IAPP CIPT – GDPR and Payment Services Directive (PSD2)
1. What is PSD 2 and main objectives
Hi guys. In this lesson, we’ll discuss the Payment Services Directive number two, or PSD Two for short. The first Payment Services Directive, PSD One, was adopted in 2007. This legislation provides the legal foundation for a European Union single market for payments to establish safer and more innovative payment services across the European Union. The objective was to make cross-border payments as easy, efficient and secure as national payments within a member state. Since 2007, this Directive has brought substantial benefits to the European economy, easing access for new market entrants and payment institutions, and so offering more competition and choice to consumers. It offered economies of scale and helped the Single Euro Payments Area, or SEPA. In practice, the first PSD has meant more transparency and information for consumers, for example, about execution time and fees. And it has cut execution times, strengthened refund rights, and clarified the liability of consumers and payment institutions.
So why did the Commission propose to review this Directive? The Commission proposed to review PSD One to modernize it to take account of new types of payment services, such as payment initiation services. These service providers have brought innovation and competition, providing more and often cheaper alternatives for Internet payments, but were previously unregulated. Bringing them within the scope of the PSD has boosted transparency, innovation and security in the single market and created a level playing field between different payment service providers. At the same time, certain rules set out in the first PSD, such as the exemptions of a number of payment-related activities from the scope of the Directive, have been transposed or applied by member states in different ways, leading to regulatory arbitrage and legal uncertainty. The Commission proposed to revise PSD One in 2013.
The proposal was part of a package of legislative measures on payment services, which included a proposal for a regulation on interchange fees for card-based payment transactions. The revised Payment Services Directive, PSD Two, updates and complements the European Union rules put in place by PSD One, and its main objectives are to contribute to a more integrated and efficient European payments market, improve the level playing field for payment service providers, make payments safer and more secure, and protect consumers.
PSD Two will be adopted in 2018, so usually it should start from January, and from now on it should be the only and complete directive, and also the regulation that financial institutions and banks will have to take care of. What are the main differences between PSD One and PSD Two? PSD Two widens the scope of PSD One by covering new services and players, as well as by extending the scope of existing services, enabling their access to payment accounts. PSD Two also updates the telecom exemption by limiting it mainly to micro payments for digital services, and includes transactions with third countries when only one of the payment service providers is located within the European Union. It also enhances cooperation and information exchange between authorities in the context of authorization and supervision of payment institutions. The European Banking Authority will develop a central register of authorized and registered payment institutions.
To make electronic payments safer and more secure, PSD Two introduces enhanced security measures to be implemented by all payment service providers, including banks. In particular, PSD Two requires payment service providers to apply strong customer authentication, or SCA, for electronic payment transactions. As a general rule.
2. Benefits for consumers
Hi guys. In this lesson, we’ll discuss the benefits for consumers. Under the PSD2 directive, there will be three areas of benefits: economic benefits, consumers’ rights and payment security, and we will treat them one by one. Economic benefits: the new European Union rules should help stimulate competition in the electronic payments market by providing the necessary legal certainty for companies to enter or continue in the market. This would then allow consumers to benefit from more and better choices between different types of payment services and service providers. During the past years, new players have emerged in the area of Internet payments, offering consumers the possibility to pay instantly for their Internet bookings or online shopping without the need for a credit card. Around 60% of the population in the European Union does not have a credit card.
These services establish a payment link between the payer and the online merchant via the payer’s online banking module. These innovative and low-cost payment solutions are called payment initiation services and are already offered in a number of member states. Until now, these new providers were not regulated at European Union level. The new directive will cover these new payment providers, addressing issues which may arise with respect to confidentiality, liability or security of such transactions. Furthermore, PSD Two will help lower charges for consumers and ban surcharging for card payments in the vast majority of cases, both online and in shops.
The practice of surcharging is common in some member states, notably for online payments and specific sectors such as the travel and hospitality industry. In all cases where card charges imposed on merchants are kept in accordance with the complementary regulation on interchange fees for card based payment transactions, merchants will no longer be allowed to surcharge consumers for using their payment card. This will apply to domestic as well as cross border payments. In practice, the prohibition of surcharging will cover some 95% of all card payments in the EU, and consumers would be able to save more than €550,000,000 annually.
