In November 2009, the Payment Services Directive (PSD1) became applicable in the European Economic Area (EEA) and established the foundations for a pan-European single market for payments. Now, almost a decade later, the industry is adjusting to the requirements of the revised PSD (PSD2), which went live in January 2018 and which incorporated and repealed PSD1. The European Commission published FAQs on PSD2 on 13 September 2019.
In addition to improving rules for electronic payments, PSD2 aims to open up the EU payment market to companies offering customer- or business-oriented payment services on access to information about the payment account. It impacts e-commerce platforms in a number of ways.
Strong customer authentication
One of the principal changes made by PSD2 is the introduction of formal requirements for payment security. Unless an exemption applies, a payment service provider must provide strong customer authentication (SCA) where the payer is:
- accessing a payment account online
- initiating a payment instruction
- carrying out a transaction through a remote channel.
The SCA rules, which applied from 14 September 2019 and which are set out in detail in regulatory technical standards, are designed to improve the security of payments and limit fraud during the authentication process. When making payments, customers will be required to go through a two-step authentication process (two-factor SCA) based on two or more elements, which are categorised under the following headings:
- Inherence: something the user is (eg a finger print or iris or retina scanning).
- Knowledge: something only the customer knows (eg a password or PIN).
- Possession: something only the user possesses (this can be physical or non-physical provided there is a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device).
The European Banking Authority issued an opinion in June 2019, in which it acknowledged that not all market participants will be ready for the new regime and therefore national regulators may decide to provide "limited additional time" to allow the e-commerce industry to adopt compliance approaches.
Accordingly the UK Financial Conduct Authority (FCA) has announced an 18-month "adjustment period". This means that it will not take enforcement action against firms that have not met the relevant SCA requirements in areas covered by an industry plan, co-ordinated by UK Finance, where there is evidence that they have taken necessary steps to comply with the plan. After March 2021, any firm failing to comply with the SCA requirements will be subject to the FCA's arsenal of extensive supervisory and enforcement powers as appropriate.
The UK Finance Plan contains a timetable for a managed rollout of compliance SCA solutions. E-commerce businesses will need to ensure that transactions are processed via a secured industry protocol such as 3D Secure (the latest version is 3DS2 and is the version that the industry is encouraging merchants to use). As part of their preparations, businesses will need to review the process the customer follows (the so-called "customer journey") and sales model to ensure it remains appropriate and that any website enhancements have been made.
The FCA will hold regular meetings with merchants and technology providers on a quarterly basis to monitor delivery against agreed milestones and the 14 March 2021 deadline.
Although the position elsewhere in the EEA must be determined on a state-by-state basis, certain EEA Member States such as Ireland and Germany have also announced similar implementation or forbearance periods.
Commercial agent exemption
The PSD regime provides an exemption for transactions executed through a commercial agent. Under PSD1, the exemption read as follows:
"(b) payment transactions from the payer to the payee through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee"
While the exemption was not intended to be relied upon for both seller and buyer transactions, in practice it was used differently across Member States with certain Member States allowing the exemption to be relied on by e-commerce platforms handling payments transactions on behalf of both the payer and payee.
Under PSD2, the exemption now reads:
"(b) payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee [emphasis added]"
If an e-commerce business acts on behalf of both the buyer and seller then it is likely to require authorisation or registration. A key test for using the exemption will be whether the agent comes into possession or has control of the client's funds. The FCA has said that it is likely that a business will be acting for both the payer and the payee if payments are transferred into an account that it controls or manages before being sent to the payee, but the payer's debt is only settled once the payee has received payment.
The FCA has also explained that in its view an agent would have the authority to conclude the sale or purchase of goods or services on behalf of the payer or the payee only if it had the authority to affect the legal relations of its principal, who is the payer or payee, with third parties or bind the payer or payee to a purchase or sale of goods or services. It goes on to say that simply providing the technical means by which a payer places or a payee accepts the order would not be sufficient. E-commerce platforms should examine carefully whether they can take advantage of this exemption or must be authorised or registered with the FCA under PSD2.
Limited network exemption
Payment transactions based on payment instruments only for use within a limited network, such as those for use within a limited network of service providers or for a limited range of goods or services were outside of the scope of PSD1.
Market feedback showed that payment activities covered by the limited network exemption often comprised significant payment volumes and values and offered consumers hundreds or thousands of different products and services. This was not in keeping with the original purpose of the exemption and gave rise to increased risks and no legal protection for payment users and meant regulated providers were disadvantaged.
As a result, the exemption in PSD2 is now more restricted in its application and introduces a threshold based notification regime.
It now applies only to services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:
- instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer
- instruments which can be used only to acquire a very limited range of goods or services, or
- instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer.
A person providing services or issuing monetary value falling within the limited network exclusion must notify the FCA if the total value of the payment transactions executed through such services or made with the monetary value issued in any period of 12 months exceeds €1 million.
On the basis of that notification, the FCA shall determine, based on the criteria referred to in the exemption, whether the activity does not qualify as a limited network, and inform the service provider accordingly.
Further details of the FCA's limited network exemption regime can be found here. The notification must be submitted using the FCA's Connect system. The FCA maintains a register of those who fall within the limited network exemption and are required to submit a notification.
Help is at hand
If you would like to discuss any of the above points, please do get in touch.
If you have any questions on this article please contact us.
