As outlined in last month’s blog, on 10 May the European Commission (EC) published a public consultation and two targeted consultations that cover the PSD2 review and a future Open Finance Legal Framework for Europe. The two targeted consultations closed on 5 July, the non-targeted consultation is set to close on 2 August.
On 23 June, the EBA (European Banking Association) published its “Opinion on its technical advice on the review of the PSD2.” In this document, the EBA recommends that the EC revises PSD2 to address issues and areas for improvement.
More precisely, as far as the scope and definitions of the PSD2 are concerned, the EBA made the following recommendations to the EC:
- Clarify how to identify the place of provision of payment services when they are provided online;
- Update and clarify the list of payment services set out in Annex I to PSD2, including by splitting issuing and acquiring into two separate services, due to their different nature;
- Introduce specific requirements for payment card schemes, payment gateways and merchants in relation to the implementation of key security requirements such as strong customer authentication (SCA) without requiring them to be authorised under the Directive;
- Clarify the application of the exclusions from the scope for commercial agents, limited networks and independent automated teller machine (ATM) providers;
- Apply identical legal requirements for payment institutions (PIs) and e-money institutions (EMIs), in particular in relation to authorisation, requirements with regard to safeguarding, initial capital and own funds;
- Clarify the nature and status of distributors of electronic money and apply a coherent framework to agents and distributors.
As for the licensing of PIs and the supervision of payment service providers (PSPs) under PSD2, the EBA recommends that the EC to:
- Align the initial capital requirements for all PIs with the exception of payment initiation service providers (PISPs) and account information service providers (AISPs);
- Introduce additional own funds requirements for granting of credit related to the provision of payment services;
- Provide clarity on the criteria delineating between the right of establishment and freedom to provide services overall and the use of agents and distributors.
As far as the rights and obligations under PSD2 are concerned, the EBA recommends that the EC, among others:
- Does not introduce maximum limits for the amounts to be blocked on the payer’s payment account when the exact transaction amount is not known in advance, instead, the EC shall introduce a range of requirements for such blocking of funds, including for the PSP to have a justified reason, the provision of consent from the payment service user (PSU) for blocking funds, and setting out the time for the blocking;
- Clarifies the regulatory treatment of transactions where the final amount is different from the amount the payer was made aware of and agreed to when initiating the transaction, in particular that SCA should be applied in case the final amount is higher;
- Clarifies the distribution of liability between third-party providers (TPPs) and account servicing payment service providers (ASPSPs) and between the issuing and acquiring PSPs when a SCA exemption has been applied;
As for instant payments-related provisions, the EBA recommends that a number of PSD2 provisions are amended, including the ones about information to the PSU on the irrevocability of an instant payment order, the correct execution of a payment order, the requirements on value-date and the framework contracts.
Regarding the SCA provisions of PSD2,the EBA recommends that the EC, among others:
- Clarifies aspects on the application of SCA related to reliance on third-party technology, delegation of SCA to TPPs and delegation to technical service providers, including digital wallet providers;
- Clarifies different aspects in relation to the use of the SCA elements “knowledge,” “inherence” and “possession”;
- Clarifies the nature of the exemptions from SCA and whether these should be optional or mandatory;
- Introduces requirements in relation to the transactions excluded from the scope of application of SCA;
- Introduces clear definitions of merchant-initiated transactions, clarify the regulatory approach to these transactions, introduce requirements with regard to the setup of the mandate;
- Introduces a clear definition of transactions based on mail order and telephone order, clarify the treatment of these transactions, introduce minimum level of security requirements for these transactions.
Finally, as far as theaccess to and use of payment accounts data in relation to payment initiation services (PIs) and account information services (AIs) is concerned, the EBA recommends that the EC, among others:
- Explores the possibility of having a common application programming interface (API) standard across the EU, to be developed by the industry;
- Requires all ASPSPs to provide a dedicated interface for the TPPs’ access and remove the requirement for ASPSPs that offer a dedicated interface/API to also provide a fall-back mechanism;
- Amends the approach taken in the PSD2 and require AISPs to apply their own SCA, instead of ASPSPs, after an initial SCA has been performed with the ASPSP the first time the PSU accesses the payment account through the respective AISP. To support this change, the EBA proposes that the allocation of liability between TPPs and ASPSPs towards the customer be amended accordingly. In order for PSUs to remain in control of their data, they should be allowed to withdraw the consent given to the AISP via the ASPSP;
- Requires ASPSPs to share with AISPs and PISPs the name of the PSU/account holder and of the person initiating the payment;
- Considers the merits of requiring ASPSPs to share with PISPs information on the execution of a payment as soon as this becomes available to the ASPSP;
- Clarifies the scope of information to be shared with TPPs, such as information on standing orders, future-dated payments, overdrafts in relation to AIS, and others;
- Clarifies the type of information to be shared from TPPs to ASPSPs.