Legal provisions of COM(2023)367 - Payment services in the internal market - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2023)367 - Payment services in the internal market. |
|---|---|
| document | COM(2023)367 |
| date | June 28, 2023 |
TITLE I
SUBJECT MATTER, SCOPE AND DEFINITIONS
Article 1
Subject matter
1. This Regulation lays down uniform requirements on the provision of payment services and electronic money services, as regards:
(a) the transparency of conditions and information requirements for payment services and electronic money services;
(b) the respective rights and obligations of payment and electronic money service users, and of payment and electronic money service providers in relation to the provision of payment services and electronic money services.
2. Unless specified otherwise, any reference to payment services shall be understood in this Regulation as meaning payment and electronic money services.
3. Unless specified otherwise, any reference to payment service providers shall be understood in this Regulation as meaning payment service providers and electronic money service providers.
Article 2
Scope
1. This Regulation applies to payment services provided within the Union by the following categories of payment service providers:
(a) credit institutions as defined in Article 4(1), point (1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council61, including branches thereof where such branches are located in the Union, whether the head offices of those are located within the Union or outside the Union;
(b) post office giro institutions which are entitled under national law to provide payment services;
(c) payment institutions;
(d) the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities;
(e) Member States or their regional or local authorities when not acting in their capacity as public authorities.
2. This Regulation does not apply to the following services:
(a) payment transactions made exclusively in cash directly from the payer to the payee, without any intermediary intervention;
(b) payment transactions from the payer to the payee through a commercial agent, as defined in Article 1(2) of Directive 86/653/EEC, provided that all of following conditions are met : i) the commercial agent is authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee, but not both of them, irrespective of whether or not the commercial agent is in the possession of the client’s funds, and ii) such agreement gives the payer or the payee a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services;
(c) payment transactions consisting of the non-professional cash collection and delivery within the framework of a non-profit or charitable activity;
(d) services where cash is provided by the payee to the payer as part of a payment transaction for the purchase of goods and services, following an explicit request by the payment service user just before the execution of the payment transaction;
(e) services where cash is provided in retail stores following an explicit request by the payment service user but independently of the execution of any payment transaction and without any obligation to make a purchase of goods and services. The payment service user shall be provided with information on any possible charges for this service before the requested cash is provided;
(f) payment transactions based on any of the following documents drawn on the payment service provider to place funds at the disposal of the payee:
(i) paper cheques governed by the Geneva Convention of 19 March 1931 providing a uniform law for cheques;
(ii) paper cheques similar to those referred to in point (i) and governed by the laws of Member States which are not party to the Geneva Convention of 19 March 1931 providing a uniform law for cheques;
(iii) paper-based drafts referred to in the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes;
(iv) paper-based drafts similar to those referred to in point (iii) and governed by the laws of Member States which are not party to the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes;
(v) paper-based vouchers;
(vi) paper-based traveller’s cheques;
(vii) paper-based postal money orders as defined by the Universal Postal Union;
(g) payment transactions carried out within a payment or securities settlement system between settlement agents, central counterparties, clearing houses or central banks and other participants of the system, and payment service providers, without prejudice to Article 31;
(h) payment transactions related to securities asset servicing, including dividends, income or other distributions, or redemption or sale, carried out by persons as referred to in point (g) or by investment firms, credit institutions, collective investment undertakings or asset management companies providing investment services and any other entities allowed to have the custody of financial instruments;
(i) without prejudice to Article 23(2), and Articles 58 and 87, services provided by technical service providers;
(j) services based on specific payment instruments that meet one of the following conditions:
(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a single limited network of service providers under direct commercial agreement with a professional issuer;
(ii) instruments which can be used only to acquire a very limited range of goods or services;
(iii) instruments valid only in a single Member State, which are provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer;
(k) payment transactions by a provider of electronic communications networks as defined in Article 2, point (1), of Directive (EU) 2018/1972 of the European Parliament and of the Council62, or services provided in addition to electronic communications services as defined in Article 2, point (4), of that Directive to a subscriber to the network or service:
(i) to purchase digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or
(ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets;
provided that the value of any single payment transaction does not exceed EUR 50 and:
- the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or
- where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month;
(l) payment transactions carried out between payment service providers, their agents or branches for their own account;
(m) payment transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a payment service provider other than an undertaking belonging to the same group, and the collection of payment orders on behalf of a group by a parent undertaking or its subsidiary for onward transmission to a payment service provider.
3. Titles II and III apply to payment transactions in the currency of a Member State where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the Union.
4. Title II, except for Article 13(1), point (b) , Article 20, point (2)(e) and Article 24, point (a), and Title III, except for Articles 67 to 72, apply to payment transactions in a currency that is not the currency of a Member State, where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the Union, in respect to those parts of the payments transaction which are carried out in the Union.
5. Title II, except for Article 13(1), point (b), Article 20, point (2)(e) and point (5)(h) and Article 24, point (a), and Title III, except for Article 28(2) and (3), Articles 62, 63 and 67, Article 69(1), and Articles 75 and 78, apply to payment transactions in all currencies where only one of the payment service providers is located within the Union, in respect to those parts of the payments transaction which are carried out in the Union.
6. Member States may exempt institutions referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU from the application of all or part of the provisions of this Regulation.
7. By [ OP please insert the date= one year after the date of entry into force of this Regulation], the EBA shall issue Guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010, addressed to the competent authorities designated under this Regulation, on the exclusion for payment transactions from the payer to the payee through a commercial agent referred to in paragraph 2, point (b) of this Article.
8. The EBA shall develop draft Regulatory Technical Standards to specify the conditions of the exclusions referred to in paragraph 2, point (j). The EBA shall take into account the experience acquired in the application of the EBA guidelines of 24 February 2022 on the limited network exclusion under Directive (EU) 2015/2366.
The EBA shall submit the Regulatory Technical Standards referred to in the first subparagraph to the Commission by [ OP please insert the date= one year after the date of entry into force of this Regulation]. Power is delegated on the Commission to adopt the Regulatory Technical Standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
9. Member States shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 6, by the date of application of this Regulation, and, without delay, any subsequent amendment affecting them.
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘home Member State’ means either of the following:
(a) the Member State in which the payment service provider has its registered office; or
(b) if the payment service provider has, under its national law, no registered office, the Member State in which the payment service provider has its head office;
(2) ‘host Member State’ means the Member State other than the home Member State in which a payment service provider has an agent, a distributor or a branch or provides payment services;
(3) ‘payment service’ means any business activity set out in Annex I;
(4) ‘payment institution’ means a legal person that has been granted authorisation in accordance with Article 13 of Directive (EU) [PSD3] to provide payment services or electronic money services throughout the Union;
(5) ‘payment transaction’ means an act of placing, transferring or withdrawing funds, based on a payment order placed by the payer, or on his behalf, or by the payee, or on his behalf, irrespective of any underlying obligations between the payer and the payee;
(6) ‘initiation of a payment transaction’ means the steps necessary to prepare the execution of a payment transaction, including the placement of a payment order and the completion of the authentication process;
(7) ‘remote initiation of a payment transaction’ means a payment transaction for which a payment order is placed via the internet;
(8) ‘execution of a payment transaction’ means the process starting once the initiation of a payment transaction is completed and ending once the funds placed, withdrawn, or transferred are available to the payee;
(9) ‘payment system’ means a funds transfer system with formal and standardised arrangements and common rules for the processing, clearing or settlement of payment transactions;
(10) ‘payment system operator’ means the legal entity legally responsible for operating a payment system;
(11) ‘payer’ means a natural or legal person who holds a payment account and places a payment order from that payment account, or, where there is no payment account, a person who places a payment order;
(12) ‘payee’ means a natural or legal person who is the intended recipient of funds which are the subject of a payment transaction;
(13) ‘payment service user’ means a natural or legal person making use of a payment service or of an electronic money service in the capacity of payer, payee, or both;
(14) ‘payment service provider’ means a body as referred to in Article 2(1) or a natural or legal person benefiting from an exemption pursuant to Articles 34, 36 and 38 of Directive (EU) [PSD3];
(15) ‘payment account’ means an account held by a payment service provider in the name of one or more payment service users which is used for the execution of one or more payment transactions and allows for sending and receiving funds to and from third parties;
(16) ‘payment order’ means an instruction by a payer or payee to its payment service provider requesting the execution of a payment transaction;
(17) ‘mandate’ means the expression of authorisation given by the payer to the payee and (directly or indirectly via the payee) to the payer’s payment service provider allowing the payee to initiate a payment transaction for debiting the payer’s specified payment account and to allow the payer’s payment service provider to comply with such instructions;
(18) ‘payment instrument’ means an individualised device or devices and/or set of procedures agreed between the payment service user and the payment service provider which enables the initiation of a payment transaction;
(19) ‘account servicing payment service provider’ means a payment service provider providing and maintaining a payment account for a payer;
(20) ‘payment initiation service’ means a service to place a payment order at the request of the payer or of the payee with respect to a payment account held at another payment service provider;
(21) ‘account information service’ means an online service of collecting, either directly or through a technical service provider, and consolidating information held on one or more payment accounts of a payment service user with one or several account servicing payment service providers;
(22) ‘payment initiation service provider’ means a payment service provider providing payment initiation services;
(23) ‘account information service provider’ means a payment service provider providing account information services;
(24) ‘consumer’ means a natural person who, in payment service contracts covered by this Regulation, is acting for purposes other than his or her trade, business or profession;
(25) ‘framework contract’ means a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account;
(26) ‘money remittance’ means a payment service where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee, for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, or where such funds are received on behalf of and made available to the payee;
(27) ‘direct debit’ means a payment service for debiting a payer’s payment account, where a payment transaction is initiated by the payee on the basis of a mandate given by the payer to the payee, to the payee’s payment service provider or to the payer’s own payment service provider;
(28) ‘credit transfer’ means a payment service, including instant credit transfers, for crediting a payee’s payment account with a payment transaction or a series of payment transactions from a payer’s payment account by the payment service provider which holds the payer’s payment account, based on an instruction given by the payer;
(29) ‘instant credit transfer’ means a credit transfer which is immediately executed, regardless of the day or hour;
(30) ‘funds’ means central bank money issued for retail use, scriptural money and electronic money;
(31) ‘value date’ means a reference time used by a payment service provider for the calculation of interest on the funds debited from or credited to a payment account;
(32) ‘reference exchange rate’ means the exchange rate which is used as the basis to calculate any currency conversion cost and which is disclosed by the payment service provider or comes from a publicly available source;
(33) ‘reference interest rate’ means the interest rate which is used as the basis for calculating any interest to be applied and which comes from a publicly available source which can be verified by both parties to a payment service contract;
(34) ‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials;
(35) ‘strong customer authentication’ means an authentication which is based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
(36) ‘technical service provider’ means a provider of services which support the provision of payment services, without entering at any time into possession of the funds to be transferred;
(37) ‘personalised security credentials’ means personalised features provided by the payment service provider to a payment service user for the purposes of authentication;
(38) ‘sensitive payment data’ means data which can be used to carry out fraud, including personalised security credentials;
(39) ‘unique identifier’ means a combination of letters, numbers or symbols specified by the payment service provider to the payment service user and to be provided by the payment service user to identify unambiguously another payment service user or the payment account of that other payment service user for a payment transaction;
(40) ‘means of distance communication’ means a method which, without the simultaneous physical presence of the payment service provider and the payment service user, may be used for the conclusion of a payment services contract;
(41) ‘durable medium’ means any instrument which enables the payment service user to store information addressed personally to that payment service user in a way accessible for future reference for a period of time adequate to the purposes of the information and which allows the unchanged reproduction of the information stored;
(42) ‘microenterprise’ means an enterprise which at the time of conclusion of the payment service contract is an enterprise as defined in Article 1 and Article 2(1) and (3) of the Annex to Recommendation 2003/361/EC;
(43) ‘business day’ means a day on which the payment service provider of the payer or of the payee involved in the execution of a payment transaction is open for business to execute a payment transaction;
(44) ‘agent’ means a natural or legal person who acts on behalf of a payment institution in providing payment services, with the exclusion of electronic money services;
(45) ‘branch’ means a place of business other than the head office which is a part of a payment institution, which has no legal personality and which carries out directly some or all of the transactions inherent in the business of a payment institution; all of the places of business set up in the same Member State by a payment institution with a head office in another Member State shall be regarded as a single branch;
(46) ‘group’ means a group of undertakings that are linked to each other by a relationship as referred to in Article 22(1), points (2) or (7) of Directive 2013/34/EU of the European Parliament and of the Council63 or undertakings as referred to in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No 241/201464, which are linked to each other by a relationship as referred to in Article 10(1) or Article 113(6), first subparagraph, or 113(7), first subparagraph of Regulation (EU) No 575/2013;
(47) ‘digital content’ means goods or services which are produced and supplied in digital form, the use or consumption of which is restricted to a technical device and which do not include in any way the use or consumption of physical goods or services;
(48) ‘acquiring of payment transactions’ means a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee;
(49) ‘issuing of payment instruments’ means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
(50) ‘electronic money’ means electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on the receipt of funds for the purpose of making payment transactions and which is accepted by other natural or legal persons than the issuer;
(51) ‘distributor’ means a natural or legal person that distributes or redeems electronic money on behalf of a payment institution;
(52) ‘electronic money services’ means the issuance of electronic money, the maintenance of payment accounts storing electronic money units, and the transfer of electronic money units;
(53) ‘commercial trade name’ means the name which is commonly used by the payee to identify itself to the payer;
(54) ‘ATM deployer’ means operators of automated teller machines who do not service payment accounts.
(55) ‘payment institution providing electronic money services’ means a payment institution which provides the services of issuance of electronic money, maintenance of payment accounts storing electronic money units, and transfer of electronic money units, whether or not it also provides any of the services referred to in Annex I.
TITLE II
TRANSPARENCY OF CONDITIONS AND INFORMATION REQUIREMENTS FOR PAYMENT SERVICES
CHAPTER 1
General rules
Article 4
Scope
1. This Title applies to single payment transactions, framework contracts and payment transactions covered by those contracts. The parties to such single payment transactions, framework contracts and payment transactions covered by them may agree that this Title shall not apply in whole or in part where the payment service user is not a consumer.
2. Member States may apply this Title to microenterprises in the same way as to consumers.
3. Member States shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 2, by the date of application of this Regulation and, without delay, any subsequent amendment affecting them.
Article 5
Currency and currency conversion
1. Payments shall be made in the currency agreed between the parties.
2. Where a currency conversion service is offered prior to the initiation of the payment transaction and where that currency conversion service is offered at an ATM, at the point of sale or by the payee, the party offering the currency conversion service to the payer shall disclose to the payer all charges and the exchange rate to be used for converting the payment transaction.
3. The payer shall be given the possibility to agree to the currency conversion service on that basis.
Article 6
Information on additional charges or reductions
1. Where, for the use of a given payment instrument, the payee requests a charge or offers a reduction, the payee shall inform the payer thereof prior to the initiation of the payment transaction.
2. Where, for the use of a given payment instrument, the payment service provider or another party involved in the transaction requests a charge, it shall inform the payment service user thereof prior to the initiation of the payment transaction.
3. The payer shall only be obliged to pay for the charges referred to in paragraphs 1 and 2 if their full amount was made known prior to the initiation of the payment transaction.
Article 7
Information requirements applicable to cash withdrawal services
Natural or legal persons providing cash withdrawal services as referred to in Article 38 of Directive (EU) [PSD3] shall provide or make available to their customers information on any charges before the customer carries out the withdrawal as well as upon receipt of the cash when the transaction is completed.
Article 8
Charges for information
1. Payment service providers shall not charge payment service users for providing information under this Title.
2. Payment service providers and payment service users may agree on charges for additional or more frequent information, or transmission by means of communication other than those specified in the framework contract, provided at the payment service user’s request.
3. Charges for information referred to in paragraph 2 shall be reasonable and in line with the payment service provider’s actual costs.
Article 9
Burden of proof on information requirements
The burden of proof shall lie with the payment service providers to prove that they have complied with the information requirements set out in this Title.
