The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366, which replaced the Payment Services Directive (PSD), Directive 2007/64/EC) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA).
The PSD directive’s purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments safer and more secure and protecting consumers.
The SEPA (Single Euro Payments Area) is a self-regulatory initiative by the European banking sector represented in the European Payments Council, which defines the harmonization of payment products, infrastructures and technical standards (Rulebooks for credit transfer/direct debit, BIC, IBAN, ISO 20022 XML message format, EMV chip cards/terminals). The PSD provides the legal framework within which all payment service providers must operate.
The PSD’s purpose in regard to the payments industry was to increase pan-European competition with participation also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. The PSD’s purpose in regard to consumers was to increase customer rights, guarantee faster payments (no later than next day since 1 January 2012), describe refund rights, and give clearer information on payments. Although the PSD was a maximum harmonisation directive, certain elements allowed for different options by individual countries.
The final adopted text of PSD went into force 25 December 2007 and was transposed into national legislation by all EU and EEA member states by 1 November 2009.
The PSD contained two main sections:
- The “market rules” described which type of organizations could provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), the PSD mentioned electronic money institutions (EMI), created by the E-Money Directive in 2000, and created the new category of “payment institutions” (PI) with its own prudential regime rules. Organizations that are neither credit institutions or EMIs could apply for an authorization as a payment institution if they met certain capital and risk management requirements. The application could be made in any EU country where they are established and they could then “passport” their payment services into all other EU member states without additional PI requirements.
- The “business conduct rules” specified what transparency of information payment service institutions needed to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulated the rights and obligations for both payment service providers and users, how to authorize and execute transactions, liability in case of unauthorized use of payment instruments, refunds on payments, revoking payment orders, and value dating of payments.
Each country had to designate a “competent authority” for prudential supervision of the PIs and to monitor compliance with business conduct rules, as transposed into national legislation.
The PSD was updated in 2009 (EC Regulation 924/2009) and 2012 (EU Regulation 260/2012). An implementation report from 2013 found the PSD facilitated “provision of uniform payment services across the EU” and reduced legal and production costs for many payment service providers and that “the expected benefits have not yet been fully realised”. The same report found the 2009 update “to be functioning well. For example, charges for €100 transfers followed a further downward trend to €0.50 euro-area average for transfers initiated online and remained low, at €3.10 for transfers initiated at the bank counter”.
- The PSD only applied to payments within the European Economic Area, but not to transactions to or from third countries.
- PSD exemptions related to payment activities left users unprotected.
- The PSD option for merchants to charge a fee or give a rebate, combined with the option for countries to limit this, led to “extreme heterogeneity in the market”.
- So-called “third party payment service providers” emerged, which facilitated online shopping by offering low cost payment solutions on the Internet by using the customers’ home online banking application with their agreement, and informing merchants that the money is on its way. Other “account information services” offer consolidated information on different accounts of a payments service user. Harmonisation of refund rules regarding direct debits, a reduction of the scope of the “simplified regime” for so-called “small payment institutions” and addressing security, access to information on payment accounts or data privacy with possible licensing and supervision were proposed.
Revised Directive on Payment Services (PSD2)
On 8 October 2015, the European Parliament adopted the European Commission proposal to create safer and more innovative European payments (PSD2, Directive (EU) 2015/2366). The current rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.
Then-Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said, “This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow.”
On 16 November 2015, the Council of the European Union passed PSD2. Member states then had two years to incorporate the directive into their national laws and regulations. On 27 November 2017, Commission delegated Regulation (EU) 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
The EU and many banks pushed this development with the new Payments Service Directive 2 (PSD2), which came into force on 13 January 2018. Banks then adapted to these changes which opened many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.
An important element of PSD2 is the requirement for strong customer authentication on the majority of electronic payments.
Another important element of the directive is the demand for common and secure communication (CSC). eIDAS-defined qualified certificates for are demanded for website authentication and electronic seals used for communication between financial services players. The technical specification ETSI TS 119 495 defines a standard for implementing these requirements.
PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication (SCA) until 31 December 2020.
