The
SEPA (Single Euro Payments Area) is a self-regulatory initiative by the European banking sector represented in the
European Payments Council, which defines the harmonization of payment products, infrastructures and technical standards (Rulebooks for
credit transfer/
direct debit,
BIC,
IBAN,
ISO 20022 XML message format,
EMV chip cards/terminals). The PSD provides the legal framework within which all payment service providers must operate. The PSD's purpose in regard to the payments industry was to increase pan-European competition with participation also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. Although the PSD was a
maximum harmonisation directive, certain elements allowed for different options by individual countries. Both PSD1 and PSD2 set out to help open the payments ecosystem to new providers and play a significant role in enabling the development of
open banking. The final adopted text of PSD went into force 25 December 2007 and was transposed into national legislation by all EU and EEA member states by 1 November 2009.
Technical overview The PSD contained two main sections: • The "market rules" described which type of organisations could provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), the PSD mentioned electronic money institutions (EMI), created by the
E-Money Directive in 2000, and created the new category of "payment institutions" (PI) with its own prudential regime rules. Organisations that are neither credit institutions nor EMIs could apply for an authorisation as a payment institution if they met certain capital and risk management requirements. The application could be made in any EU country where they are established and they could then "passport" their payment services into all other EU member states without additional PI requirements. • The "business conduct rules" specified what transparency of information payment service institutions needed to provide, including any charges, exchange rates, transaction references and maximum execution time. It stipulated the rights and obligations for both payment service providers and users, how to authorise and execute transactions, liability in case of unauthorised use of payment instruments, refunds on payments, payment orders, and value dating of payments. Each country had to designate a "competent authority" for prudential supervision of the PIs and to monitor compliance with business conduct rules, as transposed into national legislation.
Updates The PSD was updated in 2009 (EC Regulation 924/2009) and 2012 (EU Regulation 260/2012). An implementation report from 2013 found the PSD facilitated "provision of uniform payment services across the EU" and reduced legal and production costs for many payment service providers and that "the expected benefits have not yet been fully realised". The same report found the 2009 update "to be functioning well. For example, charges for €100 transfers followed a further downward trend to €0.50 euro-area average for transfers initiated online and remained low, at €3.10 for transfers initiated at the bank counter". In the UK, the FCA published PS 21/19 (“policy statement”) for “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” . This document proposed a number of modifications including to Article 10 of the UK- RTS, by replacing the requirement for the PSU to re-authenticate with their ASPSP every 90 days to allow AISP access with the requirement for the PSU to reconfirm their consent with their AISP directly.
Remaining issues • The PSD only applied to payments within the European Economic Area, but not to transactions to or from third countries. • PSD exemptions related to payment activities left users unprotected. • The PSD option for merchants to charge a fee or give a rebate, combined with the option for countries to limit this, led to "extreme heterogeneity in the market". • So-called "third party payment service providers" emerged, which facilitated online shopping by offering low cost payments on the Internet by using the customers' home
online banking application with their agreement, and informing merchants that the money is on its way. Other "account information services" offer consolidated information on different accounts of a payments service user. Harmonisation of refund rules regarding direct debits, a reduction of the scope of the "simplified regime" for so-called "small payment institutions" and addressing security, access to information on payment accounts or data privacy with possible licensing and supervision were proposed. Then-Commissioner
Jonathan Hill, responsible for Financial Stability, Financial Services and
Capital Markets Union, said, "This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow." On 27 November 2017, Commission delegated Regulation (EU) 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. The EU and many banks pushed this development with the new Payments Service Directive 2 (PSD2), which came into force on 13 January 2018. Banks then adapted to these changes which opened many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future. An important element of PSD2 is the requirement for
strong customer authentication on the majority of electronic payments. Another important element of the directive is the demand for common and secure communication (CSC). eIDAS-defined qualified certificates for are demanded for website authentication and electronic seals used for communication between financial services players. The technical specification ETSI TS 119 495 defines a standard for implementing these requirements. PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the
European Banking Authority allowed for a time extension of the
strong customer authentication (SCA) until 31 December 2020.
Third Payment Services Directive A Third Payment Services Directive (PSD3) has been proposed by the European Commission. Building upon the achievements and lessons learned from its predecessor, PSD2, PSD3 seeks to enhance and broaden the open banking ecosystem. ==Key dates==