Article 10
Derogation from information requirements for low-value payment instruments and electronic money
In cases of payment instruments which, according to the relevant framework contract, concern only individual payment transactions that do not exceed EUR 50 or that either have a spending limit of EUR 200 or store funds that do not exceed EUR 200 at any time:
(a) by way of derogation from Articles 19, 20 and 24, the payment service provider shall provide the payer only with information on the main characteristics of the payment service, including the way in which the payment instrument can be used, liability, charges levied and other material information needed for the payer to take an informed decision as well as an indication of where any other information and conditions specified in Article 20 are made available in an easily accessible manner;
(b) it may be agreed by the parties to the framework contract that, by way of derogation from Article 22, the payment service provider is not required to propose changes to the conditions of the framework contract in the same way as provided for in Article 19(1);
(c) it may be agreed by the parties to the framework contract that, by way of derogation from Articles 25 and 26, after the execution of a payment transaction:
(i) the payment service provider provides or makes available only a reference enabling the payment service user to identify the payment transaction, the amount of the payment transaction, any charges or, in the case of several payment transactions of the same kind made to the same payee, information on the total amount and charges for those payment transactions;
(ii) the payment service provider is not required to provide or make available information referred to in point (i) if the payment instrument is used anonymously or if the payment service provider is not otherwise technically in a position to provide it. The payment service provider shall provide the payer with a possibility to verify the amount of funds stored.
CHAPTER 2
Single payment transactions
Article 11
Scope
1. This Chapter applies to single payment transactions not covered by a framework contract.
2. Where a payment order for a single payment transaction is transmitted by a payment instrument covered by a framework contract, the payment service provider shall not be obliged to provide or make available information which is already given to the payment service user on the basis of a framework contract with another payment service provider or which will be given to the payment service user according to that framework contract.
Article 12
Prior general information
1. Before the payment service user is bound by a single payment service contract or offer, the payment service provider shall make available to the payment service user, in an easily accessible manner, the information and conditions set out in Article 13 with regard to its own services. At the payment service user’s request, the payment service provider shall provide the information and conditions on paper or on another durable medium. The information and conditions shall be given in easily understandable words and in a clear and comprehensible form, in an official language of the Member State where the payment service is offered or in any other language agreed between the parties.
2. If the single payment service contract has been concluded at the request of the payment service user using a means of distance communication which does not enable the payment service provider to comply with paragraph 1, the payment service provider shall fulfil its obligations under that paragraph immediately after the execution of the payment transaction.
3. Payment service providers may also comply with their obligations under paragraph 1 by providing to payment service users a copy of the draft single payment service contract or the draft payment order including the information and conditions set out in Article 13.
Article 13
Information and conditions
1. Payment service providers shall provide or make available to payment service users the following information and conditions:
(a) a specification of the information or unique identifier to be provided by the payment service user in order for a payment order to be properly placed or executed;
(b) the maximum execution time for the payment service to be provided;
(c) the estimated time for the funds of credit transfers and money remittance transactions to be received by the payment service provider of the payee located outside the Union;
(d) all charges payable by the payment service user to the payment service provider and, where applicable, a breakdown of those charges;
(e) where applicable, the actual or reference exchange rate to be applied to the payment transaction;
(f) where applicable, the estimated charges for currency conversion in relation to credit transfers and money remittance transactions, expressed as a percentage mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank;
(g) the alternative dispute resolution procedures available to the payment service user in accordance with Articles 90, 94 and 95.
2. In addition, payment initiation service providers shall, prior to initiation, provide the payer with, or make available to the payer clear and comprehensive information on all of the following:
(a) the name of the payment initiation service provider, the geographical address of its head office and, where applicable, the geographical address of its agent or branch established in the Member State where the payment service is offered, and any other contact details, including electronic mail address, relevant for communication with the payment initiation service provider; and
(b) the contact details of the competent authority designated under this Regulation.
3. Where applicable, any other relevant information and conditions set out in Article 20 shall be made available to the payment service user in an easily accessible manner.
Article 14
Information for the payer and payee after the placement of a
payment order
Where a payment order is placed through a payment initiation service provider, the payment initiation service provider shall, immediately after initiation, provide or make available to the payer and, where applicable, to the payee all of the following data:
(a) confirmation of the successful placement of the payment order with the payer’s account servicing payment service provider;
(b) a reference enabling the payer and the payee to identify the payment transaction and, where appropriate, the payee to identify the payer, and any information transferred with the payment transaction;
(c) the amount of the payment transaction;
(d) where applicable, the amount of any charges payable to the payment initiation service provider for the transaction, and where applicable a breakdown of the amounts of such charges.
Article 15
Information for the payer’s account servicing payment service provider
where a payment order is placed through a payment initiation service
Where a payment order is placed through a payment initiation service provider, the payment initiation service provider shall make available to the payer’s account servicing payment service provider the reference of the payment transaction.
Article 16
Information for the payer after receipt of the payment order
Immediately after receipt of the payment order, the payer’s payment service provider shall provide the payer with or make available to the payer, in the same way as provided for in Article 12(1), all of the following data with regard to its own services:
(a) a reference enabling the payer to identify the payment transaction and the information needed for the payer to unambiguously identify the payee, including the payee’s commercial trade name;
(b) the amount of the payment transaction in the currency used in the payment order;
(c) the amount of any charges for the payment transaction payable by the payer and, where applicable, a breakdown of the amounts of such charges;
(d) where applicable, the exchange rate used in the payment transaction by the payer’s payment service provider or a reference thereto, where different from the rate provided in accordance with Article 13(1), point (e), and the amount of the payment transaction after that currency conversion;
(e) the date of receipt of the payment order.
Article 17
Information for the payee after execution
Immediately after the execution of the payment transaction, the payee’s payment service provider shall provide the payee with, or make available to the payee, in the same way as provided for in Article 12(1), all of the following data with regard to its own services:
(a) a reference enabling the payee to identify the payment transaction and, where appropriate, the payer and any information transferred with the payment transaction;
(b) the amount of the payment transaction in the currency in which the funds are at the payee’s disposal;
(c) the amount of any charges for the payment transaction payable by the payee and, where applicable, a breakdown of the amounts of such charges;
(d) where applicable, the exchange rate used in the payment transaction by the payee’s payment service provider, and the amount of the payment transaction before that currency conversion;
(e) the credit value date.
CHAPTER 3
Framework contracts
Article 18
Scope
This Chapter applies to payment transactions covered by a framework contract.
Article 19
Prior general information
1. In good time before the payment service user is bound by any framework contract or offer, the payment service provider shall provide the payment service user on paper or on another durable medium with the information and conditions set out in Article 20. The information and conditions shall be given in easily understandable words and in a clear and comprehensible form, in an official language of the Member State where the payment service is offered or in any other language agreed between the parties.
2. Where the framework contract has been concluded at the request of the payment service user using a means of distance communication which does not enable the payment service provider to comply with paragraph 1, the payment service provider shall fulfil its obligations under that paragraph immediately after conclusion of the framework contract.
3. Payment service providers may also comply with their obligations under paragraph 1 by providing to payment service users a copy of the draft framework contract including the information and conditions set out in Article 20.
Article 20
Information and conditions
The payment service provider shall provide the following information and conditions to the payment service user:
(a) on the payment service provider:
(i) the name of the payment service provider, the geographical address of its head office and, where applicable, the geographical address of its agent, distributor or branch established in the Member State where the payment service is offered, and any other address, including electronic mail address, relevant for communication with the payment service provider;
(ii) the particulars of the relevant supervisory authorities designated under Directive (EU) [PSD3] and of the register provided for in Articles 17 and 18 of that Directive or of any other relevant public register of authorisation of the payment service provider and the registration number or equivalent means of identification in that register;
(b) on the use of the payment service:
(i) a description of the main characteristics of the payment service to be provided;
(ii) a specification of the information or unique identifier that has to be provided by the payment service user in order for a payment order to be properly placed or executed;
(iii) the form of and procedure for placing a payment order or giving permission to execute a payment transaction and withdrawal of such permission in accordance with Articles 49 and 66;
(iv) a reference to the time of receipt of a payment order in accordance with Article 64 and the cut-off time, if any, established by the payment service provider;
(v) the maximum execution time for the payment services to be provided;
(vi) the estimated time for the funds of credit transfers to be received by the payment service provider of the payee located outside the Union;
(vii) whether there is a possibility to agree on spending limits for the use of the payment instrument in accordance with Article 51(1);
(viii) in the case of co-badged card-based payment instruments, the payment service user’s rights under Article 8 of Regulation (EU) 2015/751;
(c) on charges, interest and exchange rates:
(i) all charges payable by the payment service user to the payment service provider including those connected to the manner in and frequency with which information under this Regulation is provided or made available and, where applicable, the breakdown of the amounts of such charges;
(ii) all charges, if any, for domestic, automated teller machines (ATMs) withdrawals payable by payment service users to their payment service provider at an ATM of:
(1) their payment service provider;
(2) a payment service provider belonging to the same network of ATMs as the user’s payment service provider;
(3) a payment service provider belonging to a network of ATMs with whom the user’s payment service provider has a contractual relationship;
(4) an ATM provider not servicing payment accounts when offering cash withdrawal services;
(iii) where applicable, the interest and exchange rates to be applied or, if reference interest and exchange rates are to be used, the method of calculating the actual interest, and the relevant date and index or base for determining such reference interest or exchange rate;
(iv) where agreed, the immediate application of changes in reference interest or exchange rate and information requirements relating to the changes in accordance with Article 22(3);
(v) where applicable, the estimated charges for currency conversion services in relation to a credit transfer expressed as a percentage mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank;
(d) on communication:
(i) where applicable, the means of communication, including the technical requirements for the payment service user’s equipment and software, agreed between the parties for the transmission of information or notifications under this Regulation;
(ii) the manner in, and frequency with which, information under this Regulation is to be provided or made available;
(iii) the language or languages in which the framework contract will be concluded and communication during that contractual relationship undertaken;
(iv) the payment service user’s right to receive the contractual terms of the framework contract and information and conditions in accordance with Article 21;
(e) on safeguards and corrective measures:
(i) where applicable, a description of the steps that the payment service user is to take in order to keep safe a payment instrument and how to notify the payment service provider for the purposes of Article 52, point (b);
(ii) the secure procedure for notification of the payment service user by the payment service provider in the event of suspected or actual fraud or security threats;
(iii) where agreed, the conditions under which the payment service provider reserves the right to block a payment instrument in accordance with Article 51;
(iv) the liability of the payer in accordance with Article 57(5), Article 59(3) and Article 60, including information on the relevant amount;
(v) how and within what period of time the payment service user is to notify the payment service provider, and the police in case of impersonation fraud referred to in Article 59, of any unauthorised or incorrectly initiated or executed payment transaction or of any authorised credit transfer made following an incorrect application of the name and unique identifier matching verification service or impersonation fraud, in accordance with Article 54;
(vi) the payment service provider’s liability for unauthorised payment transactions in accordance with Article 56, for the incorrect application of the name and unique identifier matching verification service in accordance with Article 57, and for impersonation fraud in accordance with Article 59;
(vii) the liability of the payment service provider for the initiation or execution of payment transactions in accordance with Articles 75 and 76;
(viii) the conditions for refund in accordance with Articles 62 and 63;
(f) on changes to, and termination of, the framework contract:
(i) where agreed, information that the payment service user will be deemed to have accepted changes in the conditions in accordance with Article 22, unless the payment service user notifies the payment service provider before the date of their proposed date of entry into force that they are not accepted;
(ii) the duration of the framework contract;
(iii) the right of the payment service user to terminate the framework contract and any agreements relating to termination in accordance with Article 22(1) and Article 23;
(g) on redress:
(i) any contractual clause on the law applicable to the framework contract or the competent courts;
(ii) the alternative dispute resolution procedures available to the payment service user in accordance with Articles 90, 94 and 95.
Article 21
Accessibility of information and conditions of the framework
contract
At any time during the contractual relationship the payment service user shall have a right to receive, on request, the contractual terms of the framework contract and the information and conditions set out in Article 20 on paper or on another durable medium.
Article 22
Changes in conditions of the framework contract
1. The payment service provider shall propose any changes in the framework contract or in the information and conditions set out in Article 20 in the same way as provided for in Article 19(1) and no later than 2 months before their proposed date of application. The payment service user can either accept or reject the changes before the date of their proposed date of entry into force.
2. Where applicable, in accordance with Article 20, point (f)(i), the payment service provider shall inform the payment service user that the payment service user is to be deemed to have accepted those changes if the payment service user does not notify the payment service provider before the proposed date of their entry into force that they are not accepted. The payment service provider shall also inform the payment service user that, if the payment service user rejects those changes, the payment service user has the right to terminate the framework contract free of charge and with effect at any time until the date when the changes would have applied.
3. Changes in the interest or exchange rates may be applied by the payment service provider immediately and without notice, provided that such a right is agreed upon in the framework contract and that the changes in the interest or exchange rates are based on the reference interest or exchange rates agreed on in accordance with Article 20, point (c)(iii) and (iv). The payment service provider shall inform the payment service user of any change in the interest rate at the earliest opportunity in the same way as provided for in Article 19(1), unless the parties have agreed on a specific frequency or manner in which the information is to be provided or made available. However, changes in interest or exchange rates which are more favourable to the payment service users, may be applied by the payment service provider without notice.
4. The payment service provider shall implement and calculate changes in the interest or exchange rate used in payment transactions in a neutral manner that does not discriminate against payment service users.
Article 23
Termination
1. The payment service user may terminate the framework contract at any time, unless the parties have agreed on a period of notice. Such a period shall not exceed 1 month.
2. Termination of the framework contract shall be free of charge for the payment service user except where the contract has been in force for less than 6 months. Charges, if any, for termination of the framework contract shall be appropriate and in line with costs. Where, under the framework contract, payment services are offered jointly with technical services aimed at supporting the provision of payment services and provided by the payment service provider or by a third party the payment service provider has partnered with, such technical services shall be subject to the same framework contract requirements on termination fees.
3. If agreed in the framework contract, the payment service provider may terminate a framework contract concluded for an indefinite period by giving at least 2 months’ notice in the same way as provided for in Article 19(1).
4. Charges for payment services levied on a regular basis shall be payable by the payment service user only proportionally up to the termination of the contract. If such charges are paid in advance, those charges shall be reimbursed proportionally by the payment service provider.
5. The provisions of this Article are without prejudice to the Member States’ laws and regulations governing the rights of the parties to declare the framework contract unenforceable or void.
6. Member States may provide for more favourable provisions on termination for payment service users.
7. Member States shall by [ OP please insert the date = data of application of this Regulation] notify to the Commission the provisions of their law adopted pursuant to paragraph 6. They shall, without delay, notify any subsequent amendment to such provisions.
Article 24
Information before execution of individual payment transactions
In the case of an individual payment transaction initiated by the payer under a framework contract, a payment service provider shall, at the payer’s request for this specific payment transaction, provide explicit information on all of the following:
(a) the maximum execution time;
(b) the charges payable by the payer;
(c) where applicable, a breakdown of the amounts of any charges.
Article 25
Information for the payer on individual payment transactions
1. After the amount of an individual payment transaction is debited from the payer’s account or, where the payer does not use a payment account, after receipt of the payment order, the payer’s payment service provider shall provide the payer, without undue delay and in the same way as laid down in Article 19(1), with all of the following information:
(a) a reference enabling the payer to identify each the payment transaction and the information needed to unambiguously identify the payee, including the payee’s commercial trade name;
(b) the amount of the payment transaction in the currency in which the payer’s payment account is debited or in the currency used for the payment order;
(c) the amount of any charges for the payment transaction and, where applicable, a breakdown of the amounts of such charges, or the interest payable by the payer;
(d) where applicable, the exchange rate used in the payment transaction by the payer’s payment service provider, and the amount of the payment transaction after that currency conversion;
(e) the debit value date or the date of receipt of the payment order.
2. A framework contract shall include a condition that the payer may require the information referred to in paragraph 1 to be provided or made available periodically, at least once a month, free of charge and in an agreed manner which allows the payer to store and reproduce information unchanged.
3. Member States may require payment service providers to provide information on paper or on another durable medium at least once a month, free of charge.
4. Member States shall by [ OP please insert the date = data of application of this Regulation] notify to the Commission the provisions of their law adopted pursuant to paragraph 3. They shall, without delay, notify any subsequent amendment to such provisions.
