(Note: the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice).
What is PSD2?
PSD2 refers to the revision of the existing Payment Services Directive.
What is the status of PSD2?
The PSD2 was published in the Official Journal on 23 December 2015. It came into force on 12 January 2016 and Member States will have until 13 January 2018 to implement it into national laws – although some of its provisions will be implemented at a later date.
What are its key revisions?
Key issues that require very careful consideration as the new Directive is finalised:
- The continued lack of clarity on the use of the ‘limited network’ / ‘limited goods and services’ exclusion
- The rules around Third Party Payment Service Providers being granted access to customer accounts held with other PSPs
- The increase in security obligations
- One leg transactions and all currencies being in scope.
Where can I find out more?
Please click on the links at the sidebar for our review of some of the key articles currently under debate. You can also find out more via our blog posts, our helpful links section as well as an article set out below which was prepared around the time just after the Commission published its proposal.
Payment Services Directive 2 and the challenges it creates for the EU payments market
Since the introduction of the Payment Services Directive (PSD1), the payments landscape in Europe has for the first time been subject to a comprehensive framework of regulation. Many participants in this market ranging from banks, acquirers and e-money issuers will still remember some of the pain that the Directive’s requirements put upon them at the time of its inception. But it was not only the traditional players in this space which felt the impact of the regulations, it also caught many commercial operators who may not even be aware that their payment processes may be subject to the regime – particularly those who provide innovative e-commerce platforms and who facilitate payments between their customers.
Of particular concern to such organisations is asking the first natural question – do we actually fall within the scope of the PSD or can we credibly rely on one of its exclusions? Unfortunately the answer to this question is rarely straightforward, as the exclusions set out in PSD1 were never clearly defined by the Directive and subject further to diverse local Member State regulator interpretation. The result being that as payments are typically a cross border business, the impact of the scope of payments regulations has been haphazard and left both organisations and their advisers with a somewhat rocky road to navigate.
That is why the revision of PSD1 has been much anticipated and on 24 July 2013 the EU Commission issued a new draft PSD (PSD2), together with a draft proposal of a regulation on interchange fees for card based payment transactions.
The new proposals are touted by the Commission as an improvement to the existing legal framework and as such
“will help the payments framework to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefits of all stakeholders and consumers in particular.”
Unfortunately, a review of the proposed PSD2 does not in fact fully meet the above objectives and there are still many important uncertainties raised by its revised language. When a business asks again – “do we fall within the scope of the revised PSD2?”, PSD2 does not provide many straightforward answers.
Some of the key concerns include:
- The ability for businesses to rely upon the commercial agent exclusion – particularly those who operate e-commerce marketplace platforms.
- The extent to which a business can gain comfort that they fall outside the scope of regulation if they operate within a ‘limited network of service providers’ or only enable the acquisition of a ‘limited range of goods or services’.
- An apparent narrowing of the ability of operators of communication networks to fall within an exclusion for the payments they process via such networks.
- The introduction of a new class of operators who have previously not required to be regulated, but will do so under PSD2.
Further explanation of these matters is set out below.
Commercial agent exclusion under PSD2 – what now for e-commerce marketplaces?
Since the growth of online marketplaces such as eBay, many other e-tailers have established themselves as successful players in this market – including more segmented operators like Asos.com. The growth in these business models is only set to increase with venture capitalists looking to invest in such businesses which provide large margins as they are built to scale and continue to grow.
Under PSD1 there is an exclusion which has been sought to be relied upon by such organisations. It is made available for payment transactions carried out from the payer (typically a buyer) to the payee (a seller or merchant) through a commercial agent (the marketplace operator) authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee (Article 3(b) of PSD1 – referred to as the “Commercial Agent Exclusion”).
The Commercial Agent Exclusion provides that the intermediary such as the marketplace operator only need to be a commercial agent to negotiate *or* conclude sales (and not necessarily both). The existing scope of this exclusion would seem to apply to e-commerce marketplace providers who, by setting up their business operations to act as a commercial agent with their customers, can process their transactions on their behalf. Such a structure also typically provides for the sender of funds (typically a buyer) to extinguish their debt to the ultimate recipient of those funds (the seller) upon the commercial agent’s receipt of those funds.
