Explanatory Memorandum to COM(2023)367 - Payment services in the internal market

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2023)367 - Payment services in the internal market.
source COM(2023)367
date 28-06-2023


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

The second Payment Services Directive (PSD21) provides a legal framework for all retail payments in the EU, both Euro and other currencies, domestic and cross-border. The first Payment Services Directive (PSD12), adopted in 2007, established a harmonised legal framework for the creation of an integrated EU payments market. Building on PSD1, PSD2 addressed barriers to new types of payment services and improved the level of consumer protection and security. Most of the rules in PSD2 have been applicable since January 2018, but some rules such as those on Strong Customer Authentication, (SCA) have only applied since September 2019.

PSD2 contains rules on the provision of payment services and rules on licensing and supervision of one category of payment service provider, namely Payment Institutions (PIs). Other categories of PSP include credit institutions, which are regulated under EU banking legislation3, and electronic money institutions (EMIs), which are regulated under the Electronic Money Directive4.

The Commission’s 2020 Communication on a retail payments strategy (RPS) for the EU5 laid down the Commission’s priorities for the retail payments area for the term of office of the current College of Commissioners (2019-2024). It was accompanied by a Digital Finance Strategy, which sets out priorities for the digital agenda in the finance sector other than payments. The RPS announced that “at the end of 2021, the Commission will launch a comprehensive review of the application and impact of PSD2”. This review was duly undertaken, essentially in 2022, and led to a decision by the Commission to propose legislative amendments to PSD2, to improve its functioning. These amendments are set out in two proposals, the present proposal for a Regulation on payment services in the EU and a proposal for a Directive on payment services and e-money services, focussing on licensing and supervision of payment institutions (and amending certain other Directives).

The proposed revision of PSD2 features in the Commission Work Programme for 2023, along with a planned legislative initiative on a framework for financial data access, extending financial data access and use beyond payment accounts to more financial services.

Consistency with existing policy provisions in the policy area

Existing policy provisions of relevance to this initiative include other legislation in the area of payments, other financial services legislation covering also payment services providers and EU legislation of horizontal application which impacts the payments area. Care has been taken in the preparation of this proposal to ensuring coherence with those provisions.

Other legislation in the field of retail payments, apart from those mentioned above, includes the Single Euro Payments Area (SEPA) Regulation of 2012, which harmonises the technical requirements for credit transfers and direct debits in euro6. On 26 October 2022, the Commission proposed an amendment to the SEPA Regulation, to accelerate and facilitate the use of instant payments in euro in the EU7; that proposal contains a requirement for payment services providers offering euro instant payments to offer to users an “IBAN/name verification service”, and the present proposal extends that requirement to payment services providers offering any credit transfer in any EU currency. The Regulation on cross-border payments equalises pricing of domestic and cross-border transfers in euro8. The Regulation on Interchange Fees lays down maximum levels for such fees9. The present proposal is consistent with the objective of improving access to cash, by allowing merchants to offer, in physical shops, cash provision services even in the absence of a purchase by a customer. The work on access to cash is also to be seen in the context of the Commission’s RPS, which stated as a policy objective that cash should remain widely accessible.

Other relevant financial services legislation includes the Settlement Finality Directive (SFD),10 to which a targeted change is made in the proposal for a Directive accompanying this proposal. Other relevant legislation includes the Markets in Crypto-Assets Regulation (MiCA)11, the Digital Operational Resilience Act concerning cyber-security (DORA)12 and the Anti-Money Laundering (AML) Directive, of which a package of proposed amendments is currently under discussion by the co-legislators.13

The initiative is fully consistent with other Commission initiatives laid out in the Commission’s digital finance strategy for the EU14, which was adopted together with the RPS, and aims to promote digital transformation of finance and the EU economy and to remove fragmentation in the digital internal market.

Consistency with other EU policies

The initiative is consistent with the Commission’s 2021 Communication on ‘The European economic and financial system: fostering openness, strength and resilience’15 which reiterated the importance of the Commission’s RPS and of digital innovation in finance for strengthening the internal market for financial services. The same Communication confirmed that the Commission and European Central Bank services would jointly review at technical level a broad range of policy, legal and technical questions arising from a possible introduction of a digital euro, taking into account their respective mandates under the EU Treaties.