Article 26
Information for the payee on individual payment transactions
1. After the execution of an individual payment transaction, the payee’s payment service provider shall provide the payee without undue delay in the same way as laid down in Article 19(1) with all of the following information:
(a) a reference enabling the payee to identify the payment transaction and the payer, and any information transferred with the payment transaction;
(b) the amount of the payment transaction in the currency in which the payee’s payment account is credited;
(c) the amount of any charges for the payment transaction and, where applicable, a breakdown of the amounts of such charges, or the interest payable by the payee;
(d) where applicable, the exchange rate used in the payment transaction by the payee’s payment service provider, and the amount of the payment transaction before that currency conversion;
(e) the credit value date.
2. A framework contract may include a condition that the information referred to in paragraph 1 is to be provided or made available periodically, at least once a month and in an agreed manner which allows the payee to store and reproduce information unchanged.
3. Member States may require payment service providers to provide information on paper or on another durable medium at least once a month, free of charge.
4. Member States shall by [ OP please insert the date = data of application of this Regulation] notify to the Commission the provisions of their law adopted pursuant to paragraph 3. They shall, without delay, notify any subsequent amendment to such provisions.
TITLE III
RIGHTS AND OBLIGATIONS IN RELATION TO THE PROVISION AND USE OF PAYMENT SERVICES
CHAPTER 1
Common provisions
Article 27
Scope
1. Where the payment service user is not a consumer, the payment service user and the payment service provider may agree that Article 28(1), Article 49(7), and Articles 55, 60, 62, 63, 66, 75 and 76 do not apply in whole or in part. The payment service user and the payment service provider may also agree on time limits that are different from those laid down in Article 54.
2. Member States may provide that Article 95 does not apply where the payment service user is not a consumer.
3. Member States may provide that provisions in this Title are applied to microenterprises in the same way as to consumers.
4. Member States shall [ OP please insert the date = data of application of this Regulation] notify to the Commission the provisions of their law adopted pursuant to paragraph 2 and 3. They shall, without delay, notify any subsequent amendment to such provisions.
Article 28
Charges applicable
1. The payment service provider shall not charge the payment service user for fulfilment of its information obligations or corrective and preventive measures under this Title, unless otherwise specified in Article 65(1), Article 66(5) and Article 74(4). Those charges shall be agreed between the payment service user and the payment service provider and shall be reasonable and in line with the payment service provider’s actual costs.
2. For payment transactions provided within the Union, where both the payer’s and the payee’s payment service providers are, or the sole payment service provider in the payment transaction is, located in the Union, the payee shall pay the charges levied by his payment service provider, and the payer shall pay the charges levied by his payment service provider.
3. The payee shall not request charges for the use of payment instruments for which interchange fees are regulated under Chapter II of Regulation (EU) 2015/751 and for credit transfers, including instant credit transfers, and direct debit transactions within the Union.
4. Member States may extend the prohibition or limit the right of the payee to request charges for the use of payment instruments other than the ones referred to in paragraph 3, taking into account the need to encourage competition and promote the use of efficient payment instruments.
5. Without prejudice to paragraphs 3 and 4 and for instruments not covered in those paragraphs, the payment service provider shall not prevent the payee from requesting from the payer a charge, offering him a reduction or otherwise steering the payer towards the use of a given payment instrument. Any charges applied shall not exceed the direct costs borne by the payee for the use of the specific payment instrument.
6. Member States shall [ OP please insert the date = data of application of this Regulation] notify to the Commission the provisions of their law adopted pursuant to paragraph 4. They shall, without delay, notify any subsequent amendment to such provisions.
Article 29
Derogation for low value payment instruments and electronic
money
1. In the case of payment instruments which, according to the framework contract, solely concern individual payment transactions not exceeding EUR 50 or which either have a spending limit of EUR 200, or store funds which do not exceed EUR 200 at any time, payment service providers may agree with their payment service users that:
(a) Article 52, point (b), Article 53(1), points (c) and (d) , and Article 60(4) do not apply if the payment instrument does not allow its blocking or prevention of its further use;
(b) Articles 55 and 56, and Article 60(1) and (4), do not apply if the payment instrument is used anonymously or the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised;
(c) by way of derogation from Article 65(1), the payment service provider is not required to notify the payment service user of the refusal of a payment order, if the non-execution is apparent from the context;
(d) by way of derogation from Article 66, the payer shall not revoke the payment order after transmitting the payment order or authorising the payment transaction to the payee;
(e) by way of derogation from Articles 69 and 70, other execution periods apply.
2. Articles 56 and 60 shall apply also to electronic money, except where the payer’s payment service provider does not have the ability to freeze the payment account on which the electronic money is stored or block the payment instrument. Member States may limit that derogation to payment accounts on which the electronic money is stored or to payment instruments of a certain value.
3. Member States shall, by the date of application of this Regulation, notify to the Commission the provisions of their law adopted pursuant to paragraph 2. They shall, without delay, notify any subsequent amendment to such provisions.
Article 30
Issuance and redeemability of electronic money
1. Issuers of electronic money shall issue electronic money at par value on the receipt of funds.
2. Upon request by the holder of the electronic money, the issuer of the electronic money shall redeem, at any moment and at par value, the monetary value of the electronic money held.
3. The contract between the issuer of the electronic money and the holder of the electronic money shall clearly and prominently state the conditions of redemption, including any applicable fees, and the electronic money holder shall be informed of those conditions before being bound by any contract or offer.
4. Redemption of electronic money may be subject to a fee only if stated in the contract in accordance with paragraph 3 and only in any of the following cases:
(a) where the holder of electronic money requests redemption before the termination of the contract;
(b) where the contract provides for a termination date and the holder of electronic money terminates the contract before that date;
(c) where redemption is requested more than one year after the date of termination of the contract.
Any such fee shall be proportionate to and commensurate with the actual costs incurred by the electronic money issuer.
5. Where the holder of electronic money requests redemption before the termination of the contract, the holder may request redemption of the electronic money in whole or in part.
6. Where redemption is requested by the holder of the electronic money on the date of the termination of the contract, or up to one year after such termination, the issuer of the electronic money shall do either of the following:
(a) Redeem the total monetary value of the electronic money; or
(b) Redeem all funds requested by the electronic money holder where the payment institution carries out one or more of the activities as referred to in Article 10(1)(c) of Directive XXX [PSD3] and it is unknown in advance what proportion of funds is to be used as electronic money by electronic money holders.
7. Notwithstanding paragraphs 4, 5 and 6, redemption rights of a person, other than a consumer, who accepts electronic money shall be subject to the contractual agreement between the electronic money issuer and that person.
8. A payment institution providing electronic money services shall not grant to the holder of electronic money interest or any other benefit related to the length of time during which he or she holds the electronic money.
CHAPTER 2
Access to payment systems and to accounts maintained with credit institutions
Article 31
Access to payment systems
1. Payment system operators shall have in place objective non-discriminatory, transparent and proportionate rules on access to a payment system by authorised or registered payment service providers that are legal persons. Payment system operators shall not inhibit access to a payment system more than is necessary to safeguard against specific risks, including where applicable settlement risk, operational risk, credit risk, liquidity risk and business risk or more than is necessary to protect the financial and operational stability of the payment system.
2. A payment system operator shall make publicly available its rules and procedures for admission to participation to that payment system and the criteria and methodology it uses for risk assessment of applicants for participation.
3. Upon receiving an application for participation by a payment service provider, a payment system operator shall assess the relevant risks of granting the applicant payment service provider access to the system. A payment system operator shall only refuse participation to an applicant payment service provider where the applicant poses risks to the system, as referred to in paragraph 1. The payment system operator shall notify that applicant payment service provider in writing whether the request for participation is granted or refused and shall provide full reasons for any refusal.
4. Paragraphs 1, 2 and 3 shall not apply to payment systems composed exclusively of payment service providers belonging to the same group.
5. Payment system operators shall not have in place any of the following requirements:
(a) restrictive rules on effective membership in other payment systems;
(b) rules which discriminate between authorised payment service providers or between registered payment service providers in relation to the rights, obligations and entitlements of members;
(c) restrictions on the basis of institutional status.
6. A participant of a payment system that allows an authorised or registered payment service provider that is not a participant of the payment system to pass transfer orders through that payment system shall, when requested, give the same possibility to other authorised or registered payment service providers in an objective, proportionate, transparent and non-discriminatory manner. In case of a rejection of such request, the participant of a payment system shall provide any requesting payment service provider with full reasons for such rejection.
7. For payment systems that are not covered by Eurosystem oversight, pursuant to Regulation (EU) No 795/2014, Member States shall designate a competent authority responsible for oversight of payment systems to ensure enforcement of paragraphs 1 2, 3, 5 and 6 by payment systems governed by their national law.
Article 32
Provision by credit institutions of payment accounts to payment institutions
1. A credit institution shall only refuse to open or shall only close a payment account for a payment institution for its agents or distributors or for an applicant for a license as a payment institution in the following cases:
(a) The credit institution has serious grounds to suspect defective money laundering or terrorism financing controls by the applicant or that illegal activities are being committed either by the applicant or its customers;
(b) there is or has been a breach of contract committed by the applicant for an account;
(c) insufficient information and documents have been received from the applicant for an account;
(d) the applicant for an account or its business model presents an excessive risk profile;
(e) the applicant for an account would present a disproportionately high compliance cost for the credit institution.
2. Rights granted under paragraph 1 to agents or distributors shall be granted exclusively for the provision of payment services on behalf of the payment institution.
3. A credit institution shall notify to the payment institution or to its agents or distributors, or to the applicant for a license as a payment institution, any decision to refuse to open or to close a payment account to a payment institution or to its agents or distributors, or to an applicant for a license as a payment institution; it shall duly motivate any such decision. Such motivation must be specific to the risks posed by the activity or planned activity of that payment institution or of its agents or distributors, as assessed by the credit institution, and not be generic in nature.
4. A payment institution or its agents or distributors, or an applicant for a license as a payment institution which is the subject of a negative decision by a credit institution on access or of a decision on closure from payment accounts services may appeal to a competent authority.
5. The EBA shall develop draft regulatory technical standards specifying the harmonised format and information to be contained in the notification and motivation referred to in paragraph 3 of this Article.
The EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by [ OP please insert the date= one year after the date of entry into force of this Regulation]. Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Chapter 3
Account information services and payment initiation services
Section 1
General Principles
Article 33
Rights of payment service users
1. Payment service providers shall not prevent payment service users from making use of a payment initiation service provider to obtain payment initiation services as referred to in point (6) of Annex I. That obligation shall apply to all the payment accounts held by the payment service user that are accessible online.
2. Payment service providers shall not prevent payment service users from making use of account information services as referred to in point (7) of Annex I. That obligation shall apply to all the payment accounts held by the payment service user that are accessible online.
Article 34
Contractual relations
1. The provision of account information services and payment initiation services shall not be conditioned by any party on the existence of a contractual relationship to that end between providers of such services and an account servicing payment service provider.
2. Where a multilateral contractual arrangement is in place and where the same payment account data as regulated under this Regulation is also available in the framework of that multilateral contractual arrangement, access by account information and payment initiation service providers to payment account data regulated under this Regulation shall always be possible without the need to be part of such multilateral contractual arrangement.
Section 2
Data access interfaces for account information services and payment initiation services
Article 35
Provision of dedicated access interfaces
1. Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one dedicated interface for the purpose of data exchange with account information and payment initiation service providers.
2. Without prejudice to Articles 38 and 39, account servicing payment service providers that offer to a payer a payment account that is accessible online and have put in place a dedicated interface as referred to in paragraph 1 of this Article, shall not be obliged to also maintain permanently another interface as fall-back for the purpose of data exchange with account information and payment initiation service providers.
3. Account servicing payment service providers shall ensure that their dedicated interfaces referred to in paragraph 1 use standards of communication which are issued by European or international standardisation organisations including the European Committee for Standardization (CEN) or the International Organization for Standardization (ISO). Account servicing payment service providers shall also ensure that the technical specifications of any of the dedicated interfaces referred to in paragraph 1 are documented specifying a set of routines, protocols and tools needed by payment initiation service providers and account information service providers for allowing their software and applications to interoperate with the systems of the account servicing payment service provider. Account servicing payment service providers shall make the documentation on technical specifications of their dedicated interfaces referred to in paragraph 1 available, at no charge and without delay, upon request by authorised payment initiation service providers, account information service providers or by payment service providers that have applied to their competent authorities for the relevant authorisation and shall make a summary of that documentation publicly available on their website.
4. Account servicing payment service providers shall ensure that, except for emergency situations which prevent them from doing so, any change to the technical specifications of their dedicated interface referred to in paragraph 1 is made available to authorised payment initiation service providers, account information service providers, or payment service providers that have applied to their competent authorities for the relevant authorisation, in advance, as soon as possible and not less than 3 months before the change is implemented. Account servicing payment service providers shall document emergency situations where changes were implemented without such advance information and make the documentation available to competent authorities on request.
5. Account servicing payment service providers shall publish on their website quarterly statistics on the availability and performance of their dedicated interface. The performance of the dedicated interfaces shall be measured by the number of successful account information requests over the total number of account information requests, and by the number and transaction volume of the successful payment initiation requests over the total number and transaction volume of the total number of payment initiation requests.
6. Account servicing payment service providers shall make available a testing facility, including support, for connection to the dedicated interfaces and functional testing to enable authorised payment initiation service providers and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. No sensitive payment data or any other personal data shall be shared through the testing facility.
7. In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements via the dedicated interface, the account servicing payment service provider shall provide for notification messages to the payment initiation service provider or the account information service provider which explains the reason for the unexpected event or error.
Article 36
Requirements regarding dedicated data access interfaces
1. Account servicing payment service providers shall ensure that the dedicated interface referred to in Article 35(1) meets the following security and performance requirements:
(a) the dedicated interface shall establish and maintain communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned throughout the authentication of the payment service user;
(b) the dedicated interface shall ensure the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider;
(c) the response time of the dedicated interface to account information service providers’ and payment initiation service providers’ access requests shall not be longer than the response time of the interface that the account servicing payment service provider makes available to its payment service users for directly accessing their payment account online.
2. Account servicing payment service providers shall ensure that the dedicated interface referred to in Article 35(1) allows both account information service providers and payment initiation service providers to:
(a) identify themselves towards the account servicing payment service provider;
(b) instruct the account servicing payment service provider to start the authentication based on the permission of the payment service user given to the account information service provider or the payment initiation service providers in accordance with Article 49(2);
(c) make use, in a non-discriminatory manner, of any authentication exemptions applied by the account servicing payment service provider;
(d) see, prior to initiation of the payment in the case of payment initiation service providers, the unique identifier of the account, the associated names of the account holder and the currencies as available to the payment service user.
3. Account servicing payment service providers shall allow account information service providers to communicate securely, via the dedicated interface, to request and receive information on one or more designated payment accounts and associated payment transactions.
4. Account servicing payment service providers shall ensure that the dedicated interface allows payment initiation service providers, at a minimum, to:
(a) place and revoke a standing payment order or a direct debit;
(b) initiate a single payment;
(c) initiate and revoke a future dated payment;
(d) initiate payments to multiple beneficiaries;
(e) initiate payments, regardless of whether the payee is on the payer’s beneficiaries list;
(f) communicate securely to place a payment order from the payer's payment account and receive all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction;
(g) verify the name of the account holder before the payment is initiated and regardless of whether the name of the account holder is available via the direct interface;
(h) initiate a payment with one single strong customer authentication, provided the payment initiation service provider has provided the account servicing payment service provider with all of the following:
(i) the payer’s unique identifier,
(ii) the payee’s legal and commercial name and ‘unique identifier’,
(iii) a transaction reference,
(iv) the payment amount and the currency of the payment, based on which the single strong customer authentication is triggered.
5. Account servicing payment service providers shall ensure that the dedicated interface provides to payment initiation service providers:
(a) the immediate confirmation, upon request, in a simple ‘yes’ or ‘no’ format, of whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer;
(b) the confirmation from the account servicing payment service provider that the payment will be executed on the basis of the information available to the account servicing payment service provider, taking into account any pre-existing payment orders that might affect the full execution of the payment order being placed.
The information referred to in point (b) shall not be shared with the payment initiation service provider but may be used by the account servicing payment service provider in order to provide confirmation of the execution of the operation.
Article 37
Data access parity between dedicated access interface and customer interface
1. Without prejudice to Article 36, account servicing payment service providers shall ensure that their dedicated interface referred to in Article 35(1) offers at all times at least the same level of availability and performance, including technical and IT support, as the interfaces that account servicing payment service providers make available to the payment service user for directly accessing its payment account online.
