Payment Services Directive 2
What is it?
The so-called "PSD2" is the revision of an existing directive from 2007, called the "Payment Services Directive" or "PSD" or "PSD1". Since it is a directive, it will need to be transposed/ implemented within the law of the EEA Member States (as opposed to an EU Regulation that is "directly applicable" in the various Members States).
Most of the PSD2 provisions need to be "live" in the various Member States by January 2018, with the exception of the provisions on security (so-called "strong customer authentication" or "SCA") and the technical details of how banks are expected to provide access to third party players (so-called "TPPs"), which will only go live towards the end of 2018 or the beginning of 2019.
Why do you need to know about it?
On some topics, PSD2 is just updating/amending/refining PSD1 (e.g. in relation to the kinds of payment services that fall outside the scope of PSD, and therefore are/were unregulated).
However PSD2 also contains brand new provisions/topics compared to PSD1, including in particular SCA and the "access to account" that financial institutions need to grant to TPPs (so-called "Account Information Service Providers"/AISPs and "Payment Initiation Service Providers"/PISPs).
In terms of new provisions in PSD2 versus PSD1:
• Strong Customer Authentication: PSD2 requires that when a payer accesses its payment account online (e.g. logs into his/her PC banking platform) or initiates an electronic payment transaction (e.g. card payment or credit transfer – either face-to-face or "remote"), SCA should take place. SCA is defined as two of three factors: "something only you know" (e.g. a PIN), "something only you are" (e.g. a fingerprint) and "something only you have" (e.g. your card in a face-to-face context, your phone or tablet for a remote payment, etc.). For example:
– in the case of a face-to-face payment, Chip & PIN should in principle qualify as SCA;
– In a "remote" (e.g. online or mobile) context, the phone (or more precisely a token stored on the phone) should qualify as the "something only you have", and a fingerprint or a selfie should qualify as the "something only you are", therefore meeting the requirements of SCA.
In addition, for "remote" payments, there is a requirement that SCA "includes elements which dynamically link the transaction to a specific amount and a specific payee" (Article 97(2)) which raises technical issues, in particular in relation to card payments.
The EBA (European Banking Authority) has been tasked with the mission to draft possible exemptions to the principle of SCA by default. In a document published on 23 February 2017, the EBA proposed a series of exemptions to the principle of SCA, that are due to be adopted in due course by the European Commission (EC).
- As regards face-to-face transactions, the EBA is proposing an exemption for contactless transactions not exceeding EUR 50 (with a cumulative value of EUR 150 without SCA or 5 consecutive contactless transactions without SCA), and transactions at unattended terminals for parking and transports.
- As regards remote transactions, the EBA propose an exemption for electronic payments to a white list of trusted beneficiaries, and recurring transactions to the same payee and of the same amount. It also proposes an exemption for remote transactions that do not exceed EUR 30 (with a cumulative value of EUR 100 without SCA or 5 consecutive remote transactions without SCA). Finally, the EBA also proposes to enable the PSPs (Payment Service Providers) of the payer and the payee to perform a "Risk-Based Authentication" (RBA) for remote transactions up to a maximum value of EUR 500; this exception is allowed provided that their fraud rates do not exceed specific thresholds.
• TPP "access to account": financial institutions (referred to as Account Servicing PSPs/ASPSPs, e.g. banks (so-called "credit institutions"), EMIs (E-Money Institutions) and PIs (Payment Institutions) that hold "payment accounts" (e.g. current account, but also potentially a credit card account, a prepaid card account, a savings account, etc.) are required to grant "access" to the account, for free, to so-called "TPPs"/Third Party Payment Service Providers – which are categorised as AISPs and PISPs. The former do not provide payment services, but instead generally aggregate data from various accounts; whereas the latter initiate a payment (in practice, a credit transfer) from the account of the payer to pay a merchant (presumably at a cheaper price than a card payment, as otherwise it is unclear why any merchant would prefer that form of payment over a card payment, that typically comes with a payment guarantee). The above mentioned draft RTS provides technical details about how banks are required to grant access to the account to TPPs, i.e. either through a "dedicated interface" (typically referred to as an "API" or "open API") or through the interface made available by the bank to the consumer, the data that those TPPs can get access to (in the case of an AISP the same data as that available to the consumer, including transaction history; whereas in the case of a PISP just information on the initiation and the execution of the payment), how often an AISPs can "refresh" the data when that refresh is not actively requested by the user, etc.
In terms of changes from PSD1 to PSD2, here are a few select examples:
• The concept of "commercial agent", that was used in particular by online market places (e.g. Fnac, etc.) in order to avoid falling within the scope of the PSD, is being narrowed down since a commercial agent will only be able to operate for either the payer or the payee (Article 3(b)).
• The concept of a "limited network" payment instrument (e.g. "closed loop" cards or "filtered loop" cards, such as gift cards, petrol cards, meal voucher cards) is being narrowed down (Article 3(k)).
• The services that telcos can offer to consumers without being regulated under PSD2 are also been narrowed due to some maximum amounts (50 EUR per transaction and 300 EUR per month) (article 3(l)).
