PSD2 - Frequently Asked Questions

The first Payment Services Directive (EU) 2007/64/EC (PSD1), which came into force in 2009, established common rules for certain types of electronic payments, such as credit transfers, direct debits, card payments, and mobile and online payments. Directive 2015/2366/EU on payment services (PSD2) updates and complements the rules set out in PSD1 and takes new providers of innovative payment services into account. The new rules seek to:

• Make it easier and safer to use internet payment services
• Better protect consumers against fraud, abuse, and payment problems
• Promote innovative mobile and internet payment services
• Strengthen consumer rights.

The European Union (Payment Services) Regulations 2018 S.I. No.6 of 2018 (Payment Services Regulations 2018), which transpose PSD2 into Irish law, are applicable from 13 January 2018.

PSD2 aims to provide for the further development of a better-integrated internal market for electronic payments within the EU. It puts in place a comprehensive framework for payment services, with the goal of making payments within the EU more efficient and secure. It aims to provide greater protection for consumers by enhancing security measures for electronic payments. It seeks to open up payment markets to new entrants, with a view to encouraging more competition, greater choice and better prices for consumers.

PSD2 opens the EU payment market for companies offering consumer or business-oriented payment services based on the access to the information from the payment account – so called "payment initiation service providers" and "account information service providers".

• Payment Initiation Service Providers

  Payment Initiation Service Providers typically help consumers to make online credit transfers and inform the merchant immediately of the payment initiation. This allows for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute an alternative to credit card payments as they offer an easily accessible payment service, as the consumer only needs to possess an online payment account.

• Account Information Service Providers

  Account Information Service Providers allow consumers and businesses to have a global view on their financial situation. For instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorise their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning.

The Central Bank of Ireland is the competent authority in Ireland for the authorisation and supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs) under the Payment Services Directive (PSD1) and the Electronic Money Directive (EMD). Regulation 33 of the Payment Services Regulations 2018 appoints the Central Bank as the competent authority in the State for the purposes of PSD2. As competent authority, the Central Bank’s role is to ensure and monitor effective compliance with PSD2.

You will require authorisation/registration under the Payment Services Regulations 2018 if you provide one of the payment services listed in the schedule to those Regulations, unless you are either excluded from the scope of PSD2 or are one of the institutions referred to in Article 1(1) of PSD2¹.

An authorisation/registration under PSD2 is valid in all Member States and allows the payment institution concerned to provide the payment services covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

In advance of submitting an application for authorisation/registration under PSD2, a firm should satisfy itself that its proposed business model requires authorisation/registration.

Firms are strongly advised to seek legal advice if they are unsure as to whether their proposed activities require authorisation/registration or if they are unsure as to how they should comply with the authorisation/registration requirements. If, after having received and considered such advice, firms continue to have any doubt about their status, they are advised to submit an application for authorisation/registration.

¹For example credit institutions as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013, electronic money institutions within the meaning of point (1) of Article 2 of Directive 2009/110/EC or post office giro institutions.

 

The Regulation section of the Central Bank’s website has specific authorisation process pages for both Payment Institutions and Electronic Money Institutions.

With the transposition of PSD2, the Central Bank is now updating the various application documents to reflect the implementing Regulations. Updated documents reflecting the Regulations will be available shortly.

The Central Bank has published a guidance note on completing an application for:

• Authorisation as a Payment Institution
• Authorisation as an Electronic Money Institution
• Registration as an Account Information Service Provider
• Registration as a Small Electronic Money Institution

Firms are advised to read the Guidance Note before completing any of the PSD2 application forms listed above.

The Central Bank also offers the facility of an optional pre-application meeting to firms to answer specific questions about any aspect of the application process, and completing the application form. Firms that wish to avail of this facility should ensure application material is completed to an advanced state before requesting such a meeting and have any specific questions prepared in advance in order to make the meeting as productive as possible. Such meetings will typically be no longer than one hour.

Regulation 4(1)(a)-(o) of the Payment Services Regulations 2018 provides for a number of exclusions from the scope of the Regulations, i.e. certain services and payment transactions to which the Regulations do not apply.

Credit unions please refer to specific question below on whether credit unions are exempt from the scope of PSD2.

Certain service providers availing of the Limited Network Exclusion provided for under Regulation 4(1)(k)(i) or (ii) and all service providers availing of the Electronic Communications Exclusion provided for under Regulation 4(1)(l) of the Payment Services Regulations 2018 are required to make a notification to the Central Bank.

Service providers availing of other exclusions provided for under (Article 3 PSD2) Regulation 4(1) (i.e. (a) – (j), (k)(iii) or (m)-(o)) of the Payment Services Regulations 2018 are not required to make a notification to the Central Bank.