2. Account servicing payment service providers shall provide account information services providers with at least the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly requesting access to the account information, provided that this information does not include sensitive payment data.
3. Account servicing payment service providers shall provide payment initiation service providers with at least the same information on the initiation and execution of the payment transaction provided or made available to the payment service user when the transaction is initiated directly by the payment service user. That information shall be provided immediately after receipt of the payment order and on an ongoing basis until the payment is final.
Article 38
Contingency measures for an unavailable dedicated interface
1. Account servicing payment service providers shall take all measures in their power to prevent unavailability of the dedicated interface. Unavailability shall be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services receive no response from the account servicing payment service provider’s dedicated interface within 30 seconds.
2. In case of unavailability of the dedicated interface, account servicing payment service providers shall inform payment service providers making use of the dedicated interface of measures taken to restore the interface and of the time estimated necessary for the problem to be resolved. During the period of unavailability, account servicing payment service providers shall offer to account information and payment initiation service providers without delay an effective alternative solution, such as the use of the interface that the account servicing payment service provider uses for authentication and communication with its users, to access payment account data.
3. Where the dedicated interface is unavailable and the account servicing payment service provider has not offered a rapid and effective alternative solution referred to in paragraph 2, payment initiation service providers or account information service providers may request their competent authority, providing all necessary information and evidence, to allow them to use the interface that the account servicing payment service provider uses for authentication and communication with its users for payment account data access.
4. Based on the request referred to in paragraph 3, the competent authority may for a time-limited period until the dedicated interface is restored to availability, authorise all payment initiation service providers and account information service providers to access payment accounts data via an interface that the account servicing payment service provider uses for authentication and communication with its users. The competent authority shall communicate its decision to the requesting account information service provider or payment initiation service provider and make it publicly available on its website. The competent authority shall instruct the account servicing payment service provider to restore the full functioning of the dedicated interface before the expiry of the temporary authorisation.
5. The competent authority shall take a decision without undue delay on any request introduced under paragraph 3. As long as the competent authority has not taken a decision on the request, the requesting payment initiation service provider or account information service provider may exceptionally access payment accounts data via an interface that the account servicing payment service provider uses for authentication and communication with its users. The requesting payment initiation service provider or account information service provider shall cease to do so when the dedicated interface is restored to availability, or when the competent authority adopts a decision not authorising such use, whichever is the sooner.
6. In cases where account servicing payment service providers are obliged to allow account information service providers or payment initiation service providers to access the interface that account servicing payment service providers use for authentication and communication with their users, account servicing payment service providers shall immediately make available any technical specifications needed by account information service providers or payment initiation service providers to adequately connect to the interface that the account servicing payment service provider uses for authentication and communication with its users.
7. When accessing the interface that the account servicing payment service provider uses for authentication and communication with its users, the account information service providers or payment initiation service providers shall meet all requirements laid down in Article 45(2). In particular, the account information service providers or payment initiation service providers shall always duly identify themselves with the account servicing payment services provider.
Article 39
Derogation from having a dedicated interface for data access
1. By way of derogation from Article 35(1), on request of an account servicing payment service provider, the competent authority may exempt the requesting account servicing payment service provider from the obligation to have in place a dedicated interface and allow the account servicing payment service provider to either offer, as interface for secure data exchange, one of the interfaces that the account servicing payment service provider uses for authentication and communication with its payment services users or, where justified, not to offer any interface at all for secure data exchange.
2. The EBA shall develop draft regulatory technical standards which shall specify the criteria on the basis of which, in accordance with paragraph 1, an account servicing payment service provider may be exempted from the obligation to have in place a dedicated interface and be allowed either to provide, as interface for secure data exchange with account information service providers and payment initiation service providers, the interface that it makes available to its payment user for accessing its payment accounts online or, where appropriate, not to have any interface at all for secure data exchange.
The EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by [ OP please insert the date= one year after the date of entry into force of this Regulation]. Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Section 3
Rights and obligations of account servicing payment services providers
Article 40
Obligations on account servicing payment service providers regarding payment initiation services
The account servicing payment service provider shall perform the following actions to ensure the payer’s right to use the payment initiation service:
(a) communicate securely with payment initiation service providers;
(b) immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
(c) treat payment orders transmitted through the services of a payment initiation service provider as if those payment orders were payment orders transmitted directly by the payer or the payee, in particular in terms of timing, priority or charges.
For the purposes of point (b), where some or all of the information referred to in that point is unavailable immediately after receipt of the payment order, the account servicing payment service provider shall ensure that any information about the execution of the payment order is made available to the payment initiation service provider immediately after that information becomes available to the account servicing payment service provider.
Article 41
Obligations of account servicing payment service providers regarding account information services
1. The account servicing payment service provider shall perform the following actions to ensure the payment service user’s right to use the account information service:
(a) communicate securely with the account information service provider;
(b) treat data requests transmitted through the services of an account information service provider as if the data were requested by the payment service user via the interface that the account servicing payment service provider makes available to its payment service users for directly accessing their payment account.
2. Account servicing payment service providers shall allow account information service providers to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service whether or not the payment service user is actively requesting such information.
Article 42
Restriction of access to payment accounts by account information service providers and payment initiation service providers
1. An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons. Those reasons shall relate to unauthorised, as per Article 49(3), or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction. In such cases, the account servicing payment service provider shall inform the payment services user that access to the payment account is denied and provide the reasons therefor. That information shall, where possible, be provided to the payment services user before access is denied and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.
2. In the cases referred to in paragraph 1, the account servicing payment service provider shall immediately report the incident relating to the account information service provider or the payment initiation service provider to the competent authority. The information shall include the relevant details of the case and the reasons for taking action. The competent authority shall assess the case and shall, if necessary, take appropriate measures.
Article 43
Data access management by payment service users
1. The account servicing payment service provider shall provide the payment service user with a dashboard, integrated into its user interface, to monitor and manage the permissions the payment service user has given for the purpose of account information services or payment initiation services covering multiple or recurrent payments.
2. The dashboard shall:
(a) provide the payment service user with an overview of each ongoing permission given for the purposes of account information services or payment initiation services, including:
(i) the name of the account information service provider or payment initiation service provider to which access has been granted;
(ii) the customer account to which access has been granted;
(iii) the purpose of the permission;
(iv) the period of validity of the permission;
(v) the categories of data being shared.
(b) allow the payment service user to withdraw data access for a given account information service or payment initiation service provider;
(c) allow the payment service user to re-establish any data access withdrawn;
(d) include a record of data access permissions that have been withdrawn or have expired, for a duration of two years.
3. The account servicing payment service provider shall ensure that the dashboard is easy to find in its user interface and that information displayed on the dashboard is clear, accurate and easily understandable for the payment service user.
4. The account servicing payment service provider and the account information service or payment initiation service provider to which permission has been granted shall cooperate to make information available to the payment service user via the dashboard in real-time. For the purposes of paragraph 2 points (a), (b), (c) and (e):
(a) The account servicing payment service provider shall inform the account information service or payment initiation service provider in real time of changes made to a permission concerning that provider made by a payment service user via the dashboard;
(b) An account information service or payment initiation service provider shall inform the account servicing payment service provider in real time of a new permission granted by a payment service user regarding a payment account provided by that account servicing payment service provider, including:
(i) the purpose of the permission granted by the payment service user;
(ii) the period of validity of the permission;
(iii) the categories of data concerned.
Article 44
Prohibited obstacles to data access
1. Account servicing payment service providers shall ensure that their dedicated interface does not create obstacles to the provision of payment initiation and account information services.
Prohibited obstacles shall include the following:
(a) preventing the use by payment initiation services providers or account information services providers of the credentials issued by account servicing payment service providers to their payment services users;
(b) requiring the payment service users to manually input their unique identifier into the domain of the account servicing payment service provider to be able to use account information or payment initiation services;
(c) requiring additional checks of the permission given by the payment service users to a payment initiation service provider or an account information services provider;
(d) requiring additional registrations by payment initiation and account information services providers to be able to access the payment services user’s payment account or the dedicated interface;
(e) requiring, unless indispensable to facilitate the exchange of information between account servicing payment service providers and payment initiation and account information services providers related, in particular, to the updating of the dashboard referred to in Article 43, that payment initiation and account information services providers pre-register their contact details with the account servicing payment service provider;
(f) restricting the possibility of a payment service user to initiate payments via a payment initiation service provider only to those payees that are on the payer’s beneficiaries list;
(g) restricting payment initiations to or from domestic unique identifiers only;
(h) requiring that strong customer authentication is applied more times in comparison with the strong customer authentication as required by the account servicing payment service provider when the payment service user is directly accessing their payment account or initiating a payment with the account servicing payment services provider;
(i) providing a dedicated interface that does not support all the authentication procedures made available by the account servicing payment service provider to its payment service user;
(j) imposing an account information or payment initiation journey, in a ‘redirection’ or ‘decoupled’ approach, where the authentication of the payment service user with the account servicing payment service provider adds additional steps or required actions in the user journey compared to the equivalent authentication procedure offered to payment service users when directly accessing their payment accounts or initiating a payment with the account servicing payment service provider;
(k) imposing that the user be automatically redirected, at the stage of authentication, to the account servicing payment service provider’s web page address when this is the sole method of carrying out the authentication of the payment services user that is supported by an account servicing payment service provider;
(l) requiring two strong customer authentications in a payment initiation service-only journey where the payment initiation service provider transmits to the account servicing payment service provider all the information necessary to initiate the payment, namely one strong customer authentication for the yes/no confirmation and a second strong customer authentication for payment initiation.
2. For the activities of payment initiation services and account information services the name and the account number of the account owner shall not constitute sensitive payment data.
Section 4
Rights and obligations of account information service providers and payment initiation service providers
Article 45
Use of the customer interface by account information service providers and payment initiation service providers
1. Account information service providers and payment initiation service providers shall access payment account data exclusively via the dedicated interface referred to in Article 35, except in the circumstances covered by Article 38(4) and (5) and Article 39.
2. Where an account information service provider or a payment initiation service provider accesses payment account data via an interface that the account servicing payment service provider makes available to its payment service users for directly accessing their payment account, in accordance with Article 38(4) and (5), or where that is the only interface accessible in accordance with Article 39, the account information service provider or the payment initiation service provider shall at all times:
(a) identify itself towards the account servicing payment service provider;
(b) rely on the authentication procedures provided by the account servicing payment service provider to the payment service user;
(c) take the necessary measures to ensure that they do not process data (including access and storage of data) for purposes other than for the provision of the service as requested by the payment service user;
(d) log the data that are accessed through the interface operated by the account servicing payment service provider for its payment service users, and provide, upon request and without undue delay, the log files to the competent authority. Logs shall be deleted 3 years after their creation. Logs may be kept for longer than this retention period if they are required for monitoring procedures that are already underway.
For the purpose of point (d) logs shall be deleted 3 years after their creation. Logs may be kept for longer than this retention period if they are required for monitoring procedures that are already underway.
Article 46
Specific obligations of payment initiation service providers
1. Payment initiation service providers shall:
(a) provide account servicing payment service providers with the same information as the information requested from the payment service user when initiating the payment transaction directly;
(b) provide services only where based on the payment service user’s permission, in accordance with Article 49;
(c) not hold at any time the payer’s funds in connection with the provision of the payment initiation service;
(d) ensure that the personalised security credentials of the payment services user are not, with the exception of the payer and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;
(e) ensure that any other information about the payment services user obtained when providing payment initiation services, is only provided to the payee and only with the payment services user’s permission;
(f) every time a payment is initiated, identify itself towards the account servicing payment service provider and communicate with the account servicing payment service provider, the payer and the payee in a secure way.
2. Payment initiation service providers shall not:
(a) store sensitive payment data of the payment service user;
(b) request from the payment service user any data other than those necessary to provide the payment initiation service;
(c) process any personal or non-personal data (including use, access or storage of data) for purposes other than for the provision of the payment initiation service as permitted by the payment services user;
(d) modify the amount, the payee or any other feature of the transaction.
Article 47
Specific obligations of and other provisions concerning account information service providers
1. The account information service provider shall:
(a) provide services only where based on the payment service user’s permission, in accordance with Article 49;
(b) ensure that the personalised security credentials of the payment service user are not accessible to other parties, with the exception of the user and the issuer of the personalised security credentials, and that when those credentials are transmitted by the account information service provider, transmission is done through safe and efficient channels;
(c) for each communication session, identify itself towards the account servicing payment service provider of the payment service user and securely communicate with the account servicing payment service provider and the payment service user;
(d) access only information from designated payment accounts and associated payment transactions;
(e) have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the payment service user's permission.
2. The account information service provider shall not:
(a) request sensitive payment data linked to the payment accounts;
(b) use, access or store any data for purposes other than for performing the account information service permitted by the payment service user, in accordance with Regulation (EU) 2016/679.
3. The following Articles shall not apply to account information service providers: Articles 4 to 8, Articles 10, 11 and 12, Articles 14 to 19, Articles 21 to 29, Articles 50 and 51, Articles 53 to 79, and Articles 83 and 84.
Section 5
Implementation
Article 48
Role of competent authorities
1. Competent authorities shall ensure that account servicing payment service providers comply at all times with their obligations in relation to the dedicated interface referred to in Article 35(1) and that any identified prohibited obstacle listed in Article 44 is immediately removed by the relevant account servicing payment service provider. Where such non-compliance of the dedicated interfaces with this Regulation or obstacles are identified, including on the basis of information transmitted by payment initiation services and account information services providers, the competent authorities shall take without delay the necessary enforcement measures and impose any appropriate sanction or, where appropriate, grant access rights in accordance with Article 38(4).
2. Competent authorities shall take without delay every necessary enforcement action where necessary to preserve the access rights of payment initiation services and account information services providers. Enforcement actions may include appropriate sanctions.
3. Competent authorities shall ensure that payment initiation service and account information service providers comply with their obligations in relation to the use of data access interfaces at all times.
4. Competent authorities shall have the necessary resources, notably in terms of dedicated staff, in order to comply at all times with their tasks.
5. Competent authorities shall cooperate with supervisory authorities under Regulation (EU) 2016/679 where processing of personal data is concerned.
6. Competent authorities shall, on their initiative, hold regular joint meetings with account servicing payment service providers, payment initiation service and account information service providers and shall deploy their best efforts to ensure that possible issues arising from the use of and access to data exchange interfaces between account servicing payment service providers, payment initiation service and account information service providers are rapidly et durably solved.
7. Account servicing payment service providers shall provide competent authorities with data on access by account information service providers and payment initiation service providers to payment accounts which they service. Competent authorities may also, where appropriate, require account information service providers and payment initiation service providers to provide any relevant data on their operations. In accordance with its powers pursuant to Article 29, point (b), Article 31 and Article 35(2) of Regulation (EU) No 1093/2010, the EBA shall coordinate that monitoring activity by competent authorities, avoiding data reporting duplication. The EBA shall report every two years to the Commission on the size and operation of the markets for account information services and payment initiation services in the Union. Those periodical reports may, where appropriate, contain recommendations.
8. The EBA shall develop draft regulatory technical standards specifying the data to be provided to competent authorities pursuant to paragraph 7 as well as the methodology and periodicity to be applied for such data provision.
The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 18 months after the date of entry into force of this Regulation].
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.
CHAPTER 4
Authorisation of payment transactions
Article 49
Authorisation
1. A payment transaction or a series of payment transactions shall be authorised only if the payer has given its permission for the execution of the payment transaction. A payment transaction may be authorised by the payer prior to or, if agreed between the payer and the account servicing payment service provider, after the execution of the payment transaction.
2. Access to a payment account for the purpose of account information services or payment initiation services by payment service providers shall be authorised only if the payment service user has given its permission to the account information services provider or, respectively, to the payment initiation service provider, to access the payment account and the relevant data in that account.
3. In the absence of permission, a payment transaction or access to a payment account by an account information service provider or a payment initiation service provider shall be considered to be unauthorised.
4. Account servicing payment service providers shall not verify the permission given by the payment service user to the account information service provider or payment initiation service provider.
5. The permission referred to in paragraphs 1 and 2 shall be expressed in the form agreed between the payer and the relevant payment service provider. Permission to execute a payment transaction may also be expressed via the payee or the payment initiation service provider.
6. The procedure for giving permission shall be agreed between the payer and the relevant payment service provider.
7. The payment service user may withdraw permission to execute a payment transaction or to access a payment account for the purpose of payment initiation services or account information services may be withdrawn by the payment service user at any time. The payment service user may also withdraw permission to execute a series of payment transactions, in which case any future payment transaction shall be considered to be unauthorised.
