Payment Services Directive 2

6

Broadening the Scope of Payment Services
The European Parliament accepted the second Payment Services Directive (PSD2) on 8th of October, 2015. Although the final text is set many questions lack clear answers and need to be addressed accordingly.
Since the adoption of PSD1 (Directive 2007/64/EC on payment services in the internal market) new types of payment services have emerged, especially in the area of internet payments. According to Recital 18 of PSD2 "these services play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer's bank in order to initiate internet payments on the basis of a credit transfer. The payment initiation service provider, when providing exclusively payment initiation service, does not in any stage of the payment chain hold user's funds"."[1]
 These new e-commerce payments are made over the internet, usually in one of these three ways[2]:
via a remote payment card transaction through the internet;
in the form of online credit transfers or direct debits by using either the payer's online banking system directly, or that of a third party's (e.g. Sofort);
payments through e-payment providers, with which the consumer has set up an individual account that has been funded through "traditional" payment methods, e.g. bank transfers or credit card payments (e.g. PayPal, PayU).
 Annex 1 of PSD2 includes those payment services that are within the scope of the directive. Two new services were added to this list with PSD2: payment initiation services and account information services. The first includes those services under point 2 above that are provided by third parties other than banks. The second is only a complementary service providing the user with aggregated online information on one or more payment accounts.
Payment Initiation Services 
The German Sofort, the largest bank-independent TPP in Europe offers payers the option of paying merchants directly from the payer's bank account. The payer authorizes the specific payment and personally carries through and completes the necessary steps for executing it, including selecting from which of his or her bank account the payment should be made. The payer then signs the transaction using his or her existing online bank credentials. The payer retains full control of the completion of the payment and uses bank issued security credentials to carry it out. The whole process is carried out using Sofort's software but Sofort is not able to initiate a payment without the payer actively participating and going through the same steps as if initiating an online bank payment. This makes this payment one of the safest online methods, and the risk for the payer to be exposed to fraud is minimized[3].
Although Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004, payment initiation services do imply an increased risk for the user. The Study on the Impact of PSD1 also highlighted some security concerns:
"To put it simply, under payment initiation services, the historically basic concept of the payment process "give me EUR X from your wallet" turns into "give me your wallet" (out of which the payee or its provider takes EUR X). This triggers security concerns which are broader than the mere fear of the risk of one-off fraud."[4]
 Figure 2 shows that in the new, five member process the payer initiates payment via the TPP which in turn passes the instruction to the payer's bank.

 ---- PSD2 relation
PSD2 does not use the term bank. Instead it uses the definition: "account servicing payment service provider". This wording basically covers banks as it means a payment service provider providing and maintaining payment accounts for a payer[5].
The service provided by Sofort and of other similar banking services (e.g iDeal or Trustly) was not covered by PSD1. PSD1 exempted those technical operators who support PSPs on the ground that these do not come into the possession of the payer's funds[6]. Article 3(j) of PSD2 upholds this exemption however specifically excludes payment initiation services and account information services thus extending scope to such TPPs.
It is therefore inevitable for those technical operators who relied upon the above exemption to carry out a careful analysis as to whether they will now need to become regulated under PSD2. It will be particularly important for determining whether a payment service provider enjoying exemption as a support operator under PSD1 now falls within the scope of providing "payment initiation services" or not.
Under PSD2, payment initiation service providers are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros[7]. Account information service providers are expressly exempt from authorisation, but are subject to a registration requirement[8].

Account Information services
According to Recital 18(a) of PSD2 "…with technological developments, a range of complementary services have also emerged in recent years, such as account information services. These services provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider, thus enabling the payment service user to have an overall view of his financial situation immediately at a given moment."
PSD1 was silent about such services, that raise several legal issues such as consumer protection, security and liability as well as competition and data protection issues.
This service used to be the monopoly of the consumer's bank and was limited only to one bank account. Now the user authorizes this TPP to process information available in the user's online banking facility and then provides financial information and new functionalities not available from the bank (e.g. eWise).
Figure 3 shows how account information service would work under PSD2.