The Commission is submitting a proposal for an EU legal framework on financial information data access (FIDA) is presented in conjunction with the proposals to amend PSD2; that proposal covers access to financial data other than payment account data, which remains covered by payments legislation.

More general EU legislation of relevance includes GDPR16, EU Accessibility Act17, and the proposal for a Data Act, which is relevant for open banking18. In particular, Chapter III and IV of the proposed Data Act establish a horizontal framework for the rights and obligations with regard to the terms and conditions for making data available in business-to-business relations.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis of PSD2 is Article 114 of the Treaty on the Functioning of the European Union (TFEU), which tasks the EU institutions with laying down provisions to establish the internal market and ensure its proper functioning in line with Article 26 TFEU.

Subsidiarity (for non-exclusive competence)

Payment services may also be provided cross-border by payment service providers within the internal market for payment services. The freedom to provide services and freedom of establishment are widely used by payment service providers. To ensure harmonious conditions and a level playing field within the internal market for retail payment services, EU-level legislation is required. This logic underlied the first and second Payment Services Directives and continues to apply to this proposal.

Proportionality

The proposal contains targeted proportionality measures, such as the possibility, in the area of open banking, for an account servicing payment services provider (ASPSP) to obtain from its national competent authority a derogation from the requirement to have in place a dedicated interface for data access.

Choice of the instrument

PSD2 is currently a directive which is applied by transposing legislation in the Member States. However, in various areas of EU financial services legislation19, it has been found appropriate to enact rules applicable to financial undertakings in a directly applicable Regulation to enhance the coherence of implementation in the Member States. The PSD2 review concluded that this approach would also be appropriate in payments legislation, which has led to the proposed amendments to PSD2 being contained in two distinct legislative acts: this proposal for a Regulation containing rules for payment services providers and consumers and a proposal for a Directive containing in particular rules concerning licensing and supervision of payment institutions.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

An evaluation of PSD2 was carried out in 2022. Input to the evaluation included a report by an independent contractor and views of stakeholders in various public consultations. The evaluation report is published as an annex of the impact assessment accompanying the present proposal20.

The evaluation report concludes that PSD2 has had varying degrees of success in meeting its objectives. One area of positive impact has been that of fraud prevention, via the introduction of Strong Customer Authentication (SCA); although more challenging to implement than anticipated, SCA has already had a significant impact in reducing fraud. PSD2 has also been particularly effective with regard to its goal of increasing the efficiency, transparency and choice of payment instruments for payment service users. However, there are limits to PSD2’s effectiveness in achieving a level playing field, most notably given the persisting imbalance between bank and non-bank Payment Service Providers (PSPs) ensuing from the lack of direct access by the latter to certain key payment systems. There has been mixed success in the uptake of ‘open banking’ (OB), with issues remaining relating to data access interfaces for OB service providers, despite the costs of implementing the PSD2 provisions on OB. Regarding the internal market objective, while cross-border provision of payment services is increasing, many payment systems (especially debit card systems) remain national. Anticipated cost reductions for merchants from new and cheaper payment means have not fully materialised. Overall, the evaluation concludes that, despite certain shortcomings, the current PSD2 framework has enabled progress towards its objectives, while being relatively efficient with regard to its costs and delivering EU added value.

Stakeholder consultations

To ensure that the Commission’s proposal takes account of the views of all interested stakeholders, the consultation strategy for this initiative comprised:

- an open public consultation, open from 10 May 2022 to 2 August 202221;

- a targeted (but nevertheless public and open) consultation, with more detailed questions than the public consultation, open from 10 May 2022 to 5 July 202222;

- a call for evidence, open from 10 May 2022 to 02 August 202223;

- a targeted consultation on the SFD, open from 12 February 2021 - 7 May 2021;

- consultation of stakeholders in the Commission’s Payment Systems Market Expert Group;

- ad hoc contacts with various stakeholders, either on their initiative or that of the Commission;

- Consultation of Member States’ experts in the Commission Expert Group on Banking Payments and Insurance.

