The revision of Directive 2366/2015/EU (PSD 2), which entered into force in 2015, is eagerly awaited. After seven years, an adjustment of the legal regime appears sensible to take account of market changes and new developments which are triggered not least due to digitalisation and new business models. Therefore, on 20 October 2021, the European Commission submitted to the EBA a Call for Advice (CfA) regarding the review of PSD 2 with a view to considering whether developments in the payment services market and changing needs of payment services users (PSUs) and payment services providers (PSPs) would make a revision of the PSD necessary. The CfA was followed by a targeted consultation of the Commission on 10 May 2022 seeking to gather input from professional stakeholders to decide whether EU coordinated actions or policy measures are warranted.
On 23 June 2022, the European Banking Authority (EBA) has now released a comprehensive opinion setting out responses to the 28 questions raised in the CfA. The responses cover nine areas including, among other things, scope and definitions, licensing of payment institutions (PIs) and supervision of PSPs, strong customer authentication or access to payment systems and accounts.
Below, we set out the EBA’s proposals, which are most notable, and discuss their implications.
Scope of and definitions under PSD 2
Delineating between payment services
Due to diverging approaches in the member states and plenty of business models in the payment services market, the nature and scope of the specific payment services need to be delineated more clearly. In particular, the definition of money remittance business leads to difficulties of delimitation due to its broad nature. Specifically, it is often difficult to differentiate money remittance business from credit transfers. Therefore, the EBA proposes to clarify that for a service to qualify as credit transfer, a payment account should always be opened by the PSP in the name of the PSU.
In addition, the operation of payment accounts should not be treated as a standalone payment service requiring authorisation under PSD 2. Consequently, PIs operating payment accounts should be authorised for individual payment services that do not require them to obtain authorisation for services under item 1 and 2 of Annex I to PSD 2 (i.e. placing and withdrawing cash from a payment account and related services of operating a payment account).
Furthermore, the EBA is of the view that the distinction between the execution of payment transactions with or without providing credit (item 3 and 4 of Annex I to PSD 2) is artificial and suggests merging these payment services into a single service. Besides, the reference to credit transfers, card payment and directs debits should be removed to broaden the scope of the service and capture potential future innovative payment instruments and solutions.
In contrast, the EBA wants to split the payment service of issuing and acquiring (item 5 of Annex I to PSD 2) into two separate payment services since they would be very different in their nature and require a different supervisory approach. Besides, it is currently unclear whether the issuing of payment instruments includes the execution of payment transactions with said payment instrument and the EBA proposes to clarify this further in the revised PSD 2.
Interestingly, the scope of the payment initiation service (PIS) should be narrowed down to exclude certain corporate services that are offered to payers who are no consumer as individuals and that are based on specific, (bilateral) agreements for the provision of services through a custom-built IT system. This will be welcomed by the market because various corporate software solutions are arguably caught by the current definition of PIS, and could only be excluded from the scope based on considerations of the legislative background for authorising PIS.
Payment instrument, payment account and other clarifications
Over the years, it could be observed that many definitions used in PSD 2 leave room for interpretation and therefore prevented a harmonised approach in the member states. The EBA therefore seeks to clarify key terms and definitions under the PSD 2 such as “initiation of payment transactions”, “remote payment transactions” or “payment channel”. For example, with regard to the definition of “payment accounts”, the question arose whether e-money accounts linked to prepaid cards, savings accounts, reference accounts, credit card accounts and others can be considered as payment accounts in the meaning of PSD 2. The EBA notes that the ECJ ruling C-191/17 brought some clarity with regard to the definition. However, it must be recognised that the interpretation of the ECJ is based on the Payment Account Directive, which provides for a stricter approach and narrows down the scope of payment accounts under PSD 2. Therefore, the revised PSD 2 should provide for more guidance in this regard. Similarly, the term “payment instrument” leaves room for interpretation since, for example, in certain circumstances even mobile phones or computers could be considered as payment instruments which demonstrates that the specific features of what constitutes a payment instrument must be clarified.
The EBA has also identified issues in relation to the interpretation and application of some of the exclusions under PSD 2.
