The Regulatory Technical Standards under Payment Services Directive 2 (PSD2), which set out additional rules on strong customer authentication and secure communication, will enter into force on 14 September 2019. Although penalties for non-compliance can be severe, not all payment service providers (PSPs) are compliant yet. As the Dutch Central Bank has indicated it wants to include PSPs in the same category as banks (in terms of the suitability screening of policy makers), this might be a good time to review your PSPs governance and compliance framework and consider whether your board’s continuous educational programme is adequate for future developments.
Strong customer authentication and secure communication
In its 21 June 2019 Opinion, the European Banking Authority acknowledged that not all PSPs will be able to comply with the strong customer authentication (SCA) and secure communication (SCT) rules in the PSD2 by 14 September. It further indicated that supervisory authorities may give certain PSPs additional time to implement the required changes, under the condition that PSPs have a concrete migration plan in place, which must be discussed with and approved by the supervisory authority. The Dutch Central Bank has stated that it intends to give limited additional preparation time to market parties that have not been able to prepare SCA for credit card transactions in time, but it has not specified how long this additional time would be. Together with the European Banking Authority, the Dutch Central Bank is aiming for a uniform European move towards SCA implementation for credit card transactions.
The Dutch Central Bank has also published an overview of various recent PSD2-related Q&As. This includes a Q&A on the SCA exemption requirements where non-consumer payers are involved. It has also launched a consultation for a Q&A on unobstructed client journey for services provided by payment initiation and account information service providers. The new Regulatory Techical Standards on SCA and SCT stipulate that PSPs should ensure that the dedicated interface for payment initiation and account information service providers allows for the unobstructed and efficient provision of these services. In the Q&A, the central bank sets out the standards it will apply when assessing if an interface allows for the unobstructed and efficient provision of services.
More supervisory attention for PSPs
After the AFM and the Dutch Central Bank’s recent consultation on amendments to the suitability screening of payment institution policy makers, the increased interest for PSPs by these supervisory authorities is clear. The consultation ran through 1 September, and the AFM and central bank expect to publish the final version of the updated Suitability Policy before the end of 2019. According to the consultation, payment institutions will move from Category C up to Category A, resulting in a more principle-based screening instead of a rule-based screening. The current 2012 Suitability Policy Rule already allows supervisory authorities to apply a principle-based screening in addition to a rule-based screening of payment institution policy makers, if supervisory authorities have reasonable cause to do so. The change in category demonstrates the central bank’s increased focus on payment institutions, and the significance of their activities within the financial sector.
Depending on their size and business type, amongst other factors, PSPs and their prospective policy makers should expect the suitability screening to become more stringent. Careful preparation is essential. It would not be surprising if the central bank increased general supervision efforts for PSPs as well. This topic is also relevant for organisations considering expanding their licences to that of a bank to further enhance payment services capabilities or to provide additional regulated services.
Continuous education and screening preparations
Undertakings that consider applying for a licence as payment institution should take the screening by the central bank (including a possible screening interview) seriously. Among other things, a candidate needs to demonstrate knowledge of the sector and of the important regulatory themes. The candidate should also have a vision on market developments, legislation, and important challenges and issues relevant to the undertaking.
De Brauw regularly assists candidates in preparing for screenings, by providing training on financial regulatory law. It also offers education programmes for our client’s board members to help them comply with continuous education requirements. Both programmes are designed to provide insight into the legal context, to assist in understanding important topics and risks for the undertaking, and to provide the knowledge to ask discerning questions. These training sessions are an excellent way to prepare for the screening interview, and remain invaluable throughout the board member’s term.
For the full text of the Regulatory Technical Standards on SCA & SCT under PSD2, click here.
For the European Banking Authority ‘s overview of all Guidelines and RTS under PSD2, click here.
For the full text of PSD2, click here.
De Brauw Blackstone Westbroek
Claude Debussylaan 80
1082 MD Amsterdam
P.O. Box 75084
1070 AB Amsterdam