The outcome of these consultations is summarised in Annex 2 to the impact assessment accompanying this proposal.

Collection and use of expertise

Contents

1.

A number of inputs and sources of expertise were used in preparing this initiative, including the following:


- evidence supplied through the various consultations listed above and on an ad hoc basis by stakeholders.

- evidence provided by the European Banking Authority in its Advice24.

- a study carried out by a contractor, Valdani Vicari & Associati Consulting, delivered in September 2022, “A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2)25.

- data obtained from private sector operators, for example in the field of open banking, and from consumer organisations.

Impact assessment

These two proposals are accompanied by an impact assessment, which was examined by the Regulatory Scrutiny Board (RSB) on 1 March 2023. The RSB issued a positive opinion with reservations on 3 March 2023.

2.

The impact assessment found that there are four key problems in the EU payment market, despite the achievements of PSD2:


- consumers are at risk of fraud and lack confidence in payments;

- the open banking framework functions imperfectly;

- EU supervisors have inconsistent powers and obligations;

- there is an unlevel playing field between banks and non-bank PSPs.

3.

The consequences of these problems include the following:


- users (in particular consumers, merchants and SMEs) continue to be exposed to fraud risk;

- open banking service providers face obstacles to offering basic OB services and find it harder to innovate and compete with incumbent players such as cards schemes;

- PSPs experience uncertainty about their obligations, and non-bank PSPs are at a competitive disadvantage vis-à-vis banks;

- there are economic inefficiencies and higher costs of commercial operations, with negative impact on EU competitiveness;

- the internal market for payments is fragmented, with “forum shopping” occurring.

4.

There are four specific objectives of the initiative, corresponding to the identified problems:


1. Strengthen user protection and confidence in payments;

2. Improve the competitiveness of open banking services;

3. Improve enforcement and implementation in Member States;

4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.

The impact assessment presents a package of preferred options, aiming to achieve the specific objectives (the list below covers both measures contained in this Regulation and in the accompanying Directive):

- For specific objective 1, improvements to the application of SCA, a legal basis for exchange of information on fraud and obligation to educate customers about fraud, extension of IBAN verification to all credit transfers, and on conditional reversal of liability for authorised push payment fraud; an obligation on PSPs to improve accessibility of SCA for users with disabilities, older people and other people facing challenges regarding the use of SCA; measures to improve the availability of cash; improvements to user rights and information.

- For specific objective 2, a requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface; “permissions dashboards” to allow users to manage their granted open banking access permissions; more detailed specifications of minimum requirements for OB data interfaces;

- For specific objective 3, replacing the greater part of PSD2 with a directly applicable Regulation clarifying aspects of PSD2 which are unclear or ambiguous; strengthening of provisions on penalties; integrating the licensing regimes for PIs and EMIs.

- For specific objective 4, strengthening of PI/EMI rights to a bank account; granting the possibility of direct participation of PIs and EMIs to all payment systems, including those designated by Member States pursuant to the SFD, with additional clarifications on admission and risk assessment procedures.

A number of options were rejected in the impact assessment on grounds of high implementation costs and uncertain benefits. Costs of the selected options are mainly one-off costs and fall largely on ASPSPs (essentially banks). In open banking, costs are offset by savings (such as the removal of having a permanent “fall-back” interface and of its exemption procedure) and by the adoption of proportionality measures (possible derogations for niche ASPSPs). The cost to Member States of improved enforcement and implementation will be limited. The costs of direct access to key payment systems for PIs will be limited and fall on the payment systems in question. The benefits, on the other hand, will accrue to a wide range of stakeholders, including users of payment services (consumers, businesses, merchants and public administrations) and also PSPs themselves (especially non-bank fintech PSPs). The benefits will be recurrent, while the costs will be mainly one-off adjustment costs, therefore the cumulative benefits should exceed the total costs over time.