The onus is on the service provider availing of an exclusion to ensure that they are satisfied that the relevant exclusion criteria are met. If the service provider is unsure as to whether an exclusion applies, it should seek legal advice. If, after having received and considered such advice, service providers have any doubt about their status, they are advised to submit an application for authorisation/registration.

The Limited Network Exclusion (provided for under Regulation 4(1)(k) (i) or (ii) of the Payment Services Regulations 2018) applies to services based on specific payment instruments that can be used only in a limited way (subject to certain conditions). It includes services based on payment instruments that can only be used in a limited way, that meet one of the following conditions:

• Instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer.
• Instruments that can only be used to acquire a very limited range of goods or services.

Examples of services that potentially fall within the scope of the Limited Network Exclusion include providers of limited network payment instruments, such as gift cards, fuel cards or shopping centre cards.

Service providers that benefit from the Limited Network Exclusion provided for under Regulation 4(1)(k)(i) and (ii) of the Payment Services Regulations 2018 will have to notify the Central Bank if the total value of payment transactions are either over €1m in any 12 month period or for any given period shorter than 12 months when the total value of payment transactions executed exceeds the amount of €1m for that period. They will also have to provide a description of such activities, using the notification form on the Central Bank website.

When the Central Bank receives this notification, it will decide, based on the information provided to it, if these services meet the relevant exclusion criteria and such persons will be entered on the public registers maintained by the Central Bank.  The Central Bank’s decision on whether a notification meets the relevant exclusion criteria will be based on the clarifications provided in the EBA Guidelines on limited network exclusion under PSD2. Service providers are, therefore, required to  submit notifications to the Central Bank based on the requirements set out in the EBA Guidelines.

The Electronic Communications Exclusion (provided for under Regulation 4(1)(l) of the Payment Services Regulations 2018) applies to certain payment transactions by providers of electronic communications networks. It includes services provided in addition to electronic communications services for a subscriber to the network or service. An example of a service provider who would potentially be availing of this exclusion would be a mobile network operator who enables payment transactions for digital goods and services using a telecom, digital or IT device.

All service providers relying on the Electronic Communications Exclusion provided for under Regulation 4(1)(l) of the Payment Services Regulations 2018 must notify and provide the Central Bank with a description of the service offered, using the notification form on the Central Bank website.  

Upon receipt of a complete notification, such service providers will be entered on the public registers maintained by the Central Bank.

Service providers must also provide the Central Bank with an annual audit opinion that the payment transactions continue to fall within the financial limits prescribed in the exclusion. 

Further information on the notification process for firms availing of the Limited Network and Electronic Communication exclusions is available on the Payment Institutions section of the Central Bank website.

In line with PSD1, credit unions have the right to provide payment services and are exempt from the requirement to be authorised as a payment institution. The provision of payment services by credit unions is also subject to provisions of the Credit Union Act, 1997 and the Credit Union Act 1997 (Regulatory Requirements) Regulations 2016 (as amended). Credit unions may apply to the Central Bank to offer additional payment services in accordance with section 48-52 of the Credit Union Act, 1997. Further information on this approval process is available on the Central Bank website.

PSD2 applies to credit unions when providing payment services in the same way as PSD1 did, though with a broader scope, as PSD2 extends to “one-leg transactions”¹and non-EU currency transactions. However, credit unions are exempt from the requirements to provide confirmation of the availability of funds and access to members' accounts to third party providers.

¹"One-leg transactions" are payment transactions where only one of the payment service providers is located within the European Economic Area.

While the Central Bank is the competent authority to consider alleged infringements of the Payment Services Regulations 2018 by payment service providers, the Financial Services and Pensions Ombudsman (FSPO) is the independent service that helps resolve complaints between customers and regulated financial services providers, including payment service providers.

Where a person wishes to report an actual or potential alleged infringement under the Payment Services Regulations 2018, the report may be sent as a protected disclosure to the Central Bank using the following methods:

- E-mail: [email protected]
- Telephone: 1800 130 014: Calls are answered Monday to Friday 9.30am - 5.00pm
- Post: PSD2 Disclosures Desk, Central Bank of Ireland, PO Box 11517, Spencer Dock, Dublin 1, D01 W920.

Please ensure that “PSD2 Alleged Infringement” is in the subject line of your correspondence with the Central Bank.

The following details should be included, where possible, when sending a report to the Central Bank:

• our identity and contact details
• Confirmation of whether you are a natural or a legal person
• Confirmation of whether or not you are a payment service user
• The identity of the payment service provider(s) that has/have given rise to the complaint of an alleged infringement of PSD2. In this instance identity refers to the name of the regulated entity and the type of service provided by the regulated entity
• A description of the situation that gave rise to the complaint of an alleged infringement of PSD2
• Where known, the PSD2 Article or Regulation upon which the complaint is made.