Article 50
Discrepancies between the name and unique identifier of a payee in case of credit transfers
1. In case of credit transfers, the payment service provider of the payee shall, free of charge, at the request of the payment service provider of the payer, verify whether or not the unique identifier and the name of the payee as provided by the payer match, and shall communicate the outcome of this verification to the payment service provider of the payer. Where the unique identifier and the name of the payee do not match, the payment service provider of the payer shall notify the payer of any such discrepancy detected and shall inform the payer of the degree of that discrepancy.
2. The payment service providers shall provide the service referred to in paragraph 1 immediately after the payer provided to its payment service provider the unique identifier and the name of the payee, and before the payer is offered the possibility to authorise the credit transfer.
3. Payment service providers shall ensure that the detection and notification of a discrepancy as referred to in paragraph 1 does not prevent payers from authorising the credit transfer concerned. If the payer, after being notified about a detected discrepancy, authorises the credit transfer and the transaction is executed in accordance with the unique identifier given by the payer, that transaction shall be deemed to have been executed correctly.
4. Payment service providers shall ensure that payment service users have the right to opt out from being offered the service referred to in paragraph 1 and shall inform their payment service users of the means to express such opt-out right. Payment service providers shall ensure that payment service users that initially opted out from receiving the service referred to in paragraph 1, have the right to opt in to receive that service.
5. Payment service providers shall inform their payment service users that authorising a transaction despite a detected and notified discrepancy or that opting out from receiving the service referred to in paragraph 1 may lead to transferring the funds to a payment account not held by the payee indicated by the payer. Payment service providers shall provide that information at the same time as the notification of discrepancies or when the payment service user opts out from receiving the service referred to in paragraph 1.
6. The service referred to in paragraph 1 shall be provided with respect to payment orders placed through electronic payment initiation channels and through non-electronic payment orders involving a real-time interaction between the payer and the payment service provider of the payer.
7. The matching service referred to in paragraph 1 shall not be required where the payer did not input himself the unique identifier and the name of the payee.
8. This Article shall not apply to instant credit transfers denominated in euro falling within the scope of Regulation XXX (IPR).
Article 51
Limits and blocking of the use of the payment instrument
1. Where a specific payment instrument is used for the purposes of giving permission, the payer and the payer’s payment service provider may agree on spending limits for payment transactions executed through that payment instrument. Payment service providers shall not unilaterally increase the spending limits agreed with their payment service users.
2. If agreed in the framework contract, the payment service provider may reserve the right to block the payment instrument for objectively justified reasons relating to the security of the payment instrument, the suspicion of unauthorised or fraudulent use of the payment instrument or, in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.
3. In such cases the payment service provider shall inform the payer of the blocking of the payment instrument and the reasons for it in an agreed manner, where possible before the payment instrument is blocked and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.
4. The payment service provider shall unblock the payment instrument or replace it with a new payment instrument once the reasons for blocking no longer exist.
Article 52
Obligations of the payment service user in relation to payment instruments and personalised security credentials
The payment service user entitled to use a payment instrument shall:
(a) use the payment instrument in accordance with the terms governing the issue and use of the payment instrument, which shall be objective, non-discriminatory and proportionate;
(b) notify the payment service provider, or the entity specified by the payment service provider, without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.
For the purposes of point (a) the payment service user shall, as soon as in receipt of a payment instrument, take all reasonable steps to keep its personalised security credentials safe.
Article 53
Obligations of the payment service provider in relation to payment
instruments
1. The payment service provider issuing a payment instrument shall:
(a) make sure that the personalised security credentials are not accessible to parties other than the payment service user that is entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 52;
(b) refrain from sending an unsolicited payment instrument, except where a payment instrument already given to the payment service user is to be replaced;
(c) ensure that appropriate means are available at all times to enable the payment service user to make a notification pursuant to Article 52 point (b), or to request unblocking of the payment instrument pursuant to Article 51(4);
(d) provide the payment service user with the possibility to make a notification pursuant to Article 52 point (b) free of charge and only charge any possible replacement costs directly attributed to the payment instrument;
(e) prevent all use of the payment instrument once a notification pursuant to Article 52 point (b) has been made.
(f) For the purposes of point (c), the payment service provider shall provide the payment service user upon its request with the means to prove, for 18 months after notification, that the payment service user made such a notification.
2. The payment service provider shall bear the risk of sending a payment instrument or any personalised security credentials relating to it to the payment service user.
Article 54
Notification and rectification of unauthorised, authorised or incorrectly executed payment transactions
1. The payment service provider shall only rectify any unauthorised, incorrectly executed payment transaction or authorised payment transaction where the payment service user notifies the payment service provider in accordance with Articles 57 and 59 without undue delay after becoming aware of any such transaction giving rise to a claim, including a claim under Article 75, and no later than 13 months after the debit date.
The time limits for notification laid down in the first subparagraph shall not apply where the payment service provider has failed to provide or make available the information on the payment transaction in accordance with Title II.
2. Where a payment initiation service provider is involved, the payment service user shall obtain rectification from the account servicing payment service provider pursuant to paragraph 1 of this Article, without prejudice to Article 56(4) and Article 75(1).
Article 55
Evidence on authorisation and execution of payment transactions
1. Where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, the burden shall be on the payment service provider to prove that the payment transaction was authorised, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.
If the payment transaction is initiated through a payment initiation service provider, the burden shall be on the payment initiation service provider to prove that within its sphere of competence, the payment transaction was authorised, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.
2. Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including the payment initiation service provider as appropriate, shall in itself not be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of the obligations under Article 52. The payment service provider, including, where appropriate, the payment initiation service provider, shall provide supporting evidence to prove fraud or gross negligence on part of the payment service user.
Article 56
Payment service provider’s liability for unauthorised payment
transactions
1. Without prejudice to Article 54, in the case of an unauthorised payment transaction, the payer’s payment service provider shall refund the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the unauthorised transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud committed by the payer and communicates those grounds to the relevant national authority in writing.
2. Where the payer’s payment service provider had reasonable grounds for suspecting fraud committed by the payer, the payer’s payment service provider shall, within 10 business days after noting or being notified of the transaction, do either of the following:
(a) refund the payer the amount of the unauthorised payment transaction if the payer’s payment service provider has concluded, after further investigation, that no fraud has been committed by the payer;
(b) provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the payer does not accept the reasons provided.
3. Where applicable, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. The payer’s payment service provider shall also ensure that the credit value date for the payer’s payment account shall be no later than the date the amount had been debited.
4. Where the payment transaction is initiated through a payment initiation service provider, the account servicing payment service provider shall refund immediately, and in any event no later than by the end of the following business day, the amount of the unauthorised payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.
5. If the payment initiation service provider is liable for the unauthorised payment transaction, the payment initiation service provider shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. In accordance with Article 55(1), the burden shall be on the payment initiation service provider to prove that, within its sphere of competence, the payment transaction was authorised, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.
6. The payer may be entitled to further financial compensation from the payment service provider in accordance with the law applicable to the contract concluded between the payer and the payment service provider or the contract concluded between the payer and the payment initiation service provider, where applicable.
Article 57
Payment service provider’s liability for incorrect application of the matching verification service
1. The payer shall not bear any financial losses for any authorised credit transfer where the payment service provider of the payer failed, in breach of Article 50(1), to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer.
2. Within 10 business days after noting or being notified of a credit transfer transaction executed in the circumstances referred to in paragraph 1, the payment service provider shall do either of the following:
(a) refund the payer the full amount of the authorised credit transfer;
(b) provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the payer does not accept the reasons provided.
3. Where the payment service provider of the payee is responsible for the breach of Article 50(1) committed by the payment service provider of the payer, the payment service provider of the payee shall refund the financial damage incurred by the payment service provider of the payer.
4. The burden shall be on the payment service provider of the payer or, in the case referred to in paragraph 3, of the payee to prove that there was no breach of Article 50(1).
5. Paragraphs 1 to 4 shall not apply if the payer has acted fraudulently or if the payer opted out from receiving the verification service in accordance with Article 50(4).
6. This Article shall not apply to instant credit transfers denominated in euro falling within the scope of by Regulation XXX (IPR).
Article 58
Liability of technical service providers and of operators of payment schemes for failure to support the application of strong customer authentication
Technical service providers and operators of payment schemes that either provide services to the payee, or to the payment service provider of the payee or of the payer, shall be liable for any financial damage caused to the payee, to the payment service provider of the payee or of the payer for their failure, within the remit of their contractual relationship, to provide the services that are necessary to enable the application of strong customer authentication.
Article 59
Payment service provider’s liability for impersonation fraud
1. Where a payment services user who is a consumer was manipulated by a third party pretending to be an employee of the consumer’s payment service provider using the name or e-mail address or telephone number of that payment service provider unlawfully and that manipulation gave rise to subsequent fraudulent authorised payment transactions, the payment service provider shall refund the consumer the full amount of the fraudulent authorised payment transaction under the condition that the consumer has, without any delay, reported the fraud to the police and notified its payment service provider.
2. Within 10 business days after noting or being notified of the fraudulent authorised payment transaction, the payment service provider shall do either of the following:
(a) refund the consumer the amount of the fraudulent authorised payment transaction;
(b) where the payment service provider has reasonable grounds to suspect a fraud or a gross negligence by the consumer, provide a justification for refusing the refund and indicate to the consumer the bodies to which the consumer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the consumer does not accept the reasons provided.
3. Paragraph 1 shall not apply if the consumer has acted fraudulently or with gross negligence.
4. The burden shall be on the payment service provider of the consumer to prove that the consumer acted fraudulently or with gross negligence.
5. Where informed by a payment service provider of the occurrence of the type of fraud as referred to in paragraph 1, electronic communications services providers shall cooperate closely with payment service providers and act swiftly to ensure that appropriate organizational and technical measures are in place to safeguard the security and confidentiality of communications in accordance with Directive 2002/58/EC, including with regard to calling line identification and electronic mail address.
Article 60
Payer’s liability for unauthorised payment transactions
1. By way of derogation from Article 56, the payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.
The first subparagraph shall not apply where any of the following occurred:
(a) the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or
(b) the loss was caused by acts or lack of action of an employee, agent or branch of a payment service provider or of an entity to which its activities were outsourced.
The payer shall bear all of the losses relating to any unauthorised payment transactions if those losses were incurred by the payer acting fraudulently or failing to fulfil one or more of the obligations set out in Article 52 with intent or gross negligence. In such cases, the maximum amount referred to in the first subparagraph shall not apply.
Where the payer has neither acted fraudulently nor intentionally failed to fulfil its obligations under Article 52, national competent authorities or payment service providers may reduce the liability referred to in this paragraph, taking into account, in particular, the nature of the personalised security credentials and the specific circumstances under which the payment instrument was lost, stolen or misappropriated.
2. Where the payer’s payment service provider fails to fulfil the obligation to require strong customer authentication set out in Article 85, the payer shall not bear any financial losses unless the payer has acted fraudulently. The same shall apply where either the payment service provider of the payer or of the payee applies an exemption from the application of strong customer authentication. Where the payee or the payment service provider of the payee fails to develop or amend the systems, hardware and software that are necessary to apply strong customer authentication, the payee or the payment service provider of the payee shall refund the financial damage caused to the payer’s payment service provider.
3. Where the payee’s payment services provider applies an exemption from the application of strong customer authentication, the payee’s payment services provider shall be liable towards the payer’s payment services provider for any financial loss incurred by the latter.
4. The payer shall not bear any financial consequences resulting from use of the lost, stolen or misappropriated payment instrument after notification in accordance with of Article 52, point (b), except where the payer has acted fraudulently.
If the payment service provider does not provide appropriate means for the notification at all times of a lost, stolen or misappropriated payment instrument, as required under of Article 53(1), point (c), the payer shall not be liable for the financial consequences resulting from use of that payment instrument, except where the payer has acted fraudulently.
Article 61
Payment transactions where the transaction amount is not known in advance
1. Where a payment transaction is initiated by or through the payee in the context of a card-based payment transaction and the exact future amount is not known at the moment when the payer authorizes the execution of the payment transaction, the payer’s payment service provider may only block funds on the payer’s payment account if the payer has given his or her permission to that precise amount of funds to be blocked.
2. The amount of the funds blocked by the payer’s payment service provider shall be in proportion with the amount of the payment transaction which can reasonably be expected by the payer.
3. The payee shall inform its payment service provider of the exact amount of the payment transaction immediately after delivery of the service or goods to the payer.
4. The payer’s payment service provider shall release the funds blocked on the payer’s payment account immediately after receipt of the information about the exact amount of the payment transaction.
Article 62
Refunds for payment transactions initiated by or through a payee
1. A payer shall be entitled to a refund from the payment service provider of an authorised payment transaction which was initiated by the payer through a payee and which has already been executed, where both of the following conditions are met:
(a) the authorisation did not specify the exact amount of the payment transaction when the authorisation was made;
(b) the amount of the payment transaction exceeded the amount the payer could reasonably have expected taking into account the previous spending pattern, the conditions in the framework contract and relevant circumstances of the case.
At the payment service provider’s request, the payer shall bear the burden of proving such conditions are met.
The refund shall consist of the full amount of the executed payment transaction. The credit value date for the payer’s payment account shall be no later than the date the amount was debited.
Without prejudice to paragraph 3 of this Article, in addition to the right referred to in the first subparagraph of this paragraph, for authorised payment transactions which were initiated by a payee, including direct debits as referred to in Article 1 of Regulation (EU) No 260/2012, the payer shall have an unconditional right to a refund within the time limits laid down in Article 63 of this Regulation.
2. For the purposes of paragraph 1, first subparagraph, point (b), the payer shall not invoke reasons related to possible currency exchange costs if the reference exchange rate agreed with its payment service provider in accordance with Article 13(1), point (e), and Article 20, point (c)(iii), was applied.
3. The payer and the payment service provider may agree in a framework contract that the payer has no right to a refund where:
(a) the payer has authorised the execution of the payment transaction directly with the payment service provider;
(b) where applicable, information on the future payment transaction was provided or made available in an agreed manner to the payer for at least 4 weeks before the due date by the payment service provider or by the payee.
4. For direct debits in currencies other than euro, payment service providers may offer more favourable refund rights in accordance with their direct debit schemes provided that they are more advantageous to the payer.
Article 63
Requests for refunds for payment transactions initiated by or
through a payee
1. The payer may request the refund referred to in Article 62 of an authorised payment transaction initiated by or through a payee for a period of 8 weeks from the date on which the funds were debited.
2. Within 10 business days of receiving a request for a refund, the payment service provider shall do either of the following:
(a) refund the full amount of the payment transaction;
(b) provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter in accordance with Articles 90, 91, 93, 94 and 95 if the payer does not accept the reasons provided.
The payment service provider’s right under the first subparagraph of this paragraph to refuse the refund shall not apply in the case set out in of Article 62(1), fourth subparagraph.
CHAPTER 5
Execution of payment transactions
Section 1
Payment orders and amounts transferred
Article 64
Receipt of payment orders
1. The time of receipt of a payment order shall be when the payment order is received by the payer’s payment service provider.
The payer’s account shall not be debited before receipt of the payment order. If the time of receipt is not on a business day for the payer’s payment service provider, the payment order shall be deemed to have been received on the following business day. The payment service provider may establish a cut-off time near the end of a business day beyond which any payment order received shall be deemed to have been received on the following business day.
2. If the payment service user placing a payment order and the payment service provider agree that the execution of the payment order shall start on a specific day or at the end of a certain period or on the day on which the payer has put the funds at the payment service provider’s disposal, the time of receipt for the purposes of Article 69 shall be deemed to be the agreed day. If the agreed day is not a business day for the payment service provider, the payment order received shall be deemed to have been received on the following business day.
3. This Article shall not apply to instant credit transfers denominated in Euro as covered by Regulation XXX (IPR).
Article 65
Refusal of payment orders
1. Where the payment service provider refuses to execute a payment order or to initiate a payment transaction, the payment service provider shall notify the refusal and, if possible, the reasons for that refusal and the procedure for correcting any factual mistakes that led to the refusal to the payment service user, unless prohibited by other relevant Union or national law.
The payment service provider shall provide or make available the notification in an agreed manner at the earliest opportunity, and in any case within the periods specified in Article 69.
