Legal framework - PSD2
The rapid development in the payments market as well as the introduction of new technologies and a host of innovative business models as a result of digitalisation have led to a need for adjustments. The revised Payment Services Directive 2, or PSD 2 (Directive (EU) 2015/2366), was therefore adopted at the end of 2015, containing a number of regulations designed to increase security in payment transactions and enable more competition. The PSD 2 must be implemented by the German legislature into German law by 13 January 2018.
One of the core elements of PSD 2 is the inclusion of "third-party providers" – which provide payment initiation services, account information services and payment card issuance services – within the scope of the Directive. A payment initiation service is a service requested by the payer to initiate a credit transfer from his/her payment account held with another payment service provider (eg a credit institution). An account information service provides an account holder with consolidated information about his/her payment accounts held with one or more payment service providers. Third-party card issuance means that third parties are now able to issue cards without managing the payment account to which the card transactions are charged. PSD 2 regulates the access of "third-party providers" to the payment accounts held with the payment service providers managing the account.
The security of payment transactions is enhanced by the requirement of so-called "strong customer authentication". This obligation is based on the recommendations of the European Forum on the Security of Retail Payments concerning the security of internet payments, and prescribes that authentication should occur using a combination of two factors from the categories "knowledge" (eg password, code, PIN), "possession" (eg token, smartphone) and "inherence" (eg fingerprint, voice recognition). More detailed guidelines on the issue of strong customer authentication and secure communication between the parties involved have been drafted by the European Banking Authority (EBA) in the form of "regulatory technical standards" (RTS) and will be enacted by the European Commission. These RTSs, which also include possible exemptions from the application of strong customer authentication, must be adhered to by payment service providers 18 months after their entry into force.
Furthermore, the consumer protection rules have been strengthened. For example, the maximum amount for which a payer can be made liable in the event that his/her payment card is lost, stolen or misappropriated (with the exception of cases of fraud and gross negligence) has been lowered from the previous amount of €150 to €50.
The European legislature has also stipulated that consumers have an eight-week unconditional right of reimbursement on direct debits. In Germany, this right of return has traditionally been regulated in the terms and conditions of business, and it already applies throughout Europe for SEPA core direct debits.
Up until now, the Payment Services Directive applied only to payments in EU/EEA currencies between payment service providers domiciled in the EU/EEA. These restrictions are now being lifted: PSD 2 also applies to payments in non-EU/EEA currencies (eg US dollar and pound sterling) and also in cases where a payment service provider is domiciled outside the EU/EEA (eg in Switzerland or the United States). However, for such payments, some of the provisions contained in the PSD are excluded or restricted to the parts of the payment chain that occur within the EU/EEA.