The new rules will contribute to a better consumer experience when paying with a card throughout the European Union. Consumers’ rights: PSD One and PSD Two protect consumer rights in the event of unauthorized debit from an account under certain conditions. A direct debit is a payment that is not initiated by the payer but by the payee on the basis of consent of the payer to the payee. It is based on the following concept: I request money from someone else with their prior approval and credit it to myself. The payer and the biller must each hold an account with a payment service provider, and the transfer of funds takes place between the payer’s bank and the biller’s bank. However, since the biller can collect funds from a payer’s account, provided that a mandate has been granted by the payer to the biller, the payer should also have a right to get the money refunded. Member states have applied different rules with regard to this issue.
Under PSD One, payers had the right to a refund from their payment service provider in case of a direct debit from their account, but only under certain conditions. In order to enhance consumer protection and promote legal certainty further, PSD Two provides a legislative basis for an unconditional refund right in case of a SEPA direct debit during an eight-week period from the date the funds are debited from the account. The right to a refund after the payee has initiated the payment still allows the payer to remain in control of his payment. In such cases, payers can request a refund even in the case of a disputed payment transaction. As far as the direct debit schemes for non-euro payments are concerned, where they offer the protection as set out under PSD One, they can continue to function as they do today. Consumers will also be better protected when the transaction amount is not known in advance. This situation can occur in the case of car rentals, hotel bookings or at petrol stations. The payee will only be allowed to block funds on the account of the payer if the payer has approved the exact amount that can be blocked.
The payer’s bank shall immediately release the blocked funds after having received the information about the exact amount and, at the latest, after having received the payment order. Furthermore, the new directive will increase consumer rights when sending transfers and money remittances outside the European Union or paying in non-European Union currencies. PSD One only addresses transfers inside the European Union and is limited to the currencies of the member states. PSD Two will extend the application of PSD One rules on transparency to one-leg transactions, hence covering payment transactions to persons outside the European Union as regards the European Union part of the transaction.
This should contribute to better information for money remitters and lower the cost of money remittances as a result of higher transparency on the market. Finally, the new directive will oblige member states to designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of the directive. Payment service providers that are covered by the directive should, on their side, put in place a complaints procedure that consumers can use before seeking out-of-court redress or before launching court proceedings.
The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days. Payment security: the new rules also provide for a high level of payment security. This is a key issue for many payment users and, notably, consumers when paying via the Internet. All payment service providers, including banks, payment institutions or third party providers, called TPPs, will need to prove that they have certain security measures in place ensuring safe and secure payments. The payment service provider will have to carry out an assessment of the operational and security risks and of the measures taken on a yearly basis.
3. Scope of PSD2 directive
Hi, guys. In this lesson, we’ll discuss the scope of the directive. The directive applies to payment services in the European Union. It focuses on electronic payments, which are more cost efficient than cash and which also stimulate consumption and economic growth. There are a number of payment means, including cash and checks, not falling within the scope of this directive. Will the new rules also apply to international payments? While PSD One only applies to intra-European Union payments, PSD Two extends a number of obligations, notably information obligations, to payments to and from third countries where one of the payment service providers is located in the European Union.
The extension of the scope has implications primarily for the banks and other payment service providers that are located in the European Union. In practice, this means that these financial service providers should provide information and transparency on the costs and conditions of these international payments, at least in respect of their part of the transaction. They can also be held liable for their part of the payment transaction if something goes wrong that is attributable to them. Moreover, the extension in scope will also have as an effect that the same rules will apply to payments that are made in a currency that is not denominated in euro or another member state currency. This will be an important improvement for consumer protection, in particular in the area of global money remittances. To what extent will payments through telecom operators be covered by this directive? Under PSD One, payments made through a telecom operator were not covered where the telecom operator acts as an intermediary between the consumer and the payment service provider by operator billing or direct-to-phone-bill purchases.
