15 January 2019

Long-overdue PSD2 implementation in the Netherlands: towards an open and secure retail payments market

One of the key events in financial markets regulation in the Netherlands for 2019 will be the implementation of the revised Payment Services Directive (PSD2), which should have become law by 13 January 2018. The exact timing of the implementing legislation's entry into force will depend on when the final steps in the legislative process take place – we expect this to be in January or February 2019. For an overview of other member states' implementation details, click here.

What does PSD2 cover?

PSD2 sets regulatory requirements for businesses that provide electronic online payment services. Although PSD2 restates certain existing rules, it also introduces new requirements for providers. One of the most important changes is that account servicing payment service providers (ASPSPs, traditionally banks) will have to give third party payment services providers (TPPs) online access to payment and bank account information. The reasoning is that this will enhance competition and innovation in banking, creating a level playing field for new players. Fintechs - including big tech firms such as the US giants sometimes referred to as 'FAANG' (Facebook, Apple, Amazon, Netflix, Google) and their Chinese counterparts 'BAT' (Baidu, Alibaba and Tencent) - in particular are expected to seize the opportunities offered by PSD2. The directive paves the way for them to unlock their potential to develop the innovative online and mobile payment solutions it provides room for. Consumers also stand to benefit, as they will be able to choose from a wider and more competitively priced range of payment services.

In addition, PSD2 aims to make payments safer and more secure. The TPPs that may get access to payment accounts and information will need to apply for authorisation. Under PSD2, two new payment service providers are regulated:
  • account information services providers (AISPs) – these businesses offer online account information services to give the payment service user (PSU) access to consolidated data for all payment accounts held by that PSU (for example, a budgeting app); and
  • payment initiation services providers (PISPs) – these businesses can initiate an online payment on behalf of a PSU, directly from the bank account held by the PSU to Amazon, for example. This offers an alternative to traditional methods for accepting credit or debit card-based online payments, similar to solutions provided by, for example, iDeal or Klarna.
AISPs as well as PISPs can only offer their services with the PSU's explicit consent.

Regulatory impact, overview level 2 and level 3 rules for clients

PSD2 and the acts, technical standards and guidelines it prescribes (see below) are relevant for payment services providers, including banks, TPPs, credit card providers and e-money institutions. These providers should be aware of the various regulatory amendments, ranging from enhanced consumer protection and security rules, to the requirement for parties with a qualifying holding in a payment institution to apply for a declaration of no-objection. Certain other relevant PSD2 provisions will be implemented in the Dutch Civil Code (as opposed to the Wft). These include rules on surcharges (a partial ban on charges for paying with a debit or credit card, both online and in shops) and how to deal with unauthorised and incorrect payments.

Many rules of a more detailed nature than the PSD2 are included in the Commission's implementing and delegated acts, which specify how competent authorities and market participants must comply with the obligations as outlined in the directive. An overview can be found here. Of these acts, the Delegated Regulation with regard to RTS on strong customer authentication and common and secure communication under PSD2 (SCA-RTS) has proven the most controversial. The Commission has made certain amendments to the draft RTS as prepared by the European Banking Authority (EBA) that appear to be born out of fear that banks will not grant TPPs adequate access. To address this, the Commission has stated that if a dedicated interface through which TPPs are allowed access to payment accounts does not function acceptably, access should be allowed using the customer interface (not by screen scraping, as that is not compliant with PSD2, but via customer interfaces that are PSD2-proof).
The EBA, on the other hand, is concerned that this will lead to banks being less willing to open up accounts on a dedicated interface (using their own adjusted customer interfaces instead). This, in turn, could negatively impact the PSD2's objective both to standardise access across the EU member states and to create a single EU payment market.

The amended SCA-RTS were published in the Official Journal on 13 March 2018 and will become applicable on 14 September 2019. Two requirements, however, will already apply by 14 March 2019: ASPSPs must by then (i) ensure that the technical specification of any of the interfaces is documented, specifying a set of routines, protocols, and tools needed by TPPs for allowing their software and applications to interoperate with the ASPSPs' systems; and (ii) make available a testing facility to enable TPPs to test their software and applications used for offering a payment service to users.

