Sissy Papagiannidou, Director of the Department...

1

Payment Services Directive (PSD2)

S. Papagiannidou, Director, Banking Supervision Department

Bank of Greece

Athens, 31 May 2016

2

Overview of EU and Greek Legal Framework

EU

- Directive 2007/64/EC of the European Parliament and of the Council of November 13th, 2007, on payment services in the internal market - Payment Services Directive (PSD1)
- Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2)

Greece

- Greek Law 3862/13 July 2010 on payment services (transposing PSD1)
- Bank of Greece Governor’s Act 2628/30 September 2010 on the authorisation & prudential supervision of Payment Institutions
- Bank of Greece Executive Committee Act 33/19 December 2013 “Terms and conditions of authorisation and supervisory rules of electronic money institutions”
- Bank of Greece Executive Committee Act 59/18 January 2016 “Adoption of the EBA Guidelines on the security of internet payments (EBA/GL/2014/12)”
- Bank of Greece Governor’s Act 2577/9 March 2007 “Framework of operational principles and criteria for the evaluation of the organisation and internal control systems of credit and financial institutions and relevant powers of their management bodies” (on a proportionate basis)

3

Objectives PSD1

- Created a modern and comprehensive set of rules applicable to all payment services in the EU and improved competition by regulating payment services and opening up payment markets to new entrants
- It harmonised terms and conditions across the EU for payments
- It provided for clear rules for a new category of payment service providers, established by the Directive, called Payment Institutions (PIs)
- It enhanced consumer protection and set minimum service levels

4

Main Areas of Innovation in European Retail Payments since PSD1 Adoption

- The retail payments market has experienced significant technical innovation
- Rapid growth in the number of electronic and mobile payments
- Emergence of new types of payment services in the marketplace (instant payments, P2P mobile payments, mobile and card based contactless proximity payments)
- Market developments have given rise to significant challenges from a regulatory perspective, in particular:
  - Many innovative payment products or services do not fall within the scope of PSD1
  - Elements excluded from PSD1 scope, such as certain payment-related activities, have proved in some cases to be too general, resulting in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection
  - Difficulty for payment service providers to launch innovative, safe and easy-to-use digital payment services

5

PSD2 timeline

- EU COM releases PSD2 proposal
- Compromise text approved by Trilogue
- Political agreement
- EU Parliament adopts PSD2
- Publication in EU Official Journal
- Transposition of PSD2 to national legislation*

*13 Jan 2018 (2 years after entry into force) - except for the security measures referred to in Articles 65, 66, 67 and 97 which shall enter into force 18 months after the adoption by the Commission of the EBA RTS (not before September 2018)

6

PSD2 - Aims & Objectives (1)

- Extension of scope: new payment services established, i.e. Payment Initiation Services (PIS) & Account Information Services (AIS)
- Inclusion of new players: providers of such services that have to be licensed/registered, i.e. third party payment service providers (“TPPs”)
- Broadening geographical scope to "one leg" transactions: including payments to and from third countries (where one of the payment service providers is located in the EU). PSD1 applies only to intra-EU payments
- Applying in all currencies: the same rules will apply to payments that are made in a currency that is not denominated in Euro or in another Member State's currency
- Clarification and extension of definitions
- Update and narrowing down of the negative scope: ensure a level playing field and enhance consumer protection. PSD1 exclusions have been applied by Member States in different ways leading to regulatory arbitrage and legal uncertainty

7

PSD2 - Aims & Objectives (2)

- Establishing safer and more innovative payment services across the EU that is moving towards a digital economy
- Enhancing consumer protection
- Improving the security requirements for payments
- Increasing competition in terms of lower fees for the services offered, increasing efficiency and the choice of products for users (both consumers and merchants)
- Further harmonisation of the European payments landscape from a regulatory perspective
- Reinforced supervision on a cross border context (including passport provisions)
- Safeguarding (greater harmonisation)
- Contributing to a more integrated and efficient European payments market
- Offers business opportunities for established and new market participants to improve, enlarge, or re-engineer current product service offerings (e.g. AIS providers’ clients can have a global view on their payment accounts from one place, “cross-bank”, “cross-product”, “cross-sell” opportunities are created)

8

PSD2 Key Changes

9

Main Areas of Impact of PSD2 on EMD2

PSD2 Areas of Impact EMD2

- Scope: e.g. limited network exclusion
- Services: licensing, supervision & passport
- Accounts: better access to bank accounts
- Systems: better access to payment systems
- Payments: enhanced security of payments

10

Potential Implications of PSD2

- PSD2 will inevitably result in companies having to make changes:
  - System changes
  - Document and process changes
  - Changes to accommodate new payment services
  - EBA standards
- Big impact to existing account holding PSPs
- Existing account holding PSPs may get less interaction with their customer
- Payment schemes, merchant acquirers and card issuers will face greater competition

11

Payment Institutions’ Authorisation (1)

Authorisation requirements are largely the same as set out in PSD1. Additional security requirements are established

- Internal Governance
- Safeguarding Requirement
- Business Plan
- Initial Capital
  - €20,000 for remittances
  - €50,000 for PIS
  - no initial capital for AIS
  - €125,000 for all other payment services
- Fit & Proper Tests for shareholders, BoD Members
- Security Requirements
- Money Laundering

Bank of Greece: competent authority for licensing and supervising credit institutions, payment institutions, e-money institutions

12

Payment Institutions’ Authorisation (2)

- License to be granted in MS in which entity has its head office and carries out at least part of its payment service business
- Public central EBA register for licensed entities, their agents and branches
- Limited networks and telecom operators offering payment services to notify their activities even though not licensed
- Waiver regime: option for MS to apply a lighter authorisation regime for entities of monthly payment transactions below €3 million (or lighter)

13

Negative Scope

Exclusion | PSD1 | PSD2

Commercial agent

PSD1 exempts payment transactions from the payer to the payee through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee

PSD2 amends this exemption so that it only applies to a commercial agent that acts on behalf of either the payer or the payee, but not an agent that acts for both

Limited network

PSD1 exempts payment services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services

PSD2 requires the relevant instrument to be a “specific payment instrument” and the range of goods or services that can be acquired using that instrument to be “very” limited. PSD2 also requires service providers relying on this exemption to notify their relevant competent authorities where the total value of payment transactions executed over the previous 12 months exceeds €1 million

Digital download

PSD1 exempts payment transactions for certain goods or services that are executed through a telecommunication, digital or IT device provider unless the relevant operator acts only as an intermediary between the payment service user and the supplier of the goods and services

PSD2 exemption only applies to payment transactions executed by providers of electronic communications networks or services that are provided in addition to electronic communication services for a subscriber to the network or service and which fall below €50 per individual transaction and a cumulative value of €300 per billing month. PSD2 also requires these providers to notify the relevant competent authorities that their activity complies with the above thresholds (accompanied by annual audit opinion)

Independent ATMs

PSD1 exempts withdrawing cash from a payment account through independent ATMs

PSD2 maintains the existing exemption and requires ATM operators to comply with specific transparency provisions with regard to withdrawal charges

14

Third Party Payment Service Providers (TPPs)

- TPPs offer the following specific services:
  - Account information service (AIS): an online service providing consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider, and/or
  - Payment initiation service (PIS): a service initiating a payment order at the request of the payment service user with respect to a payment account held at another payment service provider
- PIS providers will allow consumers that shop online to pay through a simple credit transfer from their payment account
- AIS providers shall abide by the conditions set by PSD2 for accessing the financial information of their clients on their behalf
- Existing PIS and AIS providers shall continue to operate in their territories in accordance with the currently applicable regulatory framework
- Existing and new PIS and AIS providers need to apply for authorisation/registration under PSD2

15

Cross-border Supervision & Passport

- Strengthened cooperation and information exchange between "home" and "host" state, including dispute settlement by EBA
- More detailed procedure for passport of services
- Enhanced competences for Host MS competent authority, including:
  - better monitoring of payment institution’s activities,
  - requiring immediate action / precautionary measures, in case of emergency
  - acting in case of infringement or suspected infringement of PSD2 rules
- Option for MS to require central contact point if payment institution of other MS operates with agents and branches established in its jurisdiction for communication and information purposes
- Not the same central contact point as under the 4th Anti-Money Laundering Directive (option for MS under Directive 2015/849/EU)

16

Improved Access to Payment Systems and Accounts

- Equal and transparent treatment of all payment service providers that are not (directly/indirectly) participating in payment system
- Improved access to bank accounts for payment institutions for the purpose of payment services
- Access on an objective, non-discriminatory and proportionate basis

17

Security of Payments

- Strong customer authentication (SCA) becomes a standard for all electronic payment transactions and applies to all payment service providers, including TPPs
- SCA is an authentication process that validates the identity of the user based on the use of two or more elements categorised as:
  - Knowledge (something only the user knows)
  - Possession (something only the user possesses)
  - Inherence (something the user is)
- These attributes are independent, i.e. the breach of one does not compromise the reliability of the others, and are designed in such a way as to protect the confidentiality of the authentication data
- SCA aims to reduce the risk of fraud (especially for online payments) and to protect the confidentiality of the user’s financial data (including personal data)
- In addition, for all electronic remote payment transactions, such as online payments, a dynamic link to the amount of the transaction and the account of the payee is required
- Exemptions to SCA (e.g. low value payments at the point of sale to facilitate the use of mobile and contactless payments) shall be defined by EBA based on three criteria:
  - amount/recurrence of transaction
  - level of risk
  - payment channel used
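
An added illustration, not part of the original presentation, of the two SCA properties on this slide: elements drawn from at least two different categories, and an authentication code dynamically linked to the amount and the payee account. The HMAC-SHA256 construction, the shared device key, the nonce and all function names are assumptions made for this sketch; the slide does not prescribe an algorithm.

```python
import hashlib
import hmac
from decimal import Decimal

SCA_CATEGORIES = {"knowledge", "possession", "inherence"}


def sca_satisfied(verified):
    """verified: list of (category, element) pairs the PSP has already checked.
    Two elements of the same category (e.g. PIN + password) do not count."""
    categories = {category for category, _ in verified}
    if not categories <= SCA_CATEGORIES:
        raise ValueError(f"unknown category: {sorted(categories - SCA_CATEGORIES)}")
    return len(categories) >= 2


def _encode(amount, currency, payee_account, nonce):
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    fields = [
        format(Decimal(amount).quantize(Decimal("0.01")), "f"),  # 149.9 -> 149.90
        currency.upper(),
        payee_account.replace(" ", "").upper(),
        nonce,
    ]
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def authentication_code(key, amount, currency, payee_account, nonce):
    """Code produced on the payer's device over the order the payer was shown."""
    msg = _encode(amount, currency, payee_account, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept_payment(key, verified, code, amount, currency, payee_account, nonce):
    """PSP-side check: recompute the code over the order about to be executed."""
    if not sca_satisfied(verified):
        return False
    expected = authentication_code(key, amount, currency, payee_account, nonce)
    return hmac.compare_digest(expected, code)


# Constructed sample data (not real keys or accounts).
KEY = bytes(range(32))
NONCE = "txn-0001"
PAYEE = "GR00 0000 0000 0000 0000 0000 001"
OTHER_PAYEE = "GR00 0000 0000 0000 0000 0000 002"
FACTORS = [("knowledge", "pin"), ("possession", "phone-bound key")]
SAME_CATEGORY = [("knowledge", "pin"), ("knowledge", "password")]

if __name__ == "__main__":
    code = authentication_code(KEY, "149.90", "EUR", PAYEE, NONCE)
    print("as approved:   ", accept_payment(KEY, FACTORS, code, "149.90", "EUR", PAYEE, NONCE))
    print("amount changed:", accept_payment(KEY, FACTORS, code, "1499.00", "EUR", PAYEE, NONCE))
    print("payee changed: ", accept_payment(KEY, FACTORS, code, "149.90", "EUR", OTHER_PAYEE, NONCE))
    print("one category:  ", accept_payment(KEY, SAME_CATEGORY, code, "149.90", "EUR", PAYEE, NONCE))
```

A code issued for one amount and payee fails verification if either is altered in transit, which is the property the dynamic link is meant to provide.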

18

Transparency of Payments Conditions and Charges

- Most PSD2 provisions on transparency and information requirements also apply to payment transactions in currencies of third countries even if one of the PSPs is located within the EEA, in respect of those parts of the payments transaction which are carried out in the EEA.
- PSD1 only addresses payment services where both PSPs are located within the EEA and is limited to the currencies of the EEA Member States.
- PSPs shall be held liable for their part of the improperly executed or unauthorised payment transaction that is attributable to them

19

Liability

PSD2 introduces a number of changes to the liability regime for improperly executed or unauthorised transactions. In particular:

- the maximum liability that can be imposed on a payer when not at fault for a lost, stolen or misappropriated payment instrument decreases to €50 from €150 under PSD1 (except in cases of fraud or gross negligence by the payer)
- in the case of non-execution, defective or late execution of payment transactions, the payment service provider of the payer corrects the payment transaction or without undue delay refunds the payer the relevant amount of that transaction. The value date of the corrective payment is the same as the value date in the case of correct execution. The payer or payee should not be burdened with any costs relating to the incorrect payment
- the terms governing a customer’s use of a payment instrument must be “objective, non-discriminatory and proportionate”
- where a PSP fails to use “strong customer authentication” when executing a payment transaction, it will have to bear the financial consequences of any loss resulting from any unauthorised payment transactions, even in cases of the client’s gross negligence
- liability issues between the AIS provider of the payer and the PIS provider are clarified

20

Consumer Protection

PSD2 higher security standards enhance consumers’ protection against fraud and other abuses

PSD2 establishes an unconditional refund right as a general requirement for all euro-denominated direct debit transactions in the EU. This right already exists for SEPA direct debit, i.e. direct debits in euro. Payers can request such a refund even in the case of a disputed payment transaction

The payer’s PSP will be able to block funds on the payer’s payment account only if the payer has given consent to the exact amount of the funds to be blocked and those funds should be released without undue delay after receipt by the payer’s PSP of the information concerning the exact amount of the payment transaction and at the latest immediately after receipt of the payment order (e.g. car rentals, hotel bookings, petrol stations)

21

Complaints

- Member States shall designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of PSD2
- Payment service providers that are covered by PSD2 should, for their part, put in place a complaints procedure for consumers that they can use before seeking out-of-court redress or before launching court proceedings
- The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days
- General Secretariat for Consumer Affairs: is currently the competent authority for submitting complaints with regard to alleged infringements of “Transparency” and “Rights and obligations” requirements

22

PSD2 Mandates Conferred on the EBA (1)

They comprise six technical standards, five sets of Guidelines, and a register

Table columns: Area | Mandate | Type of deliverable | Deadline

Area:
- Consumer Protection (art. 5 & 100)
- Coordination of home-host supervision (art. 27-29)

Mandate:
- Framework for the cooperation and exchange of information between Home-Host
- Co-operation and exchange of information for passport notifications between Home and Host
- Settlement of disagreements between competent authorities of Member States
- Circumstances when the appointment of a central contact point is appropriate and the functions of those contact points
- Complaints procedures
- Minimum monetary amount of professional indemnity insurance or comparable guarantee

Type of deliverable:
- Guidelines
- RTS
- RTS
- RTS
- Guidelines
- Procedure already defined in EBA Regulation

Deadline:
- 13 Jan 2017
- 13 Jan 2018
- 13 Jan 2018
- 13 Jan 2017
- 13 Jan 2018
- n/a

23

PSD2 Mandates Conferred on the EBA (2)

Table columns: Area | Mandate | Type of deliverable | Deadline

Area:
- EBA Register (art. 15 & 32)
- Authorisation of PSPs and registration of AIS (art. 5)
- Security developed in close cooperation with the ECB (art. 95, 96 & 98)

Mandate:
- Information to be provided to competent authorities in the application of the authorisation for payment institutions
- Technical requirements on development & operation of the EBA register & access of its information
- EBA shall publish on its website & update regularly a list of the names of the registered entities
- Information to be provided by CAs to EBA for compiling the web register
- EBA shall publish on its website & update regularly a list of the names of the exempted entities & services
- Improving incident reporting throughout the EU
- Establishment, implementation and monitoring of the security measures, including certification processes where relevant
- Regulatory technical standards on strong customer authentication and communication

Type of deliverable:
- Guidelines (later convertible into RTS if requested by COM)
- RTS
- Website register
- ITS
- Website register
- RTS
- Guidelines
- Guidelines (later convertible into RTS if requested by COM)

Deadline:
- 13 Jan 2018
- No deadline mentioned
- 13 Jul 2017
- No deadline mentioned
- 13 Jul 2017
- 13 Jan 2017
- 13 Jan 2018
- 13 Jul 2017

24

EBA Mandates and their Timelines

[Timeline figure. Axis: Jan 2016, Jan 2017, July 2017, Jan 2018, Sep 2018]

Entry into force of PSD 2: 13 January 2016

Milestones: 13 January 2016 + 12 months; 13 January 2016 + 18 months; 13 January 2016 + 24 months (Incl. all EBA mandates, except bottom row)

EBA deliverable:
- RTS on Strong Authentication & Secure Communication
- RTS Central Contact Points
- GL on PI Insurance for PSPs
- RTS & ITS on EBA register
- GL on PI authorisation
- GL on Security measures
- GL on complaints procedures
- RTSs on Passporting notification & on information exchange
- GL on incident reporting

Draft RTS submitted to EU COM (Entry into force of RTS: 18 months after EU COM adoption, i.e. not before Sep. 2018)

Consultation period: 11 Dec 2015 - 11 Mar 2016

Discussion paper: 8 Dec 2015 - 8 Feb 2016

25

Transitional Provisions

Grandfathering clause

- payment institutions: continue operations until 13 July 2018
- payment institutions that benefited from the PSD1 waiver (art. 26 thereof): continue operations until 13 January 2019

Rules for continuing operations

- In order to operate after these deadlines, existing payment service providers need to submit a new application for authorisation in accordance with PSD2 criteria or to benefit from a waiver under PSD2. Otherwise the license is revoked
- Member States may decide to automatically grant PSD2 authorisation if the competent authority possesses evidence that a payment institution complies with PSD2 requirements

26

Transitional Provisions for TPPs

- PIS and AIS providers that are already established may continue to perform their activities in their jurisdictions according to the applicable framework
- All PIS and AIS providers to apply for authorisation/registration once PSD2 becomes applicable
- PIS and AIS providers will comply with new security measures of PSD2 once these become applicable and implemented by banks