EBA Drops Ten New PSD2 Q&As (Part 1)

January 10, 2023
The European Banking Authority (EBA) has issued a new set of clarifications regarding the revised Payment Services Directive (PSD2). This first of two insights, which VIXIO is looking at over the next two days, focuses on fraud loss liability, different business models for regular payments and safeguarding of funds.

In a sign that the holidays are truly over, compliance teams will be pleased to know that PSD2 has become a bit clearer as the EBA offers up answers to another round of outstanding questions from stakeholders.

Payments players often complain that the EBA’s Q&As can be vague and hard to understand.

That is not the case with the answer to a question submitted by a Belgian government agency, the Federal Public Service Economy (FPS).

The EBA was asked: “In cases where the payer could not possibly detect the loss, theft or misappropriation of his instrument before it was used, is it correct to state that there can be no liability at all, including if the payer has acted with gross negligence?”

The FPS, which submitted the question in December 2021, states that it is seeing an increase in the number of phishing attacks and that payment service providers (PSPs) are not reimbursing losses to payment service users (PSUs).

The FPS notes that Recital 7 of the PSD2, for example, aims to protect consumers, as it refers to the need to “adequately protect” PSUs. It adds that Article 74, which sets out standards for reimbursing consumers, should be kept in mind.

“In Belgian national law, the case of loss, theft or misappropriation of a payment instrument refers, notably, to hacking, phishing or skimming of payment instrument,” the FPS points out.

In other words, misappropriation also covers cases where personalised security credentials have been stolen while the user is still in possession of the payment instrument.

“The aim is to protect the victim of the fraud. In this sense, the existence or not of gross negligence on the part of the victim of the fraud should therefore not be relevant in the case where the payer could not have detected the fraud, even if he committed gross negligence.”

“Any other interpretation would make this provision meaningless,” the FPS argues, asking whether this interpretation complies with the PSD2.

The EBA replied with an emphatic “no”.

“Gross negligence incurs payer's liability with no cap,” the EBA said. “In case the payer did not act with fraud or gross negligence, the payer may nevertheless be liable for lost, stolen or misappropriated payment instrument up to a maximum of 50 euros unless such a situation was not detectable to the payer or the loss was caused by acts of the PSP.”

Bank of Lithuania

The Bank of Lithuania has two submissions in the latest batch of answers.

In a 2020 submission, the Bank of Lithuania asked the EBA about the collection of fees for utilities and other regular services.

The central bank's two business model examples revolved around definitions in PSD2, which are set out in Article 4 of the directive. In particular, the Lithuanian regulator wanted clarification on the role of a money remittance service.

The first case probed the EBA on whether a business model in which the contributions received from the payers are transferred to the payees in individual transfers, without opening or maintaining accounts on behalf of either payers or payees or issuing any payment instruments to them, but in which the company has contracts with the payees for accepting the transfers, constitutes the provision of a money remittance service as defined in Article 4.

Meanwhile, the second case asked whether a business model in which the contributions received from the payers are aggregated and then transferred to the payee, without opening or maintaining accounts on behalf of either payers or payees or issuing any payment instruments to them, constitutes the provision of a money remittance service to the payer and an acquiring of payment transactions service to the payee, as money remittance and acquiring of payment transactions are defined in Article 4.

The EBA responded that, based on the information provided in the first case, it appears that the payment services are provided towards the payer in a simple way, meaning that the service provider just receives the funds and remits the corresponding amount to the payee, which qualifies as money remittance.

The EBA also stated that, in the second instance, it appears that the payment services are provided towards the payee on a contractual basis, where the payment service provider accepts and processes payment transactions from payers and transfers the aggregated amount to the payee on a daily basis.

“It is the responsibility of the service provider offering payment services to ensure that it has the necessary authorisation under PSD2 granted by the national competent authority according to the actual design of the business model,” the EBA concluded.

Safeguarding accounts

For its other submission, the Bank of Lithuania asked the EBA about access to safeguarding accounts via application programming interfaces (APIs), in a submission made in February 2021.

“In view of the use case envisaged by the submitter, we understand that the payment institution/e-money institution (PI/EMI) which has opened a safeguarding account with a credit institution wants to access it through a TPP [third party provider],” said the EBA in response, adding that this may be possible under certain conditions.

However, PSUs of the PI/EMI should not be able to access safeguarding accounts through TPPs, as these accounts are opened in the name of the PI/EMI, and not in the name of the PSUs of the PI/EMI.

“For an account to be considered as a 'payment account' within the meaning of PSD2, the account in question must be used for the execution of payment transactions,” said the EBA.

“Therefore, if the safeguarding account is used for the execution of payment transactions, it is then a payment account which, if accessible online, must be accessible to Third Party Providers (TPPs) through the relevant interface.”

The EBA has also looked to clarify safeguarding issues, responding to an unnamed question submitted in May 2020.

“Are payment institutions able to simultaneously adopt different safeguarding methods with respect to funds held?”

Here, the EBA’s answer points out that in Article 10 of the PSD2, a payment institution is required to safeguard funds in either of the two following ways: using the segregation possibility; or applying the insurance/guarantee possibility.

Taken literally, the word “either” would in principle suggest that one of the two methods must be chosen for all the funds. However, the directive does not explicitly prohibit applying both methods simultaneously.

“We consider therefore that it is up to the payment institution to decide whether it will fulfil the safeguarding requirement via one of the two methods or a combination of both,” the EBA concluded.

Either way, the regulator added, the payment institution must ensure that all funds are covered at any time by the safeguarding, and that the internal governance foresees proper documentation regarding the safeguarding approach itself and, in particular, how and through which method the funds are safeguarded.

Watch out for our Wednesday 11 daily update, when we will look at the EBA's answers to questions regarding strong customer authentication and the calculation of funds.
