What is this about?

The EU Commission has published two legislative proposals which would repeal and replace the current Payment Services Directive 2 (PSD2) and the E-Money Directive (EMD). These would be replaced by a Directive (PSD3), which contains the authorisation and prudential requirements for both Payment Institutions (PIs) and E-Money Institutions (EMIs) and an EU Regulation (PSR) which would contain the conduct rules for PIs and EMIs. The Proposals are still under debate in the EU.

Our Head of Financial Regulation, Amanda Hulme says...

"The combined EU proposals for a new PSD3 and PSR do not create a seismic shift of regulatory approach to payments regulations by the EU. Some changes will align closer to UK requirements that have already diverged from the EU post Brexit. However, they will bring about some change. It remains to be seen how the UK will reform its own payments regulatory regime. The UK will need to have an eye on these proposals, not least to ensure the UK remains equivalent to the EU in order to maintain SEPA membership."

Key points in the EU Payment Services Regulation not to miss...

Much of the detail relating to the infrastructure needed for open banking has been moved into the PSR from the Strong Customer Authentication Regulatory Technical Standards (SCA RTS). In doing that, it has been re-articulated in places, clarified and slightly developed. The requirements for a fall-back mechanism have been removed. In the event of a failure of the dedicated interface used by Third Party Providers (TPPs), TPPs are allowed to ask their regulator to allow them to use the customer interface – effectively using a form of data scraping. The TPPs would need certain controls in place where they use the dedicated interface. The dedicated interface is also likely to need some changes to enable it to be used in these cases. There will also be exemptions for certain account providers from needing to allow access to TPPs, or which would enable those account providers to provide access via their customer interfaces. These will be set out in a later RTS.

Account Information Service Providers (AISPs) will be able to access ongoing data after a first SCA was applied by the customer without having to refresh with the account provider. After 180 days the AISP must obtain a new SCA from the customer, but one it can manage itself. The UK has already implemented relaxations to SCA refresh in these situations.

The PSR requires new customer dashboards to be provided in the customer's banking interface that enable TPP access rights to be controlled. The UK Open Banking standards already require these types of dashboards. The detail may be different, but the policy intention is the same.

The PSR also contains detail on what will amount to an obstacle for TPP access. These were previously set out in an EBA Opinion. This makes these elements more definitively outlawed. More responsibility is placed on regulators to enforce where TPPs' access rights are being hindered.

The PSR contains new rules relating to mandates between a customer and a payee. Separately, authorisation of a payment needs to comply with Article 49, which envisages both an authorisation of a single payment, as well as a series of payments. Payments that are considered payee initiated have been extended. The combined effect of the new rules may well permit PISP authorisation of a series of payment transactions and we believe there may be scope in the new rules to enable Variable Recurring Payments (VRP). This could impact whether PISPs can be required to sign separate agreements with account providers to access "premium APIs" permitting VRPs. Although the Recitals to the PSR suggest this could remain possible, the widening of the scope of payment authorisations could create some doubt over this position in the EU. That would have significant commercial impacts for the UK.

The definition is similar and continues to categorise authentication elements into knowledge, possession and inherence. The two required elements no longer need to be in separate categories, provided that they are technically independent. There is a need to have multiple SCA solutions, including ones for customers with disabilities and lower technology skills. There is also more leeway for card payments and other payee initiated payments – to make it clearer where SCA is not required. Exemptions from SCA will be designed by the EBA in an RTS.

The Instant Credit Transfer Regulations require the use of a verification of payee scheme for SEPA instant payments. This PSR will extend the verification scheme to all other credit transfers. This will implement a similar scheme to the UK Confirmation of Payee scheme. Under the PSR, a customer has a right to opt out of the service. However, if the customer does not opt out, the PSP will be liable for any losses if a discrepancy (ie something that is not a match) is not notified to the customer before the payment is authorised. The rules for the payee verification scheme are operated by SEPA.

The new requirements do not go as far as the UK mandatory reimbursement model. However, the PSR does expand the existing liability of PSPs where a customer was manipulated by a person pretending to be an employee of the PSP – using name, email address or telephone number of the PSP unlawfully. There seems to be an attempt at placing some responsibility on electronic communications service providers to assist PSPs to stop the use of their communications by fraudsters.

A PSP will also be liable where it does not apply SCA, even if this is due to it using a permitted exemption. There will be a claw back from the payee (or payee's PSP) if either of them failed to develop the technology to apply SCA. There is an attempt at making payment scheme operators or technical services providers liable if they fail to enable PSPs to apply SCA. However, this is limited to being "within the remit of their contractual relationship", making it unclear whether the allocation of liability to a payee or its PSP could be excluded contractually.

There is an ability to delay refunds by up to 10 days where there are pending investigations due to reasonable grounds to suspect fraud or gross negligence by a customer. This is longer than the UK is proposing to implement.

There are provisions aiming to facilitate fraud data sharing arrangements between PSPs. There are also requirements for annual staff training on fraud scenarios and for alerts for customers of new forms of fraud via "all appropriate means and media".

There has been concern about the processing of customer personal data for the purposes of biometric based SCA requirements. The PSR contains a provision that provides clarity that it is compliant to process special category data to the extent necessary for the provision of payment services and to comply with PSR obligations. This is subject to specific safeguards around data usage and training.

Definitions that deserve a closer look and could have wider implications on processes would be:

  • Initiation of a payment order – steps necessary to prepare the execution of a payment transaction, including placement of payment order and completion of authentication process;
  • Execution of payment transaction – process starting once the initiation of transaction is completed and ending once the funds … are available to the payee;
  • Payment account – allows for sending and receiving funds to and from third parties;
  • Mandate – expression of authorisation given by the payer to the payee;
  • Payment instrument – "individualised device" or set of procedures;
  • Reference interest rate – must be capable of being verified by both parties;
  • Business day – "open for business to execute payment transactions".

PIs, EMIs, as well as their agents and distributors, have a right to obtain payment accounts. A bank will no longer need to notify the regulator if it refuses an account to these institutions, but these institutions will be able to appeal to the regulator if they are refused. Firms will have the following narrower set of reasons to refuse an account:

  • serious grounds for suspecting defective money laundering or terrorism financing controls or illegal activities by the PI or its customers;
  • breach of contract by applicant;
  • insufficient information/documentation provided by applicant;
  • applicant or business model presents excessive risk profile;
  • disproportionately high compliance cost for the bank.

The refusal notification will be standardised and the requirements for this set out in an RTS.

As with all proposals, the devil will be in the detail, but key additional changes that would result in significant process changes are these:

  • there would be a restriction from automatically increasing spending limits associated with a payment instrument;
  • a customer would need to be able to prove any notifications it made to the PSP (eg about a compromised card) for 18 months. This suggests some form of log that a customer can access;
  • there are more express rules relating to blocking funds in relation to future card transactions.

At a glance

Publication link 

1. EU PSR

2. EU PSD3

Published date

28 June 2023

Who has published it?

European Commission

Publication type

EU legislative proposal

1. Press release

2. Report

3. Report

Any key dates?

Estimated timeline for adoption and publication 2025 - 2026

What is it relevant to?

Payment Services

Open Banking

Fraud


This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

04 July 2024