The framework contract may include a condition that the payment service provider may charge a reasonable fee for such a refusal if the refusal is objectively justified.
2. Where all of the conditions set out in the payer’s framework contract are met, the payer’s account servicing payment service provider shall not refuse to execute an authorised payment transaction irrespective of whether the payment order is placed by a payer, including through a payment initiation service provider, or by or through a payee, unless prohibited by other relevant Union or national law.
3. For the purposes of Articles 69 and 75 a payment order whose execution has been refused shall be deemed not to have been received.
Article 66
Irrevocability of a payment order
1. The payment service user shall not revoke a payment order once it has been received by the payer’s payment service provider, unless otherwise specified in this Article.
2. Where the payment transaction is initiated by a payment initiation service provider or by or through the payee, the payer shall not revoke the payment order after giving permission to the payment initiation service provider to initiate the payment transaction or after giving permission to execute the payment transaction to the payee.
3. In the case of a direct debit, and without prejudice to refund rights, the payer may revoke the payment order at the latest by the end of the business day preceding the day agreed for debiting the funds.
4. In the case referred to in Article 64(2), the payment service user may revoke a payment order at the latest by the end of the business day preceding the agreed day.
5. After the time limits laid down in paragraphs 1 to 4, the payment order may be revoked only if agreed between the payment service user and the relevant payment service providers. In the case referred to in paragraphs 2 and 3, the payee’s agreement shall also be required. If agreed in the framework contract, the relevant payment service provider may charge for revocation.
Article 67
Amounts transferred and amounts received
1. The payment service provider of the payer, the payment service provider(s) of the payee and any intermediaries of the payment service providers shall transfer the full amount of the payment transaction and shall refrain from deducting charges from the amount transferred.
2. The payee and the payment service provider may agree that the relevant payment service provider deduct its charges from the amount transferred before crediting it to the payee. In such a case, the full amount of the payment transaction and charges shall be separated in the information given to the payee.
3. If any charges other than those referred to in paragraph 2 are deducted from the amount transferred, the payment service provider of the payer shall ensure that the payee receives the full amount of the payment transaction initiated by the payer. Where the payment transaction is initiated by or through the payee, the payment service provider of the payee shall ensure that the full amount of the payment transaction is received by the payee.
Section 2
Execution time and value date
Article 68
Scope
1. This Section applies to:
(a) payment transactions in euro;
(b) national payment transactions in the currency of the Member State outside the euro area;
(c) payment transactions involving only one currency conversion between the euro and the currency of a Member State outside the euro area, provided that the required currency conversion is carried out in the Member State outside the euro area concerned and, in the case of cross-border payment transactions, the cross-border transfer takes place in euro.
2. This Section applies to payment transactions not referred to in paragraph 1, unless otherwise agreed between the payment service user and the payment service provider, with the exception of Article 73, which is not at the disposal of the parties. However, if the payment service user and the payment service provider agree on a longer period than that set in Article 69, for intra-Union payment transactions, that longer period shall not exceed 4 business days following the time of receipt as referred to in Article 64.
Article 69
Payment transactions to a payment account
1. Without prejudice to Article 2(1), point (c) of Regulation (EU) No 260/2012, the payer’s payment service provider shall ensure that after the time of receipt as referred to in Article 64, the amount of the payment transaction will be credited to the payee’s payment service provider’s account by the end of the following business day. That time limit may be extended by a further business day for paper-initiated payment transactions.
2. The payment service provider of the payee shall value date and make available the amount of the payment transaction to the payee’s payment account after the payment service provider has received the funds in accordance with Article 73.
3. The payee’s payment service provider shall transmit a payment order placed by or through the payee to the payer’s payment service provider within the time limits agreed between the payee and the payment service provider, enabling settlement, as far as direct debit is concerned, on the agreed due date.
Article 70
Absence of payee’s payment account with the payment service
provider
Where the payee does not have a payment account with the payment service provider, the payment service provider who receives the funds for the payee shall make the funds available to the payee within the time limit laid down in Article 69(1).
Article 71
Cash placed on a payment account
Where a consumer places cash on a payment account with that payment service provider in the currency of that payment account, the payment service provider shall ensure that the amount is made available and value dated immediately after receipt of the funds. Where the payment service user is not a consumer, the amount shall be made available and value dated at the latest on the following business day after receipt of the funds.
Article 72
National payment transactions
For national payment transactions, Member States may provide for shorter maximum execution times than those provided for in this Section.
Article 73
Value date and availability of funds
1. The credit value date for the payee’s payment account shall be no later than the business day on which the amount of the payment transaction is credited to the payee’s payment service provider’s account.
2. The payment service provider of the payee shall ensure that the amount of the payment transaction is at the payee’s disposal immediately after that amount is credited to the payee’s payment service provider’s account where, on the part of the payee’s payment service provider, there is either of the following:
(a) no currency conversion;
(b) a currency conversion between the euro and a Member State currency or between two Member State currencies.
The obligation laid down in this paragraph shall also apply to payments within one payment service provider.
3. The debit value date for the payer’s payment account shall be no earlier than the time at which the amount of the payment transaction is debited to that payment account.
Article 74
Incorrect unique identifiers
1. If a payment transaction is executed in accordance with the unique identifier, the payment transaction shall be deemed to have been executed correctly with regard to the payee specified by the unique identifier.
2. If the unique identifier provided by the payment service user is incorrect, the payment service provider shall not be liable under Article 75 for non-execution or defective execution of the payment transaction.
3. The payer’s payment service provider shall make reasonable efforts to recover the funds involved in the payment transaction. The payee’s payment service provider shall cooperate in those efforts also by communicating to the payer’s payment service provider all relevant information for the collection of funds.
Where the collection of funds under the first subparagraph is not possible, the payer’s payment service provider shall provide to the payer, upon written request, all information available to the payer’s payment service provider and relevant to the payer in order for the payer to file a legal claim to recover the funds.
4. Where agreed in the framework contract, the payment service provider may charge the payment service user for recovery.
5. If the payment service user provides information in addition to the information referred to in Article 13(1), point (a), or Article 20 point (b) (ii), the payment service provider shall be liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user.
6. Where the unique identifier provided by the payment initiation service provider is incorrect, payment service providers shall be liable in accordance with Article 76.
Article 75
Payment service providers’ liability for non-execution, defective or late execution of payment transactions
1. Where a payment order is placed directly by the payer, the payer’s payment service provider shall, without prejudice to Article 54, Article 74(2) and (3), and Article 79, be liable to the payer for correct execution of the payment transaction, unless it can prove to the payer and, where relevant, to the payee’s payment service provider that the payee’s payment service provider received the amount of the payment transaction in accordance with Article 69(1). In that case, the payee’s payment service provider shall be liable to the payee for the correct execution of the payment transaction.
Where the payer’s payment service provider is liable under the first subparagraph, it shall immediately refund to the payer the amount of the non-executed or defective payment transaction, and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.
The credit value date for the payer’s payment account shall be no later than the date on which the amount was debited.
Where the payee’s payment service provider is liable under the first subparagraph, it shall immediately place the amount of the payment transaction at the payee’s disposal and, where applicable, credit the corresponding amount to the payee’s payment account.
The credit value date for the payee’s payment account shall be no later than the date on which the amount would have been value dated, had the transaction been correctly executed in accordance with Article 73.
Where a payment transaction is executed late, the payee’s payment service provider shall ensure, upon the request of the payer’s payment service provider acting on behalf of the payer, that the credit value date for the payee’s payment account is no later than the date the amount would have been value dated had the transaction been correctly executed.
In the case of a non-executed or defectively executed payment transaction where the payment order is placed by the payer, the payer’s payment service provider shall, regardless of liability under this paragraph, on request and without charging the payer, make immediate efforts to trace the payment transaction and notify the payer of the outcome.
2. Where a payment order is placed by or through the payee, the payee’s payment service provider shall, without prejudice to Article 54, Article 74(2) and (3), and Article 79, be liable to the payee for correct transmission of the payment order to the payment service provider of the payer in accordance with Article 69(3). Where the payee’s payment service provider is liable under this subparagraph, it shall immediately re-transmit the payment order in question to the payment service provider of the payer.
In the case of a late transmission of the payment order, the amount shall be value dated on the payee’s payment account no later than the date the amount would have been value dated had the transaction been correctly executed.
Without prejudice to Article 54, Article 74(2) and (3), and Article 79, the payment service provider of the payee shall be liable to the payee for handling the payment transaction in accordance with its obligations under Article 73. Where the payee’s payment service provider is liable under this subparagraph, it shall ensure that the amount of the payment transaction is at the payee’s disposal immediately after that amount is credited to the payee’s payment service provider’s account. The amount shall be value dated on the payee’s payment account no later than the date the amount would have been value dated had the transaction been correctly executed.
In the case of a non-executed or defectively executed payment transaction for which the payee's payment service provider is not liable under the first and third subparagraphs, the payer's payment service provider shall be liable to the payer. Where the payer’s payment service provider is so liable it shall, as appropriate and without undue delay, refund to the payer the amount of the non-executed or defective payment transaction and restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place. The credit value date for the payer’s payment account shall be no later than the date the amount was debited.
The obligation under the fourth subparagraph shall not apply to the payer’s payment service provider where the payer’s payment service provider proves that the payee’s payment service provider has received the amount of the payment transaction, even if execution of payment transaction is merely delayed. If so, the payee’s payment service provider shall value date the amount on the payee’s payment account no later than the date the amount would have been value dated had it been executed correctly.
In the case of a non-executed or defectively executed payment transaction where the payment order is placed by or through the payee, the payee’s payment service provider shall, regardless of liability under this paragraph, on request and without charging the payer, make immediate efforts to trace the payment transaction and notify the payee of the outcome.
3. Payment service providers shall be liable to their respective payment service users for any charges for which they are responsible, and for any interest to which the payment service user is subject as a consequence of non-execution or defective, including late, execution of the payment transaction.
Article 76
Liability in the case of payment initiation services for non-execution, defective or late execution of payment transactions
1. Where a payment order is placed by the payer or by the payee through a payment initiation service provider, the account servicing payment service provider shall, without prejudice to Article 54 and Article 74(2) and (3), refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.
The burden shall be on the payment initiation service provider to prove that the payment order was received by the payer’s account servicing payment service provider in accordance with Article 64 and that within its sphere of competence the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the non-execution, defective or late execution of the transaction.
2. If the payment initiation service provider is liable for the non-execution, defective or late execution of the payment transaction, it shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer.
Article 77
Additional financial compensation
Any financial compensation additional to that provided for under this Section may be determined in accordance with the law applicable to the contract concluded between the payment service user and the payment service provider.
Article 78
Right of recourse
1. Where the liability of a payment service provider under Articles 56, 57, 59, 75 and 76 is attributable to another payment service provider or to an intermediary, that payment service provider or intermediary shall compensate the first payment service provider for any losses incurred or sums paid under Articles 56, 57, 59, 75 and 76. That shall include compensation where any of the payment service providers fail to apply strong customer authentication.
2. Further financial compensation may be determined in accordance with agreements between payment service providers or intermediaries and the law applicable to the agreement concluded between them.
Article 79
Abnormal and unforeseeable circumstances
No liability shall arise under Chapter 4 or 5 in cases of abnormal and unforeseeable circumstances beyond the control of the party pleading for the application of those circumstances, the consequences of which would have been unavoidable despite all efforts to the contrary, or where a payment service provider is bound by other legal obligations covered by Union or national law.
CHAPTER 6
Data protection
Article 80
Data protection
Payment systems and payment service providers shall be allowed to process special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 to the extent necessary for the provision of payment services and for compliance with obligations under this Regulation, in the public interest of the well-functioning of the internal market for payment services, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including the following:
(a) technical measures to ensure compliance with the principles of purpose limitation, data minimisation and storage limitation, as laid down in Regulation (EU) 2016/679, including technical limitations on the re-use of data and use of state-of-the-art security and privacy-preserving measures, including pseudonymisation, or encryption;
(b) organizational measures, including training on processing special categories of data, limiting access to special categories of data and recording such access.
CHAPTER 7
Operational and security risks and authentication
Article 81
Management of operational and security risks
1. Payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
The first subparagraph shall be without prejudice to the application of Chapter II of Regulation (EU) 2022/2554 of the European Parliament and of the Council65 to:
(a) payment service providers referred to in Article 2(1), points (a), (b) and (d) of this Regulation;
(b) account information service providers referred to in Article 36(1) of Directive (EU) (PSD3); and
(c) payment institutions exempted pursuant to Article 34(1) of Directive (EU) (PSD3).
Payment service providers shall provide to the competent authority designated under Directive (EU) XXX (PSD3) on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
2. The EBA shall promote cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities, between the competent authorities and the ECB and, where relevant, the European Union Agency for Network and Information Security.
Article 82
Fraud reporting
1. Payment service providers shall provide, at least on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities. Those competent authorities shall provide the EBA and the ECB with such data in an aggregated form.
2. The EBA shall, in close cooperation with the ECB, develop draft regulatory technical standards on statistical data to be provided in accordance with paragraph 1 on the fraud reporting requirements referred to in paragraph 1.
The EBA shall submit the regulatory technical standards referred to in first subparagraph to the Commission by [ OP please insert the date= one year after the date of entry into force of this Regulation]. Power is delegated on the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
3. The EBA shall develop draft implementing technical standards establishing the standard forms and templates for the submission of the payment fraud data by competent authorities to the EBA, as referred to in paragraph 1.
The EBA shall submit the implementing technical standards referred to in first subparagraph to the Commission by [ OP please insert the date= one year after the date of entry into force of this Regulation]. Power is delegated on the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.
Article 83
Transaction monitoring mechanisms and fraud data sharing
1. Payment service providers shall have transaction monitoring mechanisms in place that:
(a) support the application of strong customer authentication in accordance with Article 85;
(b) exempt the application of strong customer authentication based on the criteria under Article 85(11), subject to specified and limited conditions based on the level of risk involved, the types and details of the data assessed by the payment service provider;
(c) enable payment service providers to prevent and detect potentially fraudulent payment transactions, including transactions involving payment initiation services.
2. Transaction monitoring mechanisms shall be based on the analysis of previous payment transactions and access to payment accounts online. Processing shall be limited to the following data required for the purposes referred to in paragraph 1:
(a) information on the payment service user, including the environmental and behavioural characteristics which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials;
(b) information on the payment account, including the payment transaction history;
(c) transaction information, including the transaction amount and unique identifier of the payee;
(d) session data, including the device internet protocol address-range from which the payment account has been accessed.
Payment service providers shall not store data referred to in this paragraph longer than necessary for the purposes set out in paragraph 1, and not after the termination of the customer relationship. Payment service providers shall ensure that the transaction monitoring mechanisms take into account, at a minimum, each of the following risk-based factors:
(a) lists of compromised or stolen authentication elements;
(b) the amount of each payment transaction;
(c) known fraud scenarios in the provision of payment services;
(d) signs of malware infection in any sessions of the authentication procedure;
(e) in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
3. To the extent necessary to comply with paragraph 1, point (c), payment service providers may exchange the unique identifier of a payee with other payment service providers who are subject to information sharing arrangements as referred to in paragraph 5, when the payment service provider has sufficient evidence to assume that there was a fraudulent payment transaction. Sufficient evidence for sharing unique identifiers shall be assumed when at least two different payment services users who are customers of the same payment service provider have informed that a unique identifier of a payee was used to make a fraudulent credit transfer. Payment service providers shall not keep unique identifiers obtained following the information exchange referred to in this paragraph and paragraph 5 for longer than it is necessary for the purposes laid down in paragraph 1, point (c).
4. The information sharing arrangements shall define details for participation and shall set out the details on operational elements, including the use of dedicated IT platforms. Before concluding such arrangements, payment service providers shall conduct jointly a data protection impact assessment as referred to in Article 35 of the Regulation (EU) 2016/679 and, where applicable, carry out prior consultation of the supervisory authority as referred to in Article 36 of that Regulation.
5. Payment service providers shall notify competent authorities of their participation in the information sharing arrangements referred to in paragraph 5, upon validation of their membership by participants of the information sharing arrangement or, as applicable, of the cessation of their membership, once that cessation takes effect.
6. The processing of personal data in accordance with paragraph 4 shall not lead to termination of the contractual relationship with the customer by the payment service provider or affect their future on-boarding by another payment service provider.
