Netherlands finally implements PSD2

With the implementation of PSD2 into Dutch law, two new activities will become regulated in the Netherlands: (1) providing account information services (AIS) and (2) payment initiation services (PIS). On the one hand, this means that parties that wish to offer these services in the Netherlands require an authorisation or a registration. On the other hand, such parties will be entitled access to payment accounts from customers at Dutch Account Servicing Payment Service Providers (ASPSPs) including Dutch banks (subject to the terms and conditions of PSD2). In anticipation of the Dutch implementation date, the Dutch Central Bank (DCB) has allowed interested new market entrants to apply for a 'draft' AIS or PIS licence under PSD2 since July 2018, in order to prepare them as much as possible. Once the legislative proposal will become effective (which is expected to be 1 January 2019) the DCB will finally be able to start granting licenses.

Another topic that PSD2 introduces is strong customer authentication (SCA), in particular when a payer accesses his or her payment account online or initiates an electronic payment.

In general, the Dutch legislator stayed pretty close to PSD2 when transposing it into Dutch law. Then why the delay in implementation? As PSD2 also covers privacy related issues (such as access to payment account data), there has been an extensive discussion about the division of supervision between the DCB and the Dutch Privacy Authority (PA), and the requirement of 'explicit consent' for a PIS provider or AIS provider to have access to the customer's payment account data and the processing of personal data in particular. [2] Combined with a lengthy parliamentary discussion about (the implementation of) PSD2, this caused the delayed implementation. Most of the parliamentary debate was focussed on the protection of the privacy of the account holder and the regulation vis-a-vis processing personal (financial) data. Further to this debate, Dutch banks have been requested to make available in an account holder's online banking interface or banking app a list of all payment services providers to which the account holder has given explicit consent to access her/his payment account data.

PSD2 provides for a few member state options (possibilities where a member state can decide to deviate from PSD2, within a framework); the Netherlands opted to use only (very) few of those. For example, it did not opt for protection of microenterprises, further limitation of a payee's own risk or further extension of the surcharging prohibition to cards not subject to interchange fee caps under the EU Interchange Fee Regulation (e.g. commercial cards).

Furthermore, not only the DCB and the PA supervise compliance with PSD2 in the Netherlands, also the Dutch Financial Market Authority (behavioural supervision/protection of account holder) and the Dutch Authority Consumer & Market (protection of competition) have supervisory authority when it comes to compliance with PSD2. This will require quite some cooperation and alignment between these four supervisory authorities.

Our team of financial regulatory and data protection experts is more than happy to answer any questions you may have about the transposition of PSD2 into Dutch law and the rest of the EU.