Under PSD Two, the purchase of physical goods and services through a telecom operator now falls within the scope of the Directive. Under the new rules, the exclusion for payments through telecom operators has also been further specified and narrowed down.
The exclusion now covers only payments made through telecom operators for the purchase of digital services, such as music and digital newspapers that are downloaded on a digital device, or of electronic tickets or donations to charities. In order to avoid the risk of exposure to substantial financial risks to payers, only payments under a certain threshold are excluded: €50 per transaction, €300 per billing month. Telecom operators that engage in such an activity shall notify the competent authorities on an annual basis that they comply with these limits. The activity will also be listed in the public registers.
4. New rules on authorisation and supervision
Hi, guys. In this lesson, we’ll discuss enhanced rules on authorization and supervision of payment institutions. Will there be changes in the authorization requirements for payment institutions under PSD Two? Payment institutions are required to fulfill a variety of requirements in order to obtain an authorization to provide payment services. These requirements are largely the same as under PSD One. The main changes relate to the enhanced level of payment security. Under PSD Two, entities that wish to be authorized as a payment institution shall provide with their application a security policy document, as well as a description of security incident management procedures, contingency procedures, et cetera. Right now, you can also see my course related to incident response procedures, which really relates to the things that should be provided here.
Capital requirements, which aim to ensure financial stability, have largely remained the same under PSD Two as they were set out in PSD One. Specific capital requirements have been defined for third party service providers in relation to their respective activities and the risks these represent. Will the rules change for waived payment institutions? Under PSD One, entities with an average volume of monthly payment transactions below €3 million can benefit from a lighter authorization regime if their Member State of establishment makes use of that option. This so-called waiver regime will be maintained under PSD Two as an option for Member States, albeit with the difference that Member States making use of the option can decide to define a lower threshold under which such waivers can be granted. Payment institutions that have obtained a waiver under PSD One may need to reassess their status under PSD Two.
What are the changes for limited networks under this Directive? As under PSD One, payment transactions based on a specific payment instrument within a limited network, for instance, a chain of department stores or a network of petrol stations under the same brand offering a dedicated payment instrument to their customers are outside the scope of the Directive. In order to ensure a more coherent supervision of such networks across the Union, the Directive provides that networks, when their activities reach a certain value, shall notify these activities to competent authorities so that these can assess whether or not the network should apply for a license as a payment institution. Will this Directive strengthen the supervision of payment institutions that provide services cross border?
As a main principle, payment institutions are supervised by the Member State where they are authorized to provide the defined payment services. When a payment institution intends to provide payment services in another Member State, the supervision of these activities, in principle, remains with the home Member State. However, if the payment institution provides these services through established agents or branches in the other Member State, that Member State can act in case of an infringement or a suspected infringement of European Union rules under the Directive. In this respect, the supervision under PSD Two has not changed. However, to reinforce the investigative and supervisory powers of the host Member State, PSD Two has introduced a more detailed passporting procedure. This procedure will ensure better cooperation and information exchange between the national competent authorities.
Furthermore, the host Member State can ask payment institutions operating with agents and branches in its territory to regularly report on their activities. Is there a need to set up a central contact point in a Member State if they are providing payment services cross-border? PSD Two contains an option for Member States to require a payment institution that provides cross-border payment services to set up a central contact point if it operates with agents or branches that are established in their territory. The central contact point shall ensure adequate communication and information with regard to the activities of the payment institution in the host territory.
The European Banking Authority is mandated to draft regulatory technical standards on the criteria under which a central contact point can be requested and the functions of such a contact point. Will payment institutions be able to access accounts maintained by credit institutions? For payment institutions, access to a payment account maintained by a credit institution is vital for the operation of their business. PSD Two provides specifically that Member States will have to ensure that credit institutions do not block or hinder access to payment accounts, and that payment institutions have access to credit institutions’ payment account services in an objective, non-discriminatory and proportionate manner. This aspect is very relevant for money remittance services, as many of them have lost access to the banking system in the recent.