- March 2000: Lisbon Agenda to make Europe “the world’s most competitive and dynamic knowledge-driven economy” by 2010
- December 2001: regulation EC 2560/2001 on cross-border payments in Euro
- 2002: European Payments Council created by the banking industry, driving the Single Euro Payments Area initiative to harmonize the main non-cash payment instruments across the Euro area (by end 2010)
- 2001–2004: consultation period and preparation of PSD
- December 2005: proposal for PSD by DG Internal Market Commissioner McCreevy
- 25 December 2007: PSD entered into force
- 1 November 2009: deadline for transposition in national legislation
- 2009 update: eliminated differences in charges for cross-border and national payments in euro (EC Regulation 924/2009)
- 2012 update: Regulation on cross-border payments, “multilateral interchange fees” (EU Regulation 260/2012)
- July 2013: report on implementation of PSD and its two updates
- 16 November 2015: The Council of the European Union passes PSD2, giving member states two years to incorporate the directive into their national laws and regulations.
- 13 January 2018: Directive 2007/64/EC is repealed and replaced by Directive (EU) 2015/2366
- 14 March 2019: All Financial Institutions offering an API solution must have it available for external testing by PISPs and AISPs.
- 14 September 2019: The final deadline for all companies within the EU to comply with PSD2’s Regulatory Technical Standard (RTS) pertaining to directive (EU) 2015/2366 (PSD2)
- 31 December 2020: Extended deadline for all companies within the EU to implement PSD2’s Strong Customer Authentication (SCA)
Privacy First, a privacy organization, criticized the open banking elements of the new legislation, claiming it focuses too much on improving competition and innovation while the privacy interests of account holders are overlooked.
- ^Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance), OJ L, 23 December 2015, retrieved 12 July 2020
- ^ Jump up to:ab “Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC”. Official Journal of the European Union. 5 December 2007. Retrieved 2 August 2014.
- ^ Jump up to:ab “Payment services (PSD 1) – Directive 2007/64/EC”. European Commission. Retrieved 13 February 2017.
- ^“Authorised Payment Institution | Payments | Licensing & Compliance”. BCC UK. Retrieved 26 May 2020.
- ^“The Payment Services Directive – What it means for Consumers” (PDF). European Commission. Archived from the original (PDF) on 30 May 2013. Retrieved 20 March 2014.
- ^“Directive on Payment Services (PSD) – Member States’ options”. EC.Europa.eu. European Commission. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
- ^“Payment Services”. EC.Europa.eu. European Commission. Retrieved 13 February 2017.
- ^“Competent authorities for the authorisation and supervision of payment institutions (Article 20)” (PDF). EC.Europa.eu. Archived from the original (PDF) on 27 February 2015. Retrieved 27 February 2015.
- ^ Jump up to:ab c “Report from the Commission to the European Parliament and the Council on the application of Directive 2007/64/EC on payment services in the internal market and on Regulation (EC) No 924/2009 on cross-border payments in the Community”. Eur-lex.europa.eu. 24 July 2013. Retrieved 27 February 2015.
- ^ Jump up to:ab“European Parliament adopts European Commission proposal to create safer and more innovative European payments” (Press release). European Commission. 8 October 2015. Retrieved 4 May 2016.
- ^ Jump up to:ab“Electronic payment services: Council adopts updated rules” (Press release). Council of the EU. 16 November 2015. Retrieved 16 November 2015.
- ^“COMMISSION DELEGATED REGULATION (EU) 2018/389”. 27 November 2017.
- ^“Capitalizing on the potential benefits of open banking”. McKinsey. Retrieved 21 September 2019.
- ^“strong customer authentication (SCA) Enforcement Date : Stripe: Help & Support”. Retrieved 21 September 2019.
- ^“EBA publishes an Opinion on the elements of strong customer authentication under PSD2” (Press release). European Banking Authority. Retrieved 21 September 2019.
- ^Jones, Brendan (23 October 2018). “The Implications and Requirements of PSD2 open banking for Programme Managers”. Finextra.
- ^“European PSD2 legislation puts privacy under pressure. Privacy First demands PSD2 opt-out register”. www.privacyfirst.eu. Retrieved 26 May 2020.