After a lot of talk on the Second Payment Services Directive (PSD2), it is time for action. 2018 is the year when PSD2 will be transposed into national legislation and revolutionize the insights for payment services in the European Union (EU). While there will be challenges implementing PSD2 in the short term, PSD2 will definitely foster innovation and bring competition in the long term.
PSD2 – What Is It Again?
PSD2 extends the scope of the original Payment Service Directive (PSD1) from 2007. The revised Directive is a response to the market developments and introduces enhancements in consumer protection, promotion of innovation and improvement of security.
PSD2 is relevant to payment service providers (PSPs) such as credit institutions, payment institutions, e-money issuers and their agents as well as many FinTech companies, technology providers, payment card operators and e-commerce marketplaces.
PSD2 also regulates two new types of PSPs: payment initiation service providers (PISPs) and account information service providers (AISPs). The key issue in this respect is that PSD2 requires banks to provide access to their customers’ bank accounts to PISPs and AISPs – provided that the customers have given their explicit consent thereto. This requirement is fostering a more open financial sector, also known as open banking, which is said to eventually change banking as we know it.
Some specific changes compared to PSD1 include the extension of regulation to all currencies and one-leg payment transactions, changes to the scope of exclusions (for example, the commercial agent exemption and the telecoms exemption are narrowed) and requirements regarding operational and security risk management and incident reporting. In addition, PSD2 introduces stronger customer protection measures such as restrictions on surcharges and a reduced cap (EUR 50) on liability for unauthorized transactions. Requirements for strong customer authentication and secure communication should be mentioned as well.
Where Are We Now?
PSD2 must be transposed into national law by 13 January 2018, and the majority of the legal provisions will apply from that date. However, not all is clear after PSD2 has been locally transposed. PSD2 empowers the European Banking Authority (EBA) to develop a number of guidelines and technical standards, including regulatory technical standards (RTS) on strong customer authentication (SCA) and secure communication, applicable 18 months after its publication in the Official Journal of the EU. As this RTS became a dispute between the EBA and the European Commission, the RTS was adopted by the European Commission only in late November 2017. Subject to the agreement of the Council and the European Parliament, the RTS is now expected to become applicable around September 2019.
“There will be an interesting period between the implementation of PSD2 and application of the SCA RTS”
Needless to say, there will be an interesting period between 13 January 2018 and the date when the SCA RTS will be enforced. During this transitional period, banks are supposed to comply with PSD2, but are not yet obliged to implement the new security measures specified by the RTS. Different standards and data formats may therefore be expected. On the other hand, forward-thinking banks have already started to operate under an open banking environment using open application programming interfaces (APIs) to meet the PSD2 requirements.
Towards the Future – and PSD3?
Thinking ahead, PSD2 will open up the banking system to new innovations that weren’t possible before and improve applications that exist today. As payments at the same time become an integrated and invisible part of consuming, we will be introduced to a totally different way of living. Accordingly, it is not only banking that is changing. The whole world is subject to change because of PSD2.
“As the digital age has only just begun, we should not be surprised to see a PSD3 initiative”
This change will most likely mean more regulation. Accordingly, by the time we have gotten used to PSD2 (and finally also standards set by the SCA RTS), we should not be surprised to see a PSD3 initiative. This is because the aim of the payment service regulation is to make the EU fit for the digital age – and the digital age has only just begun.
Preparing for PSD2 in Finland
PSD2 is implemented in two parts in Finland, by amending the Payment Services Act and the Payment Institutions Act. Legislative proposals were published in October 2017 and submitted to Parliament’s plenary session in November 2017. Final legislation relating to PSD2 is intended to enter into force on 13 January 2018.
“Prepare for PSD2 by checking your authorization and updating relevant contract terms.”
PSPs operating in Finland should consider the potential impacts of PSD2 on all aspects of their business operations. This does not apply only to banks. From a legal perspective, at least the following should be noted by many PSPs in order to comply with PSD2:
1. Check your authorization.
PISPs need to apply for authorization and AISPs need to register with the Finnish Financial Supervisory Authority (FIVA). Currently regulated PSPs will have to demonstrate to FIVA that they comply with PSD2 including new operational and security requirements, as applicable. Different transition periods apply to different PSPs in this respect.
2. Review contract terms and update procedures.
PSD2 includes provisions that will need to be reflected e.g. in customer terms and conditions and marketing materials. On the other hand, complaint handling and alternative dispute resolution procedures need to be updated and fraud, security and risk management as well as reporting policies reviewed.
3. Create a regulatory strategy.
The European and national authorities provide further clarification and guidance relating to PSD2. FIVA has even established an open follow-up group relating to the transposition of PSD2. To take advantage of PSD2, prepare a plan for how you will keep yourself updated on new provisions and challenge yourself to understand also the interaction of different regulations. You may begin your regulatory journey by analyzing PSD2 and the General Data Protection Regulation (GDPR), as both will be relevant in terms of customer data and customer consents in 2018, but from different perspectives.