Payment Services Directive
The Revised Payment Services Directive 2015/2366, which replaced the Payment Services Directive is an EU Directive, administered by the European Commission to regulate payment services and payment service providers throughout the European Union and European Economic Area. The PSD directive's purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users.
The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments safer and more secure and protecting consumers.
Overview
The SEPA is a self-regulatory initiative by the European banking sector represented in the European Payments Council, which defines the harmonization of payment products, infrastructures and technical standards. The PSD provides the legal framework within which all payment service providers must operate.The PSD's purpose in regard to the payments industry was to increase pan-European competition with participation also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users.
The PSD's purpose in regard to consumers was to increase customer rights, guarantee faster payments, describe refund rights, and give clearer information on payments. Although the PSD was a maximum harmonisation directive, certain elements allowed for different options by individual countries.
The final adopted text of PSD went into force 25 December 2007 and was transposed into national legislation by all EU and EEA member states by 1 November 2009.
Technical overview
The PSD contained two main sections:- The 'market rules' described which type of organizations could provide payment services. Next to credit institutions and certain authorities, the PSD mentioned electronic money institutions, created by the E-Money Directive in 2000, and created the new category of 'payment institutions' with its own prudential regime rules. Organizations that are neither credit institutions or EMIs could apply for an authorization as a payment institution if they met certain capital and risk management requirements. The application could be made in any EU country where they are established and they could then "passport" their payment services into all other EU member states without additional PI requirements.
- The 'business conduct rules' specified what transparency of information payment service institutions needed to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulated the rights and obligations for both payment service providers and users, how to authorize and execute transactions, liability in case of unauthorized use of payment instruments, refunds on payments, revoking payment orders, and value dating of payments.
Updates
The PSD was updated in 2009 and 2012. An implementation report from 2013 found the PSD facilitated "provision of uniform payment services across the EU" and reduced legal and production costs for many payment service providers and that "the expected benefits have not yet been fully realised". The same report found the 2009 update "to be functioning well. For example, charges for €100 transfers followed a further downward trend to €0.50 euro-area average for transfers initiated online and remained low, at €3.10 for transfers initiated at the bank counter".Remaining issues
- The PSD only applied to payments within the European Economic Area, but not to transactions to or from third countries.
- PSD exemptions related to payment activities left users unprotected.
- The PSD option for merchants to charge a fee or give a rebate, combined with the option for countries to limit this, led to "extreme heterogeneity in the market".
- So-called "third party payment service providers" emerged, which facilitated online shopping by offering low cost payment solutions on the Internet by using the customers' home online banking application with their agreement, and informing merchants that the money is on its way. Other 'account information services' offer consolidated information on different accounts of a payments service user. Harmonisation of refund rules regarding direct debits, a reduction of the scope of the "simplified regime" for so-called "small payment institutions" and addressing security, access to information on payment accounts or data privacy with possible licensing and supervision were proposed.
Revised Directive on Payment Services (PSD2)
Then-Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said, "This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow."
On 16 November 2015, the Council of the European Union passed PSD2. Member states then had two years to incorporate the directive into their national laws and regulations. On 27 November 2017, Commission delegated Regulation 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
The EU and many banks pushed this development with the new Payments Service Directive 2, which came into force on 13 January 2018. Banks then adapted to these changes which opened many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.
An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.
Another important element of the directive is the demand for common and secure communication. eIDAS-defined qualified certificates for are demanded for website authentication and electronic seals used for communication between financial services players. The technical specification ETSI TS 119 495 defines a standard for implementing these requirements.
PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication until 31 December 2020.
Key dates
- March 2000: Lisbon Agenda to make Europe "the world's most competitive and dynamic knowledge-driven economy" by 2010
- December 2001: regulation EC 2560/2001 on cross-border payments in Euro
- 2002: European Payments Council created by the banking industry, driving the Single Euro Payments Area initiative to harmonize the main non-cash payment instruments across the Euro area
- 2001–2004: consultation period and preparation of PSD
- December 2005: proposal for PSD by DG Internal Market Commissioner McCreevy
- 25 December 2007: PSD entered into force
- 1 November 2009: deadline for transposition in national legislation
- 2009 update: eliminated differences in charges for cross-border and national payments in euro
- 2012 update: Regulation on cross-border payments, 'multilateral interchange fees'
- July 2013: report on implementation of PSD and its two updates
- 16 November 2015: The Council of the European Union passes PSD2, giving member states two years to incorporate the directive into their national laws and regulations.
- 13 January 2018: Directive 2007/64/EC is repealed and replaced by Directive 2015/2366
- 14 March 2019: All Financial Institutions offering an API solution must have it available for external testing by PISPs and AISPs.
- 14 September 2019: The final deadline for all companies within the EU to comply with PSD2's Regulatory Technical Standard pertaining to directive 2015/2366
- 31 December 2020: Extended deadline for all companies within the EU to implement PSD2's Strong Customer Authentication
Privacy concerns