What is it?
The so-called "PSD2" is the revision of an existing directive from 2007, called the "Payment Services Directive" or "PSD" or "PSD1". Since it is a directive, PSD2 will need to be transposed/implemented within the law of the EEA Member States.
Most of the PSD2 provisions need to be "live" in the various Member States by January 2018, with the exception of the provisions on security (so-called "strong customer authentication" or "SCA") and the technical details of how banks are expected to provide access to third party players (so-called "TPPs"), which will only go live mid-2019.
Why do you need to know about it?
On some topics, PSD2 is just updating/amending/refining PSD1 (e.g. in relation to the kinds of payment services that fall outside the scope of PSD, and therefore are/were unregulated).
However PSD2 also contains brand new provisions/topics compared to PSD1, including in particular SCA and the "access to payment accounts" that financial institutions need to grant to TPPs.
We address below the topics of surcharging, SCA and co-branding.
From January 2018, EU-based airlines will no longer be allowed to surcharge for the use of cards issued in the EU that are subject to interchange fee caps under the EU Interchange Fee Regulation (IFR). This means that EU-based airlines will essentially no longer be allowed to surcharge consumer cards.
As regards cards issued in the EU and not subject to interchange fee caps under the IFR, i.e. essentially commercial cards, EU-based airlines would in principle still be allowed to surcharge those cards, unless the EU Member State where the airline is located decides to ban surcharging on those cards (e.g. France, Italy, Hungary are expected to ban surcharging on those cards).
When a surcharge is allowed, the amount of the surcharge should not exceed the "direct costs" borne by the airline in relation to the payment.
The above is not applicable to non-EU based airlines – e.g. whether an airline in Singapore or in China can surcharge is regulated by its local Singapore or Chinese law.
Strong Customer Authentication (SCA)
The principle of SCA
One of the objectives of PSD2 is to reduce the amount of fraud related to payments, and in particular online card-based payments. In order to achieve that objective, PSD2 contains a requirement that, in principle, all electronic payments, including "remote" (e.g. online) payments, should be subject to SCA.
SCA requires the payer to identify itself using at least two independent factors: something only the payer knows (e.g. a password or a PIN) and/or something only the payer is (e.g. a fingerprint) and/or something only the payer has (e.g. a device such as a mobile phone or tablet). In practical terms, this is a reference to, for example, the 3D Secure protocol (otherwise sometimes referred to as "Mastercard SecureCode" and "Verified by Visa").
The SCA requirement would put an end, for example, to so-called "one-click checkout" (subject to the exemptions contained in the final EC Regulatory Technical Standards/RTS – see below).
Exemptions to the principle of SCA
In order to strike the right balance between increased security for (online) payments and a certain level of convenience in payments (in particular on smaller screens such as a mobile phone), the European Banking Authority (EBA) was tasked with drafting exemptions to the principle of SCA, which the EC finalised on 27 November 2017.
The RTS adopted by the EC on 27 November 2017 contains, amongst others, the following exemptions to the principle of SCA:
- Low value online payments that do not exceed EUR 30, with a cumulative limit of EUR 100 without SCA or 5 consecutive transactions without SCA;
- Transactions where a "transaction risk analysis" or "TRA" is performed by the PSP of the payee and/or the PSP of the payer;
- A remote transaction to a white-listed airline (however SCA is required for the creation and amendment of the white list).
When the merchant, or more precisely the merchant's PSP, invokes the benefit of an exemption to SCA, the consequence is a liability shift, i.e. the merchant's PSP will be liable in case the transaction happens to be fraudulent.
The ball is now in the court of the European Parliament (EP) and the Council to approve or veto by 27 February 2018 the RTS adopted by the EC (the EP or the Council can extend this period of objection until 27 May 2018).
If on 27 February 2018 (or potentially on 27 May 2018 in case of an extension), neither the EP nor the Council has objected to the RTS, they will be published in the Official Journal of the EU, but will only become legally binding 18 months later (i.e. 27 August 2018 or 27 November 2018 at the latest).
Although PSD2 states that the provisions on SCA apply to so-called "one leg out" transactions, i.e. transactions with an EU-issued card at an airline working with a non-EU PSP (therefore likely to be a non-EU airline), the EC had previously indicated an EU issuer would have to systematically decline transactions at non-EU airlines when that airline did not request SCA, which may have seriously harmed the business of those non-EEA airlines that do not generally request SCA. However, the EBA indicated in its draft RTS dated 23 February 2017 that the EEA issuer will have to make "every reasonable effort" to determine whether the transaction is legitimate or fraudulent, and therefore authorise or decline the transaction accordingly, with no requirement to systematically decline transactions. Similarly, the EC has also indicated that an EEA issuer should "make its own assessment" whether or not to block the payment in case SCA is not applied by the non-EU PSP of the airline.
On 7 February 2018, the ECJ rendered its judgment in a case, American Express vs the UK Ministry of Finance. The case relates to whether or not the economics of co-brand deals that Amex enters into, in particular with airlines, are subject to the regulated economics, namely regulated "interchange fees", provided for in the EU Interchange Fee Regulation (IFR).
The ECJ concluded that the interchange fee caps provided for in the IFR do apply to Amex co-brand deals (e.g. co-brand deals with airlines), irrespective of whether the co-branding partner happens to be the issuer-of-record of the card or not (which in practice is never the case – in practice, the issuer of the card is American Express). This means that an Amex/BA card or an Amex/AirFranceKLM card, for example, should be considered as a "four-party scheme" card under the IFR (as opposed to a "three-party scheme" card), and is therefore subject to the interchange caps provided for in the IFR (namely 0.3% of the amount of the transaction for a consumer credit card).
The ECJ judgment is expected to have a serious impact on the financials of the co-brand deals that airlines have entered into, or are considering entering into, with schemes such as American Express.
Our team of Bird & Bird lawyers specialised in the payments sector is available to assist you should you have any questions in relation to PSD2, the IFR, or any other legislation impacting payment such as the EU General Data Protection Regulation (GDPR), the EU Network Information Services directive (NIS or cyber-security directive), the EU 4th AML directive (currently under revision), etc.
Video: Scott McInnes explains how PSD2 will affect financial services