 Some argue that PSD2 does not contain clear definitions as to the content of the account information services[9]. They claim that PSD2 remains neutral about the technology of such services and refers only to "services requested by the user[10]" or "information requested through an account information service provider[11]" and "access and use the information on the payment services user account[12]". This argument is however is not well founded, since PSD2 is a directive, its goal is to set out minimum requirements that each EU members must achieve. It is up to national legislation how this goal is achieved. This is somewhat contrary to the above where emphasis was made on the unprecise definitions used by PSD2. Nevertheless it is not this directive's task to solve technicalities.
 In the earlier draft version of PSD2 the wording of account information service included references to a payment service. However the EPC was of the opinion that such services should not be presented as a "payment service" as these are not necessarily linked to payment transactions[13].The EPC reasoned that such services would only comprise historical payment transaction data, or "aggregation services", but would never lead to a payment initiation. The EPC even questioned if it should be included in PSD2. The reason that these services should not be left without appropriate authorization resulted in their inclusion under the scope of PSD2.
Access to Payment Accounts 
 Access to payment accounts is one of the most controversial territories of PSD2. A payment initiation service or an account information service would not work if banks would not grant access to payment accounts. This is a very sensitive territory, touching banking secrecy, anti-money laundering and data protection issues.
The Study on the Impact of PSD1 highlighted that with payment initiation services the concept of the access to accounts has shifted:
"Existing online access relies on the as-assumption that the user is the only person to access the account. Indeed, to tackle concerns with payment initiation services, while still preserving the innovative potential of those services, this basic assumption needs to be shifted. Instead, the basic underlying assumption should hold that the user is one of the persons to access the account, but remains the only person to decide on who else may get access to the account. The concept under which the user is one of the persons to access the account and the only one able to decide who gains access removes most obstacles to the sustainable development of payment initiation services. Indeed, this way of conceptualizing access to accounts ensures neutrality with regards to future developments in this area."
In accordance with Articles 58 and 59 of PSD2 a bank or a credit institution must give TPPs access to customers' account information, provided that the customer has given his explicit consent to that access. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator[14].
Aren't the above articles contrary to bank's general terms and conditions? Could a customer raise a concern that the general terms and conditions prohibit the disclosure of confidential login details and the confirmation code to third parties? Would such disclosure imply breach of contract?
Ross Anderson explained the Sofort case during the Security Protocols 20th International Workshop in 2012 when the German banks sued Sofort on the basis that it induced its customers to break the general terms and conditions of their contract. However the Federal Competition Authority intervened and said that "they actually liked these Sofort chaps because they were bringing some much needed competition into a very, very cartelised payment business".[15].In 2011 the authority called upon the German banks to enable non-discriminatory access for online payment systems that are independent of banks.
Contrary to the German practice, in 2014 the Polish competent authority for payment service providers explicitly closed the market for service providers with its decision on instructing banks not to allow access to bank accounts to Polish TPPs.[16]
 Simultaneously with the Polish approach, the District Court of Midden-Nederland ruled that AFAS Software B.V. acted unlawfully and must desist from asking ING Bank's customers to enter their banking credentials on the website of AFAS so that it could log on automatically to ING's secure online banking interface[17].
The Dutch AFAS operates along the same principles as the German Sofort with the difference that Sofort has been granted access to payer's bank accounts, while AFA hasn't. Interestingly ING relied on the same reasons as the German banks when suing Sofort. ING reasoned that its general terms and conditions and the Uniform Safety Standards of the Dutch Banking Association prohibit customers to disclose their personal internet banking credentials to third parties. Furthermore, AFAS created an immediate online banking security risk by asking ING customers to supply their internet banking credentials. The court ruled in favor of ING and said that in order to prevent fraud, internet banking credentials should never be provided to third parties.
Most surprisingly the Dutch court rejected of the argument of AFAS that its services, including the offer for an automatic connection between its third party applications and online banking environments, will be regulated by PSD2. The court agreed with ING saying that PSD2 is not yet in force and that the proposed text of the directive is still under discussion, especially those provisions that AFAS could rely on.
The Dutch court eventually ruled that the final compromise text of a directive waiting for voting cannot be relied on. This is in line with the CJEU's case law. In Inter-Environment Wallonie the CJEU held that even within the implementation period the Member States are not entitled to take any measures which would seriously compromise the result required by the directive[18]. This was later on strengthened in Mangold[19].
If PSD2 entered into force AFAS could challenge the Dutch court decision by invoking Inter-Environment Wallonie and Mangold. But first it should be examined whether the given Article of PSD2 is capable of direct effect using the test set out in Francovich.[20]
According to Article 58 Section 1.b (b) of PSD2:
"The account servicing payment service provider shall: 
(b) immediately after the receipt of the payment order from a payment initiation service provider provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider; 
(c) treat payment orders transmitted through the services of a payment initiation service provider without any discrimination for other than objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer himself."
Subsection b) of the above article seems capable of direct effect. Notwithstanding the fact that the term all information is not precise enough, the preceding subsections of this Article give some guidance on what information (personalized security credentials, other information on the service user) banks should give access to. Subsection b) confers rights on payment initiation service providers On the other hand subsection c) is not precise enough. While it imposes a clear obligation and identifies who the subject of that obligation is (the account servicing PSP) it does not seem that it confers rights on any party in particular.
Horizontal or vertical direct effect in relation to AFAS would depend on the fact how the Netherlands implements PSD2.
 Footnotes:
[1] Recital 18 of PSD2
[2] Green Paper of the European Commission…
[3] Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004 according to EPIF's Report on Payment Initiation Services, July, 2013.
[4] Study on the impact... p.4
[5] Article 4(10) of PSD2
[6] Article 3(j) of PSD1
[7] Article 68(b) of PSD2
[8] Article 27(a)of PSD2
[9] http://prudentiz.eu/payment-services-directive-ii
[10] Article 59(2)f o PSD2
[11] Article 87(1)c) of PSD2
[12] Recital 51 of PSD2
[13] Gijs Boudewijn, "PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services" (2014) EPC Newsletter
[14] Article 29a of PSD2
[15] Ross Andreson: Protocol Governance: The Elite or the Mob? In: Security Protocols XX: 20th International Workshop, Cambridge, UK, April 2012.
[16] http://prudentiz.eu/payment-services-directive-ii
[17] ING BANK N.V. v. AFAS SOFTWARE B.V [2014] Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481
[18] Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411 para 44
[19] Case C-144/04 Mangold v Helm [2006] 1 CMLR 43 para 28
[20] Case C-60/90 Frankovich [1991] ECR I-5357