The person making the report can also seek to have a meeting with dedicated staff members of the Central Bank.

Complainants should submit documentary evidence to support their complaint. Examples of documentary evidence include:

• A copy of their contract with the payment service provider
• Correspondence exchanged with the payment service provider(s) or with any other entity
• Information related to the payment account.

Complaints related to alleged infringements of PSD2 will be treated as protected disclosures. For information in relation to the process and procedures surrounding protected disclosures please see Protected Disclosures including Whistleblowing and Infringement Reports.

The Central Bank will ensure and monitor effective compliance with the Payment Services Regulations 2018 through its existing supervision process. This includes for example:

• Assessing applications from payment institutions and payment service providers for authorisation in Ireland
• Examining prudential returns and reports, conducting regular review meetings and on-site inspections
• Deploying systems and procedures to monitor activities and detect non-compliance by financial service providers.

For more information on the Central Bank’s approach to supervision of financial service providers see How we regulate.

Regulation 118(3) of the Payment Services Regulations 2018 set out that a payment service provider is required to provide the Central Bank of Ireland with an updated and comprehensive assessment of operational and security risks relating to the payment services provided by the payment service provider and the adequacy of the mitigation measures and control mechanisms implemented in response to those risks, on an annual basis or at shorter intervals as determined by the Central Bank.

The operational and security risk assessment should reflect requirements contained in the EBA Guidelines on ICT and security risk management.

These include:

• High level description of business functions, processes and information assets supporting payment services provided with a focus on the most critical.
• A summary risk assessment of functions, processes and assets against most significant threats and vulnerabilities.
• A summary description of security measures to mitigate security and operational risks identified as a result of the above assessment; and
• Conclusions of the results of the risk assessment and summary of actions required as a result of this assessment.

Payment service providers will be required to complete and submit a reporting template to the Central Bank via the Online Reporting System (ONR) in order to ensure compliance with the requirements of Regulation 118(3) of the Payment Services Regulations 2018. The reporting template and a detailed user guide for transmission of these reports is currently available on the ONR system. A guidance document providing instructions for completion of the reporting template will be made available to payment service providers.

• The Central Bank requires payment service providers to use the following template when reporting the operational and security risk assessment.
• Guidance on PSD2 Operational and Security Risk Assessment Return.

ASPSPs that opt to establish a dedicated interface as provided for under Article 31 of the RTS can request an exemption from the obligation to establish a contingency mechanism under Article 33(4). This application form will need to be submitted to the relevant supervisory team to commence the application process.

Article 33(6) of the RTS provides that the Central Bank, as the competent authority, in consultation with the EBA, shall exempt ASPSPs from the obligation to set up the contingency mechanism if the ASPSP can demonstrate that it meets the four conditions set out in Article 33(6)(a-d) of the RTS.

Following receipt of the application form the Central Bank may request further information from the ASPSP to facilitate the assessment.

Payment Service Providers (“PSPs”) that wish to avail of the exemption under Article 17 of the RTS must identify all of the processes/protocols for which they propose to apply the exemption, and communicate that list to the Central Bank.

The Central Bank expects that all such processes/protocols should comply with Article 17, meeting at a minimum, all of the following criteria:

1. The processes/protocols identified are used in respect of payment transactions initiated by legal persons that are only made available to payers who are not consumers.
2. A transaction monitoring mechanism must be in place. Firms should also retain information on the fraud rate levels applying to the processes/protocols.
3. A secure communication mechanism must be in place that complies with the RTS (including encryption and maintaining the confidentiality and integrity of the payment service users’ personalised credentials).
4. A secure authentication mechanism must be in place which guarantees at least equivalent levels of security to those provided for in the RTS, to ensure that the risk of authentication carried out by an unauthorised party is mitigated.

PSPs will be required to maintain, on an ongoing basis, evidence that their corporate payments processes/protocols guarantee an equivalent level of security to that provided for under the RTS.

As part of the Annual Operational & Security Risk Assessments from 2019 onwards, PSPs will be required to submit evidence as to how their corporate payment processes/protocols meet the criteria set out above.

In the event that the Central Bank is not satisfied with a proposed or existing exemption under Article 17, it retains the right to refuse to allow the use of the exemption.

If your firm wishes to avail of the exemption under Article 17, please submit a list of the processes/protocols for which you propose to apply the exemption, along with written confirmation, signed at executive level, that those processes/protocols meet the above criteria, to your supervisory team.