On 13th January 2018 the Second Payment Services Directive, or PSD2, became national law in EU Member States. In the UK, PSD2 was implemented within the 2017 Payment Services Regulations, which are enforced by the Financial Conduct Authority (FCA).
Much of the focus around PSD2, understandably, has been on open banking and APIs, which for the first time, allows third-party providers to access customer bank account data, based on the customer’s approval, to provide value-added services in the payments arena.
Most pundits have been preoccupied with the security and liability challenges associated with opening client account information up to non-bank third parties.
If open banking wasn’t challenging enough to grasp as a concept, hold onto your hats, as a deep dive into PSD2 and the FCA’s e-money and payment services approach document unearths some more obscure and less well-known aspects of the regulations, which have had compliance officers reaching for a compass.
- First cab off the rank, you may be surprised to discover that PSD2’s overarching reach is not just confined to the EU. Non-EU transactions are now caught in its tentacles, as well as transactions where one leg is conducted by a payment service provider (PSP) that is outside the EU.
- If you’re a marketplace or e-commerce platform that handles or controls client money, then you had to quickly get to grips with the finer details of PSD2, which tightened its interpretation of the “commercial agent” and “limited network” exemptions that marketplaces may have relied on to avoid becoming a licensed provider of regulated payment services.
- Retail consumers kissed goodbye to annoying card surcharges, which were scrapped for most of us under PSD2. Charges on corporate cards, however, remain outside the scope of the regulation.
- When is a payment account not a payment account? PSD2 and the FCA’s 2015 Payment Account Regulations, which implemented the EU Payment Accounts Directive, have different definitions of what constitutes a payment account, which caused some head scratching.
- Monthly account statements. This is a bit of an odd one given that the focus is now on making account data available in more modern, convenient ways and dispensing with outmoded means of communication such as paper statements, once and for all. According to the FCA’s approach document, payment service providers must now “provide” (which has a specific definition relating to proactively pushing this out to the customer) monthly account statements on paper or a “durable medium” (which also has a specific definition).
- Social media may no longer suffice as a reporting tool for major operational and security incidents: Throughout 2017, there were some well-publicised issues/outages in the payments sector. However, the FCA now requires notification of major operational and security incidents, within hours of them occurring, as well as regular updates. Whilst UK “challenger banks” were praised by (some of) their customers for their openness and keeping people up to date via Twitter, going forward, it may no longer be enough just to post apologies and updates on social media.
- You can see the newspaper headline now: FCA Drowning in PSD2 Re-authorisation Applications. Under PSD2, all existing e-money and payment services businesses needed to go through a re-authorisation process to continue operating beyond mid-July. The FCA wanted submissions completed by mid-April, as it needed to decide on “complete” applications within three months.
Some of the terms we’ve used are explained further in the Jargon Buster below.
PSD2 Jargon Buster
Durable medium: This terminology may be familiar to the building trade, but sounds out of place in regulatory guidance for payment service providers. Yet, according to the FCA, in the context of PSD2, ‘durable medium’ refers to “any instrument which enables the payment service user to store information addressed personally to them in a way accessible for future reference … and which allows the unchanged reproduction of the information stored.” So, this could mean printouts, CD-ROMs, DVDs, hardly modern-day storage devices in the age of Cloud computing. The FCA says “in certain circumstances internet sites” may qualify as a durable medium.
Payment account: Interpreting regulations is often a game of semantics and PSD2 is no different. It defines a ‘payment account’ as an “account held by one or more payment service users, which is used to conduct payment transactions.” It may include savings and current accounts or accounts that combine savings with mortgage and payment facilities, so long as the account is being used to make payments. However, the FCA’s 2015 Payment Accounts Regulations does not class some savings or credit-card accounts as payment accounts. Clear as mud then.
Payment Service Provider: In addition to banks and building societies, payment and e-money institutions, PSD2 introduces two new classes of payment service providers: Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP), which are expected to provide new services under PSD2. For example, AISPs could provide aggregated bank account information and analysis services. PISPs, which “initiate a payment from the user account to the merchant account by creating a software bridge,” could start to offer services such as bill payment and peer-to-peer transfers.
This article was originally published by Finextra.