Regulatory fitness and simplification

The present initiative is not a regulatory fitness and performance programme (REFIT) initiative. Nevertheless, as part of the evaluation and review process, opportunities for administrative simplification were sought. The clarification of rules on SCA and other clarifications, together with the removal of divergences arising from national transposition of a Directive, will contribute to simplification.

Fundamental rights

The fundamental right which is particularly concerned by this initiative is the protection of personal data. To the extent that processing of personal data is necessary for the compliance with this initiative, it is proportionate to ensure good functioning of the internal market for digital payments. In the context of this initiative the processing of personal data must be in line with the General Data Protection Regulation (GDPR), which applies directly to all of the payment services concerned by this proposal.

Application of the ‘one in, one out’ principle

The present initiative does not involve administrative costs for businesses or consumers, as the initiative will not lead to any increased oversight or supervision of PSPs, or to specific new reporting obligations not already contained in PSD2. There are also no regulatory fees and charges arising from the initiative. The Commission therefore considers that this initiative does not generate administrative costs which require offsetting under the 'one in one out' principle, although it is relevant for “one in one out” in that it creates implementation costs. The bringing together of the legislative regime for E-Money Institutions and that for Payment Institutions will reduce administrative costs, for example by removing the requirement to obtain a new license in certain circumstances.

Climate and sustainability

No negative implications of the initiative for climate of this initiative have been identified. The initiative will contribute to target 8.2 of the UN Sustainability Development Goals: “To achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors”.

4. BUDGETARY IMPLICATIONS

The present proposal has no implications for the EU budget.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The initiative will provide for a review to be completed five years after the date of application. The review will have to pay particular attention to the provisions on open banking rules, fees and charges for payment services, and rules on liability and redress for fraudulent transactions.

Detailed explanation of the specific provisions of the proposal

Subject matter scope and definitions

The proposal lays down rules applicable to payment services providers related to payments. It does not change the list of payment services established in PSD2. The list of exclusions is largely unchanged. There is a list of definitions, extended from the list in PSD2 and containing more terms and clarifications of certain terms. Definitions of Merchant Initiated Transactions (MITs) and of Mail Orders or Telephone Orders (MOTOs) are introduced. The definition of ‘remote payment transaction’ under PSD2 is streamlined to allow for a clearer delineation of ‘initiation of a payment transaction’ and ‘remote initiation of a payment transaction’.

Payment systems and access to accounts held with credit institutions

Regarding payment system operators, the requirement to have access rules and procedures which are proportionate objective and non-discriminatory is extended also to payment systems designated by a Member State pursuant to Directive 98/26 (Settlement Finality Directive26). Payment system operators are required to carry out an assessment of relevant risks when considering an application for participation from a PSP. A decision on an application must be provided in writing and a right of appeal is established. Competent authorities must be designated by Member States in cases where no oversight by the European System of Central Banks exists; where there is ECSB oversight, that can be relied upon to address insufficiencies in admission rules and procedures of payment systems.

Rules concerning access (opening and closing) by a PI to an account with a credit institution are reinforced compared with PSD2. Applicants for a license as a PI (given the importance for them to have a bank account to obtain their license) are also covered, as well as PI’s agents and distributors. Any refusal or withdrawal of access must be based on serious grounds, for example reasonable suspicion of illegal activity or risk to the credit institution. Reasons for refusal or withdrawal of access must be provided in writing and motivated in detail with regard to the specific situation of the PI in question.

Transparency of conditions and information requirements for payment services

Regarding the derogation from information requirements for low-value payment instruments and electronic money for national payment transactions, the option for Member States to adjust the spending limit amounts is deleted.

To ensure internal consistency, the obligation to inform the payment service user about Alternative Dispute Resolution procedures in framework contracts is extended to single payment transactions.

A clarification is included to ensure that PSPs insert in payment account statements the information needed to unambiguously identify the payee, including a reference to the payee’s commercial trade name.

A clarification is included to ensure that where payment services are offered jointly with technical services supporting the provision of payment services and provided by the PSP or by a third party they have partnered with, such technical services should be subject to the framework contract requirements on termination fees.

Additional information requirements for domestic ATM withdrawals are introduced for different scenarios.

