Payment Services Directive 2
PSD2, the second Payment Services Directive, regulates payment services in the European Union and strengthens customer protection.
The Second Payment Services Directive (PSD2) is a new European directive on payment services that came into force on 13 January 2018; its transposition into Belgian law took place on 26 March 2018. This directive regulates the payment services market in the European Union, strengthens customer protection, and is designed to promote innovation and competition. This is leading to the emergence of new service providers on the European payment services market. The new directive applies equally to private individuals and to legal entities.
It is for the customer to decide whether to grant access to their payment accounts. The customer retains full control.
What is PSD2?
PSD2 replaces PSD1. The first directive had already expanded the payment services market and opened it up to new payment service providers. After PSD1, non-banking institutions were able to request special authorisation to act as a payment institution in order to offer payment services within the EU.
PSD2 retains the guiding principles of PSD1, but goes further and adds a number of measures. It strengthens the rules governing payment services within the EU and regulates the rights and obligations of both users and payment service providers.
PSD2 expands the scope of application in relation to payment services to include new non-banking operators. These payment service providers are known as Third-Party Providers (TPP).
What is a Third-Party Payment Service Provider?
Through banks, third-party providers will be able to access customers' payment accounts (provided that the customer grants them explicit permission to do so, and exclusively in connection with the payment services offered).
Under PSD2, customers can do business with two types of third-party payment service providers:
- providers that can access customer account data, with the customer's consent (also known as account information service providers);
- providers that can initiate payments on behalf of the customer, with the customer's consent (also known as payment initiation service providers).
Third-party providers must be authorised by the national supervisory authority (in Belgium, this is the NBB) depending on the nature of the services provided.
This authorisation will be recorded in a central public register that can be freely consulted by anybody – including customers.
Please note that traditional operators (credit and payment institutions) will also be able to provide their own versions of services offered by third-party providers.
For customers, what are the most important changes introduced by PSD2?
Access to customer account data
Customers can grant third-party providers access to information relating to their payment accounts. This decision belongs to the customer, who is free to choose any third-party provider (including a non-banking provider or another bank). The customer may revoke their authorisation at any time.
It will therefore be possible for a payment service provider to market an app that gives customers an overview of all their payment accounts held with different banks.
Ban on surcharging
Surcharging is forbidden. This means that retailers will no longer be able to charge additional fees to customers paying by card, whether they pay online or in-store.
Limitation of customer liability
Under PSD2, if a customer's payment instrument is lost, stolen or used unlawfully and an unauthorised payment is made using that instrument as a result, the customer's liability will henceforth be limited to 50 EUR except in cases of fraud or gross negligence. Under PSD1, the corresponding limit was 150 EUR.
Protection of customer privacy
All payment service providers are responsible for protecting their customers' privacy in relation to their account and payment data.
It is also important to note that third-party providers cannot access customers' payment and account data on their own initiative: only if a customer grants their explicit consent can third-party providers request the customer's account data from their bank.
PSD2 guarantees secure payments. All payment service providers must demonstrate that they have taken adequate measures to ensure that payments are made completely securely. These providers are also subject to the oversight of their national supervisory authority. In Belgium, the supervisory authority is the National Bank of Belgium (NBB).
Furthermore, PSD2 introduces the principle of strong customer authentication, which already applies to online payments.
The introduction of PSD2 has meant that banks are required to open up their IT systems to third parties. This gives fintechs and other government-regulated external developers the opportunity to develop new services for customers. APIs are used to open up the systems.
What are APIs?
PSD2 requires banks to open up their information systems to third parties. This is done in a secure way: an application programming interface (API) is a set of agreements or definitions that enables two different systems to communicate and exchange data. This allows different processes to be automated.
Our portal can be reached via https://developer.bnpparibasfortis.com.
This website contains all the information that is needed to develop digital solutions with our bank's APIs. Developers can also use the sandbox on the portal, a test environment in which they can try out new services based on fictitious data. This sandbox enables external developers to test the Account Information Services (AIS) API, which lets third-party apps consult the balance and history of accounts, and the Payment Initiation Service (PIS) API, which lets third-party apps initiate payments.
The Group's portal link for Connexis/Centric is: https://apistore.bnpparibas/home.
Other APIs will become available in the future and we will keep expanding the Open Banking site with new services and functionalities both on the portal and in the test environment.
Account Information Service
A service which – upon request from a user – enables a Third-Party Provider to collect and aggregate information from the user's payment accounts (e.g. account balances, transaction history), which is accessible online.
Access to Accounts
The obligation to enable a Third-Party Provider, upon request from a user, to initiate a payment or to consult information from the user's payment account.
API – Application Programming Interface
API stands for application programming interface. It is a set of definitions that allows a computer program to communicate with another program or component. An API connects business processes, services, content and data for external partners, internal teams and independent developers easily and securely.
Payment Initiation Service
A service which – upon request from a user – enables a Third-Party Provider to initiate a payment from the user's payment account, which is accessible online.
Payment Service Provider
A credit institution (e.g. BNP Paribas Fortis) or payment institution which provides payment services.
Payment Service User
A customer of a payment service provider. This may or may not be a consumer (e.g. a person, a company, a public authority, etc.).
PSD2
The European Payment Services Directive adopted in 2015 (known as PSD2 for short).
Third-Party Provider or Third-Party Payment Service Provider
A payment service provider that is accredited or registered to provide a payment initiation service or an account information service.
1. What is the first European Payment Services Directive (PSD1)?
In 2007, PSD1 created a harmonised framework of rules for payment services in order to make payments simple, efficient and safe throughout the European Union and the European Economic Area (EEA).
In particular, it sets out the information that payment service providers (such as banks or payment institutions) must provide to their customers, along with the respective rights and obligations of users (consumers and non-consumers) and payment service providers.
2. What is the second European Payment Services Directive (PSD2)?
PSD2 is a European Union Directive from 2015. PSD2 follows on from PSD1, which came into force in 2007.
It strengthens the harmonised rules applicable to payment services within the European Union. These rules define the rights and obligations of users (consumers and non-consumers) and payment service providers (for example, BNP Paribas Fortis).
The new elements introduced by PSD2 are described in these FAQs.
3. Which other developments have been introduced by PSD2?
PSD2 introduces further new elements. These came into force in Belgian law on March 26, 2018. Customers were informed through their bank statements on March 28, 2018.
Three new features are already in place:
(I) a ban on surcharging
PSD2 bans retailers from applying a surcharge for use of the vast majority (95%) of debit or credit cards, either online or in-store.
(II) customer liability limited to 50 EUR in the event of unauthorised payments
The current limit of 150 EUR is reduced to a maximum of 50 EUR, except in cases of fraud or gross negligence on the part of the customer.
(III) response to customer complaints within 15 working days
The Bank will respond to customer complaints within this time period or, in the event of causes beyond the Bank's control, within a time frame specified by the Bank in a holding letter to the customer, provided that this time frame does not exceed 35 working days.
4. When will this affect the customer?
Access to accounts as structured by PSD2 came into effect in Belgium on March 26, 2018, the day the law was published.
III. Third-party payment service providers
5. What is meant by third-party payment service providers?
One core element of PSD2 makes changes to Belgian law. This relates to the user's right to use certain new services provided by a new category of service provider.
Customers were informed of this through their bank statements on March 28, 2018.
Provided that they have obtained the user's consent (see IV. 9.), these new service providers – commonly referred to as 'Third-Party Providers' or 'Third-Party Payment Service Providers' – will be able to:
- collect and aggregate information (e.g. account balances, transaction history) from all accounts held by the user with different banks. This is an account information service, sometimes referred to as an 'aggregation service'. For example, it enables users to gain a full overview of their financial situation at any time, covering all their accounts held with different banks.
- initiate payments on behalf of the user. This is a payment initiation service. For example, it gives users access to an alternative payment method and allows them to pay for their online purchases from a retailer via bank transfer, removing the need to use a credit card.
In other words, the third-party provider acts on the customer's behalf, and the customer has the right to use the services of a third-party provider.
In order to offer their services, third-party providers must:
(1) be accredited or registered (see III.8.) and
(2) have access to the customer's account(s) (see IV.9. & IV.10.)
6. Why does the Bank grant access to accounts?
Subject to the conditions set out below, the Bank has a legal obligation to grant a third-party service provider access to a customer's accounts, if the customer so wishes.
This applies to all payment service providers whose customers have opened an online payment account with them. It therefore affects every bank in the European Economic Area (EEA).
This change in legislation falls under the 'open banking' model, which is geared towards the emergence of innovative payment services.
Beyond access to accounts as structured by PSD2, the Bank also harbours ambitions of its own in terms of open banking.
7. Why would customers want to use services offered by third-party payment service providers?
This decision is entirely up to the customer. The Bank itself will also be offering its own account information service in the near future, enabling customers to view their balances and transaction histories for bank accounts held with other banks.
8. Who can be a third-party payment service provider? What should customers watch out for?
Third-party providers are service providers that are subject to the oversight of a supervisory authority. They must be accredited or registered with a national authority of a Member State of the European Union.
They must be covered by professional insurance, and they act under the supervision of their competent national authority. With a 'services passport', they can offer their services across the entire European Union.
PSD2 guarantees that access to a customer's account(s) is only granted with the customer's consent. However, customers are responsible for choosing the third-party service provider they wish to use (see IV.14.).
IV. Security guarantee and confidentiality policy
9. Can a third-party payment service provider gain access to a customer's accounts without the customer's knowledge?
No. A third-party payment service provider can only access a customer's account(s) if the customer decides to use their services.
Customers therefore do not have to take any action in order to prevent access to their account(s).
Nothing will happen if the customer takes no action.
The Bank cannot log any 'stop orders' made by the customer for the simple reason that customers may change their minds at a later date. When a customer uses a third-party service provider, the Bank is obliged to grant access and is unable to take into account any previous 'stop orders' submitted by the customer (see V.19).
10. How can a customer authorise a third-party payment service provider to access their account(s)?
In order for third-party providers to gain access, the customer will need to be authenticated by the Bank.
The customer authenticates their identity using their standard personal security information (e.g. M1 or M2) – in other words, the information used during the standard authentication procedures agreed between the Bank and the customer.
However, the customer may need to enter this security information on the third-party service provider's website or mobile application.
In other words, when this security information is requested, customers will not necessarily interact directly with a Bank interface (as has always been the case until now).
Customers have the right to reveal this security information to a third-party service provider, but the provider must then transmit this information securely to the Bank. Naturally, the provider may never save this information.
Customers should be particularly alert to the risk that a third party may request this information fraudulently (see IV.14.).
11. What should customers do if they are asked to enter an M1/M2 on a mobile application or a website?
First and foremost, customers must make sure that this request is connected to their own explicit application to use the services of a third-party service provider. If the customer has made no such application, there is no reason why they should be asked to disclose this information.
If the customer has made such an application to a third-party provider, he/she must then check that the third-party provider is accredited or registered (see IV.14.).
12. For how long will the third-party payment service provider have access to the customer's accounts?
If the service is a payment initiation service, each payment must be authorised by the customer. The third-party provider's access is therefore limited to the initiation of each individual payment.
There are certain exceptions to this need for customer authorisation in order to initiate payments; these include transactions made to saved beneficiaries, standing orders, transactions between customers' own accounts and low-risk transactions.
If the service is an account information service, the third-party provider maintains their access to the customer's accounts (without the need for renewed authorisation from the customer) for the term agreed between the customer and the provider, up to a maximum of 90 days (at the end of which the customer must give renewed authorisation to the third-party service provider). The third-party provider may access the account data up to four times per day on its own initiative, and as often as requested by the customer.
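The access limits described above, as an added example that is not the Bank's own code: a minimal bank-side policy check in Python that refuses account information requests made on the TPP's own initiative beyond four per calendar day, serves customer-requested ones without a cap, treats the consent as expired after the agreed term (capped at 90 days), and stops access once the customer revokes consent. The consent record, the function names and the rule that a consent is valid up to but not including its expiry date are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Limits as stated in the FAQ for account information services (AIS).
CONSENT_MAX_DAYS = 90            # customer must re-authorise after this
MAX_TPP_INITIATED_PER_DAY = 4    # accesses the TPP may make on its own initiative


@dataclass
class AisConsent:
    """Bank-side record of one customer's AIS consent (hypothetical model)."""
    consent_id: str
    granted_on: date
    term_days: int = CONSENT_MAX_DAYS      # term agreed between customer and TPP
    revoked: bool = False
    # calendar day -> number of TPP-initiated accesses already served that day
    tpp_initiated: dict[date, int] = field(default_factory=dict)

    def expires_on(self) -> date:
        # The agreed term may be shorter than 90 days, never longer.
        return self.granted_on + timedelta(days=min(self.term_days, CONSENT_MAX_DAYS))


def check_access(consent: AisConsent, when: datetime, psu_present: bool) -> tuple[bool, str]:
    """Decide whether one AIS request may be served and record it if so.

    psu_present=True: the customer is asking for the data right now (no cap).
    psu_present=False: the TPP is polling on its own initiative (capped per day).
    Assumption: the consent is valid up to, but not including, its expiry date.
    """
    if consent.revoked:
        return False, "consent revoked by the customer"
    if when.date() >= consent.expires_on():
        return False, "consent term elapsed: customer must re-authorise the TPP"
    if psu_present:
        return True, "customer-requested access: no daily cap"
    day = when.date()
    used = consent.tpp_initiated.get(day, 0)
    if used >= MAX_TPP_INITIATED_PER_DAY:
        return False, f"daily cap of {MAX_TPP_INITIATED_PER_DAY} TPP-initiated accesses reached"
    consent.tpp_initiated[day] = used + 1
    return True, f"TPP-initiated access {used + 1}/{MAX_TPP_INITIATED_PER_DAY} today"


def revoke(consent: AisConsent) -> None:
    """Customer withdraws permission; further requests are refused immediately."""
    consent.revoked = True


def simulate() -> list[bool]:
    """Replay a constructed request sequence and return the allow/deny decisions."""
    consent = AisConsent("c-0001", granted_on=date(2018, 4, 1))  # constructed sample
    t0 = datetime(2018, 4, 2, 8, 0)
    decisions = []
    # Five TPP-initiated polls on one day: the fifth is refused.
    for hour in range(5):
        decisions.append(check_access(consent, t0 + timedelta(hours=hour), psu_present=False)[0])
    # The customer opening the aggregator app is still served the same day.
    decisions.append(check_access(consent, t0 + timedelta(hours=6), psu_present=True)[0])
    # A new calendar day resets the cap.
    decisions.append(check_access(consent, t0 + timedelta(days=1), psu_present=False)[0])
    # 90 days after consent (2018-06-30) the term has elapsed, even for the customer.
    decisions.append(check_access(consent, datetime(2018, 6, 30, 9, 0), psu_present=True)[0])
    # Revocation blocks access that would otherwise still be within the term.
    revoke(consent)
    decisions.append(check_access(consent, t0 + timedelta(days=2), psu_present=True)[0])
    return decisions
```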
13. For how long can the third-party payment service provider retain information from the customer's account(s)?
This depends on the nature of the contractual relationship between the customer and the third-party provider. The Bank plays no part in this relationship and therefore has no knowledge of or control over the retention period; nor can it monitor compliance with the agreed term.
At any rate, the third-party provider must comply with personal data protection legislation, and therefore may not retain such data for longer than necessary.
14. How can customers make sure that a third-party payment service provider is not actually a fraudster?
Until the full implementation of the legal framework of PSD2 (in September 2019), it is the contractual obligation of the customer to ensure they are using an accredited or registered third-party service provider.
It is crucial that before disclosing any information whatsoever, the customer performs their own checks on the list of third-party providers who are accredited, registered or hold a services passport. Customers can check the list for Belgium by visiting the website of the National Bank of Belgium (NBB).
If the list is not available, customers should take the necessary steps in order to check that the information supplied by the third-party provider regarding its accreditation, registration or services passport (in Belgium or in any other country) is genuine. To do this, customers should visit the website of the competent national authority for the Member State of the European Union in which the third-party service provider obtained its accreditation or registration and its services passport.
If customers fail to carry out these prior checks, they may be held liable for payments initiated from their account by a fraudster.
Once the legal framework of PSD2 has been implemented in full, the Bank will be able to verify that the third-party service provider is properly accredited or registered before granting them access to the customer's account(s).
15. Are payment initiation and account information services secure?
Yes. All payment service providers – including banks, payment institutions and third-party providers – must be able to demonstrate that they have implemented effective security measures that guarantee secure payments.
Furthermore, online payments and access to account information require strong customer authentication, which means the customer must use at least two independent means of authentication drawn from the following three criteria: something that only the customer knows (such as a password or a PIN code); something that only the customer possesses (such as a payment card or a smartphone); or a feature that is unique to the customer (such as a digital fingerprint). This requirement applies to both payment initiation services and account information access services.
Strong customer authentication is nothing new in Belgium, and banks here have been using it for several decades.
16. Who is responsible if there is a problem?
The Bank's role is to grant third-party providers access to its customers' accounts where providers have obtained consent from the customers concerned.
As such, the Bank is responsible for any payments initiated by a third-party provider that have not been authorised by the customer, regardless of whether that provider is based in Belgium or in another Member State of the European Union (provided the customer uses an accredited or registered third-party provider – see IV.14.).
However, the Bank is not responsible for the third-party provider's use of the customer's data. In effect, the Bank is a third party to the contractual relationship between the customer and their chosen third-party provider(s).
V. Access to account data: other aspects
17. What information can the customer make available to the third-party payment service provider?
The customer can grant the third-party provider access to information relating to their online payment account(s).
This specifically refers to:
- (condition 1) the account balances and/or transaction histories
- (condition 2) of their payment accounts (excluding investment accounts, for example),
- (condition 3) which the customer can view online (e.g. via Easy Banking Web or Easy Banking App).
18. Can customers specify which of their accounts will be accessed by the third-party payment service provider, or only provide access to account balances and not to transaction histories?
This is up to the customer, within the terms of their relationship with the third-party provider(s) whose services they are using.
19. Can customers change their mind and withdraw a third-party payment service provider's permission to access their account(s)?
Customers can revoke the third-party provider's access to their account(s) at any time.
In order to do so, they must contact the third-party provider directly.
20. How will the third-party payment service provider use the customer's information? Can the customer ask the provider to destroy their data?
The Bank is not party to the contractual relationship between the customer and the third-party provider(s) of their choice. The Bank is therefore unable to control or verify the third-party provider's use of the customer's data.
In any event, the third-party provider must comply with personal data protection legislation, and the customer may exercise the rights guaranteed to them by law in their capacity as a 'data subject' who can be identified using the personal data processed by the third-party provider.
21. How much do payment initiation services or account information access services cost the customer?
Despite the new legal obligations placed upon banks, the fees the Bank charges for its customers' online payment accounts will remain unchanged.
The services provided by the third-party providers chosen by the customer may be subject to a fee. Naturally, this is outside of the Bank's responsibilities.