Payment services: BaFin provides information on the new regulations
On 13 January, the new Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) entered into force. It transposes the provisions relating to supervisory law of the Second Directive on Payment Services (PSD 2) into German law. The PSD 2 and the revised ZAG serve to provide a legal framework for the rapidly progressing digitalisation in payment services and to promote consistent interpretation and application of the provisions throughout Europe by defining the exclusions in greater detail. The aim is to strengthen competition, increase the security of payment services and improve consumer protection.
In order to inform market participants of the amended set of rules in good time, BaFin published a new Guidance Notice (only available in German) on the ZAG at the end of November (see BaFinJournal December 2017 (only available in German)). BaFin subsequently held a conference on the topic at its Frankfurt offices, which was met with considerable interest: around 400 people registered for the event, of whom only around 180 could attend.
Important role of innovative digital financial undertakings
The audience was greeted by Raimund Röseler, Chief Executive Director of Banking Supervision. Mr Röseler told of how he started his career in the banking sector in the 1980s. "Back then, the topic of payment transactions certainly wasn’t thought of as something to get excited about", said Mr Röseler. "How times have changed."
Doris Dietze of the Federal Ministry of Finance (Bundesministerium der Finanzen – BMF) followed with a presentation reviewing the development from the First to the Second Payment Services Directive. "Innovative digital financial companies have a hugely important role to play in this process", she explained. They were the reason behind the PSD 2, and it was also owing to these new market participants that the BMF established a Fintech Council last spring (see BaFinJournal April 2017 (only available in German)). However, as much as we may welcome new application models, it is crucial we do not lose sight of consumer protection, data protection and IT security. These considerations therefore feature strongly in the PSD 2.
Authorisation requirement and exclusions
A core element of the revised ZAG is the inclusion of account information services and payment initiation services in the catalogue of payment services. BaFin's experts explained to the attendees how the authority intends to interpret these standards. Here the focus was on the conditions under which new business models may be regarded as purely technical services, which market participants can continue providing without requiring authorisation, and which business models require authorisation and/or registration.
The speakers also outlined the revised, extensive system of exclusions for payment systems¹ and telecommunications services. Depending on their design, payment systems may be operated without requiring authorisation as store cards, limited network and limited range payment systems or cards for specific social or tax purposes. Given the boom in cashless payments, this legal classification is of great significance for both the mineral oil industry and the retail sector. The rule applies to fuel cards, public transport cards, cards for purchasing clothing and city cards in addition to the broad area of prepaid cards.
With regard to the industry-wide exclusion for the telecommunications sector, BaFin's speakers presented, among other things, the statistical calculation method for providing evidence of compliance with the relevant thresholds. BaFin's experts also described which procedure should be used to provide notification to BaFin and to the European Banking Authority (EBA) by companies wishing to claim the relevant exclusion when they are required to submit a notification for exceeding certain thresholds.
In addition, BaFin's experts addressed the changes to the services that are included within the scope of issuing payment instruments and/or acquiring payment transactions, which largely redefine the scope of the previous provision and also replace the previous statutory requirements regarding the execution of payment transactions based on any telecommunication, digital or IT device. They also explained the inclusion of acquiring business in the system of payment services and the boundaries of the catch-all provision for money-remittance services. Finally, the speakers discussed the so-called commercial agent exclusion and the intra-group exemption.
Granting authorisation and calculating own funds
Anyone wishing to provide payment initiation services requires authorisation from BaFin. If a company wishes to provide account information services only, then registration is necessary. The new payment services are distinguished from traditional payment services by the fact that the service provider does not take possession of client funds. For this reason, special rules apply to the documentation that must be submitted as part of authorisation and registration procedures for these services. For example, pursuant to the ZAG, new service providers must take out insurance to safeguard against cases of liability, the value of which depends on the scope of the payment services provided. BaFin’s representatives presented the methods for calculating the minimum monetary amount for insurance coverage to safeguard against such liability risks. The basis for this calculation is provided by the corresponding EBA guidelines (see BaFinJournal July 2017 (only available in German)). BaFin has declared that it will apply these guidelines.
