The European Commission introduced the Directive 2007/64/EC or Payment Services Directive (PSD) in 2007 to regulate the payments industry through a single payment market in the European Union (EU). It aims to promote innovation and security for payment providers and users. In 2013, the European Commission proposed an amendment, now coined as PSD2, intended to boost security, innovation and competition in the digital payments market.  

One of the parties greatly affected by the PSD2 are the Payment Service Providers (PSPs), which have been under stricter compliance requirements since the enactment of the EU directive. 

The Directive (EU) 2015/2366, repealing Directive 2007/64/EC, provides for a stronger legal framework to facilitate the integration of the EU’s internal digital payments system. With this, the development of new technologies in the payments industry are taken into account.  

The directive set out rules with regard to: 

• strict security measures and requirements for fraud reduction; 
• transparency of conditions and information requirements (Title III); and 
• the rights and obligations of payment services users and providers (Title IV). 

PSD2 and the PSPs

PSPs are defined and categorised in Article 1(1) of the PSD2 as: (1) credit institutions, (2) electronic money institutions, (3) post office grio institutions, (4) payment institutions, (5) the ECB and national central banks when not acting as public authorities and (6) EU Member States or their regional or local authorities when not acting as public authorities. 

PSPs work with merchants and businesses to safely accept and process digital payments from their customers. Accordingly, the PSD2 legislation targets fraud detection and management.  

As mentioned above, the PSD2 introduced regulatory changes to heighten the EU internal payment markets’ security, innovation and competitiveness. We discuss how the PS2D affect PSPs using each element: 

Introduction of new security requirements 

The PSD2 introduced new security requirements to address the increasing security risks and lack of consumer protection in the electronic payment system. PSPs are specifically required to adapt the Strong Customer Authentication (SCA) system, which is defined as “an authentication based on the use of two or more elements” which are namely, a customer’s knowledge, possession and inherence.

Legal persons looking to provide payment services in the EU region are required to obtain authorisation as a payment institution (PI). Such authorisation, in compliance with Article 11(3) of the PSD2, requires a PI to have a registered office and locate its head office in the same Member State. In addition, it should carry out at least a part of its payment service operation in said EU jurisdiction, indicating that it should have a “local” or “entity of substance” in the EU. This further ensures that security risks in the EU payment system are thoroughly attended to and safeguarded.  

Some EU Member States such as Belgium, the Netherlands and Sweden have already implemented the use of SCAs for digital payment transactions. 

Facilitating greater innovation 

PSPs are urged to internally develop their current technological assets and abilities not only to ensure safe and secure digital transactions but also to provide better customer experience.  

Increase in competition 

According to the Directive 2007/64/EC, competent authorities were not supervising payment initiation services, raising legal issues in terms of competition in the payment services market. 

In connection with the promotion of innovative approaches to ensure good customer service, the PSD2 also facilitates competition amongst service providers. The result is a fair and level EU payment market where competition is stimulated, expanding consumer choices at different price points.  

Overall, the PSD2 established the aforementioned rules and guidelines to facilitate a better integrated EU payments system and ultimately eliminate online fraud. With this, consumers, merchants and PSPs would reap the benefits of a secure and transparent payments market. 

Bolder Group as your compliance partner 

The legislation and directives concerning EU market participants, especially in the fast-developing financial technology (fintech) industry, are seen to impose stricter requirements in the coming years. As a result, compliance becomes increasingly complex and challenging.  

Bolder Group has an active presence and knowledge in the EU region, with professionals ready to assist industry clients with their corporate and compliance needs.  

For any questions or further assistance, contact Bolder Group’s Amsterdam Managing Director patrick.vanmaurik@boldergroup.com. Get in touch with your nearest Bolder office to know more about our services.