Under PSD2 this exclusion has been amended such that it shall only apply to payment transactions from the payer to the payee through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee. The key distinction made here is that the commercial agent can only be an agent of either the payer or the payee (and not both as is permitted under PSD1).
On first reading of this proposed amendment, it does not appear to exclude its applicability from e-commerce marketplace providers, such that they could still rely upon it if they only act as agent of one set of its customers, which would typically be its payees (ie the sellers). What is troubling, however, is that Recital 11 to PSD2 states the following:
“The exemption of payment transactions through a commercial agent on behalf of the payer or the payee, as established in Directive 2007/64/EC is being applied very differently in the Member States. Certain Member States allow the use of the exemption by e-commerce platforms that act as an intermediary on behalf of both individual buyers and sellers without a real margin to negotiate or conclude the sale or purchase of goods or services. That goes beyond the intended scope of the exemption and may increase risks for the consumers, as these providers remain outside the protection of the legal framework. Different application practices also distort competition in the payment market. The definition should become more precise and clearer to address these concerns.”
The mention in the above recital to the inappropriate use of the commercial agent exclusion by e-commerce platforms gives the impression that such operators are not to take advantage of the exclusion and for the added reason that they do not allow: “a real margin to negotiate or conclude the sale or purchase of goods and services”.
It appears that the ‘negotiating’ factor has become an important one to determine whether the exclusion is available but it is not reflected in the wording of the revised exclusion itself – and in particular, does not focus on the ability of a commercial agent to conclude sales, but rather there must be also be the ability to negotiate. This creates a great deal of uncertainty as to what exactly is the test to be applied. Is it merely to ensure that a commercial agency structure is established and that the agent has the authority to conclude sales, or must an operator also show that they negotiate in some form of a substantive sense the sale of goods and services? In an e-commerce world where business models are created in a scalable manner, this will not always be easy, and there is no further guidance as to the extent by which one can say they are effectively negotiating on behalf of the other, even though the test reads as having the ability to negotiate or conclude. The approach provided by PSD2 cannot be demonstrated to nurture innovation in this space, but rather create a great deal of uncertainty. Whether this uncertainty will be clarified in the transposition of the PSD2 into national Member State law is yet to be seen, and in particular, whether the interpretative effect of a recital in an EU Directive will also be fully transposed in the law of a Member State, whether in the law itself or accompanying public regulator guidance, is also yet to be known. Clearly an area to ‘watch this space’.
Limited network / goods and services exclusion – a missed opportunity to clarify its scope
PSD2 substantially retains the existing exclusion set out in the negative scope of PSD1 allowing operators to be excluded from the Directive if such operators enter into commercial agreements with a limited network of service providers, or are based on specific instruments which can only be used to acquire a limited range of goods or services. This exclusion is particularly useful to operators that do not provide general use payment services and are limited in a small scale with reference to the number of service providers within their network, or that offer a limited range of products.
The widely known challenge with this exclusion is that the Directive does not define what is meant by ‘limited’ other than by giving guidance related to a small sub-set of operators who may look to rely on it. Of particular challenge is the fact that the term ‘limited’ is not defined with reference to discrete numbers of what is exactly a limited network or range of goods or services. Does ‘limited’ mean 3, 30 or 300? This could all depend on the nature of the business of the operator. While some may welcome such flexibility, the uncertainty clearly outweighs it, particularly because the interpretation of what is meant by ‘limited’ will be subject to the often different interpretation of Member State regulators (and unfortunately there is no scope to ‘passport’ an exclusion), leading to an uneven landscape for operators to provide their services across the EEA.
While PSD2 does not assist in clarifying the question of what exactly is ‘limited’, it also adds a further challenge to businesses seeking to rely upon it. This is because, under PSD2, there is proposed to be a further requirement that if any operator seeks to reply upon the limited network exclusion it is to seek approval and recognition from the relevant regulator, if it processes an average of €1 million payment transactions / month (taken over an annual period).
