PSD, which was implemented in Ireland by the European Communities (Payment Services) Regulations, 2009 (S.I. 2009/383), enabled new types of payment institutions to compete with banks in providing payment services in an increasingly sophisticated financial landscape. Since 2007 there have been rapid changes in online trading and the new directive, Payment Services Directive 2 (2015/2366/EU) (PSD2), is designed to regulate these changes.
Why the need for PSD2?
The development of the ways in which financial services can be delivered to customers has not slowed down in recent years. New regulations were needed to extend the scope of PSD to cover new forms of payment services providers which were unregulated, and to iron out what were perceived as flaws in the original PSD. Focus was placed on improving the transparency and security of payment services.
When does PSD2 come into play?
Member States are obliged to implement PSD2 on a national level by 13 January 2018. In the meantime, PSD remains effective as is. That being said, from 12 January 2016, Member States may not pass laws that contradict PSD2, and from that date, the original PSD must be interpreted in accordance with PSD2. So in reality, the financial climate has already changed.
What are the practical changes behind PSD2?
PSD2 is bringing in numerous changes, but here are a few key changes to keep in mind:
- New payment services: PSD2 regulates two new kinds of payment services: payment initiation services (PISPs) and account information services (AISPs). PISPs cut credit cards and debit cards out of the loop and allow customers to pay for goods online directly from their bank accounts by way of a simple credit transfer. AISPs place all of a customer’s different bank accounts in one handy location for ease of access. By making these services regulated, the hope is that lingering concerns about customer security and data protection can be addressed.
- Third party access to customer accounts: Banks are obliged under PSD2 to allow customers with online banking to avail of PISPs provided by third party service providers and to provide appropriate access and information accordingly. Whilst this may be good news for customers who crave choice and streamlined processes, not everyone is happy. There is a degree of friction between traditional banks and the new types of payment institution which are making significant strides in terms of applying financial technology to the payment services sector. The European Banking Federation have expressed concerns about the security implications associated with such sharing of financial data.
- Security: PSD2 requires payment service providers to update their security procedures in light of the development of the electronic sphere. Customers must be notified directly and without delay if a security incident may affect their financial interests. Customer authentication processes (eg, for carrying out electronic payments or accessing an online bank account) are also drafted robustly: something that will inevitably cause friction given that what the vast majority of customers want is an effortless process.
What next?
The Irish Department of Finance ran a public consultation from June to September 2016, inviting submissions on the transposition of PSD2 into Irish law. The results are currently being reviewed before attention turns to the statutory instrument itself.
The PSD2 has been drafted following extensive negotiation, but the conflict between security, increased competition and innovation is a tough balancing act. Watch this space.