Second Payment Services Directive

Article from the Annual Report 2016 of the BaFin

The Second Payment Services Directive entered into force in mid-January 2016. European legislators are pursuing the objective of further developing the European internal market for electronic payments. The Directive governs the operations of payment service providers and replaces the Payment Services Directive dating from 2007. In substance, the provisions are adapted to innovative online and mobile payment processes. New information and liability requirements are aimed at improving customer protection. The Directive also revises the authorisation requirement in light of continuing digitalisation. It amends the definition of payment services accordingly and specifies exclusions.

In principle, the Directive applies to all payment services provided within the European Union (EU). As in the previous Directive, it distinguishes between privileged payment service providers (which are exempted from applying certain requirements of the Directive in consideration of their specific statutory responsibilities or existing institutional supervision) and payment institutions, which are in particular also subject to the authorisation requirement and ongoing supervision in accordance with the Directive.

In accordance with the definition, payment services serve to settle payments. Banks are classed as traditional payment service providers. However, start-ups with novel business concepts, such as fintech companies, are increasingly making a début.

The EU member states must transpose the Directive into national law by 13 January 2018. Certain IT security requirements will only be mandatory for undertakings 18 months after a delegated regulation enters into force, i.e. at the earliest in October 2018.

Revision of the authorisation requirement

The Directive newly classifies two business activities – payment initiation services and account information services – as payment services, and these will generally be subject to mandatory authorisation or registration going forward. Both services are based on online banking. When customers make an online purchase, they can initiate the payment order by means of a payment initiation service. This transmits the payment order to the merchant without taking possession of the customers' money. Account information services provide users with consolidated information on their payment accounts.

The digital payments business will no longer be a payment service subject to separate standards and requirements. However, this does not mean that it will cease to exist without replacement, but rather that it will be merged into existing and new definitions of payment services.

The specification of exemptions concerns in particular payment instruments with limited fields of application and certain payment transactions by providers of electronic communications networks or services that do not exceed a specific threshold. Although the providers covered by these exemptions do not require authorisation, they must report their transactions to BaFin.

Authorisation procedure

The Directive also governs the authorisation procedure for payment institutions. This corresponds to the current procedure but with several additions.
As before, payment institutions must submit an authorisation application to the supervisory authority, present their business models and enclose a viable business plan. Going forward, undertakings will also be required to submit their security policy documents. These include disclosures on how they handle security incidents and security-related customer complaints, how they process sensitive payment data and how they intend to ensure business continuity in crisis situations and collect specific statistical data.
Another new feature is the registration procedure for account information services.

Payment initiation and account information services

The new Directive also includes specific provisions regarding payment initiation and account information services. Going forward, credit institutions will be required to grant the new service providers access to the payment accounts managed by them in online banking. Depending on their business models, these service providers will have to comply with specific requirements concerning access to the payment account and account information. Clear identification vis-à-vis the institution managing the payment account is necessary when accessing the account.
Payment initiation and account information services must ensure that personalised security credentials are not accessible to any party other than the user and issuer. They must be transmitted through safe and efficient channels.

In addition, payment initiation and account information service providers must hold professional indemnity insurance.

Strong customer authentication

The amendments contain specific security requirements for payment service providers in relation to executing payments; these are aimed at better protecting customers against fraud and abuse. In certain cases, for instance when payers initiate electronic payment transactions, payment service providers will in future have to request strong customer authentication of the payer. This requires a minimum of two elements from the categories "knowledge" (e.g. a password), "possession" (e.g. a payment card) and "inherence" (e.g. a fingerprint); the elements must be independent of each other. In other words, the non-fulfilment of one criterion may not compromise the reliability of the others. Where online payments are concerned, the authentication process must also include elements that dynamically link the payment transaction to a specific amount and a specific payee.
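An added example, not part of the BaFin article: a minimal Python sketch of the two checks described above, namely that the verified elements come from at least two different categories and that the authentication code is bound to one specific amount and payee. The article names no mechanism for the dynamic link; HMAC-SHA256, the factor names, the key handling and the sample payee are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Factor -> category, following the article's examples (mapping is constructed).
CATEGORY = {"password": "knowledge", "pin": "knowledge",
            "payment_card": "possession", "fingerprint": "inherence"}

def is_strong(factors):
    """True if the verified factors span at least two distinct categories.
    Unknown factor names are ignored rather than trusted."""
    categories = {CATEGORY.get(f) for f in factors} - {None}
    return len(categories) >= 2

def _message(amount_cents, payee, nonce):
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [str(amount_cents).encode(), payee.encode(), nonce]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def auth_code(key, amount_cents, payee, nonce):
    """Authentication code dynamically linked to this amount and this payee."""
    msg = _message(amount_cents, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorise(key, factors, amount_cents, payee, nonce, code):
    """Accept only if the factors are sufficient and the code matches the
    payment that is actually about to be executed."""
    if not is_strong(factors):
        return False
    expected = auth_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)

def demo():
    key = secrets.token_bytes(32)      # constructed per-user secret
    nonce = secrets.token_bytes(16)    # one-time value per transaction
    payee = "DE00-EXAMPLE-PAYEE"       # constructed payee identifier
    two = ["password", "payment_card"]
    code = auth_code(key, 4999, payee, nonce)  # user approved 49.99 to payee
    return {
        "approved_payment": authorise(key, two, 4999, payee, nonce, code),
        "same_category": authorise(key, ["password", "pin"], 4999, payee, nonce, code),
        "amount_changed": authorise(key, two, 499900, payee, nonce, code),
        "payee_changed": authorise(key, two, 4999, "DE00-OTHER", nonce, code),
    }

if __name__ == "__main__":
    print(demo())
```

Only the payment the user approved is accepted; two elements from the same category, a changed amount or a changed payee are all rejected.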

On 23 February 2017, the European Banking Authority published a draft of the regulatory technical standards that will govern the technicalities of secure communication and the requirement for and exemptions from strong customer authentication.

Allocation of liability

The new Directive stipulates differentiated requirements for notification, evidence and liability with respect to unauthorised payment transactions. Unauthorised payment transactions are those that are initiated using lost, stolen or otherwise misappropriated payment instruments. Going forward, the aim is for the payer to bear an excess amounting to a maximum of €50 in cases of ordinary negligence.

Strengthening payers' rights

The Directive strengthens the payer's legal rights in other ways, too. To date, the common practice in Germany whereby consumers can unconditionally request a refund within eight weeks of a direct debit from their accounts was only agreed in the contract between the bank and the customer; for SEPA direct debits in euros, this refund right is now also laid down in law.

Businesses frequently charge considerable fees for using certain means of payment, in particular credit cards. The Directive prohibits such charges for payments made using SEPA credit transfers and SEPA direct debits, and for the majority of card payments. The only exceptions are company cards and cards issued under so-called three-party schemes; however, the most popular debit and credit cards in Germany are issued under four-party schemes.

Customer information

The new information requirements contained in the Directive will result in more transparent contractual terms. Cash withdrawal services will inform customers on site of all charges and fees for withdrawing cash.

The European Commission intends to produce an electronic guidance notice by January 2018 that lists the rights of consumers in respect of payment services in a clear and easily comprehensible manner. The EBA will set up a Europe-wide electronic register of payment institutions and payment service agents, in which the national registers will be included.