With regard to credit transfers and money remittances from the EU to a non-EU country, an obligation is introduced for PSPs to provide the payment service user with the estimated time for the funds to be received by the PSPs of the payee located outside the EU. To achieve better comparability, the estimated currency conversion charges of such international transactions must be expressed in the same way as for credit transfers within the EU, namely as a percentage mark-up over the latest available euro foreign exchange reference rates issued by the ECB.

Rights and obligations in relation to the provision and use of payment services

Common provisions

Under PSD2, the prohibition of surcharging, covering payment services to which the Interchange Fee Regulation27 applies, is limited under PSD2 to credit transfers and direct debits denominated in euro, and not in other currencies of the EU. Changes are introduced to extend the surcharging prohibition to credit transfers and direct debits in all currencies of the EU.

The rules for merchant initiated transactions (MITs) and direct debits are aligned, applying the same consumer protection measures, such as refunds, to direct debits and MITs as both are transactions initiated by the payee.

Open banking (account information services and payment initiation services)

The provisions on open banking contain a number of modifications compared with PSD2, and incorporate certain provisions currently contained in a Regulatory Technical Standard28. Key changes include the imposition, except in exceptional circumstances, of having a dedicated interface for open banking data access and the removal, except in authorised exceptional circumstances, of the requirement on account servicing PSPs to maintain permanently a ‘fallback’ interface. Additional requirements on dedicated interfaces are introduced as regards performance and functionalities. To enable open banking users to manage their open banking permissions in a convenient way, ASPSPs are required to offer them a “dashboard” allowing the withdrawal of data access from any given open banking provider.

There has been no significant market demand for the specific service of confirmation on the availability of funds, which was covered by article 65 of PSD2 as an open banking service alongside account information and payment initiation services. Very few, if any, business models have been developed on the basis of this service, as the market relies on the use of AIS as an alternative for checking the availability of funds. This provision has therefore been removed as a stand-alone open banking service.

Authorisation of payment transactions

The PSP of the payee is required to provide its payment service user, upon request, with a service checking that the unique identifier of the payee matches the name of the payee as provided by the payer and notifying the PSP of the payer of any detected discrepancy. Where they do not match, the PSP of the payer is to notify the payer of any such discrepancy and the detected degree thereof. The Commission proposal on instant payments amending the SEPA Regulation29, currently in discussion by co-legislators, proposes a similar provision related to the discrepancies between the name and unique identifier of a payee for instant credit transfers denominated in euro. To achieve a coherent framework for all credit transfers, the provision in this proposal applies to credit transfers which are not instant credit transfers in all currencies of the Union and instant credit transfers in currencies which are not in euro. The notification must be given before the payer finalises the payment order and before the PSP executes the credit transfer. The user remains free to decide whether to submit the payment order for a credit transfer in all cases.

With regard to the provision on the limits for the use of a payment instrument, it is clarified that PSPs must not unilaterally increase the spending limits agreed with their payment service users.

In the provision related to the PSP’s liability for unauthorised payment transactions, a clarification is added that only reasonable grounds for suspecting fraud by the payer can lead to a refusal to refund by the PSP. In such a case, the PSP must provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter.

The PSP of the payer is to be held liable for the full amount of the credit transfer in cases where that PSP has failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer. A PSP is held to be liable where a consumer has been manipulated into authorising a payment transaction by a third party pretending to be an employee of the consumer’s PSP using lies or deception. An obligation for electronic communications services providers to cooperate with PSPs is introduced, with a view to preventing such fraud.

Where the liability is attributable to the PSP of the payee, the latter is to refund the financial damage incurred by the PSP of the payer. The provisions on notification and rectification of unauthorised or incorrectly executed payment transactions, information requirements and right of recourse are updated in order to reflect the new liability provision for incorrect application of the matching verification service.

New liability provisions for technical service providers and operators of payment schemes are included for failure to support strong customer authentication, given that the evaluation of PSD2 revealed that there were problems concerning the implementation of SCA that were linked to the roles played by such stakeholders in the roll-out of SCA, which even contributed to the postponement of the SCA application from 2018 to 2020.

