What you need to know?
14 September 2018
With just a few months to go, PSD2 brings with it a number of implementation challenges, not least in relation to the new regime for third party payment service providers, or TPPs. Here, we look at what firms implementing the new requirements need to know.
The revised Payment Services Directive (PSD2) overhauls the existing EU framework for the regulation of payment services under the original Payment Services Directive (PSD1). It broadens the scope of payment services regulation in the EU and brings third party payment service providers (TPPs) within scope of regulation for the first time. It also introduces changes to conduct of business requirements aimed at improving consumer protection and competition and changes to security and transparency requirements.
It is the result of a number of drivers, including the need to catch up with technology developments, a desire to increase competition in the payments market and to enable new fintech businesses to provide payment services, and the need to react to the increased threat of cyber attack. The need to strike a balance between these sometimes competing aims of innovation, competition and security has been a common theme throughout the development of PSD2, most notably in relation to the regulation of TPPs and the development of regulatory technical standards that will govern their ability to access payment accounts and data held with banks and other account providers.
PSD2 entered into force on 12 January 2016 and must be transposed into Member States' national laws and regulations by 13 January 2018. Therefore, payment service providers will need to promptly assess the potential impact of PSD2 on their business and, if they have not done so already, swiftly take the steps necessary to implement any resulting changes to documentation, systems and processes by 13 January 2018.
RTS and guidelines
PSD2 empowers the European Banking Authority (EBA) to draft regulatory technical standards (RTS) and guidelines, including RTS on strong customer authentication (SCA) and secure communication (CSC), guidelines on authorisation and registration under PSD2, guidelines on security measures for operational and security risks, guidelines on major incident reporting and guidelines on fraud reporting requirements.
Work on many of these measures is ongoing and in some cases, firms may have only a short implementation timeframe after they are finalised. For example, the EBA is currently consulting on its fraud reporting requirements guidelines and has not yet published final guidelines on security measures for operational and security risks, although both sets of guidelines are expected to apply from 13 January 2018. On the other hand, whilst the RTS on SCA and CSC are not yet finalised, they are expected to apply 18 months after publication in the Official Journal.
Member State implementation
The fact that PSD2 is a Directive, which needs to be transposed into national law in each Member State, has a number of consequences for firms seeking to implement its requirements.
Firstly, there is a risk that not all Member States will transpose PSD2 into national law by the deadline of 13 January 2018. For example, Sweden has recently confirmed that it does not intend to implement PSD2 until May 2018. Therefore, in some jurisdictions, existing rules under PSD1 may continue to apply past 13 January 2018.
Even for jurisdictions that do meet the transposition deadline, firms may have only a short period between publication of the final legislation and rules implementing PSD2 and application of the relevant requirements. As at September 2017, only around half of Member States had published implementing measures. In the UK, whilst the final Payment Services Regulations 2017 have been published, the FCA has not yet published final Handbook changes or its final approach document. In the absence of final implementing legislation and rules in many Member States, firms may need to base their implementation plans on the text of PSD2 itself, or on draft implementing legislation and rules, if available.
This timing issue is compounded by the fact that PSD2 allows Member States to exercise various options and discretions when implementing its requirements. Some Member States may also decide to "gold plate" PSD2 requirements, by applying PSD2 standards more widely and/or imposing requirements that go beyond those set out in PSD2.
Next steps and key implementation areas
If they have not done so already, firms should promptly identify the practical steps they will need to take in order to implement PSD2. The first step will be to identify changes that are absolutely necessary for 13 January 2018 and those that are not.
Key implementation areas are likely to include:
- technology and systems build, for example development of an open application programming interface (API) for TPP access;
- client documentation changes, for example to take into account the increased scope of PSD2 and to reflect changes to security requirements;
- client communications, including notifications about a refusal to allow a TPP access or a security incident that might impact the client's financial interests;
- policies and procedures, including a security policy, procedures for incident reporting and dispute resolution procedures; and
- reauthorisation requirements for authorised payment institutions, with more information required as part of the application.
Firms will also need to consider how each relevant Member State intends to implement PSD2, to ensure their implementation plans take into account the way in which these Member States are exercising any options and discretions, as well as any gold plating. Since this may not be known until a relatively late stage, firms may need to keep this under review and build a level of flexibility into their implementation plans to allow them to adapt to the way in which different Member States decide to implement PSD2.
Following implementation, firms may also wish to carry out a benchmarking exercise, to ensure that their approach to implementation, for example in relation to client documentation, is not out of step with the market.
Read the full Clifford Chance briefing, including a more detailed analysis of the changes being introduced under PSD2 and the implications of these changes for firms seeking to implement PSD2.