The Payment Services Directive 2 (PSD2) is a European directive for the regulation of payment services and payment service providers within the European Union. PSD2 has been in effect since 19th February 2019.
PSD2 is the successor to PSD1, which aimed to increase competition within the European Economic Area (EEA) – including non-banking institutions. PSD2 continues this trend by allowing new payment service providers access to bank account data and regulating this service provision.
PSD2 is a European directive. Unlike regulations, European directives must be implemented into national legislation. In the Netherlands, PSD2 has been implemented in the Financial Supervision Act (Wft).
PSD2 enables third parties to access the payment accounts of consumers and businesses. Third parties may include entities facilitating payments between consumers and online retailers or those providing an overview of your payment accounts.
With the introduction of PSD2, two new payment services have emerged:
Non-banking institutions seeking access to payment accounts in the Netherlands must obtain the appropriate license. Service providers wishing to access financial data of bank customers (Service 8; ‘account information service’) or initiate payments from bank customers’ accounts (Service 7; ‘payment initiation service’) must register with a relevant supervisory authority within the European Union; in the Netherlands, this authority is the Dutch Central Bank (DNB).
PSD2 mandates banks, among other things, to share payment data (free of charge) with third parties holding the appropriate license. Consumer consent is required for this sharing, with the consumer always retaining the option to withhold consent. This consent consists of two elements:
Under PSD2, third parties are only permitted to view, process, and retain the personal data that is necessary for providing the payment service. Explicit consent from the consumer is required for this. Additionally, the third party is obligated to comply with the requirements of the GDPR.
Processing of personal data is only allowed if there is a legal basis mentioned in the GDPR. One of these bases is consumer consent. However, the concept of consent under the GDPR differs from the concept of consent under PSD2.
In a payment initiation service, the consumer grants permission to the payment initiation service provider to withdraw the money from their payment account once. The payment initiation service provider then transfers the money from the consumer’s payment account to the account of, for example, the online store. This is an interesting service, especially in combination with instant payments (since 2019), which allows an online store to have the money in its account within five seconds.
In an account information service, a third party is granted access to the transaction data of the payment account, but only when the consumer has explicitly given consent. For instance, a mortgage lender could use this to analyze the payment behavior and establish a risk profile of the consumer, which could then potentially lead to a discount on the mortgage interest rate. The account information service also provides the opportunity, for example, within an app, to see various accounts from different banks in one overview.
The European Commission has set itself the goal of fostering innovation. Additionally, the European Commission aims to promote competition among payment service providers. Since the implementation of PSD1 in 2009, the payment market has grown in size and has further evolved due to new payment methods. With PSD2, the European Commission aims to stimulate this trend by also allowing new payment service providers access to bank account data and regulating this service provision.
PSD2 has a broader geographical scope than PSD1. The so-called ‘one-leg’ transactions also fall within the ambit of PSD2. ‘One-leg’ transactions are payments where only one of the involved payment service providers is located within the EEA (either the payer’s or the payee’s payment service provider). With ‘one-leg’ transactions, PSD2 applies solely to the portion executed within the EU.
While ‘one-leg’ transactions fall within the scope of PSD2, there are some differences compared to payment transactions entirely within the EU. The main distinction is that the prescribed D+1 execution time, applicable to regular transactions, doesn’t apply to ‘one-leg’ transactions: For ‘one-leg’ transactions received within the EU, they must be credited on the same day, and the currency date rules apply for both debiting (outgoing one-leg) and crediting (incoming one-leg), provided the transaction occurs in euro or another EEA currency. Hence, transactions in currencies other than the euro also fall within the scope of PSD2.
Compared to PSD1, PSD2 also limits exemptions for limited networks, ATMs, telecom providers, and commercial agents.
Since PSD2, the passing on of costs for card payments has been restricted. However, costs may still be charged to discourage the use of inefficient payment instruments (such as acceptgiro), unless prohibited by local legislation. Additionally, a payment service provider may charge fees for the early termination of a contract by a payment service user. In principle, the payment service user can terminate the agreement free of charge, except when the agreement has been in effect for less than six months.
If third parties are used to place a payment order, the liability for any incorrect transaction lies with these payment service providers. In PSD2, the role of the third-party payment service provider (‘PISP’) is formalized. If this third-party payment service provider is responsible for the incorrect execution of the payment transaction, then the PISP must immediately and fully compensate the account servicing payment service provider (‘AS PSP’), unless the PISP can demonstrate that the AS PSP received the correct payment order. Thus, the consumer remains protected from user risk if they have not acted fraudulently or negligently.
The PSD2 grants 11 mandates to the European Banking Authority (EBA). EBA has developed 6 Regulatory Technical Standards (RTS) and 5 Guidelines. An important difference between an RTS and a Guideline is that an RTS is established by the European Commission (EC) after scrutiny by the European Parliament (EP). It is then published as a directive or regulation. A Guideline is established by a European supervisor. Most mandates are intended for national supervisors (such as DNB in the Netherlands), but one RTS affects all market participants; the RTS on strong customer authentication (SCA) and secure communication.
A payment service provider must ensure an integral and controlled business operation. The requirements for a licensing application primarily focus on minimizing security risks and procedures related to incident management.
Some of the key obligations for payment service providers are as follows:
Regarding controlled business operations:
Regarding integral business operations:
Providers of payment initiation and/or account information services must have liability insurance (or other comparable security) to cover the risk in case they are held liable for damages suffered in case of incorrect, unauthorized, non-execution, or delayed processing of a payment instruction.
In the Netherlands, the Dutch Central Bank (De Nederlandsche Bank or DNB) supervises compliance with PSD2. Companies offering payment initiation or account information services must have a license from the regulator. The bank of the account holder checks in advance whether the license is present.
Attached, an overview of the regulatory framework of PSD2 is presented.
Projective Group brings extensive experience within the financial sector, including at payment institutions, we are here to assist you with compliance with PSD2, AML (Anti-Money Laundering) regulations, and other relevant legislation. Interested in learning more about our services? Feel free to contact us for further information.