A clarification is added that the payer shall not bear any financial losses where either the PSP of the payer or the payee applies an exemption from the application of strong customer authentication.

For payment transactions where the transaction amount is not known in advance and funds are blocked on a payment instrument, a legal obligation is introduced for the payee to inform the PSP of the exact amount of the payment transaction immediately after delivery of the service or goods to the payer, as well as a requirement that the amount of the blocked funds must be proportionate to the amount of the future payment transaction that can reasonably be expected at the time of blocking of the funds.

Execution of payment transactions

In cases where a payment initiation service provider provides an incorrect unique identifier of a payee, that payment initiation service provider is held to be liable for the amount of the transaction.

Data protection

A new provision is included to explicitly define substantial public interest for which the processing of special categories of personal data could be necessary in the context of this proposed Regulation.

Operational and security risks and authentication

A new provision is added requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of strong customer authentication and to improve the prevention and detection of fraudulent transactions. This provision adds clarity to the notion of ‘inherence’, by detailing that such transaction monitoring mechanisms must be based on the analysis of payment transactions, taking into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials, including environmental and behavioural characteristics such as those related to location of the payment service user, time of transaction, device being used, spending habits, online store where the purchase is carried out.

For the purpose of transaction monitoring, provisions have been added allowing PSPs to exchange, on a voluntary basis, personal data such as unique identifiers of a payee subject to information sharing arrangements. These information sharing arrangements must define details for participation and on operational elements, including the use of dedicated IT platforms. Before concluding such arrangements, the PSPs must conduct a data protection impact assessment and, where necessary, carry out prior consultation of the supervisory authority, according to Regulation (EU) 2016/679 .

As regards the application of SCA in the case of merchant-initiated payment transactions (MITs), it is clarified that there is a need to apply strong customer authentication at the set-up of the mandate, but without any need to apply it for subsequent MITs. Regarding the application of SCA in the case of mail orders and telephone orders (MOTOs), it is clarified that only the initiation of a payment transaction needs to be non-digital in order for that transaction to not be covered by the strong customer authentication obligations. However, payment transactions based on paper-based payment orders, mail orders or telephone orders placed by the payer should be subjected to security standards and checks by the PSP of the payer allowing authentication of the payment transaction in order to prevent abusive circumvention of the strong authentication requirements. In addition, the scope of SCA exemption has been narrowed in the cases of payment transactions for which payment orders are placed by the payee based on a mandate given by the payer (direct debits), whereas an obligation to require SCA has been introduced in cases where a mandate is placed through a remote channel with the direct involvement of a payment service provider.

SCA is only required for account information services on the occasion of the first data access; however, account information service providers must require SCA when their customers access aggregated account data on the account information service provider’s domain, at least every 180 days.

Provisions have been added to improve the accessibility of SCA, in particular to ensure that all customers, including persons with disabilities, older persons, persons with low digital skills and those who do not have access to digital channels or a smartphone, have at their disposal at least one means enabling them to perform strong customer authentication.

With regard to the requirement for “remote payments” for PSPs to apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee, it is clarified that this obligation applies to electronic payment transactions for which a payment order is placed through a payer’s device using proximity technology for the exchange of information with the payee’s infrastructure, and for which the performance of strong customer authentication requires the use of internet on the payer’s device.

There is a provision requiring payment service providers and technical service providers to enter into outsourcing agreements in cases where the latter provide and verify the elements of strong customer authentication.

Product intervention powers of the European Banking Authority

This proposal grants the EBA product intervention powers in line with Article 9(5) of Regulation 1093/2010/EU. This will allow the EBA, on the basis of some criteria, to prohibit temporarily the sale of certain payment products which would present certain risks.

Other provisions

Empowerments are provided for regulatory technical standards (RTSs) prepared by the EBA, including existing RTSs, and in certain cases, new RTSs. The EBA may amend existing RTSs but if it does not do so, they will remain in force.

The proposed Regulation will enter into force on the twentieth day after publication in the Official Journal and enter into application 18 months thereafter30. A correlation table of articles with respect to the corresponding articles of PSD2 and EMD2 is annexed.