Article 84
Payment fraud risks and trends
1. Payment service providers shall alert their customers via all appropriate means and media when new forms of payment fraud emerge, taking into account the needs of their most vulnerable groups of customers. Payment service providers shall give their customers clear indications on how to identify fraudulent attempts and warn them as to the necessary actions and precautions to be taken to avoid falling victim of fraudulent actions targeting them. Payment service providers shall inform their customers of where they can report fraudulent actions and rapidly obtain fraud-related information.
2. Payment service providers shall organize at least annually training programmes on payment fraud risks and trends for their employees and shall ensure that their employees are adequately trained to carry out their tasks and responsibilities in accordance with the relevant security policies and procedures to mitigate and manage payment fraud risks.
3. By [ OP please insert the date= 18 months after the date of entry into force of this Regulation], the EBA shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 with regard to the programmes on payment fraud risks referred to in paragraphs 1 and 2 of this Article.
Article 85
Strong customer authentication
1. A payment service provider shall apply strong customer authentication where the payer:
(a) accesses its payment account online;
(b) accesses payment account information;
(c) places a payment order for an electronic payment transaction;
(d) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
2. Payment transactions that are not initiated by the payer but by the payee only shall not be subject to strong customer authentication to the extent that those transactions are initiated without any interaction or involvement of the payer.
3. Where the payer has given a mandate authorising the payee to place a payment order for a payment transaction or a series of payment transactions through a particular payment instrument that is issued to be used by the payer to place payment orders for the payment transactions, and where the mandate is based on an agreement between the payer and the payee for the provision of products or services, the payment transactions initiated thereafter by the payee on the basis of such a mandate may be qualified as payee initiated transactions, provided that those transactions do not need to be preceded by a specific action of the payer to trigger their initiation by the payee.
4. The payment transactions for which payment orders are placed by the payee that are based on the mandate given by the payer shall be subject to the general provisions that apply to payee-initiated transactions as referred to in Articles 61, 62 and 63.
5. Where the mandate of the payer to the payee to place payment orders for transactions referred to in paragraph 3 is provided through a remote channel with the involvement of the payment service provider, the setting up of such a mandate shall be subject to strong customer authentication.
6. For direct debits, where the mandate given by the payer to the payee to initiate one or several direct debit transactions is provided through a remote channel with the direct involvement of a payment service provider in the setting up of such a mandate, strong customer authentication shall be applied.
7. Payment transactions for which payment orders are placed by the payer with modalities other than the use of electronic platforms or devices, such as paper-based payment orders, mail orders or telephone orders, shall not be subject to strong customer authentication, irrespective of whether or not the execution of the transaction is performed electronically, provided that security requirements and checks are carried out by the payment service provider of the payer allowing a form of authentication of the payment transaction.
8. For the remote placement of a payment order as referred to in paragraph 1, point (c), payment service providers shall apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.
9. For the placement of a payment order as referred to in paragraph 1, point (c), through a payer’s device using proximity technology for the exchange of information with the payee’s infrastructure, the authentication of which requires the use of internet on the payer’s device, payment service providers shall apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee or harmonised security measures of identical effect, which ensure the confidentiality, authenticity and integrity of the amount of the transaction and the payee throughout all of the phases of initiation.
10. For the purposes of paragraph 1, payment service providers shall have in place adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials.
11. Any exemptions from the application of strong customer authentication to be designed by the EBA under Article 89 shall be based on one or more of the following criteria:
(a) the level of risk involved in the service provided;
(b) the amount, the recurrence of the transaction, or both;
(c) the payment channel used for the execution of the transaction.
12. The two or more elements referred to in Article 3, point (35), on which strong customer authentication shall be based do not necessarily need to belong to different categories, as long as their independence is fully preserved.
Article 86
Strong customer authentication in respect of payment initiation and account information services
1. Article 85(9) shall also apply where payments are initiated through a payment initiation service provider. Article 85(10) shall also apply where payments are initiated through a payment initiation service provider and when the information is requested through an account information service provider.
2. Account servicing payment service providers shall allow payment initiation service providers and the account information service providers to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with Article 85(1) and (10) and, where the payment initiation service provider is involved, in accordance with Article 85(1), (8), (9), (10) and (11).
3. Without prejudice to paragraph 2, where payment account information is accessed by an account information service provider, the account servicing payment service provider shall only apply strong customer authentication for the first access to payment account data by a given account information service provider, unless the account servicing payment service provider has reasonable grounds to suspect fraud, but not for the subsequent access to that payment account by that account information service provider.
4. Unless the account servicing payment service provider has reasonable grounds to suspect fraud, account information service providers shall apply their own strong customer authentication when the payment services user accesses the payment account information retrieved by that account information service provider at least 180 days after strong customer authentication was last applied.
Article 87
Outsourcing agreements for the application of strong customer authentication
A payer payment service provider shall enter into an outsourcing agreement with its technical service provider in case that technical service provider is providing and verifying the elements of strong customer authentication. A payer’s payment service provider shall, under such agreement, retain full liability for any failure to apply strong customer authentication and have the right to audit and control security provisions.
Article 88
Accessibility requirements regarding strong customer authentication
1. Without prejudice to the accessibility requirements under Directive (EU) 2019/882, payment service providers shall ensure that all their customers, including persons with disabilities, older persons, with low digital skills and those who do not have access to digital channels or payment instruments, have at their disposal at least a means, adapted to their specific situation, which enables them to perform strong customer authentication.
2. Payment services providers shall not make the performance of strong customer authentication dependant on the exclusive use of a single means of authentication and shall not make the performance of strong customer authentication depend, explicitly or implicitly, on the possession of a smartphone. Payment services providers shall develop a diversity of means for application of strong customer authentication to cater for the specific situation of all their customers.
Article 89
Regulatory technical standards on authentication, communication and transaction monitoring mechanisms
1. The EBA shall develop draft regulatory technical standards which shall specify:
(a) the requirements of strong customer authentication as referred to in Article 85;
(b) the exemptions from the application of Article 85(1), (8) and (9), based on the criteria laid down in Article 85(11);
(c) the requirements with which security measures have to comply, in accordance with Article 85(10) in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials;
(d) the requirements applicable, in accordance with Article 87, to the outsourcing agreements between the payers’ payments service providers and technical service providers concerning the provision and verification of the elements of strong customer authentication by technical service providers;
(e) the requirements under Title III, Chapter 3 for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers;
(f) supplementary provisions on secure open standards of communication using dedicated interfaces;
(g) the technical requirements for transaction monitoring mechanisms referred to in Article 83.
For the purposes of point (b), as regards the exemption from the application of strong customer authentication for payment transactions, based on transaction risk analysis the draft regulatory technical standards shall specify, inter alia:
(i) the conditions that have to be met for a remote electronic payment transaction to be considered as posing a low level of risk;
(ii) the methodologies and models to implement transaction risk analysis;
(iii) the criteria for the calculation of fraud rates, including on the allocation of fraud rates between payment service providers providing issuing and acquiring services, or within payment service providers providing issuing and acquiring services through a single legal entity;
(iv) detailed and proportionate reporting and audit requirements.
2. When developing the draft regulatory technical standards referred to in paragraph 1, the EBA shall take into account:
(a) the need to ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;
(b) the need to ensure the safety of payment service users’ funds and personal data;
(c) the need to secure and maintain fair competition among all payment service providers;
(d) the need to ensure technology and business-model neutrality;
(e) the need to allow for the development of user-friendly, accessible and innovative means of payment.
The EBA shall submit the draft regulatory technical standards referred to in paragraph 1 to the Commission by [ OP please insert the date= 1 year after the date of entry into force of this Regulation]. Power is delegated on the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
3. In accordance with Article 10 of Regulation (EU) No 1093/2010, the EBA shall review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments, and the provisions of Chapter II of Regulation (EU) 2022/2554, and the European Digital Identity Wallets implemented under Regulation (EU) No 910/2014.
CHAPTER 8
Enforcement procedures, competent authorities and penalties
Section 1
Complaint procedures
Article 90
Complaints
1. Member States shall set up procedures which allow payment service users and other interested parties including consumer associations, to submit complaints to the competent authorities designated to ensure enforcement of this Regulation, with regard to payment service providers' alleged infringements of the provisions of this Regulation.
2. Where appropriate and without prejudice to the right to bring proceedings before a court in accordance with national procedural law, the reply from the competent authorities to the complaints referred to in paragraph 1 shall inform the complainant of the existence of the alternative dispute resolution (ADR) procedures set up in accordance with Article 95.
Article 91
Competent authorities and investigatory powers
1. Competent authorities shall exercise their powers to investigate potential infringements of this Regulation, and impose administrative sanctions and administrative measures laid down in their national legal frameworks in accordance with this Regulation, in any of the following ways:
(a) directly;
(b) in collaboration with other authorities;
(c) by delegating powers to other authorities or bodies, while retaining the responsibility for overseeing the delegated authority or body;
(d) by applying to the competent judicial authorities.
Where competent authorities delegate the exercise of their powers to other authorities or bodies in accordance with point (c) the delegation of power shall specify the delegated tasks, the conditions under which they are to be carried out, and the conditions under which the delegation of power may be revoked. The authorities or bodies to which the powers are delegated shall be organised in such a manner as to ensure that conflicts of interest are avoided. Competent authorities shall oversee the activity of the authorities or bodies to which the powers are delegated.
2. Member States shall designate competent authorities to ensure and monitor effective compliance with this Regulation. Those competent authorities shall take all appropriate measures to ensure such compliance.
The competent authorities shall be either:
(a) public authorities;
(b) bodies recognised by national law or by public authorities expressly empowered for that purpose by national law, including national central banks.
The competent authorities shall be independent from economic bodies and avoid conflicts of interest. Without prejudice to paragraph 2, point (b), payment institutions, credit institutions, or post office giro institutions shall not be designated as competent authorities.
3. The competent authorities referred to in paragraph 2 shall possess all investigatory powers and adequate resources necessary for the performance of their tasks.
Those powers shall include:
(a) in the course of procedures to investigate potential breaches of this Regulation, the power to require from, inter alia, the following natural or legal persons, all information necessary to carry out that investigation:
(i) payment services providers;
(ii) technical service providers and payment system operators;
(iii) ATM deployers which do not service payment accounts;
(iv) electronic communications services providers;
(v) natural persons belonging to the entities referred to in points (i), (ii) and (iii);
(vi) third parties to whom the entities referred to in points (i), (ii) and (iii) have outsourced operational functions or activities;
(vii) agents and distributors of the entities referred to in points (i), (ii) and (iii) and their branches established in the Member State concerned;
(b) the power to conduct all necessary investigations of any person referred to in points (a) (i) to (vii) established or located in the Member State of the competent authority or providing services therein, where necessary to carry out the tasks of the competent authorities, including the power to:
(i) require the submission of documents;
(ii) examine the books and records of the persons referred to in points (a) (i) to (vii) and take copies or extracts from such books and records;
(iii) obtain written or oral explanations from any person referred to in points (a) (i) to (vii) or their representatives or staff, where applicable;
(iv) interview any other natural person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;
(c) the power to conduct all necessary inspections at the business premises of the legal persons or of the natural persons referred to in points (a)(i) to (vii), subject to the prior notification of the competent authorities concerned.
4. Where the law of a Member State lays down criminal sanctions applicable to infringements of this Regulation in accordance with Article 96, paragraph (2), that Member State shall have in place the necessary laws, regulations and administrative provisions to enable competent authorities:
(a) to liaise with competent judicial authorities in order to receive specific information regarding criminal investigations of alleged infringements of this Regulation, criminal proceedings commenced in respect of such alleged infringements, and the outcome of such proceedings including the final judgement;
(b) to provide such information to other competent authorities and the EBA to fulfil their obligation of cooperating with each other and with the EBA for the purposes of this Regulation.
5. The implementation and the exercise of powers set out in this Article shall be proportionate and shall comply with Union and national law, including with applicable procedural safeguards and with the principles of the Charter of Fundamental Rights of the European Union. The investigation and enforcement measures adopted in application of this Regulation shall be appropriate to the nature and the overall actual or potential harm of the infringement.
6. By [ OP please insert the date= the date of entry into force of this Regulation], the EBA shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010, on complaints procedures, including the channels for submission of complaints, the information requested from complainants, and the disclosure of the aggregate analysis of complaints referred to in Article 90(1).
Article 92
Professional secrecy
1. Without prejudice to cases covered by national criminal law, all persons who work or who have worked for competent authorities, and any experts acting on behalf of the competent authorities, shall be bound by the obligation of professional secrecy regarding the information related to investigations conducted by the competent authorities.
2. The information exchanged in accordance with Article 93 shall be subject to the obligation of professional secrecy by both the sharing and recipient authority.
Article 93
Jurisdiction and cooperation of competent authorities
1. In the event of infringement or suspected infringement of Titles II and III, the competent authorities shall be those of the home Member State of the payment service provider, except for agents and branches conducting business under the right of establishment, where the competent authorities shall be those of the host Member State.
2. In the event of infringements or suspected infringements of Titles II and III by technical service providers, payment system operators ATM deployers which do not service payment accounts, electronic communications services providers or by their agents or branches, the competent authorities shall be those of the Member State where the service concerned is provided.
3. In the exercise of their investigatory and sanctioning powers, including in cross border cases, competent authorities shall cooperate with each other and with other authorities from any sector concerned as applicable to each case and in accordance with Union and national law by exchanging information with each other and ensuring the mutual assistance to other competent authorities concerned as necessary for the effective enforcement of administrative sanctions and administrative measures.
4. The authorities from other sectors concerned, referred to in paragraph 3, shall cooperate with competent authorities for the effective enforcement of administrative sanctions and administrative measures.
Section 2
Dispute resolution procedures and penalties
Article 94
Dispute resolution
1. Payment service providers shall put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users concerning the rights and obligations under Titles II and III. The competent authorities shall monitor the performance of those procedures.
Those procedures shall be applied in every Member State where the payment service provider offers the payment services and shall be available in an official language of the relevant Member State or in another language if agreed between the payment service provider and the payment service user.
2. Payment service providers shall make every possible effort to reply, on paper or, if agreed between the payment service provider and the payment service user, on another durable medium, to the payment service users’ complaints. Such a reply shall address all points raised, within an adequate timeframe and at the latest within 15 business days of receipt of the complaint. In exceptional situations, if the answer cannot be given within 15 business days for reasons beyond the control of the payment service provider, it shall send a holding reply, clearly indicating the reasons for a delay in answering to the complaint and specifying the deadline by which the payment service user will receive the final reply. In any event, the deadline for receiving the final reply shall not exceed 35 business days.
Member States may introduce or maintain rules on dispute resolution procedures that are more advantageous to the payment service user than that referred to in the first subparagraph. Where Member States do so, those rules shall apply.
3. The payment service provider shall inform the payment service user about at least one ADR entity which is competent to deal with disputes concerning the rights and obligations under Titles II and III.
4. The information referred to in paragraph 3 shall be mentioned in a clear, comprehensive and easily accessible way on the website of the payment service provider and on the respective mobile application, where they exist, at the branch, and in the general terms and conditions of the contract between the payment service provider and the payment service user. The payment service provider shall specify how further information on the ADR entity concerned and on the conditions for using it can be accessed.
Article 95
ADR procedures
1. Member States shall establish adequate, independent, impartial, transparent and effective ADR procedures for the settlement of disputes between payment service users and payment service providers concerning the rights and obligations under Titles II and III according to the relevant Union and national law in accordance with the quality requirements laid down in Directive 2013/11/EU of the European Parliament and the Council66, using existing competent bodies where appropriate. ADR procedures shall be applicable to payment service providers.
2. The bodies referred to in paragraph 1 of this Article shall cooperate effectively for the resolution of cross-border disputes concerning the rights and obligations under Titles II and III.
3. Member States shall designate a competent authority to accredit, monitor and publish the quality level of the ADR entity or entities on their territory to resolve disputes concerning rights and obligations under Titles II and III, in line with Article 18 of Directive 2013/11/EU.
4. Competent authorities, referred to in paragraph 3 shall notify ADR entity or entities in their territories to resolve disputes concerning rights and obligations under Titles II and III to the Commission, in line with Article 20 of Directive 2013/11/EU.
5. The Commission shall make publicly available a list of the ADR entities notified to it in accordance with paragraph 4 and update that list whenever changes are communicated.