With regard to the limited network exclusion, the EBA has recently published guidelines to harmonise the approach among the member states (see our blog post). However, as part of its mandate, the EBA was not able to provide guidance on the interpretation of definitions and terms set out in PSD 2, relating for example to the terms “professional issuer”, “issuer”, “premises” or the geographical scope of the exclusion, and therefore proposes that the Commission should provide for more guidance on these terms and furthermore consider whether to incorporate (parts of) the EBA guidelines in the revised PSD 2.
Also, concerning the commercial agent exclusion, the EBA has identified a number of issues relating to its interpretation. There would be a lack of clarity with regard to activities falling within the scope of the exclusion, the interplay with Directive 86/653/EC setting out requirements for self-employed commercial argents or what is specifically meant by “negotiating or concluding” contracts.
According to the EBA, the independent ATM providers exclusion needs also further clarification, for example, regarding the cases when an ATM provider acts on behalf of card issuing PSPs and whether this requires the conclusion of a direct contracts between the ATM provider and the card issuer. In particular, there has been some uncertainty in the market on the treatment of cash-in-shop services where PSUs withdraw cash from a merchant using their payment card at a POS without making a purchase.
Interestingly, the opinion does not set out further details with regard to the intra-group exemption although its scope has been highly debated in the last years – at least in the Germany.
Business models currently not in scope
The EBA generally takes a restrictive approach regarding the request to bring unregulated business models or those which are currently covered by a different regulatory regime under the scope of PSD 2.
For example, it has always been debated whether payment or card scheme operators should be regulated under PSD 2. Historically, payment schemes are covered by the oversight function of the central banks, i.e. they are not authorised by local regulators and are not subject to a prudential supervisory regime. Although the EBA does not see the need to include payment schemes under the scope of PSD 2, it acknowledges that specific provisions should be introduced to payment schemes to ensure that key securities requirements are properly implemented in the future such as Strong Customer Authentication (SCA).
Similarly, with regard to digital wallet providers, the EBA does not see the need to specifically regulate the “operation of digital wallets” as a separate payment service because the services of a digital wallet provider are usually already covered by the PSD 2, e.g. in the form of issuance of payment instruments.
The EBA also clarifies that payment gateways which provide technical services such as authentication and authorisation of payment transactions and facilitate the implementation of SCA do not require authorisation. The same applies to white label providers which should not be brought under the scope of PSD 2 as providing a separate payment service since these services are usually provided on behalf of PSPs or in support to the provision of payment services.
Similarly, concerning buy now pay later (BNPL) business models, which are currently in focus of regulators in particular from a consumer credit perspective, the EBA arrived at the view that the core service provided is of a lending nature and should be considered as granting credits. Whether additional payment services are offered would depend on the specific business model but as such BNPL services should not require an additional regulatory approach under PSD 2.
Capital requirements and calculation of own funds
While PIs and electronic money institutions (EMIs) are already required to fulfill capital and own funds requirements, the EBA further sees the need to revise the prudential framework for PIs and EMIs. It is proposed to align the initial capital requirements for all PIs/EMIs with the exception of payment initiation service providers (PISPs) and account information service providers (AISPs) and introduce additional own funds requirements for granting of credits which are offered in combination with a payment service.
Recovery and resolution framework and safeguarding requirements
Currently PIs and EMIs are not covered by a recovery and resolution regime, i.e. they do not have to draw up recovery and resolution plans under Directive 2014/59/EU (BRRD) and are not subject to any resolution actions by competent authorities (CAs). The EBA proposes to introduce a simplified recovery and wind-down framework for significant PIs and EMIs since their liquidation may have a spill-over effect on other financial institutions and a negative impact on the repayment of funds to PSUs. The significance should be determined by certain criteria of relevance to be further developed. The framework may cover the information to be provided to CAs and what conditions should be fulfilled if they or the CAs want to liquidate their business. Furthermore, specific powers should be given to CAs such as early intervention or resolution-like measures.
