Speech by Sissy Papagiannidou, Director of the Banking Supervision Department, Bank of Greece, at the Digital Finance Forum 2016
More information: http://digitalfinance.ethosevents.eu/
1. 1
Payment Services Directive (PSD2)
S. Papagiannidou, Director
Banking Supervision Department
Bank of Greece
Athens, 31 May 2016
2. 2
Overview of EU and Greek Legal Framework
EU
Directive 2007/64/EC of the European Parliament and of the Council of November 13th, 2007, on
payment services in the internal market - Payment Services Directive (PSD1)
Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on
payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and
2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2)
Greece
Greek Law 3862/13 July 2010 on payment services (transposing PSD1)
Bank of Greece Governor’s Act 2628/30 September 2010 on the authorisation & prudential
supervision of Payment Institutions
Bank of Greece Executive Committee Act 33/19 December 2013 “Terms and conditions of
authorisation and supervisory rules of electronic money institutions”
Bank of Greece Executive Committee Act 59/18 January 2016 “Adoption of the EBA Guidelines
on the security of internet payments (EBA/GL/2014/12)”
Bank of Greece Governor’s Act 2577/9 March 2007 “Framework of operational principles and
criteria for the evaluation of the organisation and internal control systems of credit and financial
institutions and relevant powers of their management bodies” (on a proportionate basis)
3. 3
Objectives PSD1
Created a modern and comprehensive set of rules applicable
to all payment services in the EU and improved competition by
regulating payment services and opening up payment markets
to new entrants
It harmonised terms and conditions across the EU for
payments
It provided for clear rules for a new category of payment
service providers, established by the Directive called Payment
Institutions (PIs)
It enhanced consumer protection and set minimum service
levels
4. 4
Main Areas of Innovation in European Retail
Payments since PSD1 Adoption
The retail payments market has experienced significant technical innovation
Rapid growth in the number of electronic and mobile payments
Emergence of new types of payment services in the market place (instant
payments, P2P mobile payments, mobile and card based contactless proximity
payments)
Market developments have given rise to significant challenges from a regulatory
perspective, in particular:
Many innovative payment products or services do not fall within the scope of
PSD1
Elements excluded from PSD1 scope, such as certain payment-related
activities, have proved in some cases to be too general, resulting in legal
uncertainty, potential security risks in the payment chain and a lack of
consumer protection
Difficulty for payment service providers to launch innovative, safe and easy-
to-use digital payment services
5. 5
PSD2 timeline
EU COM releases PSD2 proposal
Compromise text approved by Trilogue
Political agreement
EU Parliament adopts PSD2
Publication in EU Official Journal
Transposition of PSD2 to national legislation*
*13 Jan 2018 (2 years after entry into force) - except for the security measures referred to in Articles 65, 66, 67
and 97 which shall enter into force 18 months after the adoption by the Commission of the EBA RTS (not before
September 2018)
6. 6
PSD2 - Aims & Objectives (1)
Extension of scope: new payment services established, i.e. Payment
Initiation Services (PIS) & Account Information Services (AIS)
Inclusion of new players: providers of such services that have to be
licensed/registered, i.e. third party payment service providers (“TPPs”)
Broadening geographical scope to "one leg" transactions: including
payments to and from third countries (where one of the payment service
providers is located in the EU). PSD1 applies only to intra-EU payments
Applying in all currencies: the same rules will apply to payments that are
made in a currency that is not denominated in Euro or in another Member
State's currency
Clarification and extension of definitions
Update and narrowing down of the negative scope: ensure a level playing
field and enhance consumer protection. PSD1 exclusions have been applied
by Member States in different ways leading to regulatory arbitrage and legal
uncertainty
7. 7
PSD2 - Aims & Objectives (2)
Establishing safer and more innovative payment services across the EU that
is moving towards a digital economy
Enhancing consumer protection
Improving the security requirements for payments
Increasing competition in terms of lower fees for the services offered,
increasing efficiency and the choice of products for users (both consumers
and merchants)
Further harmonisation of the European payments landscape from a
regulatory perspective
Reinforced supervision on a cross border context (including passport
provisions)
Safeguarding (greater harmonisation)
Contributing to a more integrated and efficient European payments market
Offers business opportunities for established and new markets participants to
improve, enlarge, or re-engineer current product service offerings (e.g. AIS
providers’ clients can have a global view on their payment accounts from one
place, “cross-bank”, “cross-product”, “cross-sell” opportunities are created)
9. 9
Main Areas of Impact of PSD2 on EMD2
PSD2 areas of impact on EMD2:
Scope: e.g. limited network exclusion
Services: licensing, supervision & passport
Accounts: better access to bank accounts
Systems: better access to payment systems
Payments: enhanced security of payments
10. 10
Potential Implications of PSD2
PSD2 will inevitably result in companies having to make changes:
System changes
Document and process changes
Changes to accommodate new payment services
EBA standards
Big impact to existing account holding PSPs
Existing account holding PSPs may get less interaction with their
customer
Payment schemes, merchant acquirers and card issuers will face
greater competition
11. 11
Payment Institutions’ Authorisation (1)
Authorisation requirements are largely the same as set out in PSD1.
Additional security requirements are established
- Internal Governance
- Safeguarding Requirement
- Business Plan
- Fit & Proper Tests for shareholders, BoD Members
- Security Requirements
- Money Laundering
- Initial Capital:
  - €20,000 for remittances
  - €50,000 for PIS
  - no initial capital for AIS
  - €125,000 for all other payment services
Bank of Greece: competent authority for licensing and supervising credit
institutions, payment institutions, e-money institutions
12. 12
Payment Institutions’ Authorisation (2)
License to be granted in MS in which entity has its head office and
carries out at least part of its payment service business
Public central EBA register for licensed entities, their agents and
branches
Limited networks and telecom operators offering payment services to
notify their activities even though not licensed
Waiver regime: option for MS to apply a lighter authorisation regime for
entities of monthly payment transactions below €3 million (or lighter)
13. 13
Negative Scope
Exclusion: PSD1 compared with PSD2
Commercial agent
PSD1 exempts payment transactions from the
payer to the payee through a commercial agent
authorised to negotiate or conclude the sale or
purchase of goods or services on behalf of the
payer or the payee
PSD2 amends this exemption so that it only applies to a
commercial agent that acts on behalf of either the payer or
the payee, but not an agent that acts for both
Limited network
PSD1 exempts payment services based on
instruments that can be used to acquire goods
or services only in the premises used by the
issuer or under a commercial agreement with
the issuer either within a limited network of
service providers or for a limited range of goods
or services
PSD2 requires the relevant instrument to be a “specific
payment instrument” and the range of goods or services
that can be acquired using that instrument to be “very”
limited. PSD2 also requires service providers relying on this
exemption to notify their relevant competent authorities where
the total value of payment transactions executed over the
previous 12 months exceeds €1 million
Digital download
PSD1 exempts payment transactions for certain
goods or services that are executed through a
telecommunication, digital or IT device provider
unless the relevant operator acts only as an
intermediary between the payment service user
and the supplier of the goods and services
PSD2 exemption only applies to payment transactions
executed by providers of electronic communications networks
or services that are provided in addition to electronic
communication services for a subscriber to the network or
service and which fall below €50 per individual transaction
and a cumulative value of €300 per billing month.
PSD2 also requires these providers to notify the relevant
competent authorities that their activity complies with the
above thresholds (accompanied by annual audit opinion)
Independent ATMs
PSD1 exempts withdrawing cash from a
payment account through independent ATMs
PSD2 maintains the existing exemption and requires ATM
operators to comply with specific transparency provisions with
regard to withdrawal charges
14. 14
Third Party Payment Service Providers (TPPs)
TPPs offer the following specific services:
– Account information service (AIS): an online service providing
consolidated information on one or more payment accounts held by the
payment service user with either another payment service provider or with
more than one payment service provider, and/or
– Payment initiation service (PIS): a service initiating a payment order at the
request of the payment service user with respect to a payment account held
at another payment service provider
PIS providers will allow consumers that shop online to pay through a simple
credit transfer from their payment account
AIS providers shall abide by the conditions set by PSD2 for accessing the
financial information of their clients on their behalf
Existing PIS and AIS providers shall continue to operate in their territories in
accordance with the currently applicable regulatory framework
Existing and new PIS and AIS providers need to apply for
authorisation/registration under PSD2
15. 15
Cross-border Supervision & Passport
Strengthened cooperation and information
exchange between "home" and "host" state,
including dispute settlement by EBA
More detailed procedure for passport of
services
Enhanced competences for Host MS
competent authority, including:
- better monitoring of payment institution’s activities,
- requiring immediate action / precautionary measures, in case of
emergency
- acting in case of infringement or suspected infringement of PSD2 rules
Option for MS to require central contact point if payment institution of other
MS operates with agents and branches established in its jurisdiction for
communication and information purposes
Not the same central contact point as under the 4th Anti-Money Laundering
Directive (option for MS under Directive 2015/849/EU)
16. 16
Improved Access to Payment Systems and
Accounts
Equal and transparent treatment of all payment service providers that
are not (directly/indirectly) participating in payment system
Improved access to bank accounts for payment institutions for the
purpose of payment services
Access on an objective, non-discriminatory and proportionate basis
17. 17
Security of Payments
Strong customer authentication (SCA) becomes a standard for all electronic payment
transactions and applies to all payment service providers, including TPPs
SCA is an authentication process that validates the identity of the user based on the use
of two or more elements categorised as:
Knowledge (something only the user knows)
Possession (something only the user possesses)
Inherence (something the user is)
These attributes are independent, i.e. the breach of one does not compromise the
reliability of others, and are designed in such a way as to protect the confidentiality of the
authentication data
SCA aims to reduce the risk of fraud (especially for online payments) and to protect
the confidentiality of the user’s financial data (including personal data)
In addition, for all electronic remote payment transactions, such as online payments, a
dynamic link to the amount of the transaction and the account of the payee is required
Exemptions to SCA (e.g. low value payments at the point of sale to facilitate the use of
mobile and contactless payments) shall be defined by EBA based on three criteria:
amount/recurrence of transaction
level of risk
payment channel used
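An added illustration, not part of the original presentation: a sketch of the two properties on this slide, elements from at least two different categories and an authentication code dynamically linked to the amount and the payee. PSD2 does not prescribe a mechanism; the HMAC construction, the function names, the canonical encoding and all sample values are assumptions.

```python
import hashlib
import hmac
from decimal import Decimal

CATEGORIES = {"knowledge", "possession", "inherence"}

def satisfies_sca(verified):
    """verified: (category, element) pairs that passed verification.
    SCA requires elements from at least two different categories."""
    cats = {category for category, _ in verified}
    if cats - CATEGORIES:
        raise ValueError(f"unknown category: {sorted(cats - CATEGORIES)}")
    return len(cats) >= 2

def canonical(amount, currency, payee):
    """Encode amount and payee identically on both sides (hypothetical format)."""
    payee = payee.replace(" ", "").upper()
    if not (len(currency) == 3 and currency.isalpha() and payee.isalnum()):
        raise ValueError("malformed currency or payee account")
    amt = Decimal(amount).quantize(Decimal("0.01"))
    return f"{amt}|{currency.upper()}|{payee}".encode()

def auth_code(key, nonce, amount, currency, payee):
    """Authentication code bound to this amount and this payee."""
    msg = nonce + b"|" + canonical(amount, currency, payee)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authorise(key, nonce, code, amount, currency, payee, verified):
    """Accept only if SCA was performed and the code matches the transaction
    the provider is about to execute."""
    if not satisfies_sca(verified):
        return False
    expected = auth_code(key, nonce, amount, currency, payee)
    return hmac.compare_digest(expected, code)

# Constructed sample values, not real keys or accounts.
KEY = bytes(32)
NONCE = b"constructed-nonce-0001"
PAYEE = "GR00 0000 0000 0000 0000 0000 000"
TWO_FACTORS = [("knowledge", "PIN"), ("possession", "registered phone")]

if __name__ == "__main__":
    code = auth_code(KEY, NONCE, "49.90", "EUR", PAYEE)
    print(authorise(KEY, NONCE, code, "49.90", "EUR", PAYEE, TWO_FACTORS))    # True
    print(authorise(KEY, NONCE, code, "4990.00", "EUR", PAYEE, TWO_FACTORS))  # False
```

A code approved for one amount and payee fails verification if either is altered afterwards, and two elements from the same category (for example a PIN and a password) do not satisfy the check.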
18. 18
Transparency of Payments Conditions and
Charges
Most PSD2 provisions on transparency and information requirements
also apply to payment transactions in currencies of third countries even if one
of the PSPs is located within the EEA, in respect of those parts of the
payments transaction which are carried out in the EEA.
PSD1 only addresses payment services where both PSPs are located within
the EEA and is limited to the currencies of the EEA Member States.
PSPs shall be held liable for their part of the improperly executed or
unauthorised payment transaction that is attributable to them
19. 19
Liability
PSD2 introduces a number of changes to the liability regime for improperly
executed or unauthorised transactions. In particular:
the maximum liability that can be imposed on a payer when not at fault for a lost,
stolen or misappropriated payment instrument decreases to €50 from €150 under
PSD1 (except in cases of fraud or gross negligence by the payer)
in the case of non-execution, defective or late execution of payment transactions,
the payment service provider of the payer corrects the payment transaction or
without undue delay refunds the payer the relevant amount of that transaction. The
value date of the corrective payment is the same as the value date in the case of
correct execution. The payer or payee should not be burdened with any costs
relating to the incorrect payment
the terms governing a customer’s use of a payment instrument must be “objective,
non-discriminatory and proportionate”
where a PSP fails to use “strong customer authentication” when executing a
payment transaction, it will have to bear the financial consequences of any loss
resulting from any unauthorised payment transactions, even in cases of the client’s
gross negligence
liability issues between the AIS provider of the payer and the PIS provider are
clarified
20. 20
Consumer Protection
PSD2 higher security standards enhance consumers’
protection against fraud and other abuses
PSD2 establishes an unconditional refund right as a
general requirement for all euro-denominated direct debit
transactions in the EU. This right already exists for SEPA
direct debit, i.e. direct debits in euro. Payers can request such
a refund even in the case of a disputed payment transaction
The payer’s PSP will be able to block funds on the payer’s
payment account only if the payer has given consent to the
exact amount of the funds to be blocked and those funds
should be released without undue delay after receipt by the
payer’s PSP of the information concerning the exact amount
of the payment transaction and at the latest immediately after
receipt of the payment order (e.g. car rentals, hotel bookings,
petrol stations)
21. 21
Complaints
Member States shall designate competent authorities to handle complaints of
payment service users and other interested parties, such as consumer
associations, concerning an alleged infringement of PSD2
Payment service providers that are covered by PSD2 on their side should put in
place a complaints procedure for consumers that they can use before seeking
out-of-court redress or before launching court proceedings
The new rules will oblige payment service providers to answer in written form to
any complaint within 15 business days
The General Secretariat for Consumer Affairs is currently the competent authority
for submitting complaints with regard to alleged infringements of “Transparency”
and “Rights and obligations” requirements
22. 22
PSD2 Mandates Conferred on the EBA (1)
They comprise six technical standards, five sets of Guidelines, and a register
Area: Consumer Protection (art. 5 & 100)
- Mandate: Minimum monetary amount of professional indemnity insurance or comparable guarantee. Type of deliverable: Guidelines. Deadline: 13 Jan 2017
- Mandate: Complaints procedures. Type of deliverable: Guidelines. Deadline: 13 Jan 2018
Area: Coordination of home-host supervision (art. 27-29)
- Mandate: Framework for the cooperation and exchange of information between Home - Host. Type of deliverable: RTS. Deadline: 13 Jan 2018
- Mandate: Co-operation and exchange of information for passport notifications between Home and Host. Type of deliverable: RTS. Deadline: 13 Jan 2018
- Mandate: Settlement of disagreements between competent authorities of Member States. Procedure already defined in EBA Regulation. Deadline: n/a
- Mandate: Circumstances when the appointment of a central contact point is appropriate and the functions of those contact points. Type of deliverable: RTS. Deadline: 13 Jan 2017
23. 23
PSD2 Mandates Conferred on the EBA (2)
Area: Authorisation of PSPs and registration of AIS (art. 5)
- Mandate: Information to be provided to competent authorities in the application of the authorisation for payment institutions. Type of deliverable: Guidelines (later convertible into RTS if requested by COM). Deadline: 13 Jul 2017
Area: EBA Register (art. 15 & 32)
- Mandate: Technical requirements on development & operation of the EBA register & access of its information. Type of deliverable: RTS. Deadline: 13 Jan 2018
- Mandate: EBA shall publish on its website & update regularly a list of the names of the registered entities. Type of deliverable: Website register. Deadline: No deadline mentioned
- Mandate: Information to be provided by CAs to EBA for compiling the web register. Type of deliverable: ITS. Deadline: 13 Jul 2017
- Mandate: EBA shall publish on its website & update regularly a list of the names of the exempted entities & services. Type of deliverable: Website register. Deadline: No deadline mentioned
Area: Security, developed in close cooperation with the ECB (art. 95, 96 & 98)
- Mandate: Regulatory technical standards on strong customer authentication and communication. Type of deliverable: RTS. Deadline: 13 Jan 2017
- Mandate: Improving incident reporting throughout the EU. Type of deliverable: Guidelines. Deadline: 13 Jan 2018
- Mandate: Establishment, implementation and monitoring of the security measures, including certification processes where relevant. Type of deliverable: Guidelines (later convertible into RTS if requested by COM). Deadline: 13 Jul 2017
24. 24
EBA Mandates and their Timelines
[Timeline figure; time axis: Jan 2016, Jan 2017, July 2017, Jan 2018, Sep 2018; legend: RTS, ITS]
Entry into force of PSD 2: 13 January 2016
Deadline markers: 13 January 2016 + 12 months; 13 January 2016 + 18 months; 13 January 2016 + 24 months (incl. all EBA mandates, except bottom row)
EBA deliverables shown:
- RTS on Strong Authentication & Secure Communication
- RTS Central Contact Points
- GL on PI Insurance for PSPs
- RTS & ITS on EBA register
- GL on PI authorisation
- GL on Security measures
- GL on complaints procedures
- RTSs on Passporting notification & on information exchange
- GL on incident reporting
Annotations: Draft RTS submitted to EU COM (entry into force of RTS: 18 months after EU COM adoption, i.e. not before Sep. 2018); Consultation period: 11 Dec 2015 - 11 Mar 2016; Discussion paper: 8 Dec 2015 - 8 Feb 2016
25. 25
Transitional Provisions
Grandfathering clause
payment institutions: continue operations until 13 July 2018
payment institutions that benefited from the PSD1 waiver
(art. 26 thereof): continue operations until 13 January 2019
Rules for continuing operations
In order to operate after these deadlines, existing payment
service providers need to submit a new application for
authorisation in accordance with PSD2 criteria or to
benefit from a waiver under PSD2. Otherwise the license is
revoked
Member States may decide to automatically grant PSD2
authorisation if the competent authority possesses
evidence that a payment institution complies with PSD2
requirements
26. 26
Transitional Provisions for TPPs
PIS and AIS providers that are already established may continue to perform
their activities in their jurisdictions according to the applicable framework
All PIS and AIS providers to apply for authorisation/registration once PSD2
becomes applicable
PIS and AIS providers will comply with new security measures of PSD2 once
these become applicable and implemented by banks