On 23 June 2022, the European Banking Authority (EBA) published an opinion (the Opinion) on the review of the second Payment Services Directive (PSD2). The Opinion is the EBA’s response to the European Commission’s (EC) call for advice published 20 October 2021.
In the Opinion, the EBA sets out its findings on the implementation of PSD2 and its suggestions as to how to address the issues it has identified in a revised Directive (PSD3).
We have set out below a summary of some of key proposals in the Opinion.
1. SCOPE AND KEY DEFINITIONS
2. PRUDENTIAL REQUIREMENTS
3. ACCOUNT ACCESS REQUIREMENTS AND OPEN FINANCE
4. STRONG CUSTOMER AUTHENTICATION
5. AGENTS AND DISTRIBUTORS
6. OTHER CONDUCT OF BUSINESS REQUIREMENTS
Who should read the Opinion?
The Opinion is relevant to payment service providers (PSPs) (e.g., banks, payment institutions (PIs), and electronic money institutions (EMIs)) and other firms operating in the EU payments sector (e.g., card schemes and providers of technological services to PSPs) as well as merchants, particularly providers of unregulated cards and/or e-commerce services.
1. SCOPE AND KEY DEFINITIONS
Merging PSD2 and EMD2
The EBA is strongly supportive of merging PSD2 and the second Electronic Money Directive (EMD2), with the aim of avoiding regulatory arbitrage and ensuring technological and business model neutrality. It believes this will bring greater clarity and reduce the overall complexity of the payment services and electronic money regulatory regime. Depending on how the two regimes are merged, this could result in changes to the way EMIs are regulated and the rules that apply in relation to issuing electronic money.
The Opinion recognises that there is uncertainty regarding the territorial scope of PSD2 (including regulatory authorisation requirements), especially where payment services are provided online. The EBA stresses the need for clarity on how to identify the place of provision of services that are provided online but acknowledges that this is something that needs to be addressed at a broader level for the entire financial sector and beyond.
However, the EBA also states in the Opinion that in its view, an acquirer from a non-EU country cannot provide acquiring services to EU merchants “since the service is provided within the EU and the respective PSP that provides it should be authorised within the EU.” It would appear, therefore, that the EBA considers that the place of provision of an acquiring service is determined by the location of the merchant. This could have significant implications for some merchant acquiring business models. If a similar approach were adopted by the EC in relation to all regulated payment services, this could amount to a major extension of the extraterritorial application of PSD2.
Significant and systemic PIs and EMIs
At various points in the Opinion, the EBA proposes introducing certain additional prudential requirements (see below) to “significant” PIs and EMIs. It also refers to “systemic” PIs and EMIs. As the EBA acknowledges, these are not concepts that exist under PSD2/EMD2, and they would need to be defined. However, it suggests that a PI or EMI might be considered to be “significant” if it is “likely to have an impact on the payments’ market and the economy overall, or to have a spill-over effect on other financial institutions, including across borders.” It does not elaborate on the meaning of “systemic.”
There continues to be legal uncertainty regarding the scope of the term “payment account” under PSD2. This is significant because account servicing PSPs (ASPSPs) are only required to grant payment initiation service providers (PISPs) and account information service providers (AISPs) (together, TPPs) access to the accounts they provide if those accounts are payment accounts. It also determines whether accessing an account online triggers a requirement to apply strong customer authentication (SCA).
Many PSPs have relied on the decision of the Court of Justice of the European Union in Case C-191/17, and the EBA’s response to question 2018 4272 (which references this case) in its Q&A on PSD2 (EBA Q&A), which indicate that only an account that can both send and receive funds is a payment account. However, as the EBA notes in the Opinion, Case C-191/17 drew an analogy from the definition of a “payment account” under the Payments Account Directive (PAD), which is narrower than the definition under PSD2.
