Directive on payment services – PSD 2
The new Payment Services Directive (“PSD 2“) is to reform the European payment market. The scope of the directive is to harmonize regulations within EU and push for a more open payment market, but also to strengthen the payment services user’s rights. PSD 2 will affect all operators offering payment services which consists of both credit institutions and more specialist payment institutions. In addition to affect current authorized operators does PSD 2 also extends the definition of payment services to include operators that today operates without authorization. This means that these operators must authorize themselves through the FSA.
PSD 2 contains the following essential news:
- Payment initiation services and account information services becomes licensable.
- Strengthened rights for payment service providers to be granted access to payment accounts and payment systems provided by credit institutions.
- Strengthened protection of payment services user’s and increased obligations for payment service providers.
- Processes and procedures for managing operational and security risks are required.
- Operational and security incidents must be reported.
- Demand to use strong customer authentication when identifying a client remotely.
The new requirements mean that operators subject to PSD 2 needs to:
- Review support systems and business models in order for account servicing payment service providers to convey information to the other payment service providers and for non-account servicing payment service providers to receive, manage, and use information.
- Review business model to ensure that the right authorization is held.
- Review and revise internal rules for granting access to payment accounts and payment systems.
- Analyze fees, timelines and information disclosure in relation payment service users to ensure that these are compliant with PSD 2.
- Establish internal rules and systems to identify, manage and report operational and security risks.
- Ensure that strong customer authentication is applied when identifying customers remotely.
PSD 2 was adopted the 25th of November 2015 and shall have been implemented in the member states the 13th of January 2018. Below follows a timeline of the implementation process.
FCG provides the following services within PSD 2
- GAP-analysis and implementation
- Identification and analysis of an organization’s current status in relation to PSD 2.
- Identification of GAPs and proposals for concrete actions.
- Implementation of measures, for example establishment of processes and procedures or technological solutions for operational and security risks.
- Training and advice
- Training and advice on payment services and authorizations.
- Training and advice on new routines and processes, e.g. regarding information requirements in relation to payment service users.
- Training and advice on the changes in PSD 2 for operational and security risk functions.
- Pilot study
- Brief analysis of PSD 2’s effect on a business, for example, identification of new requirements and obligations for payment service providers.
- Analysis of previously non-licensed operations in order to investigate possible authorization requirements.
- Analysis of potential opportunities arising from PSD 2 from a business and regulation perspective, for example, how PSD 2 can allow access to more information and how the information can be utilized and optimized.
- Project management
- Development of implementation plan.
- Operational project management team specialized in managing existing and future regulations.
- Processes and routines or technical assistance in implementation of incident reporting and strong customer authentication requirements.
- Management of risk and compliance functions
- Ongoing advice, support and controls of the business compliance with the requirements of PSD 2 after implementation.
- Ongoing advice, support and control of operational and/or security risk functions.
- Advice on introduction of systems for operational and security risks.
- Authorization projects
- Advice and support on applications for authorization of payment institution or registration of payment service providers.
- Development of the authorization application including the necessary regulatory documents and business plan.