On Saturday 13 January, the EU’s Payment Services Directive 2 will finally enter into force across the European Union. The updated version of the original 2009 Directive aims to improve current rules and bring the European payments landscape into the digital era. Changing the game for European retail banking, PSD2 enables bank customers, both consumers and businesses, to use new and innovative third-party providers to manage their finances, bans merchants from passing through the costs of payments to their customers (surcharging) and puts in place stronger protections for customers when shopping online.
Opening the market to third-party payment providers
One of the key, and most controversial, changes introduced under the PSD2 is that banks will be obliged to provide licensed third-party payment service providers (PSPs) with access to their customers’ account through open APIs. Such PSPs may be any company holding a banking license and offering financial services. As such, in future, while your bank will continue to hold your current bank account, you may be using third-party payment services offered by FinTechs or global tech companies to manage your spending.
While PSD2 will come into effect on 13 January, regulatory technical standards on the technicalities around PSPs’ access to bank accounts are expected to only enter into force by September 2019. In the meantime, the industry is actively developing technical standards on the integration of Payment Initiation Services (PIS) through initiatives such as at the Euro Retail Payments Board or the Berlin Group.
In line with the EU’s Regulation on Multilateral Interchange Fees (MIF), which entered into force in mid-2016, PSD2, in most cases, bans merchants from passing through the costs of accepting electronic payments to their customers.
This surcharge ban aims to protect consumers by prohibiting merchants from charging consumers additional fees for making payments by card, direct debit or credit transfer. For example, merchants, including ticketing, travel and food delivery websites, will no longer be allowed to charge consumers additional fees for paying by debit or credit card. To help you navigate the surcharge ban, the following are the main elements to bear in mind. The ban applies:
- to online B2C transactions (but not B2B transactions);
- to payments made by consumers using debit and credit card, direct debit and credit transfer using a 4-Party scheme (Mastercard, Visa, Giro or Bancontact); and
- where the PSPs of both the consumer (i.e., the consumer’s bank) and the merchant are located in the EEA
For payment methods not covered by the surcharge ban, i.e. 3-Party schemes such as Amex or Diners Club or certain non-card payment methods, any charges applied by the merchant to the consumer cannot exceed the direct costs incurred by the merchant for accepting that payment method. For platforms or marketplaces, the surcharge ban will not impact the platform or application fee charged to consumers, provided that these fees are not differentiated by payment method.
The PSD2’s ban on surcharge fees follows the MIF Regulation’s significant capping of interchange fees to 0.2% for consumer debit cards and 0.3% for consumer credit cards.
Strong Customer Authentication
With regard to strengthening customer protections when shopping online, the PSD2 also puts in place a requirement for strong customer authentication of online payments. While the regulatory technical
standards are still to be approved by EU legislators, it foresees that, barring a number of exemptions, customers will have to undergo strong customer authentication when buying goods and/or services online.
Exemptions to the rule will be:
- when the customer registers the online merchant as a ‘trusted beneficiary’ with his or her bank;
- recurring transactions to the same beneficiary and with the same amount;
- low-value transactions less than EUR30 (certain conditions continue to apply);
- secure corporate payments initiated through dedicated payment processes and protocols; and
- transaction risk analysis
In order for online merchants to be allowed to apply transactions risk analysis, both the customer and merchant’s PSP need to fall within certain required reference fraud rates for certain monetary values up to EUR500. Following their expected approval in early 2018, the rules on their applicability will come into force in September 2019.