The EBA proposes the inclusion of a clearer and more detailed definition of “payment account” in PSD3 that, in its view, should not be narrowed to the scope covered by the PAD. The risk for ASPSPs is that the EC could confirm a broader interpretation than the one indicated in the EBA Q&A response, which would result in a broader range of accounts being treated as payment accounts. This, in turn, could result in a broadening of the application of requirements regarding and payment accounts access for TPPs and SCA requirements.
Definition of payment instrument
In the EBA’s view, the definition of a “payment instrument” requires clarification. In particular, the EBA notes that there is uncertainty as to whether a mobile phone or computer can be considered to be a payment instrument.
The EBA expresses the view that issuing tokenised card details that allow users to initiate a payment order would constitute the issuance of a payment instrument. This may have implications for merchants providing card-on-file services as well as for PSPs supporting e-commerce businesses.
Conversely, the EBA states that in its view, services related to operation of a digital wallet, which are of a technical nature, do not constitute a payment service. The EBA proposes that the nature and regulatory treatment of digital wallets be clarified in PSD3.
Initiation of payment transactions
The EBA also believes that the process for the initiation of payment transactions and the steps involved require clarification. Determining when this process has been completed has important implications — for example, for mandatory execution timeframes, determining when a payment order becomes irrevocable, and at what point SCA should be applied.
Buy-now-pay-later (BNPL) business models
According to the EBA, the existing scope and requirements of PSD2 are sufficient for the regulation of payment services provided by BNPL providers, so additional regulation under PSD3 is not required. However, the EBA does suggest clarifying in PSD3 whether BNPL services can be treated as ancillary credit provided in relation to a PSP’s payment services and how the interplay between BNPL services and the provision of payment services should be treated. This could have implications for PSPs that provide BNPL services.
Limited Network Exclusion (LNE)
Interpretations as to the extent of the LNE vary across member states. The EBA has issued guidelines addressing this and proposes that the EC consider incorporating these into PSD3.
The EBA also believes that further clarifications on the extent of the LNE are required — for example, on the geographical limit of the provision of the excluded services and the interpretation of the terms “professional issuer” and “premises,” which form part of the definition of the LNE.
Commercial Agent Exclusion (CAE)
The EBA has identified various issues with the CAE that it proposes be addressed in PSD3. In particular, the EBA identifies the following concerns:
(i) a lack of clarity over the intended meaning of “agent” (which it notes differs among member states) and whether this is to be understood to have the same meaning as under the Commercial Agents Directive (Directive 86/653/EEC)
(ii) a lack of clarity on interpretation of what it means to “negotiate or conclude” the sale or purchase of goods or services (especially when contracts are concluded electronically) as well as the intended meaning of having a “real margin” to do so as per Recital 11 of PSD2
(iii) difficulties in distinguishing between a payment initiation service and the acquiring of payment transactions and services provided by commercial agents, particularly in the context of e-commerce platforms
The EBA proposes that the extent of the CAE, the specific use-cases intended to be within its scope, and the references to “negotiate or conclude” should all be clarified. Were this to result in a narrowing of the exclusion, this could have significant implications for e-commerce platforms as well as for a range of other intermediaries that facilitate sales of goods or services and hold or control funds as part of that role.
The Opinion notes that the EBA is concerned about the circumvention of PSD2 by resellers that do not bear the responsibility for the goods and/or services being provided but are nevertheless in control of the financial flows. It notes that such arrangements are common in the fuel card industry.
The EBA proposes specifically addressing such business models in PSD3 and delineating models that should be subject to regulation from those that should fall outside the scope of regulation. If the EC addresses this point, this is likely to increase scrutiny of issuers of payment instruments that attempt to avoid regulatory authorisation requirements by seeking to rely on arguments that they are reselling the relevant goods or services (rather than executing a payment transaction between the buyer and the seller).
