into operation at a later stage. Consequently, a transition period has begun and certain outstanding questions remain.
PSD2 changes the European payments market radically for both payment service providers (PSPs) and payment service users by enabling consumers and companies manage their finances in a new way.
One of the key changes is that PSD2 creates two new categories of PSPs: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) also referred as Third Party Providers. Account banks must provide these Third Party Providers with access to the accounts of any customers who authorise it.
As an outcome, PISPs are able to initiate payments through the banks’ infrastructure on behalf of the customers and AISPs can provide their customers access to account information in several banks at the same time. By this way, customers are in control of their own data, and open banking is made possible.
Other changes introduced by PSD2 include, among others, better consumer protection such as adjusted liability rules, limits on customer fees for card payments, amended reporting requirements for PSPs and, in particular, higher security requirements for online payments. These provisions reflect the fact that PSD2 is relevant for anyone active in the payments market.
Status in Finland
PSD2 has been implemented in Finland by amending two laws, the Payment Services Act (in Finnish) and the Payment Institutions Act (in Finnish). As PSD2 is a maximum harmonization directive, the existing legislation has been amended only to the extent required by the implementation of PSD2.
Some of the optionality provided for the Member States in PSD2 has been used in the Finnish implementation, corresponding mainly to the Member State options exercised already in the implementation of PSD1. For example, Finland applies the requirement for payment institutions having agents or branches in Finland to report to the Financial Supervisory Authority (FSA) on the activities carried out in Finland.
Even though Finland is among the first European countries to implement PSD2, payment service users will have to wait for the new services. First of all, PISPs need to apply for authorisation and AISPs register with the FSA in order to provide payment services, and it may take months before first new Third Party Providers have been granted permissions in Finland.
Also existing PSPs have to demonstrate to the FSA that they comply with the amended legislation. The Payment Institutions Act provides the PSPs with additional transition periods for providing necessary information and updating their authorisations. Even then, banks have until autumn 2019 to fully comply with certain provisions of PSD2 as set out below.
The majority of the legal provisions introduced by PSD2 apply as of 13 January 2018. However, some issues are yet to be clarified also on the European level. Most importantly, the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication (CSC) drafted by the European Banking Authority (EBA) has not yet entered into force.
The RTS will be applicable only 18 months after its entry into force, i.e. in autumn 2019 according to current estimation. During the transitional period between 13 January 2018 and the date when the RTS will be enforced, banks are supposed to comply with PSD2, but are not yet obliged to implement the new security requirements regarding for example the interfaces (APIs) to enable access to customers’ accounts. This means that different standards and data formats may be expected in terms of access to the banks’ infrastructure around Europe.
To clarify various requirements during the transition period, the EBA has issued an opinion on the transition from PSD1 to PSD2.
In Finland, one of the most debated issue in relation to the transition period is the lawfulness of ‘screen scraping’ where a Third Party Provider logs in to a customer’s bank account with the customer’s security credentials as if it were the customer. This method has been offered as an alternative during the transition period to access necessary data before separate interfaces are in place in line with PSD2 and the RTS.
According to a recently published opinion of the FSA (in Finnish), screen scraping may not be used, if the Third Party Provider cannot be identified in a secure manner and access cannot be restricted only to the account information specified by the customer.
This opinion distinguishes Finland from many other counties. Also the EBA has given green light for the use of screen scraping during the transition period unless national law prevented such access before 12 January 2016. As the FSA’s main concern appears to be security and it is at the same time encouraging early application of interfaces regulated by the RTS, the FSA’s opinion should above all be considered as an initiative for banks and Third Party Providers to find common and secure solutions during the transition period.
To facilitate the interpretation of PSD2, the FSA has also established a PSD2 Monitoring Group (in Finnish), which aims to discuss interpretation issues and give guidance to supervised entities. The Monitoring Group’s presentations are published on the FSA’s website and are likely to address also screen scraping in more detail.
We at Dittmar & Indrenius are happy to discuss any questions you may have regarding PSD2 and its national implementation in Finland.