• Three-party card schemes that are not entirely closed will be forced to grant "access" / licenses, in particular to acquirers – who will pay regulated levels of interchange fees on those transactions (see below on the EU Interchange Fee Regulation), and therefore should be able to undercut the pricing (Merchant Service Charge/MSC or Merchant Discount Rate/MDR) currently offered by those three-party schemes to to merchants (Article 35 and recital 51).
EU Interchange Fee Regulation
What is it?
The IFR is an EU regulation impacting card payments – in three "tranches": June 2015, December 2015, and June 2016. In particular, the IFR impacts the economics of card payments by capping the amount of "interchange fees" that merchant acquirers (and, in most cases, ultimately merchants) pay to the card issuer on every (consumer) card transaction. In that respect, the IFR is the continuation of the competition law cases that have been pursued, for many years, by the EC and various national competition authorities (NCAs) in relation to MasterCard, Visa and some of the domestic debit card schemes that exist in a few EEA countries (such a Cartes Bancaires in France, Pagobancomat in Italy, etc.). In addition, the IFR also regulates a series of so-called "business rules", i.e. imposes new obligations and creates new rights for the various participants in the payment card value chain, namely merchants, acquirers, issuers, cardholders, card schemes and processors.
Why do you need to know about it?
The IFR covers various topics – which we address briefly below:
• Interchange fees: the IFR caps the amounts of interchange fees applicable to consumer card transactions in the EU (Articles 3 and 4). It also contains an anti-circumvention clause, and in particular the concept of "net compensation" which requires calculations of how much the card scheme is paying to the issuer, and how much the issuer is paying to the card scheme (Article 5 IFR).
• Pan-European licenses: the IFR requires that licenses granted by card schemes to issuers and acquirers should have a pan-EU geographic scope (Article 6 IFR).
• Separation of scheme and processing: the IFR requires that companies operating both a "scheme" business as well as a "processing" business should implement a "functional separation" of these two activities. In particular, those two businesses need to be operated independently in terms of "accounting, organisation and decision-making process" (Article 7 IFR).
• Co-badged cards: the IFR provides more freedom to issuers in terms of which brands/schemes they can place on a card. Under one interpretation of the IFR, it is in fact the consumer who can choose, amongst the brands that are issued by an issuer, which brands he/she would like to see placed on his/her card. When a co-badged card is used to make a payment (whether face-to-face or online), the IFR provides that, ultimately, it is the cardholder who can choose which brand/scheme will be used to make the payment – although the merchant may seek to influence that choice by having a priority selection installed in the terminal (Article 8 IFR).
• Steering: the merchant can also steer the consumer towards its preferred means of payment or card brand, e.g. by setting a minimum price below which he does not accept the card, or offering a discount for cash payments (Article 11 IFR). In countries that allow merchants to surcharge card transactions (such as e.g. the UK, Belgium, etc.), merchants may continue to surcharge consumer cards until January 2018 at the latest; as from January 2018 such surcharging will no longer be allowed (however may be allowed to continue in relation to commercial cards) – this is regulated by the revised version of the PSD2.
• More information for merchants: acquirers are required to provide more information to merchants, both in the merchant contract (Article 9 IFR) as well as on a regular basis – e.g. once a month (Article 12 IFR).
• Relaxation of the Honour All Cards Rule (HACR): historically, a merchant who had decided to accept a brand of card payments was required to accept all the cards under that brand, including commercial cards under that brand. In a nutshell, that is no longer the case: a merchant is now free to determine which brands and/or categories of cards it would like to accept – e.g. only accept consumers' cards (that are subject to the interchange fee caps) but not commercial cards under that same brand (that are not subject to interchange fee caps).
• By June 2019, the EC is expected to produce a report on the impact of the IFR on the market (e.g. will issuers increase the fees they charge to consumers so as to recoup the reduction of interchange fee revenue? Will merchants pass onto consumers the reduction of interchange fees/Merchant Service Charges in the form of lower retail prices, or not?).
How will it affect your business?
The IFR essentially grants new rights to EU consumers and EU merchants – and creates additional obligations for issuers, acquirers and card schemes. It raises of lot of questions of interpretation – for example:
• As an issuer, how are you expected to perform net compensation calculations? Are you required to issue a MasterCard/Visa co-badged card to a consumer if he/she would like one, or a tri-badged MasterCard/Visa/domestic scheme card? Do so-called "individual pay" cards qualify as commercial cards in your country (attracting unregulated interchange fees), or as consumer cards (capped interchange fees)?
• As an acquirer, how are you supposed to comply with the transparency requirements that are imposed in relation to the merchant contract (Article 9), as well as the regular information requirements contained in Article 12?
• As a merchant, how do you differentiate the cards that you are forced to honour based on what is left of the HACR, or those cards that you are free not to honour? How do you identify the cards that you are free to surcharge vs. those cards that you are not allowed to surcharge? If you are operating a co-brand programme, in particular with three party card schemes, do the interchange fee caps interfere with the economics of that program, and if so how?
Should you have any questions in relation to PSD2, the IFR, or other legislation impacting payments such as the 4th AML directive (currently under revision), the General Data Protection Regulation (GDPR), the EU NIS (or cybersecurity) directive, etc, do not hesitate to contact our team of lawyers specialised in the payments sector.