2. PRUDENTIAL REQUIREMENTS
Initial capital and own funds requirements
The EBA has proposed that the requirements for initial capital and own funds for PIs and EMIs be harmonised. The EBA also proposes that the EC assess the appropriate level of initial capital and whether there is a need to adjust the calculation of the own funds requirements by introducing an additional buffer in respect of payment services where funds are held for longer periods of time.
Making Method B the default position for calculating own funds
The EBA also suggests that Method B (which is calculated by reference to transaction volumes) be made the default method for the calculation of own funds in relation to payment services, with an EMI or PI being permitted to use other methods subject to approval from its regulator. For firms that currently use Method A or C, this could result in a requirement to change the method used unless the firm is able to convince its regulator that that would not be appropriate.
Capital requirements for credit relating to payment services
The EBA considers it necessary to include in PSD3 a uniform calculation method to determine own funds requirements for credit risk based on the standard method under Capital Requirements Regulation ((EU) 575/2013). This may mean that certain PIs and EMIs are required to hold more regulatory capital than is currently required by PSD2/EMD2.
The EBA notes that there is some uncertainty as to whether safeguarding accounts can be opened with non-EU banks. The EBA proposes that PSD3 clarify that safeguarding accounts may be held only with EU banks and EU branches of third-country banks.
Application of deposit guarantee schemes to safeguarded funds
The EBA proposes that the EC clarify that funds held by EMIs and PIs in safeguarding accounts are protected by the relevant deposit guarantee scheme (DGS) in the event of the bank’s failure.
The Opinion does not however address the question of whether the DGS compensation limit of €100,000 would apply only to a claim from the PSP or in respect of each client whose funds are held in the safeguarding account.
The EBA discusses the benefit of establishing own funds requirements at a consolidated level, including for groups containing multiple regulated entities as well as nonregulated entities (e.g., IT companies) that cooperate in the provision of payment services. The EBA proposes that the EC weigh the advantages and disadvantages of introducing consolidated supervision and suggests that one balanced option could be to limit its scope to significant or systemic (this term is not defined) PIs/EMIs only.
If consolidated supervision were introduced, some corporate groups with multiple licensed entities could be required to hold more regulatory capital or may be otherwise constrained in the allocation of capital across their group structures.
The EBA suggests the introduction for nonbank PSPs of liquidity risk monitoring and management, including the maintenance of liquidity buffers. This would represent an extension to PIs and EMIs of requirements that have to date been more typical for banks.
The EBA notes that some PSPs may have insufficient levels of liquidity on the basis that some of their own funds requirement can be covered by intangible assets that are not liquid. It also notes that some PSPs may have insufficient levels of liquidity due to low revenues. In addition, the EBA claims PSPs issuing payment instruments or providing acquiring services may experience liquidity shortages as a result of exposures to merchants with high levels of chargebacks. We would note however that card scheme settlement guarantees and chargeback procedures already address such risks, so it is not clear (at least in the context of card acquiring) why such liquidity shortages would arise in practice.
Recovery and wind-down frameworks for PSPs
The EBA proposes a simplified recovery and wind-down framework for “significant” PIs and EMIs (see above). The EBA suggests that the EC may wish to take into account the approach on recovery and wind-down frameworks taken in other EU laws such as those that impose similar requirements on banks.
3. ACCOUNT ACCESS REQUIREMENTS AND OPEN FINANCE
Third-party provider access to payment accounts
Establishment of a common API
The EBA proposes a common API standard for TPPs to access payment accounts held with ASPSPs, which, in the view of the EBA “the industry would be best placed to develop.” The EBA also notes that a common API standard could have the additional benefit of creating a foundation for the future development of open finance beyond the requirements in PSD2.
Mandatory dedicated interface
The EBA favours the removal of the option for PSPs to provide repurposed customer interfaces for use by TPPs. This would mean that all in-scope ASPSPs would need to have a dedicated interface for TPPs. The need to provide a repurposed customer interface as a fallback mechanism for TPP access would also be removed.