Recital 12 of PSD2 acknowledges that such approval is needed on the basis that: “Payment activities covered by the limited network exception often comprise massive payment volumes and values and offer to consumers hundreds or thousands of different products and services, which does not fit the purpose of the limited network exemption”.
The introduction of this new requirement does gives some indication as to where a regulator will be concerned as to whether a business model is pushing the boundaries of the limited network exclusion and when it should be regulated.
One key concern to business will be that if it wishes to rely upon such an exclusion, it will need to be mindful of this threshold, which may be difficult for some start up businesses, who may not even be aware they are potentially within the scope of the Directive, let alone if they experience strong growth, they could be in contravention of its requirements.
A further concern under PSD2 is that regulators will be required to make their decisions public as to whether they have approved an operator under the limited network / goods and services exclusion. It will be interesting to see whether such public disclosure will act as a quasi precedent for other players and also whether different EU regulators will use this to either be consistent or inconsistent in their approach (as against other regulators). Some operators may also not wish for their approaches with regulators to be made public – it is one thing for an operator’s licence details to be made public, it is another for their ability not to be regulated to be made equally public.
Prudence would dictate that any operator seeking to rely on this type of exclusion should always seek regulator approval in the jurisdictions it operates, regardless of the amount or volume of payments it transacts.
Digital device ‘telco’ exclusion – technology neutral?
PSD1 permitted certain payment transactions to be executed, if such payment transactions are executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, provided that the telecommunication, digital or IT operator does not act only as an intermediary between the payment service user and the supplier of the goods and services (Article 3(l) of PSD1).
This exclusion has been amended in PSD2 such that it applies to: “payment transactions carried out by a provider of electronic communication networks or services where the transaction is provided for a subscriber to the network or service and for purchase of digital content as ancillary services to electronic communications services, regardless of the device used for the purchase or consumption of the content, provided that the value of any single payment transaction does not exceed EUR 50 and the cumulative value of payment transactions does not exceed EUR 200 in any billing month”.
Not only does the revised exclusion places strict monetary values on its application, it appears from its wording to apply mainly to telco operators, insofar that the purchase of digital content must be ‘ancillary’ to the electronic communications services and the payment amount limits are made with reference to ‘subscribers’ and ‘billing months’ – all concepts which more typically apply to telco operators. This then leads to the question of its applicability to other innovative product and service providers (such as internet TVs etc) who may not set up their networks in the same manner or who may only (and not by way of an ancillary service) offer ‘pay for’ services through IT devices. Rather than nurturing innovation, the narrowing of this exclusion appears to provide a regulatory advantage to one category of established providers over others.
Regulation of new players – ‘payment initiation services’ and ‘account information services’
One of the key exclusions permitted by PSD1 was that certain operators who are considered ‘technical service providers’ (such as data and authentication service providers) who support payment service providers were excluded – on the proviso that they did not come into the possession of the funds. PSD2 seeks to limit this exclusion for operators who are treated as ‘payment initiation services’ and ‘account information services’.
Operators who had sought to previously rely upon this exclusion and new services which have entered the market on this basis will need to carry out careful analysis as to whether they will now need to become regulated under PSD2.
This will be particularly important for determining whether a payment service support operator falls within the scope of providing ‘payment initiation services’. This proposed new regulated activity will cover: “a payment service enabling access to a payment account provided by a third party payment service provider, where the payer can be actively involved in the payment initiation or the third party payment service provider’s software, or where payment instruments can be used by the payer or the payee to transmit the payer’s credentials to the account servicing payment service provider.”
The scope of the wording could potentially capture a range of business models, depending on how exactly they have set up their operations to assist a third party payment service provider in executing payment transactions.
The above provides a summary of some of the key issues which will face payment operators who wish to know whether their services will fall within the scope of the new proposed PSD2. There is definitely a general theme that the Payment Services Directive revision has sought to capture more participants in the payments space than previously, but in doing so, has left many more unanswered questions than providing for legal certainty. As such, it does not present an improvement to the existing payments regulatory framework. Going forward, it will be up to specific operators and their advisers / business organisations to seek further clarification on what PSD2 will mean for specific businesses, but judging from what has been proposed to date, this will not always be an easy challenge to meet.