- Access to payment accounts by third party providers (TPPs), called Payment
- Initiation Services (PIS).
- Scope extension: all EU currencies and payments whereby either payer or payee is located outside the EU (“one leg out”) are now included with respect to transparency and information requirements.
- Re-examination of the refund rules and the liability rules that apply in case something goes wrong with a payment transaction.
The EBF welcomed the intention of the PSD2 to tackle issues raised by technological and market developments and by the emergence of new players. However, some concerns on the general approach taken by the European Commission forcing its vision of the payment market were identified. The EBF believes that a dynamic market such as the payment services market characterized by a continuous flow of new solutions should be approached differently.
The main concern for the EBF in the EC proposal for a PSD2 is the treatment of Third Party Providers (TPPs). Their inclusion in the scope of the proposal with a view to solving their current unregulated situation is welcome. However, not all aspects concerning TPPs have been fully considered and resolved in the PSD2 and the final outcome is an unclear picture of the overall legal framework, and more particularly the legal relationship and distribution of rights and obligations between account-holding Payment Service Providers (PSP) and TPPs.
The EBF believes that there is still a lack of precision about the responsibilities of TPPs in terms of security and infrastructure as well as protection of personal data. TPPs will have an unconditional right to access consumers’ payment accounts-but how and on which terms is not sufficiently defined. Specifically the terms and conditions of the TPP/account-holding Payment Service Provider/User relationship as well as the minimum security standards required for TPPs’ access to account information need to be better defined. Likewise, issues relating to the defective execution and disputes need to be clarified in detail.
In order to ensure a proper balance of responsibilities between PSPs and TPPs, actual security of the user, and, therefore, full confidence in the electronic means of payment, the PSD2 should mandate a proper and explicit contractual framework, which encompasses both legs of the tripartite relationship TPP/account-holding PSP/User and also better regulates their responsibilities and liabilities. PIS establishes legal and operational links between the consumer, the TPP and the account servicing payment service provider. This necessitates precise and transparent agreements between the parties involved.
According to the EBF, and in order to ensure the integrity of the payment system, provisions in relation to TPP should take into account the following:
- Business models based on the principle that consumers hand over their personal log-in credentials should not be allowed. It is crucial that the legislator protects consumers’ digital identities. Personal log-in credentials are…personal!
- TPPs should be at all times:
- contractually bound to both user and account-holding PSPs for a single or a series of transactions;
- subject to exactly the same safekeeping, security, privacy and transparency rules as account-holding PSPs;
- fully and directly liable to users, without account-holding PSPs being obliged to refund users in a first place and then to exercise their right to recourse vis-à-vis TPPs;
- liable for any additional cost generated by their activity incurred by the account-holding PSPs.The EBF therefore believes that the current proposal still requires further fundamental improvements and would strongly recommend amendments.The proposal is currently being reviewed by the European Parliament and the Council of the EU representing EU Member States. The Rapporteur of the Economic and Monetary Committee (ECON) of the European Parliament, MEP Diogo Feio issued a draft report in November 2013 that includes draft amendments to the Commission’s proposal. An ambitious calendar has been set by the European Parliament in order to achieve a vote on this piece of legislation before the legislative term of this Parliament. At the time of writing, it is unclear when a co-decision between the European Parliament and the Council could be reached.
The draft PSD2 proposal does not make a distinction between two very different types of PIS:
Overlay services where a third-party provider obtains the sensitive private and secret credentials of a consumer and uses them to impersonate the consumer and enter his/her bank account and initiates a payment order as if it was the consumer him/herself.
Pass-through services where the third party provider redirects the consumer to his/her internet account portal allowing the consumer to log-in and initiate the payment order him/herself. In both cases, the TPP may assist the customer in making a payment to a web merchant, for example by presenting the customer with a pre-filled payment instruction.