The EBA considers that an exemption could be made for “specialised niche activities that do not service retail customers.” This could potentially be very helpful for B2B PSPs, especially if the EC does not confirm the narrow interpretation of the term “payment account” based on recent EU case law and the EBA Q&A (see above).
Meaning of online access
The EBA requests that the EC clarify the meaning of “online access” to payment accounts — in particular whether this covers secure corporate protocols and machine-to-machine communications. This could have significant implications for B2B payment services that involve payment accounts.
Contractual arrangements of PISPs
The EBA has clarified that in its view, PISPs must have a contractual agreement with the payer even where they also contract with the payee. PISPs that have established business models under which they contract only with merchants will need to put in place a process for onboarding the merchant’s customers on this basis.
Distribution of liability between TPPs and ASPSPs
The EBA proposes that PSD3 further clarify the distribution of liability between TPPs and ASPSPs and on the PSP that payment service users (PSUs) should approach with any complaints.
The EBA is supportive of the proposal to extend account access provisions to cover “non-payment accounts and banking products and subsequently extend to other financial products” but states that it favours a phased approach to this.
The EBA proposes that the EC consider bringing AISPs within scope of any (broader) new legal framework for open finance and remove them from the scope of PSD3. This would probably mean a broadening, rather than a narrowing, of regulatory requirements for AISPs — given that the open finance regime would be broader than the current TPP access rules under PSD2.
4. STRONG CUSTOMER AUTHENTICATION
Meaning of “electronic payment transaction”
One of the triggers for applying SCA is a payer initiating an “electronic payment transaction.” However, this term is not defined in PSD2. The EBA proposes instead requiring SCA for the initiation of all payment transactions and specifying which types of payment transactions are exempt. Depending on the scope of such exemptions, this could potentially result in a broader application of SCA requirements.
Application of SCA by AISPs
The EBA proposes allowing AISPs to apply their own SCA using security credentials issued to the PSU by the AISP instead of those issued by the ASPSP (although for the initial connection to their payment account, PSUs would still need to authenticate themselves to their ASPSP). This could have implications for the allocation of liability between ASPSPs and AISPs (see below).
Outsourcing of SCA
The EBA proposes that PSD3 clarify when the use of third-party technology in relation to SCA would be considered outsourcing (and therefore trigger the application of the EBA Outsourcing Guidelines) and whether conditions nevertheless need to be applied in the event that the EC concludes that this does not constitute an outsourcing.
In the EBA’s view, a PSP’s delegation of SCA to a technical service provider (including another group entity) does constitute outsourcing, and this should be clarified in PSD3.
Payee-initiated transactions including merchant-initiated transactions (MITs)
The EBA proposes that the definition of MITs be clarified as well as the distinction between MITs and direct debits and the applicable regulatory requirements for each.
Additionally, the EBA proposes new requirements for the establishment of electronic mandates for payee-initiated transactions. The EBA also proposes the introduction of limits on the maximum number of payment transactions to be executed and/or the duration of the mandate before it needs to be renewed by the PSU. This could have a significant effect on subscription-based business models.
The EBA has reiterated its view that behavioural biometrics cannot constitute inherence and refers only to physical characteristics. It does not consider that further clarifications in PSD3 are required on this point.
Application of SCA to refunds
There is ongoing debate as to whether SCA should be applied to refunds. The view of the EBA (as stated in the EBA Q&A) is that refunds initiated by merchants are separate payment transactions in respect of which the merchant is the payer and SCA must therefore be applied. The EBA proposes that the EC clarify the position in the PSD3 and either reflect the EBA Q&A or introduce an exemption from SCA for refunds.
Potential security measures other than SCA
PSPs are required to monitor transactions to detect unauthorised or fraudulent payment transactions for the purposes of compliance with SCA requirements. The EBA proposes that a general transaction monitoring obligation be introduced in PSD3. It is not clear how this would interact with the separate obligation of PSPs to conduct transaction monitoring as part of their anti-money-laundering obligations.
