January 13 was the deadline for the much-anticipated Second Payment Services Directive, or PSD2, to become national law in EU Member States. In the UK, PSD2 was implemented within the 2017 Payment Services Regulations, which are enforced by the Financial
Conduct Authority (FCA).
Much of the focus around PSD2, understandably, has been on open banking and APIs, which, for the first time, allow third-party providers to access customer bank account data, based on the customer’s approval, to provide value-added services in the payments
Most pundits are preoccupied with the security and liability challenges associated with opening client account information up to non-bank third parties.
If open banking wasn’t challenging enough, hold onto your hats, as a deep dive into PSD2 and the FCA’s new e-money and payment services approach document — which aims to help UK payment service providers navigate their way through the new payment services
landscape — has unearthed some more obscure and less well-known aspects of the regulations, which may have compliance officers reaching for a compass or an alternative navigational device any day now.
- First cab off the rank, you may be surprised to discover that PSD2’s overarching reach is not just confined to the EU. Non-EU transactions are now caught in its tentacles, as well as transactions where one leg is conducted by a payment service provider
(PSP) that is outside the EU.
- If you’re a marketplace or e-commerce platform that handles or controls client money, then you’ll need to quickly get to grips with the finer details of PSD2, which has tightened its interpretation of the “commercial agent” and “limited network” exemptions
marketplaces may have relied on to avoid becoming a licensed provider of regulated payment services.
- Retail consumers can kiss goodbye to annoying card surcharges, which will be scrapped for most of us under PSD2. Charges on corporate cards, however, remain outside the scope of the regulation.
- When is a payment account not a payment account? PSD2 and the FCA’s 2015 Payment Accounts Regulations, which implemented the EU Payment Accounts Directive, have different definitions of what constitutes a payment account, which may cause some head scratching.
- Monthly account statements. This is a bit of an odd one given that the focus is now on making account data available in more modern, convenient ways and dispensing with outmoded means of communication such as paper statements, once and for all. According
to the FCA’s approach document, payment service providers must now “provide” (which has a specific definition relating to proactively pushing this out to the customer) monthly account statements on paper or a “durable medium” (which also has a specific definition).
- Social media may no longer suffice as a reporting tool for major operational and security incidents: Throughout 2017, there were some well-publicised issues/outages in the payments sector. However, the FCA now requires notification of major operational
and security incidents, within hours of them occurring, as well as regular updates. While UK “challenger banks” were praised by (some of) their customers for their openness and keeping people up to date via Twitter, going forward, it may no longer be enough
just to post apologies and updates on social media.
- You can see the newspaper headline now: FCA Drowning in PSD2 Re-authorisation Applications. Under PSD2, all existing e-money and payment services businesses need to go through a re-authorisation process to continue operating beyond mid-July. The FCA wants
submissions completed by mid-April, as it needs to decide on “complete” applications within three months. However, anecdotal information suggests that much of the sector has not submitted theirs yet. It’ll be interesting to see how the FCA manages the applications
once they come rolling in. The big question is, can they review and approve them quickly enough to ensure continuity of the sector and service to customers?
The ground may not have shaken on January 13th, but compliance officers could be trembling come July if their application for re-authorisation has yet to be approved.
Some of the terms I’ve used are explained further in the Jargon Buster below.
PSD2 Jargon Buster
Durable medium: This terminology may be familiar to the building trade, but sounds out of place in regulatory guidance for payment service providers. Yet, according to the FCA, in the context of PSD2, ‘durable medium’ refers to “any instrument which
enables the payment service user to store information addressed personally to them in a way accessible for future reference … and which allows the unchanged reproduction of the information stored.” So, this could mean printouts, CD-ROMs, DVDs, hardly modern-day
storage devices in the age of cloud computing. The FCA says “in certain circumstances internet sites” may qualify as a durable medium.
Payment account: Interpreting regulations is often a game of semantics and PSD2 is no different. It defines a ‘payment account’ as an “account held by one or more payment service users, which is used to conduct payment transactions.” It may include
savings and current accounts or accounts that combine savings with mortgage and payment facilities, so long as the account is being used to make payments. However, the FCA’s 2015 Payment Accounts Regulations do not class some savings or credit-card accounts
as payment accounts. Clear as mud then.
Payment Service Provider: In addition to banks and building societies, payment and e-money institutions, PSD2 introduces two new classes of payment service providers: Payment Initiation Service Provider (PISP) and Account Information Service Provider
(AISP), which are expected to provide new services under PSD2. For example, AISPs could provide aggregated bank account information and analysis services. PISPs, which “initiate a payment from the user account to the merchant account by creating a software
bridge,” could start to offer services such as bill payment and peer-to-peer transfers.