PSD II Directive full of opportunities or perhaps...
ACAMS Seminar
PSD II
Directive full of opportunities or perhaps challenges?
13 October 2015
Matthijs Bolkenstein
Partner
Eversheds BV | 21/10/2015 |
1. General
• contribute to a more integrated and efficient European payments market
• improve level playing field for payment service providers
• improve consumer protection
• make payments safer and more secure
• regulating pricing of payment services
General - Main objectives PSD II
• wider scope
• telecom exemption limited to micro-payments for digital services
• introduction central register of authorised and registered payments institutions maintained by European Banking Authority (EBA)
• new security measures (mandatory) to be implemented
• waiver regime (possibility for EU member state to introduce lower threshold)
• limited network (certain volume, notifying competent authorities and assess whether license should be required)
• more detailed passporting procedure
• central contact point (optional in case of agent or branches on the ground)
• rules to ensure no blocking and hindering access to payment account
General - Differences between PSD I and PSD II
• more and wider choice due to more competition
• lower charges and a ban on surcharging
• improved protection
• unconditional refund right
• scope extended outside EU (so called one-leg transaction)
• complaint handling via competent authority (KiFID?)
General - Main benefits consumers
General - PSD II Timeline
8 October 2015 EP adopted revised Directive on Payment Services
Q4 2017 Implementation in Dutch legislation
New security measures and authentication
18 months after regulatory technical standards EBA have been issued
• Authorised institutions
− 30 months after entry into force PSD II
− at end of this period all requirements for PSD II license should be met; or
− Member State can opt for automatic PSD II license in case competent authority has evidence institution complies with PSD II
• Small institutions relying on waiver
− 36 months after entry into force PSD II
• Established PIS providers and AIS
− continue business as Member State is required to maintain status quo and apply for license
General – Transitional period
2. License Requirements
License requirements - General
• in general similar to current requirements
• enhanced levels of security (mandatory security policy document, description of security incident management procedure, contingency procedure, etc.)
• capital requirements for third party service providers (personal indemnity insurance or comparable guarantee covering relevant territories; coverage yet to be determined by EBA)
• Program of operations (which payment services)
• Business plan
• Capital requirements
• Governance arrangements and internal control mechanisms
• Security procedures (incidents, customer complaints)
• Description of process in place to file, monitor, track and restrict access to sensitive data
• Business continuity arrangements
• Principles and definitions applied for the collection of statistical data on performance, transactions and fraud
• Security policy document (prevention)
• AML procedures
• Organizational chart, use of agents and branches, off- and on-site checks, outsourcing arrangements and participation in a national or international payment system
License requirements
• UBO information
• Eligibility policy makers (directors/management)
• If applicable, auditors
• Constitutional documents
• Contact details
EBA will provide further guidance on the specifics of a number of requirements in regulatory technical standards
License requirements (II)
In case the service provider provides account information services only, only the following criteria should be met:
• Program of operations
• Business plan
• Description governance arrangements and internal control
• Business continuity arrangements (identification of critical operations)
• Security policy document (including risk assessment)
• Description structural organisation, intended use of agent or branches, supervision thereof, etc.
• Identity policy makers and eligibility of these persons
• Constitutional documents
• Contact details
License requirements account information service providers
• Qualify as payment institutions
• Title III (transparency and information requirements) and IV (rights and obligations in relation to the provision and use of payment services) shall not apply except for:
• Article 41 – burden of proof on information requirements
• Article 45 – information and conditions (single transaction)
• Article 52 – information and conditions (framework contracts)
• Article 67 – rules on access and use of payment account information in the case of account information services
• Article 69 – obligations of the payment service user in relation to payment instruments and personalised security credentials
• Article 95 to 98 – operational and security risks and authentication
Account information service providers
3. Various topics of PSD II
• Payment service provider to establish framework with appropriate mitigation measures and control mechanisms to manage operational and security risks
• Measures and guidelines regarding safe authentication procedures, including safeguarding confidentiality
• Establish and maintain incident management procedures
• Periodical information updates to competent authority about assessment operational and security risk and adequacy of the mitigation measures and control mechanisms
• Notification competent authority about incident and inform payment service users
• Competent authority to inform EBA about incident
• EBA to provide regulatory technical standards
Operational and security risks and authentication
• No charges for fulfillment of information obligation (unless stipulated differently)
• Charges may not exceed the direct costs borne by the payer for the use of the specific payment instrument
• No charges for use of payment instruments for which interchange fees are regulated by the Regulation on interchange fees for card-based payment transactions and for those payment services to which the regulation establishing technical and business requirements for credit transfer and direct debits in Euro applies
• Legislative proposal to prohibit charges for use of debit cards
Charges
• Introduction specific complaint authority
• EBA to set guidelines in relation to complaint procedures
• Payment service providers shall set up complaint resolution procedures and shall monitor their performance
• Complaints registration
Complaint procedure
PSD II introduces a stricter set of information provisions between home regulator and host regulator
Host regulator may set conditions:
− periodical reporting on activities by agent/branches
− appoint central point of contact
− EBA to issue regulatory technical standards
Cooperation home regulator and host regulator
• Informing home member state without delay
• All measures to be taken to ensure compliance
• Inform host member state about measures as well as all relevant authorities
• Precautionary measures (as long as appropriate and temporary)
• Inform home member state(s), Commission and EBA
Measures in case of non-compliance by host regulator
• Member State shall adopt penalty framework
• Member State shall adopt procedure for publication of penalties
Measures home regulator
4. Compliance challenges
• Identifying persons in chain
− Payment service provider
− Payment initiation service provider
• Supporting evidence to prove fraud or gross negligence on part of the payment service user
• Refunding requirements
Compliance challenges - Liability
• Obligation to ensure proper use
• Monitoring data protection policies throughout the chain of service providers
• Ensure consumers' consent
• Member State shall permit processing when necessary to safeguard prevention, investigation and detection of payment fraud
• Payment service providers shall only access, process and retain personal data necessary for the provision of their services
Compliance challenges – Data protection
• Ensuring proper implementation of all required procedures
• Supervision of other service providers in chain
• AML governance
Compliance challenges – operational and security risks and authentications
• Managing, recording of contractual relationships
• Monitoring contractual relationships
• Ensuring contractual fit between all relevant contracts and parties
Compliance challenges – contractual and monitoring
eversheds.com ©2015 Eversheds BV Eversheds BV is a member of Eversheds International Limited
Matthijs Bolkenstein
Partner
T: 020-5600 636
De Cuserstraat 85 A
1081 CN Amsterdam