Article 96
Administrative sanctions and administrative measures
1. Without prejudice to the supervisory powers of competent authorities designated under Directive (EU) XXX (PSD3), in accordance with Title II, Chapter 1, section 3 of that Directive, and the right of Member States to lay down criminal sanctions, Member States shall lay down rules on administrative sanctions and administrative measures applicable to infringements of this Regulation and shall ensure that they are implemented. The administrative sanctions and administrative measures shall be effective, proportionate and dissuasive.
2. Member States may decide not to lay down rules on administrative sanctions and administrative measures applicable to breaches of this Regulation which are subject to sanctions under national criminal law. In such a case, Member States shall notify the Commission of the relevant criminal law provisions and any subsequent amendments thereto in accordance with Article 103.
3. Where the national rules referred to in paragraph 1 apply to payment service providers and other legal persons, in case of infringements and subject to the conditions laid down in national law, administrative sanctions and administrative measures shall be applicable to the members of the management body of such payment services providers and legal persons and to other natural persons found to be responsible for a breach of this Regulation.
4. Member States may lay down rules, in accordance with their national law, enabling their competent authorities to close an investigation concerning an alleged infringement of this Regulation, following a settlement agreement or an expedited enforcement procedure.
The empowerment of competent authorities to settle or open expedite enforcement procedures does not affect the obligations upon Member States under paragraph 1.
Article 97
Administrative sanctions and other administrative measures for specific infringements
1. Without prejudice to Article 96(2), national laws, regulations and administrative provisions shall lay down the administrative sanctions and other administrative measures referred to in paragraph 2 of this Article in respect of the breaching or circumvention of the following provisions:
(a) the rules on access to accounts maintained with a credit institution laid down in Article 32;
(b) the secure data access rules by either account servicing payment service provider or by account information service providers and payment initiation service providers laid down in of Title III, Chapter 3, without prejudice to Article 45;
(c) the obligation to organise or perform fraud prevention mechanisms including strong customer authentication as set out in Articles 85, 86 and 87;
(d) the duty to comply with the requirements for transparency on fees by ATM operators or other cash distributors, in accordance with Article 20(c) point (ii);
(e) failure of payment service providers to respect the period for compensation of payment service users as set out in Article 56(2), Article 57(2) and Article 59(2).
2. In the cases referred to in paragraph 1, the applicable administrative sanctions and administrative measures shall include the following:
(a) administrative fines;
(i) in the case of a legal person, a maximum administrative fine of at least 10% of its total annual turnover as defined under paragraph 3;
(ii) in the case of a natural person, a maximum administrative fine of at least EUR 5 000 000, or in the Member States whose currency is not the euro, the corresponding value in the national currency on the date of entry into force of this Regulation;
(iii) a maximum administrative fine of at least twice the amount of the profits gained from the breach, where that profit can be determined.
(b) a public statement indicating the legal or natural person responsible for the breach and the nature of the breach;
(c) an order requiring the legal or natural person responsible for the breach to cease the unlawful conduct and to desist from repeating it;
(d) a temporary ban preventing a member of the management body of the legal person, or any other natural person who is held responsible for the breach, from exercising managing functions.
3. The total annual turnover referred to in paragraph 2, point (a)(i) of this Article and in Article 98(1) of this Regulation shall be equal to the net turnover as defined in Article 2, point (5), of Directive 2013/34/EU according to the annual financial statements available for the latest balance sheet date, for which the members of the administrative, management and supervisory bodies of the legal person have responsibility.
Where the legal person is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial statements in accordance with Article 22 of Directive 2013/34/EU, the relevant total annual turnover shall be the net turnover or the revenue to be determined in accordance with the relevant accounting standards, according to the consolidated financial statements of the ultimate parent undertaking available for the latest balance sheet date, for which the members of the administrative, management and supervisory body of the ultimate undertaking have responsibility.
4. Member States may empower competent authorities, in accordance with national law, to impose other types of sanctions and other type of sanctioning powers in addition to those referred to in paragraph 2 of this Article and Article 98 on periodic penalty payments.
Article 98
Periodic penalty payments
1. Competent authorities shall be entitled to impose periodic penalty payments on legal or natural persons for failure to comply with any decision, order, interim measure, request, obligation or other measure adopted in accordance with this Regulation.
Periodic penalty payment referred to in the first subparagraph shall be effective and proportionate and shall consist of a daily amount to be paid until compliance is restored. They shall be imposed for a period not exceeding 6 months from the date indicated in the decision imposing the periodic penalty payments.
Competent authorities shall be entitled to impose maximum periodic penalty payments of at least:
(a) 3% of the average daily turnover in the case of a legal person;
(b) EUR 30.000 in the case of a natural person.
The average daily turnover shall be the total annual turnover referred to in Article 97(3), divided by 365.
2. Member States may provide for higher amounts of pecuniary penalty payments than those laid down in paragraph 1.
Article 99
Elements to be considered when determining administrative sanctions and other administrative measures
1. Competent authorities, when determining the type and level of administrative sanctions or other administrative measures, shall take into account all relevant elements and circumstances to apply proportionate sanctions, including:
(a) the seriousness and the duration of the infringement;
(b) the degree of responsibility of the natural or legal person responsible for the infringement;
(c) the financial strength of the natural or legal person responsible for the breach, as indicated, among others, by the total annual turnover of the legal person, or the annual income of the natural person responsible for the infringement;
(d) the magnitude of profits gained or losses avoided by the natural or legal person responsible for the infringement, insofar as they can be determined;
(e) the losses for third parties resulted from the infringement, insofar as they can be determined;
(f) the disadvantage resulting to the legal or natural person responsible for the breach from the duplication of criminal and administrative proceedings and sanctions for the same conduct;
(g) the impact of the infringement in the interests of consumers and other payment services users;
(h) any actual or potential systemic negative consequences of the infringement;
(i) the complicity or participation of more than one natural or legal person in the infringement;
(j) previous infringements committed by the natural or legal person responsible for the breach;
(k) the level of cooperation of the natural or legal person responsible for the infringement with the competent authority;
(l) any remedial action or measure undertaken by the legal or natural person responsible for the infringement to prevent its repetition.
2. Competent authorities that use settlement agreements or expedited enforcement procedures in accordance with Article 96(4) shall adapt the relevant administrative sanctions and administrative measures laid down in Articles 96, 97, and 98 to the case concerned to ensure the proportionality thereof.
Article 100
Right of appeal
1. The decisions taken by the competent authorities pursuant to this Regulation shall be contestable before the courts.
2. Paragraph 1 shall apply also in respect of failure to act.
Article 101
Publication of administrative sanctions and administrative measures
1. Competent authorities shall publish on their website all decisions imposing an administrative sanction or administrative measure on legal and natural persons, for breaches of this Regulation, and where applicable, all settlement agreements. The publication shall include a short description of the breach, the administrative sanction or other administrative measure imposed, or, where applicable, a statement about the settlement agreement. The identity of the natural person subject to the decision imposing an administrative sanction or administrative measure shall not be published.
Competent authorities shall publish the decision and the statement referred to in the first subparagraph immediately after the legal or natural person subject to the decision has been notified of that decision or the settlement agreement has been signed.
2. By derogation from paragraph 1, where the publication of the identity or other personal data of natural persons is deemed necessary by the national competent authority to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation, including in the case of public statements referred to in Article 97(2)(b) or temporary bans referred to in Article 97(2)(d), the national competent authority may publish also the identity of the persons or personal data provided that it justifies such a decision and that the publication is limited to the personal data that is strictly necessary to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation.
3. Where the decision imposing an administrative sanction or other administrative measure is subject to appeal before the relevant judicial or other authority, competent authorities shall also publish on their official website without delay, information on the appeal and any subsequent information on the outcome of such an appeal, insofar as it concerns legal persons. Where the appealed decision concerns a natural person and the derogation under paragraph 2 is not applied, competent authorities shall publish information on the appeal only in an anonymised version.
4. Competent authorities shall ensure that any publication made in accordance with this Article remains on their official website for a period of up to 5 years. Personal data contained in the publication shall be kept on the official website of the competent authority only if an annual review shows the continued need to publish that data to protect the stability of the financial markets or to ensure the effective enforcement of this Regulation, and in any event for no longer than 5 years.
Article 102
Monitoring of proceedings, sanctions and measures
1. Competent authorities shall report to the EBA, in an anonymised way and aggregated format on a regular basis:
(a) initiated, suspended or closed formal administrative proceedings leading to imposing administrative sanctions or administrative measures;
(b) periodic penalty payments imposed in accordance with Article 98 for ongoing breaches of this Regulation;
(c) where applicable, settlement agreements and expedited enforcement procedures, and the outcome thereof, regardless of their publication; in accordance with Article 96(4);
(d) criminal proceedings resulting in a conviction and related sanctions reported by judicial authorities in accordance with Article 91(4), point (a);
(e) any appeal against decisions to impose criminal or administrative sanctions or administrative measures and the outcome of such an appeal.
2. When the competent authority discloses an administrative sanction or an administrative measure to the public, it shall simultaneously report them to the EBA.
3. Within 2 years after the date of application of this Regulation, and subsequently every 2 years, the EBA shall submit a report to the Commission on the application of sanctions by competent authorities to ensure compliance with this Regulation.
Article 103
Notification of implementing measures
Member States shall notify the laws, regulations and administrative provisions adopted in accordance with this Chapter, including any relevant criminal law provisions, to the Commission by [ OP please insert the date = the date of entry into force of this Regulation]. Member States shall notify the Commission without undue delay of any subsequent amendments thereto.
CHAPTER 9
Product intervention powers by the EBA
Article 104
EBA temporary intervention powers
1. In accordance with Article 9(5) of Regulation (EU) No 1093/2010, the EBA may, where the conditions in paragraphs 2 and 3 of this Article are fulfilled, temporarily prohibit or restrict in the Union, a certain type or a specific feature of a payment service or instrument or an electronic money service or instrument. A prohibition or restriction may apply in circumstances, or be subject to exceptions, specified by the EBA.
2. The EBA shall take a decision under paragraph 1 only if all of the following conditions are fulfilled:
(a) the proposed action addresses a significant number of payment services users or electronic money services users or a threat to the orderly functioning of the payment or electronic money markets, and the integrity of those markets or to the stability of the whole or part of these markets in the Union;
(b) regulatory requirements under Union law that are applicable to the relevant payments service or electronic money service do not address the threat;
(c) a competent authority or competent authorities have not taken action to address the threat or the actions that have been taken do not adequately address the threat.
Where the conditions set out in the first subparagraph are fulfilled, the EBA may impose the prohibition or restriction referred to in paragraph 1 on a precautionary basis before a payment service or electronic money service has been offered or distributed to payment services users.
3. When taking action under this Article, the EBA shall ensure all of the following:
(a) the action does not have a detrimental effect on the efficiency of the payments market or electronic money services market or on payment services or electronic money service providers that is disproportionate to the benefits of the action;
(b) the action does not create a risk of regulatory arbitrage, and
(c) the action has been taken after consulting the relevant national competent authority.
4. Before deciding to take any action under this Article, the EBA shall notify competent authorities of the action it proposes.
5. The EBA shall publish on its website notice of any decision to take any action under this Article. The notice shall specify details of the prohibition or restriction and specify a time after the publication of the notice from which the measures will take effect, while also ensuring that notices on such decisions on natural persons are published only in anonymised version. A prohibition or restriction shall only apply to action taken after the measures take effect.
6. The EBA shall review a prohibition or restriction imposed under paragraph 1 at appropriate intervals and at least every 3 months. If the prohibition or restriction is not renewed after that 3 month period it shall expire.
7. Action adopted by the EBA under this Article shall prevail over any previous action taken by a competent authority.
8. The Commission shall adopt delegated acts in accordance with Article 106 to specify criteria and factors to be taken into account by the EBA in determining when there is a significant number of payment services users or electronic money services users or a threat to the orderly functioning of the payment or electronic money services markets, and the integrity of these markets or to the stability of the whole or part of these markets in the Union referred to in paragraph 2, point (a).
Those criteria and factors shall include:
(a) the degree of complexity of a payment service or instrument or electronic money service or instrument and the relation to the type of users, including consumers, to whom they are offered;
(b) the degree of riskiness, for consumers, of a payment service or instrument or electronic money service or instrument;
(c) the possible use by fraudsters of the payment service or instrument or electronic money service or instrument;
(d) the size or the level of uptake of the payment service or instrument or electronic money service or instrument;
(e) the degree of innovation of a payment service or instrument or electronic money service or instrument.
TITLE IV
DELEGATED ACTS
Article 105
Delegated acts
The Commission is empowered to adopt delegated acts in accordance with Article 106 to amend this Regulation by updating the amounts referred to in Article 58(1).
Article 106
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 105 shall be conferred on the Commission for an undetermined period of time from the date of entry into force of this Regulation.
3. The delegation of power referred to in Article 105 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or on a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by Member States in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 105 shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of 3 months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.
TITLE V
FINAL PROVISIONS
Article 107
More favourable refund rights and stricter fraud prevention measures
1. Member States or payment service providers may grant payment service users more favourable refund rights in relation to authorised credit transfers as referred to in Articles 57 and 59 and provide for stricter fraud prevention measures that go beyond those set out in Article 83(1) and Article 84.
2. Member States shall, by [ OP please insert the date= the date of entry into force of this Regulation], notify to the Commission the provisions adopted pursuant to paragraph 1. They shall, without delay, notify any subsequent amendment to the Commission.
Article 108
Review clause
1. The Commission shall, by 5 years after the date of application of this Regulation, submit to the European Parliament, the Council, the ECB and the European Economic and Social Committee, a report on the application and impact of this Regulation, and in particular on:
(a) the appropriateness and the impact on competition and the uptake of open banking of the rules on access to payment accounts data on the business of account information services and payment initiation services, and in particular of the rules on dedicated interfaces and their respective derogations as per Articles 38 and 39;
(b) the impact of the rules on the absence of obligatory contractual arrangements and compensation for access by account information service and payment initiation service providers to interfaces referred to in Article 34;
(c) the appropriateness and the impact of the rules on charges including the rules on surcharging as per Article 28;
(d) the appropriateness and impact of the rules on prevention and redress of fraud on both unauthorised and authorised transactions.
Where appropriate, the Commission shall submit a legislative proposal together with its report.
2. The Commission shall, by [ OP please insert the date= 3 years after the date of entry into force of this Regulation] submit to the European Parliament, the Council, the ECB and the European Economic and Social Committee, a report on the scope of this Regulation, with regard in particular to payment systems, payment schemes and technical service providers. Where appropriate, the Commission shall submit a legislative proposal together with that report.
Article 109
Amendments to Regulation (EU) No 1093/2010
Regulation (EU) No 1093/2010 is amended as follows:
1. In Article 1(2), the first sentence is replaced by the following:
“The Authority shall act within the powers conferred by this Regulation and within the scope of Directive 2002/87/EC, Directive 2008/48/EC (1), Directive 2009/110/EC, Regulation (EU) No 575/2013 (2), Directive 2013/36/EU (3), Directive 2014/49/EU (4), Directive 2014/92/EU (5), Directive (EU) [ … ] (PSD3), Regulation (EU) [ … ] (PSR) of the European Parliament and of the Council and, to the extent that those acts apply to credit and financial institutions and the competent authorities that supervise them, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.”;
2. Article 4(2) is amended as follows:
(a) point (i) is replaced by the following:
‘competent authorities or supervisory authorities within the scope of the sectoral acts referred to in Article 1(2), including the European Central Bank with regard to matters relating to the tasks conferred on it by Regulation (EU) No 1024/2013;’
(b) points (iii), (vi), (vii) and (viii) are deleted.
Article 110
Amendment to Regulation (EU) No 2017/2394
In the Annex to Regulation (EU) 2017/2394, the following point is added:
‘29. Regulation (EU) xxxx of the European Parliament and of the Council of xxxx on payment services in the internal market and amending Regulation (EU) No 1093/2010.’
Article 111
Correlation table
Any reference to Directive (EU) 2015/2366 and to Directive 2009/110/EC shall be construed as a reference to Directive (EU) (PSD3) or to this Regulation and shall be read in accordance with the correlation table in Annex III to this Regulation.
Article 112
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from [ OP please insert the date= 18 months after the date of entry into force of this Regulation].
However, Articles 50 and 57 shall apply from [ OP please insert the date= 24 months after the date of entry into force of this Regulation].
This Regulation shall be binding in its entirety and directly applicable in all Member States.