A new law introduces additional requirements for providers of payment services
A law amending the Payment Institutions and E-money Institutions Act and other related acts came into force on 13 January 2018. The law transposes the new version of the payment services directive, known as PSD2, which is designed to ensure business continuity in the market, allowing existing and new service providers to operate in a clear and harmonised legal framework whatever their business model.
“The payment services directive is intended to create a level playing field for competition between different providers of payment services, and so to encourage innovation. It is also designed to minimise the security risks of payments and ensure the rights of consumers”, said Kilvar Kessler, chair of the board of the Financial Supervision Authority. “Implementing the payment services directive is clearly both a challenge and an opportunity for market participants that provide payment services, and it will simplify operations for those providing payment initiation and account information services and improve the use of services relating to client payment accounts”.
Two new payment services will now need activity licences. These are payment initiation services and account information services. To make it possible to provide payment initiation and account information services, the payment account managers must ensure that those that have the right to offer such services can access client payment accounts.
The conditions of access must be objective and proportional for providers of payment services and must ensure equal treatment of them. There must be sufficient access for the payment service providers to be able to supply services to their clients efficiently and without interruption. If the manager of a payment account decides to refuse access to a payment service provider that has the right to it, the decision will need to be justified to the Financial Supervision Authority.
The set of requirements that apply to existing payment service providers will also be extended to cover areas such as operational and security risk management, notification of operational risk incidents and security incidents, access to payment data, processing of personal data, and submission of data on fraud. On top of this, payment service providers with an exceptional licence will need to abide by additional requirements covering general internal regulation, internal audit and transfer of activities, among other things.
The requirement for strong authentication
For authentication purposes and for the provision of services, payment service providers will need to exchange information securely and take steps to ensure the confidentiality of non-anonymised data and data integrity. More precise requirements for information exchange and the security of authentication methods will be introduced separately in the implementing regulation of the European Commission, which will come into force later this year.
The regulation will require payment service providers to apply strong authentication, using at least two security factors, to their clients when providing services or carrying out other transactions where there is a danger of the data for the payment service being misused or of fraud. The implementing regulation also allows some exceptions or exclusion clauses to the strong authentication requirements. In its general guidelines for PSD2, the European Banking Authority (EBA) has issued its own recommendations for the part of the implementing regulation that is not yet in force.
Alongside the changes for the activities of payment service providers, the new law will require parties that provide services that are excluded from payment services and do not need an activity licence to start informing the Financial Supervision Authority about their services. Such parties are those that provide services based on a payment instrument with restricted use, known as the limited network exemption, and some electronic communications companies that work with certain payment transactions.
It became necessary to change the payment services directive primarily because of the practical needs of the payment services market, as many innovative payment products and services are not covered by it, wholly or in part. This has caused legal uncertainty, potential security risks in the payment chain, and a lack of protection for consumers of financial services in certain areas.
Four laws needed to be amended for the directive to be transposed: the Payment Institutions and E-money Institutions Act, the Law of Obligations Act, the Financial Supervision Authority Act, and the