
Published: 01.04.2016 | Topic: Anti-money laundering | Dr. J. Rieg, BaFin

Second Directive on Payment Services: New European provisions for payment service providers

The Second Directive on Payment Services entered into force in mid-January. It regulates the business activity of payment service providers in the EU and will replace the Directive on Payment Services of 2007.

Member states have to transpose its provisions into national law by 13 January 2018, although Article 109 contains transitional provisions for certain companies which will have longer to apply the new provisions. The transposition requirements for certain IT security measures will be defined at European level and applicable from July 2018 at the earliest.

The new Directive on Payment Services further develops the European internal market for electronic payments. To this end, the provisions of the old Directive have been adapted for the innovative payment systems using the Internet and mobile technology, some of which are still in development. New provisions governing information and liability are to increase consumer protection.

Scope

The Directive affects credit institutions, electronic money institutions and payment institutions as well as post office giro institutions (the latter no longer exist in Germany). It also covers the European Central Bank, national central banks, member states and their local authorities, when not acting in their capacity as public authorities.

It applies in principle to all payment services carried out in the European Union and lays down rights and obligations associated with the provision and use of these.

The provisions now also apply, though only to a limited extent, to those parts of a payment transaction carried out in the EU where both the payer's and the payee's payment service providers are located within the Union but the currency is not that of a member state, and to those parts carried out in the EU where only one of the payment service providers is located within the Union, regardless of the currency. For example, the provisions governing the maximum execution time for a payment transaction will in principle not apply in these cases.

Authorisation requirement

As the market for electronic payments has changed since 2007, the Second Directive on Payment Services revises the authorisation requirement. The framework of payment service categories has been adjusted and certain exclusions from the authorisation requirement specified.

Definition: Authorisation requirement
The authorisation requirement means that companies wishing to provide payment services commercially or on a scale which requires commercially organised business operations need written authorisation from BaFin. If a company conducts such operations without prior authorisation from BaFin, the authority steps in and ensures that the company does not continue to conduct unauthorised business. BaFin may publish notifications about the measures it takes to protect consumers on its website. The company's legal form is not relevant as far as the authorisation requirement and BaFin's right of intervention are concerned.

Two types of business activity have been newly recognised as payment services and will therefore be subject to approval/registration: payment initiation services and account information services. These are based on credit institutions' internet banking. The service providers transmit data records between customers and credit institutions – usually online – without themselves entering into possession of client funds. Payment initiation services allow customers to initiate a transfer using the service provider's website when they have made a purchase in a merchant's online shop. Account information services provide customers with online information from the service provider about their balance in accounts at various credit institutions.

By contrast, the digitised payment business will no longer be classed as a payment service. However, this element does not merely cease to exist. Rather, depending on the design of the services, these may in future come under one of the other payment services as defined in Annex I (see Definition). The payment authentication business has been expanded as a category of payment service.

The specification of the scope of exclusions affects, among other things, provisions for payment instruments with limited application and for certain payment transactions by providers of electronic communication networks or services which do not exceed certain thresholds. Service providers falling under these two exclusions do not require authorisation from BaFin but do have to notify it of their business.

Requirements of the authorisation procedure

The Directive also governs the authorisation procedure for payment and electronic money institutions. It is consistent across Europe and corresponds to the procedure to date, although there have been some additions.

As before, payment service providers have to submit an application for authorisation, presenting their business model, to the supervisory authority. A viable business plan needs to be appended to the application. Holders of significant holdings must be of good repute and directors must additionally possess the required knowledge and experience. Companies must have in place a proper business organisation, appropriate governance arrangements and internal control mechanisms.

The authorisation application must now include other documents as well. For instance, companies have to present their security policy and specify how they:

  • deal with security incidents and security-related customer complaints,
  • handle sensitive payment data,
  • ensure business continuity and
  • collect certain statistical data, for example regarding transactions.

Payment initiation and account information services

The new Directive also subjects payment initiation and account information services, which have already established themselves, to regulation. Credit institutions have to grant these service providers access to payment accounts managed using online banking. Conversely, these service providers have to observe certain regulations, depending on the design of their business model, on the access to payment accounts, account information and its use.

They need to ensure, for example, that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation/account information service provider through safe and efficient channels.

In addition, payment initiation and account information service providers must be able to show that they hold professional indemnity insurance.

Strong customer authentication

The new Directive on Payment Services also contains special security requirements for the execution of payments in order to better protect customers from fraud, abuse and other problems.

For instance, in future payment service providers will have to require strong customer authentication in certain circumstances, such as when an electronic payment transaction is initiated. This requires two or more elements from the categories knowledge (e.g. a password), possession (e.g. a debit card) and inherence, which is a permanent characteristic of the customer (e.g. a fingerprint). These elements must be independent, in that the breach of one does not compromise the reliability of the others. The confidentiality of the authentication data must be protected. The authentication process must also include elements which dynamically link the transaction to a specific amount and a specific payee.
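The "dynamic linking" requirement above is easiest to see in code. The following is an added illustration, not code from BaFin, the Directive or the EBA standards (which the article says are still being drafted): it assumes a possession element in the form of a device holding a symmetric key shared with the payment service provider, computes an HMAC over the amount, currency and payee together with a one-time server challenge, and has the verifier reject any code whose amount or payee no longer matches, as well as any replayed challenge. The key, amounts and IBANs are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder key for the demonstration only. In practice each
# possession element (card, app, token) is provisioned with its own key.
DEVICE_KEY = bytes.fromhex("11" * 32)


def canonical_message(amount_cents: int, currency: str, payee_iban: str, challenge: str) -> bytes:
    """Unambiguous encoding of the fields the authentication code is bound to.

    Each field is length-prefixed so that no two different (amount, currency,
    payee, challenge) tuples can produce the same byte string.
    """
    if amount_cents < 0 or len(currency) != 3 or not payee_iban or not challenge:
        raise ValueError("malformed transaction data")
    fields = [
        str(amount_cents),
        currency.upper(),
        payee_iban.replace(" ", "").upper(),  # normalise IBAN spacing/case
        challenge,
    ]
    encoded = b""
    for field in fields:
        raw = field.encode("utf-8")
        encoded += len(raw).to_bytes(2, "big") + raw
    return encoded


def generate_auth_code(device_key: bytes, amount_cents: int, currency: str,
                       payee_iban: str, challenge: str) -> str:
    """Code produced by the possession element after the user confirmed the
    displayed amount and payee. Changing either field changes the code."""
    msg = canonical_message(amount_cents, currency, payee_iban, challenge)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class DynamicLinkingVerifier:
    """Payment service provider side: issues one-time challenges and checks
    that the code presented was computed over exactly this amount and payee."""

    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key
        self.outstanding: set[str] = set()  # challenges issued but not yet consumed
        self.consumed: set[str] = set()     # challenges already used once

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, auth_code: str, amount_cents: int, currency: str,
               payee_iban: str, challenge: str) -> bool:
        # Reject unknown challenges and replays before doing any crypto.
        if challenge not in self.outstanding or challenge in self.consumed:
            return False
        expected = generate_auth_code(self.device_key, amount_cents, currency,
                                      payee_iban, challenge)
        ok = hmac.compare_digest(expected, auth_code)  # constant-time comparison
        if ok:
            # A successful code consumes its challenge: the same code cannot
            # authorise a second transaction.
            self.outstanding.discard(challenge)
            self.consumed.add(challenge)
        return ok


def demo() -> dict:
    """Run the full exchange once and report which checks passed/failed."""
    verifier = DynamicLinkingVerifier(DEVICE_KEY)
    payee = "DE89 3704 0044 0532 0130 00"  # constructed sample IBAN
    challenge = verifier.issue_challenge()
    code = generate_auth_code(DEVICE_KEY, 4999, "EUR", payee, challenge)
    return {
        "amount_tampered": verifier.verify(code, 499900, "EUR", payee, challenge),
        "payee_tampered": verifier.verify(code, 4999, "EUR", "DE02 1203 0000 0000 2020 51", challenge),
        "genuine": verifier.verify(code, 4999, "EUR", payee, challenge),
        "replay": verifier.verify(code, 4999, "EUR", payee, challenge),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

The design point is that the amount and payee the customer saw on the authenticating device are the only ones the code will validate for; a modified transaction presented with the same code fails, and the one-time challenge prevents a captured code from authorising anything later.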

Allocation of liability

Just as it does for authorised payment transactions, the new Directive contains detailed provisions on the notification and evidence of unauthorised payment transactions as well as liability for them. Unauthorised payment transactions are, for instance, those made with the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.

In such cases, the payer may only be obliged to bear the losses up to a maximum of EUR 50, unless he or she has acted fraudulently or failed with intent or gross negligence to fulfil his or her obligations. The rest of the transaction must be refunded by the payment service provider.

If the payment initiation service provider is liable for the unauthorised payment transaction, it compensates the account servicing payment service provider for the losses incurred or sums paid as a result of the refund to the payer.

Information for consumers

Furthermore, the Directive will lead to greater transparency of contractual conditions, since it lays down new information requirements for payment services. For example, certain cash withdrawal services must inform customers of any withdrawal charges before carrying out the withdrawal as well as on receipt of the cash.

By January 2018, the European Commission will have produced a user-friendly electronic leaflet, listing in a clear and easily comprehensible manner the rights of consumers regarding payment services.

The European Banking Authority (EBA) will set up a central electronic register of payment institutions and their agents, which will combine the registers of the national supervisory authorities. The register is to be transparent for customers.

In addition, the EBA is working on various guidelines and implementing and regulatory technical standards to further specify the provisions of the new Directive. The planned regulatory technical standards on authentication and communication will be particularly important in terms of customer protection.

Review

The European Commission is to submit a report on the application and impact of the new Directive by 13 January 2021. This must review, among other things, the appropriateness and the impact of the thresholds under which certain payment transactions by providers of electronic communication networks or services do not fall under the Directive. The Commission may submit a legislative proposal together with its report.

Definition: Payment services

Payment services are services for the processing of payments. While banks are traditional payment service providers, new, innovative companies generally known as FinTechs are also increasingly getting involved in the market. According to the new Directive on Payment Services, payment services are:

  • services enabling cash to be placed on or withdrawn from a payment account (e.g. a current account) as well as all the operations required for operating a payment account,
  • the execution of payment transactions such as direct debits, credit transfers and the use of payment cards, including when these are covered by a credit line,
  • the issuing of payment instruments and the acquiring of payment transactions,
  • the money-remittance business,
  • payment initiation services and
  • account information services.
