On 13 January 2018, the second Payment Services Directive (PSD2) was transposed into German national law. The Act implementing the second Payment Services Directive (Zahlungsdiensteumsetzungsgesetz, ZDUG) took account of the regulatory framework in the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) and the civil law provisions in the German Civil Code (Bürgerliches Gesetzbuch, BGB). In addition, it was necessary to make subsequent changes to other laws, such as the German Banking Act (Kreditwesengesetz, KWG). The PSD2 is an EU Directive on the regulation of payment services and payment service providers. It aims to:
- improve the security of payment transactions;
- enhance consumer protection;
- foster innovation;
- increase competition on the market.
The PSD2 applies to payments in EU/EEA currencies between payment service providers domiciled in the EU/EEA. Furthermore, in some cases, it also applies to payments in non-EU/EEA currencies (e.g. US dollar or pound sterling) and to payment service providers domiciled outside the EU/EEA (e.g. in Switzerland or the United States).
The PSD2 is to be implemented in two phases. The first phase took place on 13 January 2018 and included reducing the maximum liability for unauthorised card payments irrespective of culpability, introducing the prohibition on surcharging and extending the Directive’s scope to include non-EU/EEA currencies. Further details on the strong customer authentication requirement and on opening up payment accounts for “third parties” can be found in the European Commission’s Regulatory Technical Standards (RTS). These come into force in the second implementation phase, which begins on 14 September 2019.
How will the PSD2 affect consumers, retailers and payment service providers?
PSD2 and consumers
With the PSD2, there are clear regulations on the use of payment initiation services for initiating online credit transfers and on account information services for querying and evaluating account details. This means, for instance, that you do not also need to log in to your online banking account with your credit institution when making a purchase online, but can instead authorise the payment via a payment initiation service provided on the retailer’s website. Using an account information service enables you to have a complete overview of the balances and transactions on all of your accounts at different banks.
However, in order for payment initiation service providers and account information service providers to be able to offer their services, they require your permission and access to your account. The PSD2 governs the access of “third-party payment service providers” to the payment accounts held with the payment service providers managing the account. These third-party service providers are only granted access if you, as the account holder, give them your express permission.
Nothing will change without your express permission: no payments will be made and no third-party payment service providers will have access to your account details!
A payment initiation service is a service requested by the payer to initiate a credit transfer from their payment account held with another payment service provider (e.g. credit institution). Generally, the payment initiation service is offered as a payment option on the retailer’s website. It confirms to the retailer that the transfer has been made so that they can dispatch the goods, for example.
An account information service provides an account holder with consolidated information about their payment accounts held with one or more payment service providers. In addition, an account information service can also be used, for example, to check whether an account has sufficient funds so that other services (e.g. loans) can be offered on this basis.
Furthermore, as of 14 September 2019, the PSD2 introduces the obligation to carry out what is known as “strong customer authentication” (SCA). For you, this means greater security in payment transactions. As a rule, online and card payments must now be confirmed using a combination of two independent authentication factors from the categories “knowledge”, “possession”, and “inherence”.
- Knowledge factors (e.g. PIN, password ...)
- Possession factors (e.g. mobile phone, card, TAN generator ...)
- Inherence factors (e.g. fingerprint ...)
This means that, in the future, when making a payment online or when logging in to online banking, for instance, you will have to enter a TAN in addition to your user ID and PIN. Only TAN procedures that generate a new TAN for every transaction (dynamic TAN procedure) will be permitted.
Specific details on the requirements of strong customer authentication can be found in Commission Delegated Regulation (EU) 2018/389.
As a consumer, the PSD2 provides you with greater protection against misuse and fraud in card payments. The maximum amount for which a payer can be made liable in the event that their payment card is lost, stolen or misappropriated has been lowered from €150 to €50. In addition, unauthorised payments (e.g. in cases of fraud) must be refunded to the payer’s account within one bank working day.
The PSD2 has increased the transparency of reserved card payments where the exact payment amount is not determined until a later point in time. For example, if a hotel or a car hire company reserves a certain amount on the card account when a booking is made, this “blocking” of funds now requires your express consent. Furthermore, the block must be lifted as soon as the exact payment amount has been determined.
PSD2 and retailers
The PSD2 also has an impact on you as a retailer. Due to the opening of account interfaces for third-party service providers, innovative (online) payment methods from new providers will now be available to you. This will allow you to offer your customers a wider range of payment options for online purchases. Payment service providers’ obligation to carry out strong customer authentication for online payments results in greater security against attempts at fraud. Due to the surcharge ban, consumers may not be charged additional fees for payments by card, credit transfer, or direct debit.
PSD2 and payment service providers
With the PSD2, third-party providers that were previously unregulated are now classified as payment service providers and therefore fall within the Directive’s scope of applicability. Third-party payment service providers can offer payment initiation services, account information services, and payment cards where payments are debited from accounts held with other payment service providers. Third-party payment service providers are now subject to supervision and monitoring by the Federal Financial Supervisory Authority (BaFin) or, in other EU Member States, by the relevant national supervisory authority. Credit institutions also have the right to begin operating as payment initiation service providers, account information service providers or third-party issuers.
The PSD2 gives payers the right to use third-party payment service providers and obligates the account servicing payment service provider to provide the third-party payment service provider with a (dedicated) interface that can be used to initiate transfers (e.g. to online retailers), download account information, or query available card funds.
A list of third-party payment service providers authorised by the Federal Financial Supervisory Authority (BaFin) is available on the BaFin website (only in German).
Payment institutions domiciled abroad are registered by the supervisory authorities in the respective country. These registers are also available online.