In the PSD2, the EBA has been mandated to prepare various technical standards and guidelines, and to set up a register. The EBA has uploaded an overview of its mandate and an accompanying timeline on its website. These are the final guidelines (with publication date):

The Dutch Central Bank (DNB) has decided that these guidelines will apply once the Dutch PSD2 implementation act comes into effect. The Guidelines on fraud reporting under PSD2 are an exception, as they will apply from 1 July 2019 (please see below). Another set of guidelines that will not apply as of the PSD2 implementation date in the Netherlands relates to ICT and security risk management. The EBA recently started a public consultation of its draft Guidelines on ICT and security risk management under PSD2. The consultation period runs from 13 December 2018 until 13 March 2019. Once finalised, these guidelines will supersede the current EBA Guidelines on the security measures under PSD2.

Other deadlines in 2019

As previously mentioned, the deadline for ASPSPs to make available technical specifications and to launch an interface testing facility for TPPs is 14 March 2019. In addition, the SCA-RTS require ASPSPs that have opted to offer access via a dedicated interface to set up a back-up system to address specific situations, such as when the dedicated interface does not perform adequately, is unavailable or if there is a system failure. This contingency mechanism needs to be in place by 14 September 2019. After consulting the EBA to ensure the consistent application of the conditions, the competent authority must exempt ASPSPs from the obligation to set up the contingency mechanism where the dedicated interface meets certain conditions. The EBA Guidelines on the exemption from the fall back mechanism under the SCA-RTS set out the conditions to qualify for this exemption. In its press release, the EBA acknowledges that the timelines for meeting the exemption conditions are tight. And so the EBA strongly encourages ASPSPs to start testing, to launch their production interfaces and to engage with their supervisor as soon as possible to leave sufficient time before the September 2019 deadline.

Another matter that we previously addressed and that may require more preparation in 2019 is the EBA Guidelines on fraud reporting. These guidelines require PSPs to collect and report data on fraudulent payment transactions, using a consistent methodology, definitions and data breakdowns. DNB has informed the EBA of its intention to comply as from 1 July 2019. In practice, this means that Dutch PSPs must report on the second half of 2019, in early 2020. This is to avoid having to report on a period when the PSD2 did not apply in the Netherlands.

Interesting to watch in 2019

Finally, privacy and scope are two PSD2-related topics that will be interesting to keep an eye on throughout 2019.
As for privacy, the cooperation between DNB and the Dutch Data Protection Authority (Dutch DPA) is uncharted territory when it comes to their joint supervision of overlapping issues that fall under the authority of each. The Dutch DPA's supervision of particular privacy-related issues under PSD2, including the requirement for TPPs to obtain the PSU's explicit consent to access payment accounts, will be a challenge as well. This is also the case for related questions, such as how to safeguard the protection of personal data of third parties (that have not consented to the use of their data by such TPP) that may become available to the TPP when granted access by a PSU. The fact that big tech firms have been expanding into payment services is also viewed by many as a contributing factor to privacy risks. After Amazon (Luxembourg) and Facebook (Ireland), Google too has recently obtained a European licence (in Lithuania) that covers the provision of several payment services, including account information services.

With regard to scope, we note that the European Court of Justice (ECJ) recently issued a ruling on savings accounts under PSD1, holding that savings accounts that allow for sums deposited without notice and from which payment and withdrawal transactions may be made solely by means of a current account, do not qualify as payment accounts. It will be interesting to see whether AISPs and PISPs will be allowed to gain access to savings accounts under PSD2. The Dutch Minister of Finance has expressed the view that under PSD2 a broader interpretation of payment accounts is warranted, and intends to submit this question to the European Commission. DNB has indicated that it, too, will await the Commission's opinion. However, DNB apparently also sees possibilities for providers of savings accounts to, in the meantime, already grant AISPs access to these accounts, subject of course to the PSU's consent.