5. AGENTS AND DISTRIBUTORS
Harmonised rules for agents and distributors
The EBA argues that EMD2 does not define the nature of e-money distributors in sufficient detail. In its view, there is a lack of recognition of business models where e-money distributors provide additional services akin to those provided by PSD agents (who are subject to more stringent requirements) such as being involved in the movement of electronic money.
The EBA therefore proposes the application of a single framework to PSD agents and distributors of electronic money. In practice, this may mean an extension of the regulatory requirements applicable to e-money issuers in relation to their supervision of distributors.
The Opinion identifies specific concerns in relation to business models where a white label provider carries out payment services on behalf of the PSP and obtains control over the business and relationship with the PSU. In particular, the EBA notes that this may give rise to information and communications technology and operational risks as well as money laundering and reputational risks. The EBA also observes that the PSU may not always know which entity is the authorised provider of the payment service.
The EBA considers that business models where the white label provider acts on behalf of the PSP should fall within the scope of the framework for agents under PSD2. This would mean certain firms that rely on third parties to provide white-labelled services would need to register those third parties as agents and would bear regulatory liability for their actions in relation to the relevant services.
6. OTHER CONDUCT OF BUSINESS REQUIREMENTS
In anticipation of the further development of instant payments in the EU, the EBA proposes that PSD3 be adapted to take account of the specific features of instant payments, for example, execution times, finality of payments, and the specific risks arising from instant payments.
The EBA proposes that PSPs be required to inform the PSU of the irrevocability of instant payments, immediately notify the PSU of the execution (or non-execution) of an instant payment, and obtain the express consent of the PSU for the use of instant payment instruments.
Direct obligations on payment schemes, merchants, and intermediaries
The Opinion suggests introducing certain specific requirements for technical service providers and other intermediaries in PSD3 such as requiring payment schemes, payment gateways, and merchants to ensure that key security requirements are properly implemented. The EBA has also suggested that under PSD3, merchants could be made liable for unauthorised and/or fraudulent transactions instead of their PSP where they have not implemented IT solutions supporting the application of such security requirements.
However, the EBA notes that there are potential challenges to imposing such requirements on merchants, such as the question of which competent authority would be responsible for enforcing compliance where the PSP and the merchant are located in different member states. We would also query whether some smaller merchants would have the resources to comply with such a requirement in practice.
The Opinion supports the introduction of specific criteria to determine when a bank may refuse to provide a PI or an EMI with a bank account (or terminate an existing account). The EBA has also called for more detailed requirements on banks in relation to notification to competent authorities, including notification to the home state competent authority of the PI/EMI refused access to a bank account.
The EBA observes that the reliance on the use of mobile phones for the application of SCA has led to exclusion of certain groups of society from using remote electronic payment transactions and online access to payment accounts, such as those who do not have access to or are less comfortable using mobile devices, and people with certain disabilities.
The EBA has suggested introducing a general duty for PSPs to take into account the needs of all their customers when designing their authentication solutions. As an alternative, the EBA suggests introducing specific measures, such as awareness and educational campaigns about the authentication measures used by PSPs and requiring PSPs to inform their customers about the different SCA solutions offered by the PSP.
The EBA has suggested that the EC consider mechanisms to strengthen enforcement under PSD3. The EBA does not provide much in the way of detail. However, if further enforcement mechanisms or powers are introduced, as a practical matter this may increase the risks to PSPs of failure to implement changes arising from the other proposed reforms. In particular, competent authorities may be emboldened (or pressured) into taking a more assertive approach to enforcement once PSD3 takes effect.
WHAT SHOULD FIRMS SHOULD DO NEXT?
Firms should consider the potential effect of these proposals on their businesses and engage with the EC and other EU legislative institutions directly or through trade associations as appropriate.
Firms should also look out for further statements from the EBA and the EC and a detailed proposal for PSD3, which the EC may publish during Q4 2022 or early in 2023.