Furthermore, the EBA wishes some issues regarding the safeguarding regime to be clarified in the revised PSD 2. For example, the EBA is of the view that the term ‘credit institutions’ in the meaning of Art. 10 PSD 2 covers only CRR credit institutions and that it should therefore not possible for PIs or EMIs to safeguard client funds on the accounts of a third country credit institution, but only with a CRR credit institution or its branches domiciled in the EU. This question has particularly become relevant for PIs and EMIs after Brexit. Furthermore, it should be clarified that funds placed in a safeguarding account held in a credit institution are protected by a deposit guarantee scheme in case that the credit institution were to fail.
In order to delineate between the right of establishment (ROE) and freedom to provide services (FPS), the EBA proposes to provide clarity on the criteria and clarify to which extent it should be possible for PIs and EMIs to operate in other member states simultaneously on the basis of the concept of ROE and FPS and whether this should be communicated clearly to PSUs. This would obviously not only have an impact of PIs or EMIs but may also serve as guidance for other financial services institutions.
Also, with regard to so-called “triangular passporting” where a PI or EMI authorised in country A uses an intermediary in country B for offering payment services in another country C, the supervisory responsibilities between the relevant CAs should be addressed explicitly in the revised Directive.
Strong customer authentication (SCA)
PSD 2 introduced for the first-time in the EU detailed requirements relating to the SCA including details on two factor authentication which was accompanied by EBA RTS and various other guidance documents. Although the EBA has not identified the need to bring into the scope of application additional types of transactions, it recommends a number of clarifications including the regulatory treatment of merchant-initiated transactions, transactions outside the scope of SCA, the mitigation of social engineering fraud risks and the need to ensure that certain groups of society are not excluded from using payment services as a fundamental service. Further areas which may needs clarification cover, among other things, outsourcing, the inherence SCA elements and its interplay with GDPR, independence of SCA elements, nature of the exemptions of SCA, the liability regime for cases where an SCA exemption has been applied.
Access to payment systems and accounts
The EBA proposes to explore the possibility of having a common API standard across the EU to be developed by the industry and that all account servicing payment service providers (ASPSPs) should provide a dedicated interface for the access of third-party providers (TPP) and remove the requirement for ASPSPs to also provide a fall-back mechanism. Furthermore, AISPs should apply their own SCA instead of ASPSPs after an initial SCA has been performed with the ASPSP the first time the PSUs access the payment account through the respective AISP.
A related topic which concerns the obligation of credit institutions to grant PIs access to payment account services relates to the fact that the reference to “fully justified reasons” for refusing and terminating access is quite unclear. The EBA proposes that it should be specified such as shortcomings in ML/TF controls, a breach of contract or the particular business model of the credit institution or PI/EMI. Regulators should be informed within a specific time with the reasons for any rejection.
In addition, there is a divergent practice across members states regarding the access of payment schemes: while in some jurisdictions credit institutions are obliged to grant PIs and EMIs access to payment schemes with settlement finality, others allow a direct participation of PIs and EMIs. Since this gives rise to general level-playing fields issues and regulatory arbitrage, the EBA sees the need for further harmonisation.
PSD 3 is currently in a very early stage. The CfA and the EBA’s opinion do not constitute a final position or formal proposal but give an indication what can be expected. In particular, the very detailed opinion demonstrates impressively that many concepts and definitions under PSD 2 need further clarity and development. Responses to the Commission’s targeted consultation must be submitted by 5 July 2022. We expect that this will be followed by a substantive proposal for revisions in form a first draft of the PSD 3, potentially by the end of 2022 or early 2023. The interplay with other legislative acts such as DORA (see our blog post), MiCA and the Settlement Finality Directive also needs to be closely observed. The EBA proposes, e.g. to merge PSD 2 and the E-Money Directive to address issues on the delineation between payment accounts and e-money accounts.
The EBA has arrived at the view that there are a significant number of issues that should be addressed in order to more fully achieve the objectives of PSD 2 of enhancing competition in retail payments vis-a-vis incumbents, facilitating innovation, increasing security of payment transactions, protecting consumers, enhancing customer convenience, (...) and creating a single EU retail payments market.