The new EU Payment Services Directive (PSD2) has been published in the Official Journal of the EU (OJEU) and will come into force on 13 January 2016.23 Dec 2015
PSD2, which was formally adopted by EU law makers in November, will need to be implemented into national legislation across the 28 EU countries with those rules to be applied from 13 January 2018.
The revised Directive will replace the existing Payment Services Directive which has been in place since 2007. The 2007 Directive will be repealed with effect from 13 January 2018.
"The lobbying opportunities to shape PSD2 are far from over – work is going on at the EBA [European Banking Authority] to set standards and, critically, the national implementation process will add a great deal more guidance around how PSD2 will be applied," said payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com.
The new legislation imposes obligations on companies that have previously been outside the scope of regulation, reflecting innovations in the payments market that have emerged since 2007 and the different types of companies now involved in delivering payment services.
Under PSD2 banks and other payment service providers (PSPs) must give so-called payment initiation service providers (PISPs) access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and takes on certain liabilities in relation to any unauthorised transactions it is responsible for.
PSD2 also promotes account information services, like businesses that allow customers to access information about all their payment accounts in one place. The new rules require PSPs to open up access to the accounts they manage on behalf of a customer where the account information service provider (AISPs) has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.
In addition to rules on customer authentication, facilitating third party access to accounts and account information, data security and liability, PSPs must also abide by a range of requirements relating to transparency over account services and charges, major operational or security incident reporting and complaint handling, amongst other things.
The EBA has a role, under PSD2, to draft a range of technical and regulatory standards which will set out in more detail how companies subject to PSD2 can comply with the rules set within the Directive.
The EBA has already opened consultations on some of the standards it has to draft, including new standards to help PISPs and AISPs communicate with PSPs securely and ensure that transactions are based on "strong customer authentication". The power to adopt the standards rests with the European Commission.
Financial services and technology law expert John Salmon said last week that banks and payment providers must change to stay relevant as a result of the PSD2 reforms and other coming changes to the payments market.
"Financial service businesses will need to keep in mind that innovation in payments will only occur if consumers trust that new products and services in the market are secure," Salmon said in his regular blog for Out-Law.com. "It is therefore up to existing businesses to clearly articulate how they are propositioning security to consumers so that they understand how their data is secured. Again, the final output of the EBA's work may determine what technically must be put in place."
"Security must not, however, be a barrier to innovation. Security together with convenience of use and relevance to consumers are key components that will make for successful new payment solutions. Data hacks, bad customer experience and a lack of relevance are major issues which a growing band of customers are no longer willing to accept," he said.