PSD2 will implement a common European-wide legal framework for businesses and consumers when making and receiving payments both within and outside of the European Economic Area (the EEA comprises the 28 EU member states plus Norway, Iceland and Liechtenstein).
The main goals of the legislation are to develop more secure and integrated European payments, improve consumer protection, and encourage lower payment costs. Although the regulations primarily apply to payment service providers (entities included by the FCA in the Financial Services Register as an authorised payment institution), all businesses that make and receive payments have a responsibility to ensure they are compliant.
One of the key changes is a ban on applying surcharges to transactions made with consumer cards issued in the EEA. The ban will apply to both domestic and cross-border payments. This may require businesses to make fundamental changes to pricing, negotiate new terms with commercial partners, or stop taking certain card payments altogether. Businesses may also need to work with technology providers to update the configuration of payment charges in core systems and update reports that reference card charges. The European Commission estimates that this ban will apply to around 95% of all card payments in Europe, saving consumers €730 million per year.
Additional consumer protections relate to payment authorisations and refunds. In broad terms, payers will have lower financial obligations in an unauthorised payment scenario and have greater control over the pre-authorisation of card payments.
Payment service providers in turn have greater obligations when it comes to issuing refunds and unblocking ring-fenced funds. Payment service providers must also respond to payment complaints within 15 business days.
Security is an important aspect of PSD2, although some security measures will not be fully implemented until the European Commission has approved the European Banking Authority’s regulatory technical standards. This final implementation is expected to occur later in 2018 or 2019.
In broad terms, payment service providers will be required to establish frameworks and supply reports on their security risks, and will be obliged to notify financial authorities and customers when major security incidents occur.
PSD2 will undoubtedly have organisational implications for all e-commerce businesses. We encourage our customers to ensure they have the necessary provisions in place for PSD2, and to contact us for advice on keeping their systems in compliance with the regulations moving forward.