Speech by Director Hélder Rosalino at the 2018 UIA Congress: The revised Payment Services Directive
I would like to thank the organisers of this Congress, and especially Pedro Rebelo de Sousa and Paulo Bandeira, for inviting me to be here as a speaker, representing Banco de Portugal.
I am grateful also to all the other speakers and the audience.
As requested I will give a brief presentation about the revised Payment Services Directive (so called the PSD2) and the status of its implementation in Portugal.
And then I will be available to answer any questions you may have.
The establishment of the Single Euro Payments Area (SEPA), more than ten years ago, allowed for the harmonisation of credit transfers and direct debits across the euro area.
It was a big step towards reducing the cross-border fragmentation in the market for electronic retail payments in euro.
It required major involvement by all stakeholders and developments in two areas:
- in the technical area, where SEPA credit transfer and SEPA direct debit schemes replaced all domestic payment schemes in the euro area, using fully interoperable standards; and
- in the legal area, with the adoption of the first Payment Services Directive, among other legal initiatives. This Directive created a common framework for payments in the EU.
In that context, the initial Payment Services Directive (PSD1), approved in 2007 and transposed into Portuguese law in 2009, was published in order to set standards for the provision of payment services across the EU.
PSD1 has promoted transparency in regard to the conditions applying to payment services by defining information requirements, user rights and payment service provider’s obligations.
However, the increasing digitalization of financial services in recent years, the advent of new payment service providers (PSPs) and innovative payment solutions, along with increased user requirements, have also brought greater challenges to the provision and the security of payments.
The new paradigm led to an update to the regulatory framework that culminated in the publication, by the Commission, of the revised Payment Services Directive in 2015 (PSD2).
This new Payment Services Directive aims to promote competition, efficiency and security in the provision of payment services.
The directive will impact how payment service providers make their services available to users and how individuals and businesses make their payments on a day-to-day basis.
This new Directive comprises the following Key innovations:
PSD2 regulates the provision of payment services when only one of the Payment Service Providers is located in the European Union (the so called “one leg transactions”), irrespective of the currency used.
In this regard, PSD2 will apply to European Payment Service Providers, for instance, when a customer orders a credit transfer in dollars from an account based in the EU to an account opened at a bank located in any country outside the EU.
New payment services
The entry into force of the directive sets a new paradigm in the provision of payment services in the EU.
Payment accounts usually held by a bank can, with the consent of the user, be accessed by other Payment Service Providers, normally a Third Party Providers – for example a FinTech.
Based on this access, those Third Party Providers may make available two new payment services:
- Account information services, which will allow the user to combine information about accounts held in one or more banks in one application or website;
- Payment Initiation Services: which will enable the user to initiate online payment transactions directly to the payee without having to interact with their bank.
These changes in the payment value chain are expected to have a big impact on the payment market and the established players.
The Third Party Providers, normally FinTechs, may become the primary point of contact for users, as they can initiate payments and access information by interacting with the banks as if it were the user accessing the account directly.
The banks will have to open their interfaces to enable such payments, as well as enabling access to some of the client’s bank account details.
Additional security requirements
Concerning electronic payments, the banks and other Payment Service Providers will have to authenticate their clients using strong customer authentication mechanisms, requiring at least two elements from three categories:
- Firstly, something that only the user knows, for example a password;
- Secondly, something that only the user has, for example a mobile phone;
- Finally, something that only the user is, for example a biometric element (like a facial recognition);
Additionally, for remote payment transactions (for instance over the internet), strong customer authentication must include elements that dynamically link the transaction to a specific amount and payee (for example, by sending an SMS with the necessary information, namely a one-time password).
Besides the security requirements mentioned before, PSD2 also reinforces the safeguards for payment service users.
Let me conclude by telling you how the implementation is going in our country.
In Portugal, the transposition of PSD2 into the national legal system is still ongoing. It is awaiting promulgation by the Presidency and consequent publication in the near future, after long work involving Banco de Portugal, the Ministry of Finance and Parliament [promulgation by the President took place one day after this presentation].
It is clear that PSD2 represents a turning point in the provision of payment services in Portugal, as well as in other countries.
The adoption of PSD2 will promote a single market for more secure, efficient, innovative and competitive payment services (for payment service providers and users).
It will create conditions for the provision of services by new players, removing barriers to innovation and fostering higher levels of security.
In Europe, there are already several innovative solutions that make use of the opportunities created by PSD2, including payment initiation services and account information services.
These were initially provided by new entrants or FinTech companies, but banks are also assessing the possibility of becoming Third Party Providers.
There are opportunities for all players and challenges for regulators and legal experts such as yourselves.
This new Directive opens a New World in payments services.
Banco de Portugal is actively working with the banking system and the Fintech sector to create all the conditions for PSD2 to fully meet its objectives and expectations in Portugal.
I hope we will all be able to reap the full benefits of PSD2.
Thank you for your attention.