The new ZAG has extended the authorisation requirements for all other payment services: in future, applicants will also have to provide information regarding access to sensitive payment data and regarding the procedure in place to handle a security incident. Furthermore, they will have to submit a description of their security policy, including a detailed risk assessment in relation to the payment services provided. The requirements that have applied up to now must still be met. These include a proper business organisation in addition to the requirements for the professional qualifications and reliability of management board members. Companies wishing to submit an application should follow the guidelines of the EBA on authorisation and registration under the PSD 2 when preparing their application. These guidelines will also be applied by BaFin. Documentation should not only be complete, but should also be plausible and consistent.
Second Directive on Payment Services (PSD 2)
Act Implementing the Second Payment Services Directive (ZAG)
Guidance Notice on the ZAG (only available in German)
Regulatory technical standards on passport notifications
Draft regulatory technical standards on central contact points
Draft regulatory technical standards and draft implementing standards on the EBA register
Commission proposal for regulatory technical standards for strong customer authentication and secure communication
EBA guidelines on the authorisation of payment institutions
EBA guidelines on professional indemnity insurance
EBA guidelines on major incident reporting
EBA guidelines on security measures
EBA guidelines on procedures for complaints
In their presentation, BaFin's experts explained that the legislature has also included simplified requirements for new service providers. For example, companies that only intend to provide account information services are not required to hold initial capital or to undergo qualifying holding procedures. Similarly, whilst service providers wishing to provide payment initiation services require at least €50,000 in initial capital, like account information service providers, they are not required to adhere to ongoing own funds requirements.
Potential applicants can address any questions either directly to BaFin or to the competent Regional Office of the Deutsche Bundesbank, which is involved in both the authorisation or registration procedure and in the ongoing supervision of the payment institutions. Before submitting an application for authorisation or registration, the applicant should also be sure of precisely which payment services they intend to offer. For this reason, it may be helpful to contact BaFin in advance.
In order to give the company representatives in attendance an insight into BaFin's ongoing supervisory activities, the speakers also presented the notification requirements stipulated by the new ZAG that affect payment institutions. Regular notifications must be submitted in addition to notifications given for specific reasons, such as changes to the management board. This concerns the calculation of own funds requirements, for example, which changed with the amendment to the ZAG as a result of the European Capital Requirements Regulation – CRR. These so-called monthly returns must be transmitted via the extranet of the Deutsche Bundesbank. Beyond this, further notification requirements will be stipulated by delegated regulations and guidelines.
Security and competition in payment transactions
Lastly, representatives of BaFin spoke about the provisions of the new ZAG that serve to increase security and improve competition in payment transactions. They are directed at all payment service providers subject to supervision and in particular, therefore, at CRR credit institutions. Topics detailed by the speakers included the requirement for strong customer authentication, granting access to payment accounts for payment initiation and account information service providers, supervisory requirements for managing operational and security risks in payment transactions, and the related reporting requirements.
The new reporting procedure for major incidents in payment transactions, which replaces the previous reporting procedure pursuant to the minimum requirements for the security of internet payments (Mindestanforderungen an die Sicherheit von Internetzahlungen – MaSI), can be used already. As of 13 January, major incidents should only be reported using the new reporting templates and via BaFin's reporting and publishing platform (MVP Portal). The EBA has also published guidelines regarding the question of when a security incident is regarded as major and therefore subject to the reporting requirement (see BaFinJournal August 2017 (only available in German)). BaFin intends to apply these guidelines, without any changes to the content, to German supervisory practice by means of a circular. Payment service providers subject to the reporting requirement should already follow the criteria specified in the guidelines.
A further reporting procedure concerns statistical data related to cases of fraud in payment transactions. The corresponding guidelines, for which consultations were held last year, will only be issued in the coming months. Payment service providers may therefore assume that the reporting requirements will only apply to payments conducted from 2019.
The event was concluded with a panel discussion involving representatives from the banking industry, fintechs, payment service providers and the prepaid industry alongside moderator Volker Greve, Executive Director Raimund Röseler and BMF representative Doris Dietze. The speakers were in agreement that competent supervision has clear benefits, noting that it will strengthen Germany's position as a financial centre in the long term.
Mr Röseler also commented that he expects to participate in further conferences on the same topic in future. "The area of payment transactions is likely to continue to develop with great agility."
This article reflects the situation at the time of publication and will not be updated subsequently.
- 1 Hitherto "Group payment systems".