PSD2 and the ecosystem of European payments
What is Payment Services Directive 2?
The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) is a European directive aimed at enhancing the regulation of payment services in the European Union. It entered into force on 12 January 2016 and gave Member States until 13 January 2018 to transpose it into national legislation. At Member State level it is therefore applied through the national law that transposes it, not directly as an EU directive.
PSD2 establishes rules regarding the transparency of conditions and information requirements for payment services, as well as the rights and obligations of providers and payment service users.
Who is affected by the PSD2?
Payment Services Directive 2 applies to payment services provided within the EU. According to Art. 4(3) of the Directive, read together with Annex I, payment services include:
- services enabling cash to be placed and withdrawn on/from a payment account;
- execution of payment transactions;
- issuing of payment instruments and/or acquiring of payment transactions;
- money remittance;
- payment initiation services;
- account information services.

Key provisions of PSD2
Strong Customer Authentication (SCA)
Strong Customer Authentication (Art. 4(30)) means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data. In other words, SCA is multi-factor authentication with elements drawn from at least two distinct categories: a password plus a PIN are two knowledge elements and do not qualify, while a password plus a one-time code generated on a device the user holds does.
Payment services providers are obliged by Art. 97 of the PSD2 to implement SCA in the following operations:
- accessing payment account online;
- initiation of an electronic payment transaction;
- carrying out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
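The following is an added illustration, not code from the original page, of how a payment service provider might gate a login or payment on the SCA rule above: every presented element must verify, and the verified elements must span at least two of the three categories, so that password + PIN is rejected as single-category. It assumes a PBKDF2-hashed password and PIN as knowledge elements and an RFC 6238 TOTP code as the possession element (the Directive does not prescribe any particular mechanism); the user record, salt and secrets are constructed for the example.

```python
"""Illustrative SCA gate: an authentication attempt succeeds only if every
presented element verifies and the verified elements span at least two of the
three PSD2 categories (knowledge, possession, inherence).  Constructed example,
not taken from the original page; the user record, salt and secrets are made up."""
import hashlib
import hmac
import struct
from enum import Enum
from typing import Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


PBKDF2_ITERATIONS = 100_000
PBKDF2_SALT = b"constructed-salt-not-for-production"  # assumption: a real system uses a per-user salt


def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), PBKDF2_SALT, PBKDF2_ITERATIONS)


# Constructed user record for the example.
USER = {
    "password_hash": _kdf("correct horse battery"),
    "pin_hash": _kdf("4321"),
    "totp_secret": b"constructed-20B-seed",  # shared with the user's authenticator app
}


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte time counter with RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_knowledge(kind: str, value: str) -> bool:
    """Constant-time comparison of a knowledge element (password or PIN) against its stored hash."""
    return hmac.compare_digest(USER[f"{kind}_hash"], _kdf(value))


def verify_possession(code: str, now: float) -> bool:
    """Possession proof: a TOTP code for the current 30-second window only (no clock skew allowed)."""
    return hmac.compare_digest(totp(USER["totp_secret"], int(now // 30)), code)


def sca_passed(elements: list) -> bool:
    """Art. 4(30) rule: every presented element must verify, and the verified elements
    must come from at least two distinct categories.  Password + PIN is two elements of
    one category and does not qualify.  Independence of the categories (a breach of one
    must not compromise the other) is a property of the channel design, e.g. not
    delivering the one-time code into the same browser session that holds the password,
    and cannot be checked from the element values alone."""
    if not elements or not all(ok for _, ok in elements):
        return False
    return len({category for category, _ in elements}) >= 2


def authenticate(password: str, pin: Optional[str], otp: Optional[str], now: float) -> bool:
    """Build the element list from what the client presented and apply the SCA rule."""
    elements = [(Category.KNOWLEDGE, verify_knowledge("password", password))]
    if pin is not None:
        elements.append((Category.KNOWLEDGE, verify_knowledge("pin", pin)))
    if otp is not None:
        elements.append((Category.POSSESSION, verify_possession(otp, now)))
    return sca_passed(elements)


if __name__ == "__main__":
    t = 1_700_000_000.0
    code = totp(USER["totp_secret"], int(t // 30))
    print("password + TOTP:", authenticate("correct horse battery", None, code, t))   # True
    print("password + PIN :", authenticate("correct horse battery", "4321", None, t))  # False
```

The category check is deliberately separate from the individual verifiers: the categorisation is a design decision made when an element is enrolled, not something inferred from the submitted value, and a failed element fails the whole attempt rather than being silently dropped, which keeps a single leaked factor from being combined with guesses at another.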
Providing services through agents
If an authorised payment services provider wants to provide its services through an agent, Art. 19 of the PSD2 requires it to report the following information about the agent to the competent authority in its home Member State:
- the name and address of the agent;
- a description of the internal control mechanisms that will be used by the agent in order to comply with the obligations in relation to money laundering and terrorist financing;
- the identity of directors and persons responsible for the management of the agent;
- the payment services for which the agent is mandated;
- where applicable, the unique identification code or number of the agent.
Within two months of receiving this information, the competent authority verifies it and informs the provider whether the agent has been entered in the public register of authorised payment institutions and their agents (Art. 14).
Information obligation
PSD2 in its Art. 45 establishes information and conditions obligations for payment services providers. They are obliged to inform their users, in easily understandable words and in a clear and comprehensible form, about:
- a specification of the information or unique identifier in order for a payment order to be properly initiated or executed;
- the maximum execution time for the payment service to be provided;
- all charges that the user should pay;
- if applicable, the actual or reference exchange rate applied to the transaction.
Record-keeping
Payment services providers are required to keep all relevant records for at least five years (Art. 21 of the PSD2), without prejudice to longer retention periods imposed by national or other EU law.
Interplay of PSD2 and GDPR
Payment services providers act as controllers for the personal data they process in the field covered by the PSD2, so they must comply with both the PSD2 and the GDPR at the same time. Where the two regimes use overlapping terms with different meanings, this overlap is a practical problem for providers.
The European Data Protection Board has addressed this in its Guidelines 06/2020 on the interplay of the PSD2 and the GDPR, which the following points summarise.
Lawful grounds for processing
Payment services are provided to users on a contractual basis. This means that the main legal basis for the processing of personal data in this case is Article 6(1)(b) of the GDPR, meaning that the processing is necessary for the performance of a contract.
Explicit consent
Both the PSD2 and the GDPR include the concept of explicit consent. However, in reality, these are two distinct definitions with different effects.
- PSD2: the explicit consent mentioned in Art. 94(2) is a contractual consent. When entering into a contract with a payment service provider under the PSD2, data subjects must be made fully aware of the specific categories of personal data that will be processed. Consent in the meaning of the PSD2 is not a legal ground for the processing of personal data; that ground remains Article 6(1)(b) of the GDPR.
- GDPR: consent is only valid if it is freely given, specific, informed and unambiguous (Art. 4(11) of the GDPR). For consent to be explicit, the data subject must express it expressly, for example by confirming it in a written statement. Consent in this sense is a tool that gives data subjects control over whether or not their personal data will be processed.
Sensitive data
Sometimes payment data reveals information that falls under the “special categories of personal data” defined in the GDPR, for example donations to religious or political organisations or membership fees paid to a trade union. This means that payment service providers often process not only payment information, but also special categories of personal data.
The definition of sensitive payment data in the PSD2 differs considerably from the term “special categories of personal data” used in the GDPR:
- PSD2: “sensitive payment data” is data, including personalised security credentials, which can be used to carry out fraud.
- GDPR: “special categories of personal data” is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

PSD2 enforcement and risks for businesses
Art. 103 of the PSD2 leaves the determination of penalties to the Member States, requiring only that such penalties be effective, proportionate and dissuasive. Additionally, Member States must allow their competent authorities to publish any administrative penalty imposed for an infringement of the national transposing rules, unless such publication would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
Here are examples of regulators in some of the EU countries:
- Germany: BaFin (Federal Financial Supervisory Authority)
- France: ACPR (Prudential Supervision and Resolution Authority)
- Spain: Banco de España (Bank of Spain)
- Ireland: Central Bank of Ireland
We can help you with compliance
Compliance with PSD2 is complex, but we are here to help you with this task! Legal IT Group supports financial companies and startups in building compliant and secure business operations.