Submitted by:
Candidate number V31767
Dissertation submitted for the degree of
Master of Arts in European Union Law
King’s College London
2015
Word Count: 12,302.
SECURITY VS. INNOVATION
An Analysis of the Regulatory Change in
the European Payment Services Industry
ABSTRACT
While writing this thesis the EU was at the end of the process of updating its regulatory
regime for payment services to reflect the ever-changing nature of the payment services
market. On 2nd of June 2015 the EU Council finally published the final compromise text
of the recast Payment Services Directive (PSD2) following a provisional agreement
reached between the EU Council, the EU Parliament and the EU Commission in May
2015. The Parliament’s agenda, released on 10th of September, scheduled PSD2 for a
vote on 6th of October, 2015. Although the final text is set, many questions lack clear
answers and need to be addressed accordingly.
This paper attempts to address the main concerns regarding the innovations of PSD2
and to test the directive’s wording against existing payment schemes while evidencing
a number of disputable issues. Furthermore, although CJEU case law resources are
very limited on PSD, this paper looks at the challenging exercise of putting PSD2 in the
context of the fundamental freedoms.
Since the subject of the present paper is based on current technological inventions and
the most up-to-date regulatory change that tries to keep up with this rapid development,
the secondary resources include several articles that can be found on the internet and
on different e-commerce platforms. These are referenced in detail in the
bibliography.
Due to the fact that legislation is under voting process, this paper is based on the final
compromise text of PSD2 dated 2nd of June, 2015.
LIST OF CONTENTS
ABSTRACT
LIST OF CONTENTS
ABBREVIATIONS
INTRODUCTION
FINANCIAL INTEGRATION IN THE EU: FROM SEPA TO A HARMONIZED LEGAL FRAMEWORK
NEED FOR FURTHER REGULATION
    Electronic payments
    Regulatory Difficulties
    Drivers for Change: the Payment Services Reform
OVERVIEW OF THE PAYMENT SERVICES DIRECTIVE 2
    Review of PSD1
    The scope of PSD2
        Geographical scope
        Material scope
NARROWING EXCLUSIONS
    Commercial agents
    Limited network exemption
BROADENING THE SCOPE OF PAYMENT SERVICES
    Payment Initiation Services
    Account Information Services
ACCESS TO PAYMENT’S ACCOUNTS
SECURITY OF PAYMENTS
    Payment Card Fraud: Examples from Recent Cases
    Strong Customer Authentication in PSD2 and in the EBA Guidelines
PSD2 AND THE FUNDAMENTAL FREEDOMS
    PSD2 and the Free Movement of Services and Capital and Payments
    Applicability of Several Freedoms
    PSD2 and the Freedom of Establishment: Passporting
CONCLUSION
BIBLIOGRAPHY
    Legislation
    Books
    Journal Articles
    Cases
        CJEU
        European National Courts
    Further sources
ABBREVIATIONS
ACP French Financial Authority
ATM Automated Teller Machine
BaFin The German Federal Financial Supervisory Authority
CNP Card not present transaction
EBA Euro Banking Association
EC European Commission
ECB European Central Bank
EEA European Economic Area
EMV EuroPay, MasterCard and Visa
EPC European Payments Council
EPIF European Payment Institutions Federation
EU European Union
FCA British Financial Conduct Authority
POS Point of sale terminals
PSD1 Directive 2007/64/EC of the European Parliament and of the Council of 13
November 2007 on payment services in the internal market amending
Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and
repealing Directive 97/5/EC
PSD2 Proposal for a Directive of the European Parliament and of the Council on
payment services in the internal market and amending Directives
2002/65/EC, 2013/36/EU and 2009/110/EC and repealing
Directive 2007/64/EC - Confirmation of the final compromise text with a
view to agreement – text dated 2 June 2015
PSP Payment Services Provider
SEPA Single Euro Payments Area
TPP Third Party Payment Service Provider
INTRODUCTION
In the 1990s some products were still unavailable in shops especially in isolated areas.
Today products can be ordered quickly and simply online from anywhere and shipments
are made across borders. It is now hard to imagine life without internet shopping. As a
result there is a demand for simple and secure online payment processes. Merchants
want to receive payments immediately, while customers want their goods without delay.
A wide variety of payment services are offered to meet these needs. However these
methods currently expose customers, merchants and their banks to various risks. The
extent to which they are regulated also differs.
The regulations governing payment services throughout the EU have progressed
constantly in recent years with the regulators’ intention to take account of e-payment
developments and to make better use of the opportunities offered by the internal
market. In order to create a harmonised legal framework for payment services and
simultaneously encourage innovation, the first Payment Services Directive (PSD1) was
adopted in 2007 to lay down the foundations for a more secure, efficient and open
market.
Since then technological innovations and new payment practices have emerged
together with new service providers outside the scope of PSD1. Nowadays if someone
forgets his wallet it does not matter; he can still pay in stores via PayQwiq, a new UK
service that lets customers pay and earn Tesco Clubcard points using just the
customer’s phone.[1] New technologies, new business models, new players:
developments are accelerating and interacting. They are changing the world of financial
services, especially that of payments. By creating new types of status, the regulations
have favoured the emergence of non-banking players on the payment market.
Combined with changing consumer needs and technologies, they have therefore called
into question existing balances.
On 24 July 2013, the Commission adopted a legislative package for the EU payments
framework. According to the Commission the package including the revised Payments
Services Directive (PSD2) will help the payments framework to better serve the needs
of an effective European payments market, fully contributing to a payments environment
which nurtures competition, innovation and security to the benefit of all stakeholders
and consumers in particular.[2]
[1] http://www.thegrocer.co.uk/channels/supermarkets/tesco/tesco-digital-wallet-to-speed-up-checkout-process/355060.article
[2] http://ec.europa.eu/finance/payments/framework/index_en.htm
Recital 5 of PSD2 briefly summarizes the drivers that led the Commission to adopt a
new directive:
“New rules should be provided in order to close the regulatory gaps while at the same
time providing for more legal clarity and ensuring a consistent application of the
legislative framework across the Union. Equivalent operating conditions should be
guaranteed to both existing and new players on the market, facilitating new means of
payment to reach a broader market and ensuring a high level of consumer protection in
the use of these payment services across the whole of the Union. This should generate
efficiencies in the payment system as a whole and should lead to more choice and
transparency of payment services, while strengthening the trust of consumers in a
harmonized payments market”.[3]
This paper attempts to address the main concerns regarding the innovations of PSD2
and to assess whether and how the European Commission’s proposal for amending this
legal framework will provide for the necessary legal certainty for market players.
[3] Recital 5 of PSD2
FINANCIAL INTEGRATION IN THE EU: FROM SEPA TO A HARMONIZED LEGAL
FRAMEWORK
Harmonisation of payments in the EU started with the introduction of the euro in 1999,
which was followed by the euro cash changeover in 2002. The introduction of the euro,
however, did not close the gap that existed between domestic and cross-border retail
payment systems, with different rules being applicable for domestic and cross-border
euro and national currency payments. Therefore the launching of the Single Euro
Payments Area (SEPA) in 2002 represented a further major step in financial integration
through creating a single market for all euro payments that drives competition and
innovation and thus brings better services for customers.[4]
In 2008 and 2009 the European Payments Council (EPC) introduced the so-called
SEPA schemes with the intention to harmonize national and cross-border payments in
the EU. These schemes however were merely self-regulatory initiatives as the initiator,
not being an EU legislative body, has no role in the adoption of EU legislation
establishing SEPA compliance requirements. These EPC SEPA schemes covered
rulebooks, practices and standards applicable to euro payments which provided a
common understanding on how to move funds from account A to account B within
SEPA.
[4] The SEPA project started when the banking industry created the EPC in response to the European regulation on
cross-border payments in euro (Regulation (EC) No. 2560/2001 of the European Parliament and of the Council of
19 December 2001). This regulation established that payment charges for cross-border euro payments within the
EU should be the same as those applied to corresponding domestic euro payments, for instance credit transfers
and card payments. European Central Bank, (2013) “SEPA, an Integrated retail Payments Market”.
At the beginning of 2012 the Commission declared that with the adoption of a regulation
establishing technical requirements for credit transfers and direct debits in euros a more
active involvement of the EU institutions in the SEPA governance may be useful.[5] In
March 2012 the SEPA Regulation was adopted, laying down rules for the initiation and
processing of credit transfer (SCT) and direct debit transactions (SDD) in euro within the
EU.[6] With this regulation the schemes have to comply with the technical requirements
detailed in Article 5 and in the Annex of the regulation. Further, the European
Commission is empowered to amend the technical requirements set out in the Annex
through “delegated acts”. The SEPA regulation determined a timeline of
implementation. For the euro area, the final deadline was 1 February 2014.[7] The
migration deadline for euro-denominated payments in non-euro area countries is 31st of
October 2016. As of these dates, existing national retail credit transfers and direct debit
schemes in euro will have to be terminated and replaced by SEPA alternatives.
On 1st of November 2009 PSD1 was transposed into legislation in most EU member
states and thus the necessary legal framework for SEPA has been established. PSD1
was intended to help develop SEPA, to set common standards for payment services
terms and conditions and most importantly to regulate payment institutions in order to
encourage non-banks to enter the market.[8] Additionally PSD1 provided increased
consumer protection and transparency and established maximum processing times for
payments in euro and other EU currencies. PSD1 was also unique in the sense
that it was the first European law to affect payments in EU currencies other than the
Euro.
[5] Green Paper of the European Commission on “Towards an integrated European market for card, internet and
mobile payments” (COM/2011/0941 final)
[6] Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing
technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC)
No 924/2009. Under a credit transfer the payer sends a payment instruction to his payment service provider who
then moves the funds to that of the payee. This can be carried out via several intermediaries. Under a direct debit,
which requires the payer’s authorization, the payee through his service provider initiates a transfer from the
payer’s account (e.g. utility bills). Under SEPA credit transfers are abbreviated SCT and direct debits SDD.
[7] The Commission introduced an additional transition period of 6 months so SEPA became fully operational on 1st
of August 2014 in the Eurozone.
So what is the relation between the SEPA Regulation and PSD1?
The SEPA project and the development of the related payment instruments were purely
market-led initiatives.[9] SEPA payments and related services are subject to a
harmonized legal framework in the EU irrespective of the countries involved in the
transaction. PSD1 and PSD2 on the other hand provide a harmonized legal framework
for payments; however, they are not restricted to euro transactions only. PSD1 applies to all
payment services in all EU currencies within the EU, at both the cross-border and
national levels. PSD2 goes further, covering non-EEA currencies and in some respects
including transactions with non-EU service providers, which eventually means that
regarding material scope PSD2 goes beyond EEA borders.
Figure 1 shows the differences between the SEPA regulation scheme, the now effective
PSD1 and PSD2, which is under voting process.
[8] According to Memo/07/152 of the Commission dated 24 April 2007, the diverging legal rules in 27 different
Member States represent a significant impediment to new payment service providers (such as supermarkets,
telecom or IT providers), and effectively block them from competing and offering their services throughout the
Internal Market.
[9] Noah Vardi, “The Integration of European Financial Markets: The Regulation of Monetary Obligations.” (The
University of Texas at Austin, 2010)
Figure 1.
| | SEPA | PSD1 | PSD2 |
|---|---|---|---|
| Legal status | Until the SEPA Regulation was adopted in March 2012, SEPA was only self-regulatory. The technical requirements of the SEPA regulation can be modified through delegated acts of the Commission. | Directive | Directive |
| Geographical scope | EU/EEA and Switzerland | EU/EEA | EU/EEA [10] |
| Material scope | Technical and business requirements for SCT, SDD, card payments | Payment services | Payment services |
| Personal scope [11] | PSP to PSP | PSP to customer | PSP to customer |
| Currency | Euro | Euro and non-euro currencies of the EU/EEA | Any currency |
PSP: Payment Service Provider
[10] PSD2 in some respects also covers those transactions where funds are sent to or received from a PSP established
outside of the EEA in respect of those parts of the payment transaction which are carried out in the Union.
[11] In this context personal scope means the personal relation where rules apply.
NEED FOR FURTHER REGULATION
Electronic payments
Electronic payments are carried out between the payer and the payee through
intermediaries, i.e. banks or payment service providers (PSPs) who control the chosen
type of e-payment to check payment validity and to carry out the transaction on behalf
of the payer. Compared to cash payments lacking any intermediaries, electronic
payments can cross borders. The intermediary is not necessarily located in the payer’s
or the payee’s country. Electronic payments require intermediaries even if the payment
is carried out between two natural persons and even in cases where payment is initiated
via mobile phones where only the payee’s mobile number or email address is given.
E-payments are a non-cash means of payment made online. All those payments that
are made through an electronic device could be regarded as electronic payments.
Electronic payments can be categorized in numerous ways. The narrower definition
covers only those transactions that are linked to a contract concluded online, being a
part of e-commerce. The broader definition includes electronic payments that are not
linked to a specific good or service ordered via the internet. This group covers bank
transfers, direct debits, internet banking, telebanking, mobile banking and card
payments via POS terminals. Further categorization is possible on the basis of
technology (internet payment, mobile payments), the amount of transaction (micro,
macro payments), the parties involved (B2B – business to business, P2P – person to
person), payment conditions (pre-paid, direct paid, post-paid) or whether the transaction
is linked to a payment account (not necessarily a bank account).[12]
Regulatory Difficulties
Competition fosters technological development which is market driven, and the market
decides whether a technology is acceptable or not. The competition between mobiles
and PCs resulted in the invention of notebooks, and then mobile manufacturers came
forward with smartphones, which were followed by tablets and smarter phones.
Technological convergence is the process by which existing technologies merge into
new forms that bring together different types of media and applications. The internet is
perhaps the most widespread example of technological convergence: virtually all
entertainment technologies, from radio and television to books and games, can be
viewed and played online.[13] Technology now makes it possible to work out of office.
This development, although it helps the economy recover and increases competition, has a
serious sociological impact: office hours merge with out of office hours and it is
becoming more and more difficult to determine the time spent on work.
The now effective European law tries to regulate this continually changing field to
increase competition and to protect consumers. It is very difficult to give a unified
regulation for e-payments bearing in mind the disparities in various European markets,
and regulation has to cover non-EU countries as well. The legislature faces two
extremes: overregulation in order to eliminate fraud on one side and inadequate
regulation on the other. Nevertheless poor regulation could be better than having no
regulation at all. The market will price both legal uncertainty and the risk of possible fraud. In
order to regulate electronic payment transactions, it is necessary to harmonize various
directives relating to e-commerce, payment services, distance contracts, e-money
institutions, credit institutions and consumer and data protection. This legislation should
seek to enhance trust in electronic transactions on the internal market, i.e. to ensure
that the consumer can acquire ownership over the goods or services he bought via the
internet, that the seller receives the counter value of the goods or services he sold, that
the data of the payer are not disclosed and he pays exactly the same amount and not
more than the counter value of the goods or services and, last but not least, that the
technology used for the transaction is safe and secure.
[12] OECD (2006) “Online Payment systems for E-commerce”, http://www.oecd-ilibrary.org/science-and-technology/online-payment-systems-for-e-commerce_231454241135
[13] http://www.wisegeek.org/what-is-technological-convergence.htm
Drivers for Change: the Payment Services Reform
In July 2013 the EC submitted a keynote legislative proposal for the EU payment
services industry when issuing its review of PSD1.[14] The proposal caused heated
debates as it pointed out that due to technological innovation, new entrants appeared
on the payment market, who offered cheaper payment solutions while falling outside the
scope of regulatory supervision. The reason behind the lack of regulation was that these
service providers were at no time in the possession of either the payers’ or the payees’
funds. Although the provision of cheaper solutions was welcomed, the lack of
supervision raised security, data protection and liability issues.
[14] Report from the Commission to the European Parliament and the Council on the application of Directive
2007/64/EC on payment services in the internal market and on Regulation (EC) No. 924/2009 on cross-border
payments in the Community COM(2013) 549
One of the most striking features of PSD2 is that payment services no longer fall under
the scope of banking monopoly. Regulators had to respond to recent transformations in
the payment market, driven by new technologies, changing customer behaviour and the
need to cut costs. Some years ago the market was dominated by banks mostly but now
new entrants, so far outside the umbrella of European regulatory provisions, are
attacking their positions, challenging their role in payments. According to some experts
banks welcome the fact that new entrants providing payment initiation services will fall
within the scope of PSD2.[15] This could be disputable as banks operate on a cartelised
and sensitive market in the sense that banks are under strict regulatory control and they
enjoy exclusivity regarding payment services and therefore are obviously unwilling to
give a fraction of their market to newcomers on one hand, and open up data on
payment accounts on the other, which would definitely undermine customers’ trust.
There is no doubt that banks will definitely respond to such a market division and they
will come forward with new services or enter into cooperation agreements with such
new service providers.
With digitalization and mobility, banks are changing the way customers can access
banking services. Now there is no need to go to the nearby branch for banking services
as one can fulfil his banking needs right on his iPad.[16] According to a recent report, a
total of 2,000 physical UK branches have been shut over the past five years[17] and the
same trend is experienced all over the EU.
[15] Desmares, B. Ramé, “Banks Faced with PSD2: around payments and beyond, digital wallets and new services”
(2014 September) Efma Report
ECB’s fourth report on card fraud shows that the total value of card fraud using cards
issued in SEPA amounted to €1.44 billion in 2013.[18] It is striking though that compared
with 2012, card not present (CNP) fraud (payments using credit card credentials
through the internet, phone or mail) has become an even more important channel for
fraud, whereas ATMs and POS terminals have become less important. According to
ECB, CNP accounted for 66%, POS for 20% and ATM for only 14% of the total value of
fraud. Fraudsters are becoming more sophisticated; therefore regulators must always go
one step further in order to ensure the security of electronic payments, the
protection of users and the development of a sound environment for e-commerce.[19]
Taking into account the above drivers for change, PSD2 introduces the following major
changes:
1. Expands the territorial scope provisions;
2. Narrows down the exemptions (i.e. tightens negative scope);
3. Expands the market by regulating new service providers;
4. Allows access to payment accounts;
5. Strengthens EBA’s role in regulation and coordination;
6. Harmonizes the “passporting” rules;
7. Defines new service providers’ liability; and
8. Introduces strong customer authentication.
[16] http://letstalkpayments.com/10-banking-concepts-put-branch-ipad/
[17] http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/11863736/Thousands-more-UK-bank-branches-could-face-closure.html
[18] ECB (July 2015) “Fourth Report on Card Fraud”
[19] Recital 51(aa) of PSD2
OVERVIEW OF THE PAYMENT SERVICES DIRECTIVE 2
Review of PSD1
In accordance with Article 87 of PSD1, the European Commission must carry out a
review of PSD1 and report its findings to the European Parliament and the European
Council. The Commission issued its report in the middle of 2013 and highlighted that “a
number of changes could be envisaged to the PSD to enhance its effect, clarify a
number of its aspects, and provide a level playing field and to take into account
technological developments.”[20]
The Commission’s review and its Green Paper cited above led to the conclusion that
further measures and regulatory updates, including adjustments to PSD1, are required.
This would help the payments framework to better serve the needs of an effective
European payments market, fully contributing to a payments environment which
nurtures competition, innovation and security.[21]
[20] Report from the Commission - COM(2013) 549
[21] http://europa.eu/rapid/press-release_IP-13-730_en.htm
PSD2 will impact credit institutions already operating within the scope of PSD1. As
mentioned above, with the advancement of technology, e-commerce marketplaces, gift
card and loyalty schemes, public communication networks, account access services and
mobile wallets will come under the scope, as PSD2 intends to regulate anyone who
receives payment by credit transfer or direct debit within SEPA. Some of these new
entrants, called third party payment service providers (TPPs), which gain access to bank
accounts that they do not manage in order to offer payment initiation services or account
information services, shall adopt the status of payment institution and comply with EU
regulations.[22]
PSD2 does not contain a definition of a TPP. The Commission proposed in mid-2013
that a new set of business models be expressly regulated under PSD, which it
collectively referred to as “third party payment service providers”. These include
services based on access to payment accounts provided by a payment service provider
who is not the account servicing payment service provider, in the form of payment
initiation services and account information services.[23] Although PSD2 includes a
detailed definition section under Article 4, the TPP is not defined. The wording of Article
58 (4)a, on the other hand, declares that TPPs can operate independently, as third
parties of banks:
[22] PSD2 Recital 18
[23] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on payment services in the
internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive
2007/64/EC
“The provision of payment initiation services shall not be made dependent on the
existence of a contractual relationship between the payment initiation service providers
and the account servicing payment service providers for that purpose.”
The scope of PSD2
Compared to PSD1, the scope of PSD2 is extended, as regards both the
geographical scope and the material scope.
Geographical scope
PSD1 applies only where both the payer’s and the payee’s PSP are, or the sole PSP in
the payment transaction is, located in the EU. Therefore it was possible for businesses
outside the EU to provide payment services to EU citizens without being subject to the
requirements of PSD1.
Malaguti emphasized in her paper on PSD1 that no definition exists of when a payment
service is provided within the Community; since the definition of payment services refers
to the business activities enabling the customer to execute either a deposit, a
withdrawal or a payment, under PSD1 it could be reasonably assumed
that the relevant location of the service should be where the PSP renders the service to
its customer.[24]
[24] Maria Chiara Malaguti, The Payment Services Directive, Pitfalls between the Acquis Communautaire and
National Implementation, (2009) ECRI Research Reports No. 9 p 21
PSD2 is unique in the sense that transactions in non-European currencies where both
the payer’s and the payee’s PSP (or the sole PSP in the transaction) are located in the
EU will be caught, as will the so-called “one leg out” payment transactions in all
currencies, i.e. where only one PSP is located in the EU.[25] PSD2 will not extend its
geographical scope outside of the EEA because only those parts of the payment
transaction will be affected that are sent to or received from a non-EEA PSP and are
carried out in the EU.[26] One leg out transactions will be explained in more detail below.
Material scope
Like PSD1, PSD2 contains a positive and a negative scope provision. The latter
outlines the conditions under which the directive will not apply. These exemptions have
been redrafted in PSD2 as the former ones were too general or outdated and led to different
interpretations at national level. PSD2 narrows the negative scope and extends the positive
scope, thus covering more payment services than PSD1.
[25] Indeed the 2005 Commission proposal had defined the scope of PSD1 as to apply when at least one of the
payment service providers is located in the Community. (Malaguti, The Payment Services Directive... p. 21)
[26] Article 2.1b)
NARROWING EXCLUSIONS
Commercial agents
In payment transactions where a commercial agent acts as an intermediary in the usual
scenario (payee – payer – commercial agent), the risks against which PSD1 secures the
market and users do not arise in principle.[27] However the picture becomes different if
we take into account huge online marketplaces such as eBay or Amazon. Under PSD1
it was possible to get an exemption in order to avoid requiring a payment institution
license:
“Payment transactions from the payer to the payee through a commercial agent
authorized to negotiate or conclude the sale or purchase of goods or services on behalf
of the payer or the payee.”[28]
The exclusion was made available for payment transactions carried out from the payer
(buyer) to the payee (seller/merchant) through a commercial agent authorized to
negotiate or conclude the sale or purchase of goods or services on behalf of the payer
or the payee.
Lieferheld, a German platform for the delivery of meals, was sued by a competitor
because it offered online payment for its clients. A German court decided that Lieferheld
unlawfully offered payment services. Subsequently, Lieferheld changed its contract
terms with restaurants in order to comply with the commercial agent exemption and to
continue to offer its payment services without a payment institution license.[29]
[27] Study on the Impact of Directive 2007/64/EC on Payment Services in the Internal Market, London Economics, 2013 February p.124
[28] Article 3(b) of PSD1
Even though many online platforms have sought to rely on the above exemption, not
every EU regulator has accepted it for this purpose. In particular, the German regulator,
BaFin, has issued public guidance discouraging its use.[30]
The Study on the impact of PSD1 has also confirmed that, because PSD1 is insufficiently
clear about a situation where the provider acts for both parties at the
same time, providers facilitating the trade of goods or services between a payer and
payee may seek to rely on the exemption for commercial agents to remain outside the
PSD regime.[31]
Although the language of Article 3(b) has not materially changed in PSD2, reference to
the word “agreement” became important. According to the Study on the Impact of
Directive 2007/64/EC, businesses providing mere communication with no specific focus
on any of the participants should not benefit from the exemption because active
solicitation is required.[32] The second important feature of this Article is that the
exemption applies when agents act only on behalf of the payer or payee but not both:
“Payment transactions from the payer to the payee through a commercial agent
authorized via an agreement to negotiate or conclude the sale or purchase of goods or
services on behalf of only the payer or only the payee.”[33]
[29] LG Köln, Urteil v. 29.09.2011, Az. 81 O 91/11, http://tlmd.in/u/1307
[30] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011 http://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_111222_zag.html
[31] Study on the impact... p.125
[32] Study on the impact... p.125
Where agents act on behalf of both parties (e.g. eBay) the exemption will only apply in
cases where the agent does not come into possession, or have control of, clients’
funds.[34]
It seems, though, that PSD2 does not totally rule out the exemption's applicability to
e-commerce marketplace providers. These could still rely upon this exemption if they act
as agents of their customers, that is merchants, although the transaction is carried out
to the benefit of both merchants and buyers. It will be left to national law to
decide whether to exempt such marketplaces or to apply a strict approach and deny
exemption.
Limited network exemption
PSD1 exempts payment transactions based on payment instruments accepted only
within the issuer's premises or certain limited networks:
“Services based on instruments that can be used to acquire goods or services only in
the premises used by the issuer or under a commercial agreement with the issuer
either within a limited network of service providers or for a limited range of goods or
services.”[35]
[33] Article 3(b) of PSD2
[34] Recital 18 of PSD2
This applies e.g. to store cards, gift cards, fuel cards and loyalty programs. There are
four joint conditions of this exemption:
1. the service should involve an instrument,
2. the service shall be designed for paying for goods or services,
3. the goods or services are purchased on the issuer’s premises and finally
4. the limited nature of either the service provider network (regardless of the range
of goods or services) or of the range of goods or services affected by the
payment.
So the question arises whether loyalty cards valid for certain stores and their
subsidiaries which are used to acquire an unlimited range of goods are caught or not?
What does a limited network actually mean? Do premises include the internet?
The French financial regulator, ACP, tried to interpret the above exemption of PSD1
restrictively. Thus the above exemption was limited to a network of stores operating
under the same brand. It explicitly excluded subsidiaries and other third parties within
the network using other brands. Interestingly, the Conseil d’Etat has overruled this
decision but has specified that a network may be considered as limited if it meets other
objective criteria, such as “a limited geographical area, significant financial relations, or
close commercial relations, between members of the network.” The French court
highlighted that anyone providing payment services, even if exempted from a
license, is involved in the financial system; therefore the ACP can impose any conditions
“which are designed to safeguard the security of means of payment and protect their
users.”[36]
[35] Article 3(k) of PSD1
The German BaFin also applied the strict approach: no authorization was needed for
local public transport cards even when used for the purchase of travel supplies, and
petrol cards were exempted only when issued by local petrol stations.[37] Where the
choice of products was particularly limited (i.e. only transport service), BaFin has shown
willingness to accept a nationwide scope. Department store cards usable in multiple
stores belonging to one concern were considered by BaFin to require authorisation.
Discount cards may thus only be issued without authorisation where their application is
regionally limited.[38]
According to the Recital of PSD2 the main reason for re-regulating this exemption was
to catch those unregulated service providers whose payment activities often comprise
significant payment values but escaped regulation due to PSD1’s vague and too
general wording:
[36] Case No.354957 ECLI:FR:CESSR:2013:354957.20130424 of the Conseil d’Etat, http://www.legifrance.gouv.fr/affichJuriAdmin.do?oldAction=rechJuriAdmin&idTexte=CETATEXT000027353547&fastReqId=1333016665&fastPos=1
[37] Dr. Matthias Terlau, Dr. Daniel Walter, “PSD2 – Future authorisation requirements for department store cards, gift vouchers, petrol cards and stadium cards? The new limited network exception” (2013) Payment Services Law Blog
[38] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011
“Feedback from the market shows that the payment activities covered by the limited
network exception often comprise significant payment volumes and values and offer to
consumers hundreds or thousands of different products and services, which does not fit
the purpose of the limited network exemption as provided for in Directive 2007/64/EC.
That implies greater risks and no legal protection for payment service users, in
particular for consumers and clear disadvantages for regulated market actors. To help
limit these risks, the same instrument cannot be used to make payment transactions to
acquire goods and services within more than one limited network or to acquire an
unlimited range of goods and services.”[39]
These players are now competing with regulated institutions and therefore enjoy unjustified
competitive advantages in terms of initial capital and liabilities.[40]
Although PSD2 tried to make the wording precise, this was not very successful, as the
current text contains some undefined legal terms which are subject to interpretation.
This causes legal uncertainty and results in an approach that PSD2 tried to avoid:
different national interpretations will co-exist and the application of the exemption will
need to be decided on a case-by-case basis.
[39] Recital 12 of PSD2
[40] Recital 12 of PSD2
On the basis of PSD2 the directive shall not apply to
“(k) services based on specific payment instruments that can be used in a limited way
should be excluded if one of the following conditions is met:
1. instruments allowing the holder to acquire goods or services only in the
premises of the issuer or within a limited network of service providers
under direct commercial agreement with a professional issuer;
2. instruments which can be used only to acquire a very limited range of goods or
services;
3. instruments valid only in a single Member State provided at the request of an
undertaking or a public sector entity and regulated by a national or regional
public authority for specific social or tax purposes to acquire specific goods or
services from suppliers having a commercial agreement with the issuer”.[41]
The main criticism of PSD1’s limited network exemption was that there were no clear
guidelines on what is meant by limited other than some domestic regulators’
case-by-case guidance.[42] PSD2 does nothing to further clarify the criteria of this exemption.
Reference to premises is insufficient as a lease relationship between the issuer and
seller could be an adequate substitute. The wording of “limited networks of service
providers that are under direct commercial agreement with a professional issuer” is not
explicit enough. Direct could mean the exclusion of subcontractors, so that PSPs in a
limited network must conclude commercial contracts with the issuer directly and not with
its subcontractors. The term professional issuer remains equally undefined.
[41] Article 3(k) of PSD2
[42] Recital 12 of PSD2
Let’s compare (a) a card issued by a large department store with nationwide presence
for acceptance in its own stores (e.g. Tesco’s clubcards) and (b) a card issued by
several merchants (i.e. a group of companies) (e.g. the Hungarian SuperShop card).[43]
While (a) will not require authorization, in case of (b) it seems that authorization would
be necessary on the basis that the network is not very limited.
The new expression of PSD2 “very limited” is not explicit. Instruments for the acquisition
of only one range of goods are definitely covered but what about 3, 5 or 20 ranges?
Unlike PSD1, PSD2 under Article 30 provides for mandatory notification by PSPs if
they intend to offer activities within a limited network.[44] Accordingly, PSPs cannot
commence operations and then decide whether the preconditions have been met. On
the contrary, they shall ask for a mandatory review by the authorities before
commencing their activity if their payment transactions exceed a threshold of EUR 1
million in the preceding 12 months. The description of services shall be made publicly
available on EBA’s website.[45]
[43] SuperShop is not a prepaid card. A certain % of each purchase is credited to the card. The cardholder can use this card for purchases within a limited network of merchants, e.g. Spar, OMV, Burger King. www.supershop.hu
[44] Article 30(2) of PSD2
[45] Article 30(4) of PSD2
This concept again would run contrary to the principle of the internal market, as the
procedure could lead to divergent interpretations and could also distort competition.
Furthermore, the public disclosure of the decision could influence how certain
regulators approach their review. Given the uncertainty of the scope of this
exemption, PSPs would be prudent to seek regulatory approval regardless of the
payment transaction volumes carried out.
BROADENING THE SCOPE OF PAYMENT SERVICES
Since the adoption of PSD1 new types of payment services have emerged, especially in
the area of internet payments. According to Recital 18 of PSD2 “these services play a
part in e-commerce payments by establishing a software bridge between the website of
the merchant and the online banking platform of the payer’s bank in order to initiate
internet payments on the basis of a credit transfer. The payment initiation service
provider, when providing exclusively payment initiation service, does not in any stage of
the payment chain hold user’s funds”.[46]
These new e-commerce payments are made over the internet, usually in one of these
three ways:[47]
1. via a remote payment card transaction through the internet;
2. in the form of online credit transfers or direct debits by using either the payer’s
online banking system directly, or that of a third party (e.g. Sofort);
3. payments through e-payment providers, with which the consumer has set up an
individual account that has been funded through “traditional” payment methods,
e.g. bank transfers or credit card payments (e.g. PayPal, PayU).
[46] Recital 18 of PSD2
[47] Green Paper of the European Commission…
Annex 1 of PSD2 includes those payment services that are within the scope of the
directive. Two new services were added to this list with PSD2: payment initiation
services and account information services. The first includes those services under point
2 above that are provided by third parties other than banks. The second is only a
complementary service providing the user with aggregated online information on one or
more payment accounts.
Payment Initiation Services
The German Sofort, the largest bank-independent TPP in Europe, offers payers the
option of paying merchants directly from the payer’s bank account. The payer
authorizes the specific payment and personally carries through and completes the
necessary steps for executing it, including selecting from which of his or her bank
accounts the payment should be made. The payer then signs the transaction using his or
her existing online bank credentials. The payer retains full control of the completion of
the payment and uses bank-issued security credentials to carry it out. The whole
process is carried out using Sofort’s software but Sofort is not able to initiate a payment
without the payer actively participating and going through the same steps as if initiating
an online bank payment. This makes this payment one of the safest online methods,
and the risk for the payer to be exposed to fraud is minimized.[48]
Although Sofort has not faced one single case of data fraud affecting the consumer
since its launch in 2004, payment initiation services do imply an increased risk for the
user. The Study on the Impact of PSD1 also highlighted some security concerns:
“To put it simply, under payment initiation services, the historically basic concept of the
payment process “give me EUR X from your wallet” turns into “give me your wallet” (out
of which the payee or its provider takes EUR X). This triggers security concerns which
are broader than the mere fear of the risk of one-off fraud.”[49]
Figure 2 shows that in the new, five-member process the payer initiates payment via the
TPP, which in turn passes the instruction to the payer’s bank.
Figure 2.
[48] Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004 according to EPIF’s Report on Payment Initiation Services, July, 2013.
[49] Study on the impact... p.4
PSD2 relation
PSD2 does not use the term bank. Instead it uses the definition: “account servicing
payment service provider”. This wording basically covers banks as it means a payment
service provider providing and maintaining payment accounts for a payer.[50]
The service provided by Sofort and by other similar banking services (e.g. iDeal or
Trustly) was not covered by PSD1. PSD1 exempted those technical operators who
support PSPs on the ground that these do not come into the possession of the payer’s
funds.[51] Article 3(j) of PSD2 upholds this exemption but specifically excludes
payment initiation services and account information services from it, thus extending the
scope to such TPPs.
It is therefore inevitable for those technical operators who relied upon the above
exemption to carry out a careful analysis as to whether they will now need to become
regulated under PSD2. It will be particularly important to determine whether a
payment service provider enjoying exemption as a support operator under PSD1 now
falls within the scope of providing “payment initiation services” or not.
[50] Article 4(10) of PSD2
[51] Article 3(j) of PSD1
(Figure 2 labels: Payer; Payer’s bank; TPP (Payment initiator); Payee; Payee’s bank)
Under PSD2, payment initiation service providers are required to be authorised but are
subject to a reduced minimum own funds requirement of 50,000 euros.[52] Account
information service providers are expressly exempt from authorisation, but are subject
to a registration requirement.[53]
Account Information services
According to Recital 18(a) of PSD2 “…with technological developments, a range of
complementary services have also emerged in recent years, such as account
information services. These services provide the payment service user with aggregated
online information on one or more payment accounts held with one or more other
payment service providers and accessed via online interfaces of the account servicing
payment service provider, thus enabling the payment service user to have an overall
view of his financial situation immediately at a given moment.”
PSD1 was silent about such services, which raise several legal issues such as consumer
protection, security and liability as well as competition and data protection issues.
[52] Article 68(b) of PSD2
[53] Article 27(a) of PSD2
This service used to be the monopoly of the consumer’s bank and was limited only to
one bank account. Now the user authorizes the TPP to process information available in
the user’s online banking facility, and the TPP then provides financial information and new
functionalities not available from the bank (e.g. eWise).
Figure 3 shows how account information service would work under PSD2.
Figure 3.
PSD2 relation
Some argue that PSD2 does not contain clear definitions as to the content of the
account information services.[54] They claim that PSD2 remains neutral about the
technology of such services and refers only to “services requested by the user”[55] or
“information requested through an account information service provider”[56] and “access
and use the information on the payment services user account”.[57] This argument is,
however, not well founded: since PSD2 is a directive, its goal is to set out minimum
requirements that each EU member must achieve. It is up to national legislation how
this goal is achieved. This is somewhat contrary to the above, where emphasis was
placed on the imprecise definitions used by PSD2. Nevertheless it is not this directive’s
task to solve technicalities.
[54] http://prudentiz.eu/payment-services-directive-ii
[55] Article 59(2)f of PSD2
[56] Article 87(1)c) of PSD2
(Figure 3 labels: User; Payer’s bank; TPP (Account information provider); Payer’s bank; Payer’s bank)
In the earlier draft version of PSD2 the wording of account information service included
references to a payment service. However, the EPC was of the opinion that such
services should not be presented as a “payment service” as these are not necessarily
linked to payment transactions.[58] The EPC reasoned that such services would only
comprise historical payment transaction data, or “aggregation services”, but would
never lead to a payment initiation. The EPC even questioned if it should be included in
PSD2. The view that these services should not be left without appropriate
authorization resulted in their inclusion under the scope of PSD2.
ACCESS TO PAYMENT ACCOUNTS
Access to payment accounts is one of the most controversial territories of PSD2. A
payment initiation service or an account information service would not work if banks
did not grant access to payment accounts. This is a very sensitive territory, touching
banking secrecy, anti-money laundering and data protection issues.
[57] Recital 51 of PSD2
[58] Gijs Boudewijn, “PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services” (2014) EPC Newsletter
The Study on the Impact of PSD1 highlighted that with payment initiation services the
concept of the access to accounts has shifted:
“Existing online access relies on the assumption that the user is the only person to
access the account. Indeed, to tackle concerns with payment initiation services, while
still preserving the innovative potential of those services, this basic assumption needs to
be shifted. Instead, the basic underlying assumption should hold that the user is one of
the persons to access the account, but remains the only person to decide on who else
may get access to the account. The concept under which the user is one of the persons
to access the account and the only one able to decide who gains access removes most
obstacles to the sustainable development of payment initiation services. Indeed, this
way of conceptualizing access to accounts ensures neutrality with regards to future
developments in this area.”
In accordance with Articles 58 and 59 of PSD2 a bank or a credit institution must give
TPPs access to customers' account information, provided that the customer has given
his explicit consent to that access. Although the right of a bank to reject account
applications on valid grounds (such as anti-money laundering concerns) would not be
affected, banks that decline to provide a bank account to another payment institution will
have to explain the rejection to the regulator.[59]
Aren’t the above articles contrary to banks’ general terms and conditions? Could a
customer raise a concern that the general terms and conditions prohibit the disclosure
of confidential login details and the confirmation code to third parties? Would such
disclosure imply breach of contract?
Ross Anderson explained the Sofort case during the Security Protocols 20th
International Workshop in 2012: the German banks sued Sofort on the basis
that it induced its customers to break the general terms and conditions of their
contract. However, the Federal Competition Authority intervened and said that “they
actually liked these Sofort chaps because they were bringing some much needed
competition into a very, very cartelised payment business”.[60] In 2011 the authority
called upon the German banks to enable non-discriminatory access for online
payment systems that are independent of banks.
Contrary to the German practice, in 2014 the Polish competent authority for
payment service providers explicitly closed the market for service providers with its
decision instructing banks not to allow Polish TPPs access to bank accounts.[61]
[59] Article 29a of PSD2
[60] Ross Anderson: Protocol Governance: The Elite or the Mob? In: Security Protocols XX: 20th International Workshop, Cambridge, UK, April 2012.
[61] http://prudentiz.eu/payment-services-directive-ii
Simultaneously with the Polish approach, the District Court of Midden-Nederland ruled
that AFAS Software B.V. acted unlawfully and must desist from asking ING Bank’s
customers to enter their banking credentials on the website of AFAS so that it could log
on automatically to ING’s secure online banking interface.[62]
The Dutch AFAS operates along the same principles as the German Sofort with the
difference that Sofort has been granted access to payers’ bank accounts, while AFAS
hasn’t. Interestingly, ING relied on the same reasons as the German banks when suing
Sofort. ING reasoned that its general terms and conditions and the Uniform Safety
Standards of the Dutch Banking Association prohibit customers from disclosing their
personal internet banking credentials to third parties. Furthermore, AFAS created an
immediate online banking security risk by asking ING customers to supply their internet
banking credentials. The court ruled in favor of ING and said that in order to prevent
fraud, internet banking credentials should never be provided to third parties.
Most surprisingly, the Dutch court rejected the argument of AFAS that its services,
including the offer for an automatic connection between its third party applications and
online banking environments, will be regulated by PSD2. The court agreed with ING
saying that PSD2 is not yet in force and that the proposed text of the directive is still
under discussion, especially those provisions that AFAS could rely on.
The Dutch court eventually ruled that the final compromise text of a directive waiting for
voting cannot be relied on. This is in line with the CJEU’s case law. In Inter-Environment
Wallonie the CJEU held that even within the implementation period the Member States
are not entitled to take any measures which would seriously compromise the result
required by the directive.[63] This was later on strengthened in Mangold.[64]
[62] ING BANK N.V. v. AFAS SOFTWARE B.V [2014] Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481
If PSD2 entered into force AFAS could challenge the Dutch court decision by invoking
Inter-Environment Wallonie and Mangold. But first it should be examined whether the
given Article of PSD2 is capable of direct effect using the test set out in Francovich.[65]
According to Article 58 Section 1.b (b) of PSD2:
“The account servicing payment service provider shall:
(b) immediately after the receipt of the payment order from a payment initiation service
provider provide or make available all information on the initiation of the payment
transaction and all information accessible to the account servicing payment
service provider regarding the execution of the payment transaction to the payment
initiation service provider;
(c) treat payment orders transmitted through the services of a payment initiation service
provider without any discrimination for other than objective reasons, in particular in
terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the
payer himself.”
[63] Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411 para 44
[64] Case C-144/04 Mangold v Helm [2006] 1 CMLR 43 para 28
[65] Case C-60/90 Francovich [1991] ECR I-5357
Subsection b) of the above article seems capable of direct effect. Notwithstanding the
fact that the term all information is not precise enough, the preceding subsections of this
Article give some guidance on what information (personalized security credentials, other
information on the service user) banks should give access to. Subsection b) confers
rights on payment initiation service providers. On the other hand, subsection c) is not
precise enough. While it imposes a clear obligation and identifies who the subject of that
obligation is (the account servicing PSP), it does not seem that it confers rights on any
party in particular.
Horizontal or vertical direct effect in relation to AFAS would depend on how the
Netherlands implements PSD2.
SECURITY OF PAYMENTS
According to Abrazhevich, one of the most crucial and well-researched issues in payment
systems is security. Since the Internet is an open network with no centralized control,
the infrastructure supporting electronic commerce, and payment systems in particular,
must be resistant to attacks in the Internet environment.[66]
[66] Dennis Abrazhevich, Electronic Payment Systems: a User centered perspective and Interaction Design (Technische Universiteit Eindhoven, 2004) p.36
Payment Card Fraud: Examples from Recent Cases
Managing payment card fraud can be challenging for financial institutions. Chip-based
or EMV[67] payments were a big step forward from magnetic stripe card payments.
Magnetic stripes can easily be copied but it is impossible to clone the chip; therefore
chip-based cards increase security and reduce fraud resulting from counterfeit, lost
and stolen cards. While almost all terminals in Europe are chip-enabled, the US is one
of the last countries to migrate to EMV chip technology.[68] However, chip cards will not
end fraud. As seen in Europe, where chip cards already are standard, fraudsters shift
focus to card-not-present[69] transactions instead.[70]
In the middle of July 2015, parallel with the launch of Apple Pay in the UK, some UK
papers reported that the contactless payment cards in our pockets might not be as secure as
we assumed.[71] According to the article, a group of guys was able to use an “easily and
cheaply” acquired card reader to successfully retrieve the 12-digit card numbers and
expiry dates from 10 cards. Despite this, they weren’t able to obtain the three-digit
verification code on the back of the cards. Surprisingly, with these data and with the help
of a fake name, they were able to put in an order on Amazon for a $4,000 TV.
[67] EMV is an abbreviation for Europay, Mastercard and Visa. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. http://www.emvco.com/
[68] http://www.emv-connection.com/emv-faq/
[69] A card not present transaction is a payment card transaction where the holder cannot physically show the card for visual examination when payment is effected (e.g. transactions over the phone, the internet or by mail).
[70] ECB (July 2015) “Fourth Report on Card Fraud”
[71] http://gizmodo.com/contactless-payment-cards-are-perhaps-not-as-secure-as-1719690656
Figure 4 below shows the credentials required when purchasing via Amazon.
Figure 4.
Cardholders will notice a missing card in a relatively short time, but it is almost
impossible to detect if card data are compromised, i.e. if someone got unauthorized
access to card data, especially if the card is in our pocket. If the card is used for
small-amount illegal purchases and the cardholder is a regular user of Amazon, the
cardholder will not notice that money is siphoned out of his account.
Contactless payment cards cannot be switched off; a card will give full customer details
unencrypted if a point of sale (POS) terminal or a smartphone sends it a query,
without any validation or authorization. Someone with malicious intent could easily rake
in a small fortune each day by brushing past people on a bus and skimming lots of cards while
they are in pockets and wallets. Many fraudulent transactions do not get noticed
until things have spiraled way out of control.
Two important liability issues should be mentioned regarding contactless payment
cards. Firstly, if the CVC2/CVV2 authentication procedure exists, why isn’t it obligatory
for all merchants? Secondly, if card issuers and banks regard bank account numbers
and expiration dates as public data not requiring protection, then why not use a secret
password that would serve as a second factor to protect users’ money? Actually there is
the PIN; however, this is not required during online transactions.
Strong Customer Authentication in PSD2 and in the EBA Guidelines
EBA gained importance in the surveillance of PSD2 requirements and is entitled, in
close cooperation with the ECB, to develop technical standards on the requirements of
strong customer authentication.[72]
EBA published its final guidelines on the security of internet payments on 19th
December 2014.[73] These guidelines are based on the recommendations of the
European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary
cooperative initiative set up by the ECB and comprising relevant authorities from the
EEA. Interestingly, these guidelines touched sensitive points including strong customer
authentication, which is also covered by PSD2. Furthermore, EBA required that these guidelines
should be applicable as of 1st of August 2015, before the acceptance of PSD2. This
raised some concerns among different stakeholders including MasterCard and small
firms in the UK. The FCA even made its views public on its website: “We do not have the
power without legislative change to make binding rules requiring all payment service
providers (credit institutions, payment institutions and e-money institutions) to comply
with the EBA Guidelines”. MasterCard compiled FAQs on its website informing its
customers on the applicability of the EBA guidelines and their relation to PSD2, not yet
in force.[74]
[72] Article 87a1.a of PSD2
[73] http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internet-payments
EBA is a regulatory agency of the Commission; it does not possess legislative power.
The technical standards drafted by EBA (based on the empowerment in PSD2) only
have binding effect and direct applicability for Member States once endorsed by the
Commission. The EBA’s guidelines, however, are “binding” for those competent
authorities to whom the guidelines apply, and they should comply by incorporating them
into their supervisory practices as appropriate[75]. This procedure is often called
“implement or explain”, meaning that it is possible for competent authorities to decide not
to comply with the guidelines. For example, the UK opted out, explaining that “it does not
have the power without legislative change to make binding rules requiring all payment
service providers (credit institutions, payment institutions and e-money institutions) to
comply with the EBA Guidelines”[76]. The Swedish Financial Supervisory Authority
reported that it will comply with all guidelines, except the strong customer authentication
requirements for card payment schemes and providers of wallet solutions[77].
[74] http://newsroom.mastercard.com/wp-content/uploads/2015/07/FAQ-EBA-guidelines.pdf
[75] EBA, Final guidelines on the security of internet payments p 8.
[76] EBA, Compliance Table - Guidelines - Based on information supplied by them, the following competent
authorities comply or intend to comply with: EBA Guidelines EBA/GL/2014/12 on the security of internet
payments, published on 19th December 2014.
[77] Ibidem.
In terms of PSD2 and the EBA Guidelines, strong customer authentication means an
authentication based on the use of two or more elements categorized as
1. knowledge (something only the user knows, e.g. PIN),
2. possession (something only the user possesses, e.g. token) and
3. inherence (something the user is, e.g. fingerprint or retina)
that are independent, in that the breach of one does not compromise the reliability of the
others, and is designed in such a way as to protect the confidentiality of the
authentication data[78].
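The definition above, worked through as an added example (it is not part of the dissertation, PSD2 or the EBA guidelines): a checker that decides whether the elements presented in one authentication attempt are strong in this sense. Two things are assumptions of the example: that the two elements must come from different categories, and that independence is modelled by a hypothetical `depends_on` set naming the components whose breach would compromise an element. All sample elements are constructed.

```python
from dataclasses import dataclass, replace
from enum import Enum
from itertools import combinations


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows, e.g. PIN
    POSSESSION = "possession"  # something only the user possesses, e.g. token
    INHERENCE = "inherence"    # something the user is, e.g. fingerprint


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    # Assumption of this example: the components whose breach would expose
    # or bypass this element. Two elements are treated as independent only
    # if these sets do not overlap.
    depends_on: frozenset
    verified: bool = True  # did the element check out in this attempt?


@dataclass(frozen=True)
class Verdict:
    strong: bool
    reason: str
    pair: tuple = ()


def evaluate_sca(elements):
    """Decide whether one authentication attempt meets the definition."""
    ok = [e for e in elements if e.verified]
    if len(ok) < 2:
        return Verdict(False, "fewer than two verified elements")

    first_conflict = None
    cross_category = False
    for a, b in combinations(ok, 2):
        if a.category is b.category:
            continue  # e.g. password + security question: both knowledge
        cross_category = True
        shared = a.depends_on & b.depends_on
        if not shared:
            return Verdict(
                True,
                "two independent elements from different categories",
                (a.name, b.name),
            )
        if first_conflict is None:
            first_conflict = (a.name, b.name, sorted(shared))

    if not cross_category:
        return Verdict(False, "all verified elements are in one category")
    a_name, b_name, shared = first_conflict
    return Verdict(
        False,
        f"{a_name} and {b_name} are not independent: "
        f"both fail if {', '.join(shared)} is breached",
    )


# Constructed sample elements (illustrative only).
PASSWORD = Element("web password", Category.KNOWLEDGE,
                   frozenset({"password database"}))
SECURITY_QUESTION = Element("security question", Category.KNOWLEDGE,
                            frozenset({"customer record"}))
HARDWARE_TOKEN = Element("hardware token", Category.POSSESSION,
                         frozenset({"token device"}))
APP_PIN = Element("app PIN checked on device", Category.KNOWLEDGE,
                  frozenset({"phone"}))
DEVICE_KEY = Element("device-bound key", Category.POSSESSION,
                     frozenset({"phone"}))

ATTEMPTS = {
    "two knowledge elements": [PASSWORD, SECURITY_QUESTION],
    "password + hardware token": [PASSWORD, HARDWARE_TOKEN],
    "PIN and key on the same phone": [APP_PIN, DEVICE_KEY],
    "token check failed": [PASSWORD, replace(HARDWARE_TOKEN, verified=False)],
    "same phone plus separate password": [APP_PIN, DEVICE_KEY, PASSWORD],
}

if __name__ == "__main__":
    for label, attempt in ATTEMPTS.items():
        v = evaluate_sca(attempt)
        print(f"{label:36} strong={v.strong!s:5} {v.reason}")
```

The third case is the one the independence clause is aimed at: two categories are present, but a single compromise of the phone defeats both elements.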
A sophisticated technology may fail if the customer is not able to handle it with ease[79].
In 2014, during the EBA consultation period, MasterCard raised its concerns about the
strong customer authentication requirement in the draft EBA guidelines[80]. MasterCard
highlighted that the EBA guidelines do not observe customer convenience; in other
words, “the guidelines impose additional heavy and awkward authentication procedures
for customers which may end up discouraging them from using internet payments”[81].
In MasterCard’s opinion strong customer authentication should be optional for payments
whose risk is not high. The reason for this is very simple. Generally it is the card issuer
PSP which is liable in case of fraud. When a PSP is prepared to bear liability in case of
fraud, that PSP should be permitted to decide which level of authentication to apply
(strong or risk based), provided that the card issuer respects some minimal
authentication guidelines. Therefore there is no need to mandate upon card issuing
PSPs a strong authentication requirement on every transaction when they bear the risk
of fraud[82].
[78] Article 4 22. of PSD2
[79] Wen-Chen Hu, Chung-wei Lee & Weidong Kou, Advances in Security and Payment Methods for Mobile Commerce
(Idea Group Publishing, 2005) p. 210
[80] Mastercard (2014) “Mastercard’s comments on the EBA Consultation Paper on the implementation of draft EBA
guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive
(PSD2)”
[81] Ibidem.
Ecommerce Europe confirmed the above: “the new authentication rules could stifle
innovation in the area of digital payments. Multifactor authentication has a huge impact
on conversion for merchants, as many consumers will leave the check-out process
when payment becomes too complicated.”[83]
It seems that not only customer convenience but also liability and its financial
consequences were the real reason for MasterCard to vote for less stringent
authentication requirements. According to Article 66 1c of PSD2:
“Where the payer's payment service provider does not require strong customer
authentication, the payer shall only bear any financial consequences where
having acted fraudulently. Should the payee or the payment service provider of the
payee fail to accept strong customer authentication, they shall refund the financial
damage caused to the payer’s payment service provider.”
If PSPs fail to apply strong customer authentication they shall bear full liability, except if
the payer acted fraudulently. According to Ecommerce Europe, “if PSPs do not perform
strong authentication they are liable and liability does not shift to the merchant when he
chooses not to authenticate while the PSP is offering it. This is a change from today
where the merchant is liable when no authentication is used. However, failing to do so
might eventually lead to the merchant losing its contract with the PSP”[84].
Nevertheless, it seems that EBA followed the above advice of stakeholders, because the
final guidelines were formulated in such a way that they made possible the consideration
of alternative authentication measures for pre-identified categories of low-risk
transactions, e.g. based on transaction risk analysis or involving low value payments[85].
[82] Ibidem.
[83] Ecommerce Europe (2015) “Stronger consumer authentication for online payments needed as of 1 August 2015”
PSD2 AND THE FUNDAMENTAL FREEDOMS
Both PSD1 and PSD2 provide a legal framework for internal market payments by
establishing a comprehensive set of rules applicable to all payment services in the EU
to make cross-border payments easy, efficient and secure. The scope covers payment
services provided within the Union.[86] Like PSD1, the first part of PSD2 concerns the
authorization requirements for payment institutions and is structured on the legal basis
of freedom of establishment[87]. The second part, which focuses on the regulation of rights
and obligations of the parties, is legally based on the principle of the approximation of
laws (Article 114 of TFEU). Despite the fact that PSD2 is following full harmonization, it
explicitly allows Member States to regulate above minimum standards in some cases,
providing for mutual recognition.
On the basis of PSD2’s scope and its references to the freedom of establishment and
services, it can be established that although it mainly concerns payments, the directive is
linked to the freedom to provide services and the right of establishment rather than to
the free movement of capital and payments. Annex I of Council Directive 88/361/EEC of
24 June 1988 for the implementation of Article 67 of the Treaty (EEC) includes a
nomenclature of capital movements. Although it says that capital movements cover the
“conclusion and performance of the transaction and related matters”, the explanation of
each notion of capital movements makes it clear that it covers investments, loan and
credit operations rather than payment services[88].
[84] Ibidem.
[85] EBA, Final guidelines on the security of internet payments, Section 7.5
[86] Article 2.1 of PSD 2
[87] See: Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking
up, pursuit and prudential supervision of the business of electronic money institutions amending Directives
2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC
PSD2 and the Free Movement of Services and Capital and Payments
However, it is clear that without financial liberalization or free movement of capital, the
other three fundamental freedoms would not work. Although the TFEU chapters on
services and capital are closely linked, there is a significant difference between their
personal scopes. While the freedom of capital and payments grants the same rights to
EU citizens and third country nationals, the freedom to provide services can only be
relied on by Union citizens.[89] But how does this principle work in PSD2, especially taking
into account the so-called “one leg out payment transactions”?
Both PSD1 and PSD2 apply to payment services provided within the Union. Most
provisions of title III (Transparency of conditions and information requirements for
payment services), and title IV (Rights and obligations in relation to the provision and
use of payment services) of PSD2 will apply to a broader range of payment transactions
than that of PSD1. Specifically, transactions in non-European currencies where both
the payer’s and the payee’s payment services provider (PSP) (or the sole PSP in the
transaction) are located in the Union will be caught, as will the so-called “one leg out”
payment transactions in all currencies, where only one PSP is located in the EU.[90]
“One leg out” transactions were outside the scope of PSD1, but PSD2 now brings them
in scope: “in respect of those parts of the payment transaction which are carried out in
the Union”[91]. PSD1 did not cover those transactions where funds were sent to or
received from a PSP established outside of the EEA. Now the information requirements
in Title III of PSD2 will apply to them, including requirements on provision of contract
terms and other information to customers, variation of such contract terms or
information, and termination of customer contracts.[92] According to Troullinou, “this
wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to
PSPs who would not be able to fulfil their obligations in respect of transactions (or
components thereof) taking place outside of the EU over which they have no control
(e.g, because these are subject to foreign systems and rules).”[93]
[88] COUNCIL DIRECTIVE of 24 June 1988 for the implementation of Article 67 of the Treaty (88/361/EEC)
[89] Article 63.(2) TFEU, Case C-452/04 Fidium Finanz v Bundesanstalt für Finanzdienstleistungsaufsicht [2006] ECR I-9521
para 25.
[90] Article 2
[91] Article 2.1b of PSD2
[92] Article 2.1b of PSD2
With PSD2, PSPs will accordingly need to update their customer terms and conditions
and analyze those parts of their payment transactions which are carried out in the Union
so that they comply with information, variation and termination requirements. However,
in the absence of guidance as to the precise meaning of this wording, this may not be a
straightforward exercise. Furthermore, as explained above, Malaguti emphasized in her
paper on PSD1 that no definition exists of when a payment service is provided within
the Community[94]. PSD2 continues to remain silent on this, since the definition of
payment services remained unchanged and it only refers to the business activities. This
again creates some legal uncertainties and does not help to shed light on that specific
part of the transaction which is carried out within the Union.
In Fidium Finanz the CJEU held that the chapter regulating the freedom to provide
services does not contain any provision which enables service providers in non-member
countries and established outside the EU to rely on those provisions. Article 56
of TFEU cannot be relied on by a company in a non-member country.[95]
The personal scope of “one leg out transactions” covers the Union PSP that sends
funds to or receives funds from a third country PSP. As regards material scope, the
transaction is split into two parts: a Union and a non-Union part; thus the material scope
is extended outside of the EU in order to avoid divergent approaches across Member
States to the detriment of consumers[96]. Consequently such transactions extend beyond
the EEA as far as material scope is concerned, but eventually personal scope remains within
the EEA.
[93] Troullinou, Maria (2015) “An Update on Changes to the New Payment Services Directive (PSD2)” EPC Newsletter
[94] Maria Chiara Malaguti, “The Payment Services Directive, Pitfalls between the Acquis Communautaire and
National Implementation” (2009) ECRI Research Reports No. 9
[95] Fidium Finanz para 25.
Applicability of Several Freedoms
It is important to note that although there are several cases that raise both the freedom
of services and capital, the court considered only the rules on services. According to
Mavromati[97], under the old provisions of the EC Treaty on free movement of capital, the
court applied the provisions “subsidiarily”, that is to say only when a capital transfer
could not be qualified as a movement of goods or services.[98] The court thus avoided
possible cumulative application of the rules on the other freedoms and always preferred
the alternative qualification. However, in recent cases the court applied principles in an
analogous manner. Thus if the court had to decide whether the national measure in
question restricted the freedom of capital, it used its observations obtained from cases
in the area of the free movement of persons.[99]
In Fidium Finanz the CJEU held that “although in the definition of the notion of
“services” laid down in the first paragraph of Article 50 EC it is specified that the
services “are not governed by the provisions relating to freedom of movement for
goods, capital and persons”, that relates to the definition of that notion and does not
establish any order of priority between the freedom to provide services and the other
fundamental freedoms. The notion of “services” covers services which are not governed
by other freedoms, in order to ensure that all economic activity falls within the scope of
the fundamental freedoms.”
In this case the CJEU held that if a situation can only be assessed by reference to
services and capital, only one provision should apply. Therefore, where one freedom is
secondary to the other, the CJEU would consider the primary freedom. In this case the
rules were concerned with the freedom to provide services rather than the free
movement of capital, because the latter was “merely an inevitable consequence of the
restriction imposed on the provision of services”[100].
[96] Recital 9 of PSD2
[97] D. Mavromati, The Law of Payment Services in the EU: The EC Directive on Payment Services in the Internal
Market (Kluwer Law International, 2008) p. 32
[98] Case C-358/93 and C-416/93 Criminal proceedings against Aldo Bordessa and others [1995] ECR I-361, para. 15
[99] D. Mavromati, The Law of Payment Services ... op. cit., p 32.
PSD2 and the Freedom of Establishment: Passporting
According to EPIF, PSD1 was a real success story of the Single Market as it has helped
to foster the development of non-bank payment services[101]. PSD1 literally granted the
freedom of establishment in its text, with Article 25 of PSD1. It introduced the
passporting regime under which PSPs other than credit institutions can apply for an
authorization as a payment institution if they meet certain capital and risk management
requirements. The application can be filed in any EU country of their choice where
they are established, and they can then “passport” their payment services into other EU
Member States without additional requirements.
Nevertheless, this regime was later criticized by payment institutions. They raised
their concern that the process is not working as effectively as it could, due to the fact
that the application diverges at the national level in terms of anti-money laundering,
consumer protection, and data protection matters and thus specific requirements and
obligations have to be met before payment institutions can effectively passport their
services into EEA Member States outside their home country[102]. It was also highlighted
that it is very difficult to establish a uniform product portfolio across EEA markets and
the process can take a long time, with no clear information on when it is likely to be
completed[103].
[100] Fidium Finanz para 49.
[101] EPIF (30 May 2013) “Paper on Payments”
Taking into account the above concerns, Recital 29 of PSD2 confirms that the
cooperation between the competent authorities should be enhanced, both with regard to
the information exchanged and with regard to a coherent application and interpretation of
the directive, in cases where the authorized payment institution would like to provide
payment services also in a Member State other than its home Member State, in
exercise of the right of establishment or the freedom to provide services, including
through the internet (“passporting”).
After the implementation of PSD2, EBA’s role will be crucial here, as this body will assist
competent authorities to settle disagreements between each other in the context of
cross-border cooperation. EBA’s competence will also cover the preparation of a set of
regulatory technical standards on cooperation and data exchange which, once
approved by the Commission, will be binding and directly applicable on Member States.
[102] Study on the Impact of Directive 2007/64/EC
[103] Ibidem.
CONCLUSION
The above provides a summary of some of the key issues that payment service
providers will face when they would like to know whether their services will fall within the
scope of the new proposed PSD2.
Although the revision procedure of PSD1 tried to capture more participants with the aim
of enhancing security and consumer protection, many questions have been left
unanswered that shall continue to cause legal uncertainty. The intention to give
technologically neutral definitions allows for the further development of new types of
payment services but it is questionable whether it will ensure equivalent operating
conditions. Therefore the trend will be the same as in the period after the
implementation of PSD1: the lack of precise definitions and ambiguous wording will end up
with different national application practices that are contrary to harmonization and
integration and will also distort competition in the payment market. Examples of
such ambiguities are the definition of “very limited” or the concept of “limited” in the
limited network exemption requirement, or the term “professional issuer” in the list of
exemptions. Furthermore, in the case of “one leg out” transactions, the concept of the part of
the transaction that is carried out within the Union will definitely cause some concerns
and will require PSPs to analyse their payment schemes in detail.
It will turn out after the implementation of PSD2 whether the new approach put forward
by the Commission will be successful or not. The most difficult part perhaps will be the
applicability of the exemptions. The broadness of any exemption has the potential to
cause a negative impact. Therefore in order to cut costs and save money, PSPs will
continue to attempt to align their products to match the exemptions in order to avoid a
regulatory burden and to save the costs of PSD2 compliance. This will leave customers
unprotected even under PSD2 and will deprive regulatory authorities of their powers.
Additionally, it will not enhance consumer protection either, since for consumers with
average financial capability it will be a real challenge to distinguish between those
products that are PSD2 compliant and those that are not.
PSD2 tries to catch those e-commerce platforms that were so far out of its scope. As a
result, e-commerce platforms in currently more relaxed jurisdictions might become
subject to payment services regulation. It can be predicted that such smaller e-
commerce platforms will initiate cooperation with banks if they are themselves not able
to apply for a license.
There is no doubt that banks will have to adhere to a new market division, taking into
account the appearance of TPPs on a payment services market which used to be bank
dominated. This will indeed foster innovation and cooperation between banks and other
payment service providers. However, PSPs shall overcome an obstacle in order to
compete on this market: access to payment accounts.
Access to payment accounts is one of the most controversial territories of PSD2. A
payment initiation service or an account information service would not work if banks
did not grant access to payment accounts. This is a very sensitive territory, touching
banking secrecy, anti-money laundering and data protection issues. Although resources
on CJEU or national case law touching rights granted by both PSDs are very limited,
access to payment accounts was the one which attracted national courts or national
financial authorities the most. Due to the discrepancies on national level, after
PSD2 enters into force it can be anticipated that PSPs will turn to the CJEU if they are not
granted access to payment accounts and thereby cannot pursue their activities,
regardless of whether the Member State concerned has implemented the directive or
not.
PSD2 is undoubtedly linked to the freedom to provide services and to the freedom of
establishment, although some provisions may be seen as dependent on the freedom of
payments. On the basis of recent case law, if in the future the CJEU is faced with cases
concerning provision of payment services that can only be assessed by reference to
services and payments/capital, the CJEU would consider the primary freedom.
Stakeholders welcomed the increased importance of EBA under PSD2, although the
requirement to implement the guidelines before PSD2 raised some concerns. There is
no doubt that for the consistent application of PSD2 in the future, the expertise and
support of EBA will be indispensable.
EU regulations governing payment services have progressed constantly in recent years
with the regulators’ intention to take account of e-payment developments. To create a
harmonised legal framework for payment services and simultaneously encourage
innovation is really hard work. This paper has aimed at offering a first assessment of
this work in order to highlight the main areas of concern.
BIBLIOGRAPHY
Legislation
Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14
March 2012 establishing technical and business requirements for credit transfers and
direct debits in euro and amending Regulation (EC) No 924/2009
Regulation (EC) No. 924/2009 on Cross Border Payments in the Community
Directive 2009/110/EC of the European Parliament and of the Council of 16 September
2009 on the taking up, pursuit and prudential supervision of the business of electronic
money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing
Directive 2000/46/EC
Council Directive of 24 June 1988 for the implementation of Article 67 of the Treaty
(88/361/EEC)
Directive 2007/64/EC of the European Parliament and of the Council of 13 November
2007 on payment services in the internal market amending Directives 97/7/EC,
2002/65/EC, 2005/60/EC, and 2006/48/EC and repealing Directive 97/5/EC
Proposal for a Directive of the European Parliament and of the Council on payment services in
the internal market and amending Directives 2002/65/EC, 2013/36/EU and
2009/110/EC and repealing Directive 2007/64/EC
Books
Despina Mavromati, The Law of Payment Services in the EU: The EC Directive on
Payment Services in the Internal Market (Kluwer Law International, The Netherlands,
2008)
Ross Anderson, Protocol Governance: The Elite or the Mob? Security Protocols XX:
20th International Workshop (Cambridge, 2012)
Noah Vardi, “The Integration of European Financial Markets: The Regulation of
Monetary Obligations.” (The University of Texas at Austin, 2010)
Wen-Chen Hu, Chung-wei Lee & Weidong Kou, Advances in Security and Payment
Methods for Mobile Commerce (Idea Group Publishing, 2005)
Dennis Abrazhevich, Electronic Payment Systems: a User centered perspective and
Interaction Design (Technische Universiteit Eindhoven, 2004)
Journal Articles
Boudewijn, Gijs “PSD2: EPC Key Considerations Address Aspects Related to Third
Party Payment Service Providers and Article 67” (January 2014) EPC Newsletter Issue
21
Seibel, Helmut “PSD2: Analysis of the Selected Aspects of Recent European parliament
Report Raises More Questions for Clarification” (April 2014) EPC Newsletter 22
P. Desmares, B. Ramé, “Banks Faced with PSD2: around payments and beyond, digital
wallets and new services” (2014 September) Efma Report
Gijs Boudewijn, “PSD2: EPC Identifies Considerable Scope for Amendments of the
Proposed New Set of Rules Related to the Activity of Third Party Payment Service
Providers Offering Payment Initiation or Payment Account Information Services” (2014)
European Payments Council Blog and Discussion Board
Maria Troullinou, “An Update on Changes to the New Payment Services Directive
(PSD2)” EPC Newsletter 28.07.2015
Maria Chiara Malaguti, “The Payment Services Directive, Pitfalls between the Acquis
Communautaire and National Implementation” (2009) ECRI Research Reports No. 9
Dr. Matthias Terlau, Dr. Daniel Walter, “PSD2 – Future authorisation requirements for
department store cards, gift vouchers, petrol cards and stadium cards? The new limited
network exception” (2013) Payment Services Law Blog
Cases
CJEU
Case C-452/04 Fidium Finanz v Bundesanstalt für Finanzdienstleistungsaufsicht [2006]
ECR I-9521
Case C-358/93 and C-416/93 Criminal proceedings against Aldo Bordessa and others
[1995] ECR I-361
Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411
Case C-144/04 Mangold v Helm [2006] 1 CMLR 43
Case C-60/90 Francovich [1991] ECR I-5357
European National Courts
Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481 ING BANK N.V. v. AFAS
SOFTWARE B.V [2014]
Landesgericht Köln, Urteil v. 29.09.2011, Az. 81 O 91/11, (Notwendige BaFin-Lizenz bei
Online-Zahlungsmöglichkeit) http://tlmd.in/u/1307
Conseil d’Etat, Case No. 354957, l'Autorité de contrôle prudentiel v la société Printemps
ECLI:FR:CESSR:2013:354957.20130424
(http://www.legifrance.gouv.fr/affichJuriAdmin.do?oldAction=rechJuriAdmin&idTexte=CETATEXT000027353547&fastReqId=1333016665&fastPos=1)
Further sources
European Banking Authority (2014) “Final Guidelines on the Security of Internet
Payments”
European Banking Authority (2014) “Consultation Paper on the implementation of draft
EBA guidelines on the security of internet payments prior to the transposition of the
revised Payment Services Directive (PSD2)”
European Banking Authority (2015) “Compliance Table - Guidelines - Based on
information supplied by them, the following competent authorities comply or intend to
comply with: EBA Guidelines EBA/GL/2014/12 on the security of internet payments,
published on 19th December 2014”
European Central Bank (2013) “SEPA, an Integrated Retail Payments Market”
European Commission (2011) “Green Paper of the European Commission on towards
an integrated European market for card, internet and mobile payments”
(COM/2011/0941 final)
European Commission, (2007) “Payment Services Directive: Frequently Asked
Questions” Memo/07/152
European Commission, (2013) Report from the Commission to the European
Parliament and the Council on the application of Directive 2007/64/EC on payment
services in the internal market and on Regulation (EC) No. 924/2009 on cross-border
payments in the Community COM(2013) 549
OECD (2006) “Online Payment systems for E-Commerce”
European Central Bank (2015) “Fourth Report on Card Fraud”
London Economics and iff in association with PaySys (2013) “Study on the Impact of
Directive 2007/64/EC on Payment Services in the Internal Market and on the
Application of Regulation (EC) No. 924/2009 on Cross Border Payments in the
Community”
Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011
European Payment Institution Federation (2014) “EPIF Position on the Payment
Services Directive 2”
European Payment Institution Federation (2013) “EPIF Position Paper on
Payment Initiation Services”
European Payment Institution Federation (2013) “EPIF Position on the Review of the
PSD and the Follow up to the Green Paper on Innovative Payments”
Jane Khodos (2015) Frequently Asked Questions with respect to the EBA Guidelines on
the Security of Internet Payments, Insights & Research
(http://newsroom.mastercard.com/documents/frequently-asked-questions-with-respect-
to-the-eba-guidelines-on-the-security-of-internet-payments/)
Prudentiz (2015), Council Publishes New Wording of PSD II
(http://prudentiz.eu/payment-services-directive-ii)
Mastercard (2014) “Mastercard’s comments on the EBA Consultation Paper on the
implementation of draft EBA guidelines on the security of internet payments prior to the
transposition of the revised Payment Services Directive (PSD2)”

FinTech Belgium – PSD2 _One year later MeetUp – Anni Mykkänen– EBF – 14-09-20
 
Insights Brussels May 2015
Insights Brussels May 2015Insights Brussels May 2015
Insights Brussels May 2015
 
Euro shorts 15.11.13 including trade repositories, short selling and the FTT
Euro shorts   15.11.13 including trade repositories, short selling and the FTTEuro shorts   15.11.13 including trade repositories, short selling and the FTT
Euro shorts 15.11.13 including trade repositories, short selling and the FTT
 
Revised Payment Services Directive - A Brief Explanation
Revised Payment Services Directive - A Brief ExplanationRevised Payment Services Directive - A Brief Explanation
Revised Payment Services Directive - A Brief Explanation
 
Boot Camp PSD II – Third Party Access To Accounts
Boot Camp PSD II – Third Party Access To Accounts Boot Camp PSD II – Third Party Access To Accounts
Boot Camp PSD II – Third Party Access To Accounts
 
http___eur-lex.europa
http___eur-lex.europahttp___eur-lex.europa
http___eur-lex.europa
 
Euc Payment System End Users Committee (Euc)
Euc Payment System End Users Committee (Euc)Euc Payment System End Users Committee (Euc)
Euc Payment System End Users Committee (Euc)
 
MIFIDII and MIFIR regulation
MIFIDII and MIFIR regulationMIFIDII and MIFIR regulation
MIFIDII and MIFIR regulation
 
PSD2 Strategic options for banks_Accenture Strategy and Accenture Payment Ser...
PSD2 Strategic options for banks_Accenture Strategy and Accenture Payment Ser...PSD2 Strategic options for banks_Accenture Strategy and Accenture Payment Ser...
PSD2 Strategic options for banks_Accenture Strategy and Accenture Payment Ser...
 
Initio - Regulatory watch - January 2019
Initio - Regulatory watch - January 2019 Initio - Regulatory watch - January 2019
Initio - Regulatory watch - January 2019
 
Towards a comprehensive european framework for online gambling eu com(2012) 5...
Towards a comprehensive european framework for online gambling eu com(2012) 5...Towards a comprehensive european framework for online gambling eu com(2012) 5...
Towards a comprehensive european framework for online gambling eu com(2012) 5...
 
Boot Camp - European Interchange Regulation: State of Play
Boot Camp - European Interchange Regulation: State of PlayBoot Camp - European Interchange Regulation: State of Play
Boot Camp - European Interchange Regulation: State of Play
 
Reaping the benefits of electronic invoicing for Europe
Reaping the benefits of electronic invoicing for EuropeReaping the benefits of electronic invoicing for Europe
Reaping the benefits of electronic invoicing for Europe
 

Dissertation_Egertz_PSD2

  • 1. 1 Submitted by: Candidate number V31767 Dissertation submitted for the degree of Master of Arts in European Union Law King’s College London 2015 Word Count: 12,302. SECURITY VS. INNOVATION An Analysis of the Regulatory Change in the European Payment Services Industry
  • 2. 2 ABSTRACT While writing this thesis the EU was at the end of the process of updating its regulatory regime for payment services to reflect the ever changing nature of the payment services market. On 2nd of June 2015 the EU Council finally published the final compromise text of the recast Payment Services Directive (PSD2) following a provisional agreement reached between the EU Council, the EU Parliament and the EU Commission in May 2015. The Parliament’s agenda released on 10th of September, scheduled PSD2 for a vote on 6th of October, 2015. Although the final text is set many questions lack clear answers and need to be addressed accordingly. This paper attempts to address the main concerns regarding the innovations of PSD2 and testing the directive’s wording against existing payment schemes while evidencing a number of disputable issues. Furthermore, although CJEU case law resources are very limited on PSD, this paper looks at the challenging exercise of putting PSD2 in the context of the fundamental freedoms. Since the subject of the present paper is based on current technological inventions and the most up-to date regulatory change that tries to keep up with this rapid development, the secondary resources include several articles that can be found on the internet and on different e-commerce platforms. These were elaborately referenced in the bibliography.
  • 3. 3 Due to the fact that legislation is under voting process, this paper is based on the final compromise text of PSD2 dated 2nd of June, 2015.
  • 4. 4 LIST OF CONTENTS
    ABSTRACT (p. 2)
    LIST OF CONTENTS (p. 4)
    ABBREVIATIONS (p. 7)
    INTRODUCTION (p. 9)
    FINANCIAL INTEGRATION IN THE EU: FROM SEPA TO A HARMONIZED LEGAL FRAMEWORK (p. 12)
    NEED FOR FURTHER REGULATION (p. 16)
      Electronic payments (p. 16)
      Regulatory Difficulties (p. 17)
      Drivers for Change: the Payment Services Reform (p. 18)
    OVERVIEW OF THE PAYMENT SERVICES DIRECTIVE 2 (p. 21)
      Review of PSD1 (p. 21)
      The scope of PSD2 (p. 23)
        Geographical scope (p. 23)
        Material scope (p. 24)
    NARROWING EXCLUSIONS (p. 25)
      Commercial agents (p. 25)
      Limited network exemption (p. 27)
    BROADENING THE SCOPE OF PAYMENT SERVICES (p. 33)
      Payment Initiation Services (p. 34)
      Account Information services (p. 37)
    ACCESS TO PAYMENT’S ACCOUNTS (p. 39)
    SECURITY OF PAYMENTS (p. 44)
      Payment Card Fraud: Examples from Recent Cases (p. 45)
      Strong Customer Authentication in PSD2 and in the EBA Guidelines (p. 47)
    PSD2 AND THE FUNDAMENTAL FREEDOMS (p. 51)
      PSD2 and the Free Movement of Services and Capital and Payments (p. 52)
      Applicability of Several Freedoms (p. 55)
      PSD2 and the Freedom of Establishment: Passporting (p. 56)
    CONCLUSION (p. 58)
  • 5. 5
    BIBLIOGRAPHY (p. 62)
      Legislation (p. 62)
      Books (p. 63)
      Journal Articles (p. 64)
      Cases (p. 65)
        CJEU (p. 65)
        European National Courts (p. 65)
      Further sources (p. 66)
  • 7. 7 ABBREVIATIONS
    ACP: French Financial Authority
    ATM: Automated Teller Machine
    BaFin: The German Federal Financial Supervisory Authority
    CNP: Card not present transaction
    EBA: Euro Banking Association
    EC: European Commission
    ECB: European Central Bank
    EEA: European Economic Area
    EMV: EuroPay, MasterCard and Visa
    EPC: European Payments Council
    EPIF: European Payment Institutions Federation
    EU: European Union
    FCA: British Financial Conduct Authority
    POS: Point of sale terminals
    PSD1: Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC
    PSD2: Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing
  • 8. 8 Directive 2007/64/EC - Confirmation of the final compromise text with a view to agreement – text dated 2 June 2015
    PSP: Payment Services Provider
    SEPA: Single Euro Payments Area
    TPP: Third Party Payment Service Provider
  • 9. 9 INTRODUCTION
    In the 1990s some products were still unavailable in shops, especially in isolated areas. Today products can be ordered quickly and simply online from anywhere and shipments are made across borders. It is now hard to imagine life without internet shopping. As a result there is a demand for simple and secure online payment processes. Merchants want to receive payments immediately, while customers want their goods without delay. A wide variety of payment services are offered to meet these needs. However, these methods currently expose customers, merchants and their banks to various risks. The extent to which they are regulated also differs.
    The regulations governing payment services throughout the EU have progressed constantly in recent years with the regulators’ intention to take account of e-payment developments and to make better use of the opportunities offered by the internal market. In order to create a harmonised legal framework for payment services and simultaneously encourage innovation, the first Payment Services Directive (PSD1) was adopted in 2007 to lay down the foundations for a more secure, efficient and open market.
    Since then technological innovations and new payment practices have emerged together with new service providers outside the scope of PSD1. Nowadays if someone forgets his wallet it does not matter, he can still pay in stores via PayQwiq, a new UK
  • 10. 10 service that lets customers pay and earn Tesco Clubcard points using just the customer’s phone[1].
    New technologies, new business models, new players: developments are accelerating and interacting. They are changing the world of financial services, especially that of payments. By creating new types of status, the regulations have favoured the emergence of non-banking players on the payment market. Combined with changing consumer needs and technologies, they have therefore called into question existing balances.
    On 24 July 2013, the Commission adopted a legislative package for the EU payments framework. According to the Commission the package including the revised Payments Services Directive (PSD2) will help the payments framework to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefit of all stakeholders and consumers in particular[2].
    [1] http://www.thegrocer.co.uk/channels/supermarkets/tesco/tesco-digital-wallet-to-speed-up-checkout-process/355060.article
    [2] http://ec.europa.eu/finance/payments/framework/index_en.htm
  • 11. 11 Recital 5 of PSD2 briefly summarizes the drivers that led the Commission to adopt a new directive: “New rules should be provided in order to close the regulatory gaps while at the same time providing for more legal clarity and ensuring a consistent application of the legislative framework across the Union. Equivalent operating conditions should be guaranteed to both existing and new players on the market, facilitating new means of payment to reach a broader market and ensuring a high level of consumer protection in the use of these payment services across the whole of the Union. This should generate efficiencies in the payment system as a whole and should lead to more choice and transparency of payment services, while strengthening the trust of consumers in a harmonized payments market”.[3]
    This paper attempts to address the main concerns regarding the innovations of PSD2 and to assess whether and how the European Commission’s proposal for amending this legal framework will provide the necessary legal certainty for market players.
    [3] Recital 5 of PSD2
  • 12. 12 FINANCIAL INTEGRATION IN THE EU: FROM SEPA TO A HARMONIZED LEGAL FRAMEWORK
    Harmonisation of payments in the EU started with the introduction of the euro in 1999, which was followed by the euro cash changeover in 2002. The introduction of the euro, however, did not close the gap that existed between domestic and cross-border retail payment systems, with different rules being applicable for domestic and cross-border euro and national currency payments. Therefore the launching of the Single Euro Payments Area (SEPA) in 2002 represented a further major step in financial integration through creating a single market for all euro payments that drives competition and innovation and thus brings better services for customers[4].
    In 2008 and 2009 the European Payments Council (EPC) introduced the so-called SEPA schemes with the intention to harmonize national and cross-border payments in the EU. These schemes, however, were merely self-regulatory initiatives, as the initiator - not being an EU legislative body - has no role in the adoption of EU legislation establishing SEPA compliance requirements. These EPC SEPA schemes covered rulebooks, practices and standards applicable to euro payments which provided a common understanding on how to move funds from account A to account B within SEPA.
    [4] The SEPA project started when the banking industry created the EPC in response to the European regulation on cross-border payments in euro (Regulation (EC) No. 2560/2001 of the European Parliament and of the Council of 19 December 2001). This regulation established that payment charges for cross-border euro payments within the EU should be the same as those applied to corresponding domestic euro payments, for instance credit transfers and card payments. European Central Bank, (2013) “SEPA, an Integrated retail Payments Market”.
  • 13. 13 At the beginning of 2012 the Commission declared that with the adoption of a regulation establishing technical requirements for credit transfers and direct debits in euros a more active involvement of the EU institutions in the SEPA governance may be useful[5]. In March 2012 the SEPA Regulation was adopted, which laid down rules for the initiation and processing of credit transfer (SCT) and direct debit transactions (SDD) in euro within the EU[6]. With this regulation the schemes have to comply with the technical requirements detailed in Article 5 and in the Annex of the regulation. Further, the European Commission is empowered to amend the technical requirements set out in the Annex through “delegated acts”.
    The SEPA regulation determined a timeline of implementation. For the euro area, the final deadline was 1 February 2014[7]. The migration deadline for euro-denominated payments in non-euro area countries is 31st of October 2016. As of these dates, existing national retail credit transfers and direct debit schemes in euro will have to be terminated and replaced by SEPA alternatives.
    On 1st of November 2009 PSD1 was transposed into legislation in most EU member states and thus the necessary legal framework for SEPA has been established. PSD1 was intended to help develop SEPA, to set common standards for payment services terms and conditions and most importantly to regulate payment institutions in order to
    [5] Green Paper of the European Commission on “Towards an integrated European market for card, internet and mobile payments” (COM/2011/0941 final)
    [6] Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009. Under a credit transfer the payer sends a payment instruction to his payment service provider who then moves the funds to that of the payee. This can be carried out via several intermediaries. Under a direct debit, which requires the payer’s authorization, the payee through his service provider initiates a transfer from the payer’s account (e.g. utility bills). Under SEPA credit transfers are abbreviated SCT and direct debits SDD.
    [7] The Commission introduced an additional transition period of 6 months so SEPA became fully operational on 1st of August 2014 in the Eurozone.
  • 14. 14 encourage non-banks to enter the market[8]. Additionally PSD1 provided increased consumer protection and transparency and established maximum processing times for payments in euro and other EU currencies. Additionally PSD1 was unique in the sense that it was the first European law to affect payments in EU currencies other than the Euro.
    So what is the relation between the SEPA Regulation and PSD1? The SEPA project and the development of the related payment instruments were purely market-led initiatives[9]. SEPA payments and related services are subject to a harmonized legal framework in the EU irrespective of the countries involved in the transaction. PSD1 and PSD2 on the other hand provide a harmonized legal framework for payments; however, it is not restricted to euro transactions only. PSD1 applies to all payment services in all EU currencies within the EU, at both the cross-border and national levels. PSD2 goes further, covering non-EEA currencies and in some respects including transactions with non-EU service providers, which eventually means that regarding material scope PSD2 goes beyond EEA borders.
    Figure 1 shows the differences between the SEPA regulation scheme, the now effective PSD1 and PSD2, which is under the voting process.
    [8] According to Memo/07/152 of the Commission dated 24 April 2007, the diverging legal rules in 27 different Member States represent a significant impediment to new payment service providers (such as supermarkets, telecom or IT providers), and effectively block them from competing and offering their services throughout the Internal Market.
    [9] Noah Vardi, “The Integration of European Financial Markets: The Regulation of Monetary Obligations.” (The University of Texas at Austin, 2010)
  • 15. 15 Figure 1.
    | | SEPA | PSD1 | PSD2 |
    |---|---|---|---|
    | Legal status | Until the SEPA Regulation was adopted in March 2012, SEPA was only self-regulatory. The technical requirements of the SEPA regulation can be modified through delegated acts of the Commission. | Directive | Directive |
    | Geographical scope | EU/EEA and Switzerland | EU/EEA | EU/EEA[10] |
    | Material scope | Technical and business requirements for SCT, SDD, card payments | Payment services | Payment services |
    | Personal scope[11] | PSP to PSP | PSP to customer | PSP to customer |
    | Currency | Euro | Euro and non-euro currencies of the EU/EEA | any currency |
    PSP: Payment Service Provider
    [10] PSD2 in some respects also covers those transactions where funds are sent to or received from a PSP established outside of the EEA in respect of those parts of the payment transaction which are carried out in the Union.
    [11] In this context personal scope means the personal relation where rules apply.
  • 16. 16 NEED FOR FURTHER REGULATION
    Electronic payments
    Electronic payments are carried out between the payer and the payee through intermediaries, i.e. banks or payment service providers (PSPs) who control the chosen type of e-payment to check payment validity and to carry out the transaction on behalf of the payer. Compared to cash payments lacking any intermediaries, electronic payments can cross borders. The intermediary is not necessarily located in the payer’s or the payee’s country. Electronic payments require intermediaries even if the payment is carried out between two natural persons and even in cases where payment is initiated via mobile phones where only the payee’s mobile number or email address is given.
    E-payments are a non-cash means of payment made online. All those payments that are made through an electronic device could be regarded as electronic payments. Electronic payments can be categorized in numerous ways. The narrower definition covers only those transactions that are linked to a contract concluded online, being a part of e-commerce. The broader definition includes electronic payments that are not linked to a specific good or service ordered via the internet. This group covers bank transfers, direct debits, internet banking, telebanking, mobile banking and card payments via POS terminals. Further categorization is possible on the basis of technology (internet payment, mobile payments), the amount of transaction (micro, macro payments), the parties involved (B2B - business to business, P2P - person to
  • 17. 17 person), payment conditions (pre-paid, direct paid, post-paid) or whether the transaction is linked to a payment account (not necessarily a bank account).[12]
    Regulatory Difficulties
    Competition fosters technological development, which is market driven, and the market decides whether a technology is acceptable or not. The competition between mobiles and PCs resulted in the invention of notebooks, and then mobile manufacturers came forward with smartphones, which were followed by tablets and smarter phones. Technological convergence is the process by which existing technologies merge into new forms that bring together different types of media and applications. The internet is perhaps the most widespread example of technological convergence: virtually all entertainment technologies, from radio and television to books and games, can be viewed and played online.[13] Technology now makes it possible to work out of office. This development - although it helps the economy recover and increases competition - has a serious sociological impact: office hours merge with out of office hours and it is becoming more and more difficult to determine the time spent on work.
    The now effective European law tries to regulate this continually changing field to increase competition and to protect consumers. It is very difficult to give a unified regulation for e-payments bearing in mind the disparities in various European markets, and regulation has to cover non-EU countries as well. Legislature faces the following
    [12] OECD (2006) “Online Payment systems for E-commerce”, http://www.oecd-ilibrary.org/science-and-technology/online-payment-systems-for-e-commerce_231454241135
    [13] http://www.wisegeek.org/what-is-technological-convergence.htm
  • 18. 18 extremities: overregulation in order to eliminate fraud on one side and inadequate regulation on the other. Nevertheless poor regulation could be better than having no regulation at all. The market will price both legal uncertainty and the risk of possible fraud.
    In order to regulate electronic payment transactions, it is necessary to harmonize various directives relating to e-commerce, payment services, distance contracts, e-money institutions, credit institutions and consumer and data protection. This legislation should seek to enhance trust in electronic transactions on the internal market, i.e. to ensure that the consumer can acquire ownership over the goods or services he bought via the internet, that the seller receives the counter value of the goods or services he sold, that the data of the payer are not disclosed and he pays exactly the same amount and not more than the counter value of the goods or services and last but not least that the technology used for the transaction is safe and secure.
    Drivers for Change: the Payment Services Reform
    In July 2013 the EC submitted a keynote legislative proposal for the EU payment services industry when issuing its review of PSD1[14]. The proposal caused heated debates as it pointed out that due to technological innovation, new entrants appeared on the payment market, who offered cheaper payment solutions while falling outside the scope of regulatory supervision. The reason behind the lack of regulation was that these service providers were at no time in the possession of either the payers’ or the payees’
    [14] Report from the Commission to the European Parliament and the Council on the application of Directive 2007/64/EC on payment services in the internal market and on Regulation (EC) No. 924/2009 on cross-border payments in the Community COM(2013) 549
  • 19. 19 funds. Although the provision of cheaper solutions was welcomed, the lack of supervision raised security, data protection and liability issues.
    One of the most striking features of PSD2 is that payment services no longer fall under the scope of banking monopoly. Regulators had to respond to recent transformations in the payment market, driven by new technologies, changing customer behaviour and the need to cut costs. Some years ago the market was dominated by banks mostly but now new entrants, so far outside the umbrella of European regulatory provisions, are attacking their positions, challenging their role in payments.
    According to some experts banks welcome the fact that new entrants providing payment initiation services will fall within the scope of PSD2[15]. This could be disputable as banks operate on a cartelised and sensitive market in the sense that banks are under strict regulatory control and they enjoy exclusivity regarding payment services and therefore are obviously unwilling to give a fraction of their market to newcomers on one hand, and open up data on payment accounts on the other, which would definitely undermine customers’ trust. There is no doubt that banks will definitely respond to such a market division and they will come forward with new services or enter into cooperation agreements with such new service providers.
    With digitalization and mobility, banks are changing the way customers can access banking services. Now there is no need to go to the nearby branch for banking services
    [15] Desmares, B. Ramé, “Banks Faced with PSD2: around payments and beyond, digital wallets and new services” (2014 September) Efma Report
  • 20. 20 as one can fulfil his banking needs right on his iPad[16]. According to a recent report, a total of 2,000 physical UK branches have been shut over the past five years[17] and the same trend is experienced all over the EU.
    ECB’s fourth report on card fraud shows that the total value of card fraud using cards issued in SEPA amounted to €1.44 billion in 2013[18]. It is striking though that compared with 2012, card not present (CNP) fraud (payments using credit card credentials through the internet, phone or mail) has become an even more important channel for fraud, whereas ATMs and POS terminals have become less important. According to ECB, CNP accounted for 66%, POS for 20% and ATM for only 14% of the total value of fraud. Fraudsters are becoming more sophisticated, therefore regulators must always go one step further in order to ensure the security of electronic payments, the protection of users and the development of a sound environment for e-commerce.[19]
    Taking into account the above drivers for change, PSD2 introduces the following major changes:
    1. Expands the territorial scope provisions;
    2. Narrows down the exemptions (i.e. tightens negative scope);
    3. Expands the market by regulating new service providers;
    4. Allows access to payment accounts;
    [16] http://letstalkpayments.com/10-banking-concepts-put-branch-ipad/
    [17] http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/11863736/Thousands-more-UK-bank-branches-could-face-closure.html
    [18] ECB (July 2015) “Fourth Report on Card Fraud”
    [19] Recital 51(aa) of PSD2
  • 21. 21
    5. Strengthens EBA’s role in regulation and coordination;
    6. Harmonizes the “passporting” rules;
    7. Defines new service providers’ liability and
    8. Introduces strong customer authentication.
    OVERVIEW OF THE PAYMENT SERVICES DIRECTIVE 2
    Review of PSD1
    In accordance with Article 87 of PSD1, the European Commission must carry out a review of PSD1 and report its findings to the European Parliament and the European Council. The Commission issued its report in the middle of 2013 and highlighted that “a number of changes could be envisaged to the PSD to enhance its effect, clarify a number of its aspects, and provide a level playing field and to take into account technological developments.”[20]
    The Commission’s review and its Green Paper cited above led to the conclusion that further measures and regulatory updates, including adjustments to PSD1, are required. This would help the payments framework to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security[21].
    [20] Report from the Commission - COM(2013) 549
    [21] http://europa.eu/rapid/press-release_IP-13-730_en.htm
  • 22. PSD2 will impact credit institutions already operating within the scope of PSD1. As mentioned above, with the advancement of technology, e-commerce marketplaces, gift card and loyalty schemes, public communication networks, account access services and mobile wallets will come under the scope, as PSD2 intends to regulate anyone who receives payment by credit transfer or direct debit within SEPA. Some of these new entrants, called third party payment service providers (TPPs), which gain access to bank accounts that they do not manage in order to offer payment initiation services or account information services, shall adopt the status of payment institution and comply with EU regulations.[22] PSD2 does not contain a definition of a TPP. The Commission proposed in mid-2013 that a new set of business models be expressly regulated under PSD, what it collectively referred to as “third party payment service providers”. These include services based on access to payment accounts provided by a payment service provider who is not the account servicing payment service provider, in the form of payment initiation services and account information services[23]. Although PSD2 includes a detailed definition section under Article 4, the TPP is not defined. The wording of Article 58 (4)a on the other hand declares that TPPs can operate independently, as third parties of banks:
[22] PSD2 Recital 18
[23] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
  • 23. “The provision of payment initiation services shall not be made dependent on the existence of a contractual relationship between the payment initiation service providers and the account servicing payment service providers for that purpose.”
The scope of PSD2
Compared to PSD1, the scope of the PSD2 is extended, both as regards the geographical scope and the material scope.
Geographical scope
PSD1 applies only where both the payer’s and the payee’s PSP are, or the sole PSP in the payment transaction is, located in the EU. Therefore it was possible for businesses outside the EU to provide payment services to EU citizens without being subject to the requirements of PSD1. Malaguti emphasized in her paper on PSD1 that no definition exists of when a payment service is provided within the Community; since the definition of payment services refers to the business activities enabling the customer to execute either a deposit, a withdrawal or a payment, under PSD1 it could be reasonably assumed that the relevant location of the service should be where the PSP renders the service to its customer[24].
[24] Maria Chiara Malaguti, The Payment Services Directive, Pitfalls between the Acquis Communautaire and National Implementation, (2009) ECRI Research Reports No. 9 p 21
  • 24. PSD2 is unique in the sense that transactions in non-European currencies where both the payer’s and the payee’s PSP (or the sole PSP in the transaction) are located in the EU will be caught, as will the so called “one leg out” payment transactions in all currencies, i.e. where only one PSP is located in the EU[25]. PSD2 will not extend its geographical scope outside of the EEA because only those parts of the payment transaction will be affected that are sent to or received from a non-EEA PSP and are carried out in the EU[26]. One leg out transactions will be explained in more detail below.
Material scope
Like PSD1, PSD2 contains a positive and a negative scope provision. The latter outlines the conditions under which the directive will not apply. These exemptions have been redrafted in PSD2 as the former ones were too general or outdated and led to different interpretations at national level. PSD2 narrows the negative scope and extends the positive scope, thus covering more payment services than PSD1.
[25] Indeed the 2005 Commission proposal had defined the scope of PSD1 as to apply when at least one of the payment service providers is located in the Community. (Malaguti, The Payment Services Directive... p. 21)
[26] Article 2.1b)
  • 25. NARROWING EXCLUSIONS
Commercial agents
In payment transactions where a commercial agent acts as an intermediary in the usual scenario (payee – payer – commercial agent), the risks against which PSD1 secures the market and users do not arise in principle[27]. However, the picture becomes different if we take into account such huge online marketplaces as eBay or Amazon. Under PSD1 it was possible to rely on an exemption in order to avoid requiring a payment institution license:
“Payment transactions from the payer to the payee through a commercial agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee.”[28]
The exclusion was made available for payment transactions carried out from the payer (buyer) to the payee (seller/merchant) through a commercial agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee. Lieferheld, a German platform for the delivery of meals, was sued by a competitor because it offered online payment for its clients. A German court decided that Lieferheld
[27] Study on the Impact of Directive 2007/64/EC on Payment Services in the Internal Market, London Economics, 2013 February p.124
[28] Article 3(b) of PSD1
  • 26. unlawfully offered payment services. Subsequently, Lieferheld changed its contract terms with restaurants in order to comply with the commercial agent exemption and to continue to offer its payment services without a payment institution license.[29] Even though many online platforms have sought to rely on the above exemption, not every EU regulator has accepted it for this purpose. In particular, the German regulator, BaFin, has issued public guidance discouraging its use[30]. The Study on the impact of PSD1 has also confirmed that, because PSD1 is insufficiently clear about a situation where the provider acts for both parties at the same time, providers facilitating the trade of goods or services between a payer and payee may seek to rely on the exemption for commercial agents to remain outside the PSD regime[31]. Although the language of Article 3(b) has not materially changed in PSD2, reference to the word “agreement” became important. According to the Study on the Impact of Directive 2007/64/EC, businesses providing mere communication with no specific focus on any of the participants should not benefit from the exemption because active solicitation is required[32]. The second important feature of this Article is that the exemption applies when agents act only on behalf of the payer or payee but not both:
[29] LG Köln, Urteil v. 29.09.2011, Az. 81 O 91/11, http://tlmd.in/u/1307
[30] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011 http://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_111222_zag.html
[31] Study on the impact... p.125
[32] Study on the impact... p.125
  • 27. “Payment transactions from the payer to the payee through a commercial agent authorized via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee.”[33]
Where agents act on behalf of both parties (e.g. eBay) the exemption will only apply in cases where the agent does not come into possession, or have control, of clients’ funds[34]. It seems though that PSD2 does not totally exclude e-commerce marketplace providers from the exemption. These could still rely upon this exemption if they act as agents of their customers, that is, merchants, although the transaction is carried out to the benefit of both merchants and buyers. It will be left to national law to decide whether to exempt such marketplaces or to apply a strict approach and deny exemption.
Limited network exemption
PSD1 exempts payment transactions based on payment instruments accepted only within the issuer's premises or certain limited networks:
[33] Article 3(b) of PSD2
[34] Recital 18 of PSD2
  • 28. “Services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services.”[35]
This applies e.g. to store cards, gift cards, fuel cards and loyalty programs. There are four joint conditions of this exemption:
1. the service should involve an instrument,
2. the service shall be designed for paying for goods or services,
3. the goods or services are purchased on the issuer’s premises and finally
4. the limited nature of either the service provider network (regardless of the range of goods or services) or of the range of goods or services affected by the payment.
So the question arises whether loyalty cards valid for certain stores and their subsidiaries which are used to acquire an unlimited range of goods are caught or not. What does a limited network actually mean? Do premises include the internet? The French financial regulator, ACP, tried to interpret the above exemption of PSD1 restrictively. Thus the above exemption was limited to a network of stores operating under the same brand. It explicitly excluded subsidiaries and other third parties within the network using other brands. Interestingly, the Conseil d’Etat has overruled this
[35] Article 3(k) of PSD1
  • 29. decision but has specified that a network may be considered as limited if it meets other objective criteria, such as "a limited geographical area, significant financial relations, or close commercial relations, between members of the network." The French court highlighted that anyone providing payment services, even if exempted from a license, is involved in the financial system, therefore the ACP can impose any conditions "which are designed to safeguard the security of means of payment and protect their users.”[36] The German BaFin also applied the strict approach: no authorization was needed for local public transport cards even when used for the purchase of travel supplies, and petrol cards were exempted only when issued by local petrol stations[37]. Where the choice of products was particularly limited (i.e. only transport service), BaFin has shown willingness to accept a nationwide scope. Department store cards usable in multiple stores belonging to one concern were considered to require authorisation by BaFin. Discount cards may thus only be issued without authorisation where their application is regionally limited[38]. According to the Recital of PSD2 the main reason for re-regulating this exemption was to catch those unregulated service providers whose payment activities often comprise
[36] Case No.354957 ECLI:FR:CESSR:2013:354957.20130424 of the Conseil d’Etat, http://www.legifrance.gouv.fr/affichJuriAdmin.do?oldAction=rechJuriAdmin&idTexte=CETATEXT000027353547&fastReqId=1333016665&fastPos=1
[37] Dr. Matthias Terlau, Dr. Daniel Walter, “PSD2 – Future authorisation requirements for department store cards, gift vouchers, petrol cards and stadium cards? The new limited network exception” (2013) Payment Services Law Blog
[38] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011
  • 30. significant payment values but escaped regulation due to PSD1’s vague and too general wording:
“Feedback from the market shows that the payment activities covered by the limited network exception often comprise significant payment volumes and values and offer to consumers hundreds or thousands of different products and services, which does not fit the purpose of the limited network exemption as provided for in Directive 2007/64/EC. That implies greater risks and no legal protection for payment service users, in particular for consumers and clear disadvantages for regulated market actors. To help limit these risks, the same instrument cannot be used to make payment transactions to acquire goods and services within more than one limited network or to acquire an unlimited range of goods and services.”[39]
These players are now competing with regulated institutions and therefore enjoy unjustified competitive advantages in terms of initial capital and liabilities[40]. Although PSD2 tried to make the wording precise, this was not very successful as the current text contains some undefined legal terms which are subject to interpretation. This causes legal uncertainty and results in an approach that PSD2 tried to avoid: different national interpretations will co-exist and the application of the exemption will need to be decided on a case-by-case basis.
[39] Recital 12 of PSD2
[40] Recital 12 of PSD2
  • 31. On the basis of PSD2 the directive shall not apply to:
“(k) services based on specific payment instruments that can be used in a limited way should be excluded if one of the following conditions is met:
1. instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
2. instruments which can be used only to acquire a very limited range of goods or services;
3. instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer”.[41]
The main criticism of PSD1’s limited network exemption was that there were no clear guidelines on what is meant by limited other than some domestic regulators’ case-by-case guidance[42]. PSD2 does nothing to further clarify the criteria of this exemption. Reference to premises is insufficient as a lease relationship between the issuer and seller could be an adequate substitute. The wording of “limited networks of service providers that are under direct commercial agreement with a professional issuer” is not
[41] Article 3(k) of PSD2
[42] Recital 12 of PSD2
  • 32. explicit enough. Direct could mean the exclusion of subcontractors, therefore PSPs in a limited network must conclude commercial contracts with the issuer directly but not with its subcontractors. The term professional issuer remains equally undefined. Let’s compare
(a) a card issued by a large department store with nationwide presence for acceptance in its own stores (e.g. Tesco’s clubcards) and
(b) a card issued by several merchants (i.e. a group of companies) (e.g. the Hungarian SuperShop card[43]).
While (a) will not require authorization, in case of (b) it seems that authorization would be necessary on the basis that the network is not very limited. The new expression of PSD2 “very limited” is not explicit. Instruments for the acquisition of only one range of goods are definitely covered but what about 3, 5 or 20 ranges? Unlike PSD1, PSD2 under Article 30 provides for mandatory notification by PSPs if they intend to offer activities within a limited network[44]. Accordingly, PSPs cannot commence operations and then decide whether the preconditions have been met. On the contrary, they shall ask for a mandatory review by the authorities before commencing their activity if their payment transactions exceed a threshold of EUR 1 million over the preceding 12 months. The description of services shall be made publicly available on EBA’s website[45].
[43] SuperShop is not a prepaid card. A certain % of each purchase is credited to the card. The cardholder can use this card for purchases within a limited network of merchants, e.g. Spar, OMV, Burger King. www.supershop.hu
[44] Article 30(2) of PSD2
[45] Article 30(4) of PSD2
  • 33. This concept again would go contrary to the principle of the internal market as the procedure could imply divergent interpretation and also could distort competition. Furthermore, the public disclosure of the decision could influence how certain regulators approach their review. Given the uncertainty of the scope of this exemption, PSPs would be prudent to seek regulatory approval regardless of the volume of payment transactions carried out.
BROADENING THE SCOPE OF PAYMENT SERVICES
Since the adoption of PSD1 new types of payment services have emerged, especially in the area of internet payments. According to Recital 18 of PSD2 “these services play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s bank in order to initiate internet payments on the basis of a credit transfer. The payment initiation service provider, when providing exclusively payment initiation service, does not in any stage of the payment chain hold user’s funds”.[46]
These new e-commerce payments are made over the internet, usually in one of these three ways[47]:
1. via a remote payment card transaction through the internet;
[46] Recital 18 of PSD2
[47] Green Paper of the European Commission…
  • 34. 2. in the form of online credit transfers or direct debits by using either the payer’s online banking system directly, or that of a third party (e.g. Sofort);
3. payments through e-payment providers, with which the consumer has set up an individual account that has been funded through “traditional” payment methods, e.g. bank transfers or credit card payments (e.g. PayPal, PayU).
Annex 1 of PSD2 includes those payment services that are within the scope of the directive. Two new services were added to this list with PSD2: payment initiation services and account information services. The first includes those services under point 2 above that are provided by third parties other than banks. The second is only a complementary service providing the user with aggregated online information on one or more payment accounts.
Payment Initiation Services
The German Sofort, the largest bank-independent TPP in Europe, offers payers the option of paying merchants directly from the payer’s bank account. The payer authorizes the specific payment and personally carries through and completes the necessary steps for executing it, including selecting from which of his or her bank accounts the payment should be made. The payer then signs the transaction using his or her existing online bank credentials. The payer retains full control of the completion of the payment and uses bank-issued security credentials to carry it out. The whole process is carried out using Sofort’s software but Sofort is not able to initiate a payment
  • 35. without the payer actively participating and going through the same steps as if initiating an online bank payment. This makes this payment one of the safest online methods, and the risk for the payer to be exposed to fraud is minimized[48]. Although Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004, payment initiation services do imply an increased risk for the user. The Study on the Impact of PSD1 also highlighted some security concerns:
“To put it simply, under payment initiation services, the historically basic concept of the payment process “give me EUR X from your wallet” turns into “give me your wallet” (out of which the payee or its provider takes EUR X). This triggers security concerns which are broader than the mere fear of the risk of one-off fraud.”[49]
Figure 2 shows that in the new, five-member process the payer initiates payment via the TPP, which in turn passes the instruction to the payer’s bank.
[48] Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004 according to EPIF’s Report on Payment Initiation Services, July, 2013.
[49] Study on the impact... p.4
  • 36. Figure 2. PSD2 relation (diagram labels: Payer; Payer’s bank; TPP (Payment initiator); Payee; Payee’s bank)
PSD2 does not use the term bank. Instead it uses the definition “account servicing payment service provider”. This wording basically covers banks as it means a payment service provider providing and maintaining payment accounts for a payer[50]. The service provided by Sofort and other similar banking services (e.g. iDeal or Trustly) was not covered by PSD1. PSD1 exempted those technical operators who support PSPs on the ground that these do not come into the possession of the payer’s funds[51]. Article 3(j) of PSD2 upholds this exemption but specifically excludes payment initiation services and account information services from it, thus extending the scope to such TPPs. It is therefore inevitable for those technical operators who relied upon the above exemption to carry out a careful analysis as to whether they will now need to become
[50] Article 4(10) of PSD2
[51] Article 3(j) of PSD1
  • 37. regulated under PSD2. It will be particularly important to determine whether a payment service provider enjoying exemption as a support operator under PSD1 now falls within the scope of providing “payment initiation services” or not. Under PSD2, payment initiation service providers are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros[52]. Account information service providers are expressly exempt from authorisation, but are subject to a registration requirement[53].
Account Information services
According to Recital 18(a) of PSD2 “…with technological developments, a range of complementary services have also emerged in recent years, such as account information services. These services provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider, thus enabling the payment service user to have an overall view of his financial situation immediately at a given moment.”
PSD1 was silent about such services, which raise several legal issues such as consumer protection, security and liability as well as competition and data protection issues.
[52] Article 68(b) of PSD2
[53] Article 27(a) of PSD2
  • 38. This service used to be the monopoly of the consumer’s bank and was limited only to one bank account. Now the user authorizes this TPP to process information available in the user’s online banking facility; the TPP then provides financial information and new functionalities not available from the bank (e.g. eWise). Figure 3 shows how an account information service would work under PSD2.
Figure 3. PSD2 relation (diagram labels: User; Payer’s bank; TPP (Account information provider); Payer’s bank; Payer’s bank)
Some argue that PSD2 does not contain clear definitions as to the content of the account information services[54]. They claim that PSD2 remains neutral about the technology of such services and refers only to “services requested by the user”[55] or “information requested through an account information service provider”[56] and “access
[54] http://prudentiz.eu/payment-services-directive-ii
[55] Article 59(2)f of PSD2
[56] Article 87(1)c) of PSD2
  • 39. and use the information on the payment services user account”[57]. This argument is however not well founded: since PSD2 is a directive, its goal is to set out minimum requirements that each EU member must achieve. It is up to national legislation how this goal is achieved. This is somewhat contrary to the above, where emphasis was placed on the imprecise definitions used by PSD2. Nevertheless it is not this directive’s task to solve technicalities. In the earlier draft version of PSD2 the wording of account information service included references to a payment service. However, the EPC was of the opinion that such services should not be presented as a “payment service” as these are not necessarily linked to payment transactions[58]. The EPC reasoned that such services would only comprise historical payment transaction data, or “aggregation services”, but would never lead to a payment initiation. The EPC even questioned if it should be included in PSD2. The reasoning that these services should not be left without appropriate authorization resulted in their inclusion under the scope of PSD2.
ACCESS TO PAYMENT ACCOUNTS
Access to payment accounts is one of the most controversial territories of PSD2. A payment initiation service or an account information service would not work if banks
[57] Recital 51 of PSD2
[58] Gijs Boudewijn, “PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services” (2014) EPC Newsletter
  • 40. would not grant access to payment accounts. This is a very sensitive territory, touching banking secrecy, anti-money laundering and data protection issues. The Study on the Impact of PSD1 highlighted that with payment initiation services the concept of the access to accounts has shifted:
“Existing online access relies on the assumption that the user is the only person to access the account. Indeed, to tackle concerns with payment initiation services, while still preserving the innovative potential of those services, this basic assumption needs to be shifted. Instead, the basic underlying assumption should hold that the user is one of the persons to access the account, but remains the only person to decide on who else may get access to the account. The concept under which the user is one of the persons to access the account and the only one able to decide who gains access removes most obstacles to the sustainable development of payment initiation services. Indeed, this way of conceptualizing access to accounts ensures neutrality with regards to future developments in this area.”
In accordance with Articles 58 and 59 of PSD2 a bank or a credit institution must give TPPs access to customers' account information, provided that the customer has given his explicit consent to that access. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be
  • 41. affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator[59]. Aren’t the above articles contrary to banks’ general terms and conditions? Could a customer raise a concern that the general terms and conditions prohibit the disclosure of confidential login details and the confirmation code to third parties? Would such disclosure imply breach of contract? Ross Anderson explained the Sofort case during the Security Protocols 20th International Workshop in 2012: the German banks sued Sofort on the basis that it induced its customers to break the general terms and conditions of their contract. However, the Federal Competition Authority intervened and said that “they actually liked these Sofort chaps because they were bringing some much needed competition into a very, very cartelised payment business”.[60] In 2011 the authority called upon the German banks to enable non-discriminatory access for online payment systems that are independent of banks. Contrary to the German practice, in 2014 the Polish competent authority for payment service providers explicitly closed the market for service providers with its decision instructing banks not to allow access to bank accounts to Polish TPPs.[61]
[59] Article 29a of PSD2
[60] Ross Anderson: Protocol Governance: The Elite or the Mob? In: Security Protocols XX: 20th International Workshop, Cambridge, UK, April 2012.
[61] http://prudentiz.eu/payment-services-directive-ii
  • 42. Simultaneously with the Polish approach, the District Court of Midden-Nederland ruled that AFAS Software B.V. acted unlawfully and must desist from asking ING Bank’s customers to enter their banking credentials on the website of AFAS so that it could log on automatically to ING’s secure online banking interface[62]. The Dutch AFAS operates along the same principles as the German Sofort with the difference that Sofort has been granted access to payers’ bank accounts, while AFAS hasn’t. Interestingly, ING relied on the same reasons as the German banks when suing Sofort. ING reasoned that its general terms and conditions and the Uniform Safety Standards of the Dutch Banking Association prohibit customers from disclosing their personal internet banking credentials to third parties. Furthermore, AFAS created an immediate online banking security risk by asking ING customers to supply their internet banking credentials. The court ruled in favor of ING and said that in order to prevent fraud, internet banking credentials should never be provided to third parties. Most surprisingly, the Dutch court rejected the argument of AFAS that its services, including the offer for an automatic connection between its third party applications and online banking environments, will be regulated by PSD2. The court agreed with ING, saying that PSD2 is not yet in force and that the proposed text of the directive is still under discussion, especially those provisions that AFAS could rely on. The Dutch court eventually ruled that the final compromise text of a directive waiting for voting cannot be relied on. This is in line with the CJEU’s case law. In Inter-Environment
[62] ING BANK N.V. v. AFAS SOFTWARE B.V [2014] Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481
  • 43. Wallonie the CJEU held that even within the implementation period the Member States are not entitled to take any measures which would seriously compromise the result required by the directive[63]. This was later on strengthened in Mangold[64]. If PSD2 entered into force AFAS could challenge the Dutch court decision by invoking Inter-Environment Wallonie and Mangold. But first it should be examined whether the given Article of PSD2 is capable of direct effect using the test set out in Francovich.[65] According to Article 58 Section 1.b (b) of PSD2:
“The account servicing payment service provider shall:
(b) immediately after the receipt of the payment order from a payment initiation service provider provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
(c) treat payment orders transmitted through the services of a payment initiation service provider without any discrimination for other than objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer himself.”
[63] Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411 para 44
[64] Case C-144/04 Mangold v Helm [2006] 1 CMLR 43 para 28
[65] Case C-60/90 Francovich [1991] ECR I-5357
  • 44. Subsection b) of the above article seems capable of direct effect. Notwithstanding the fact that the term all information is not precise enough, the preceding subsections of this Article give some guidance on what information (personalized security credentials, other information on the service user) banks should give access to. Subsection b) confers rights on payment initiation service providers. On the other hand, subsection c) is not precise enough. While it imposes a clear obligation and identifies who the subject of that obligation is (the account servicing PSP), it does not seem to confer rights on any party in particular. Horizontal or vertical direct effect in relation to AFAS would depend on how the Netherlands implements PSD2.
SECURITY OF PAYMENTS
According to Abrazhevich, one of the most crucial and well-researched issues in payment systems is security. Since the Internet is an open network with no centralized control, the infrastructure supporting electronic commerce, and payment systems in particular, must be resistant to attacks in the Internet environment[66].
[66] Dennis Abrazhevich, Electronic Payment Systems: a User centered perspective and Interaction Design (Technische Universiteit Eindhoven, 2004) p.36
  • 45. 45 Payment Card Fraud: Examples from Recent Cases Managing payment card fraud can be challenging for financial institutions. Chip-based or EMV67 payments were a big step forward from magnetic stripe card payments. Magnetic stripes can easily be copied but it is impossible to clone the chip; therefore chip-based cards increase security and reduce fraud resulting from counterfeit, lost and stolen cards. While almost all terminals in Europe are chip-enabled, the US is one of the last countries to migrate to EMV chip technology68. However, chip cards will not end fraud. As seen in Europe, where chip cards already are standard, fraudsters shift focus to card-not-present69 transactions instead.70 In the middle of July 2015, parallel with the launch of Apple Pay in the UK, some UK papers reported that contactless payment cards in our pocket might not be as secure as we assumed71. According to the article, a group of guys was able to use an “easily and cheaply” acquired card reader to successfully retrieve the 12-digit card numbers and expiry dates from 10 cards. Despite this, they weren’t able to obtain the three-digit verification code on the back of the cards. Surprisingly, with these data and with the help of a fake name, they were able to put in an order on Amazon for a $4,000 TV. 67 EMV is an abbreviation for Europay, Mastercard and Visa. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. http://www.emvco.com/ 68 http://www.emv-connection.com/emv-faq/ 69 A card not present transaction is a payment card transaction where the holder cannot physically show the card for visual examination when payment is effected (e.g. transactions over the phone, the internet or by mail.) 
70 ECB (July 2015) „Fourth Report on Card Fraud” 71 http://gizmodo.com/contactless-payment-cards-are-perhaps-not-as-secure-as-1719690656
  • 46. 46 Figure 4 below shows the credentials required when purchasing via Amazon. Figure 4. Cardholders will notice a missing card in a relatively short time, but it is almost impossible to detect whether card data are compromised, i.e. whether someone got unauthorized access to card data, especially if the card is in our pocket. If the card is used for small-amount illegal purchases and the card holder is a regular user of Amazon, the card holder will not notice that money is being siphoned out of his account. Contactless payment cards cannot be switched off; they will give full customer details unencrypted if a point of sale (POS) terminal or a smartphone initiates a query without any validation or authorization. Someone with malicious intent could easily rake in a small fortune each day by brushing past people on a bus and skimming lots of cards while they are in pockets and wallets. Many fraudulent transactions do not get noticed until things have spiraled way out of control. Two important liability issues should be mentioned regarding contactless payment cards. Firstly, if the CVC2/CVV2 authentication procedure exists, why isn’t it obligatory
  • 47. 47 for all merchants? Secondly, if card issuers and banks regard bank account numbers and expiration dates as public data not requiring protection, then why not use a secret password that would serve as a second factor to protect users’ money? Actually there is the PIN; however, this is not required during online transactions. Strong Customer Authentication in PSD2 and in the EBA Guidelines EBA gained importance in the surveillance of PSD2 requirements and is entitled, in close cooperation with the ECB, to develop technical standards on the requirements of strong customer authentication72. EBA published its final guidelines on the security of internet payments on 19th December 201473. These guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative set up by the ECB and comprising relevant authorities from the EEA. Interestingly, these guidelines touched sensitive points, including strong customer authentication, that are also covered by PSD2. Furthermore, EBA required that these guidelines should be applicable as of 1st of August 2015, before the acceptance of PSD2. This raised some concerns among different stakeholders including MasterCard and small firms in the UK. FCA even made public its views on its website: “We do not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply 72 Article 87a1.a of PSD2 73 http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internet-payments
  • 48. 48 with the EBA Guidelines”. MasterCard compiled an FAQ on its website informing its customers about the applicability of the EBA guidelines and their relation to PSD2, which is not yet in force74. EBA is a regulatory agency of the Commission; it does not possess legislative power. The technical standards drafted by EBA (based on the empowerment in PSD2) only have binding effect and direct applicability for Member States once endorsed by the Commission. The EBA’s guidelines, however, are “binding” for those competent authorities to whom the guidelines apply and they should comply by incorporating them into their supervisory practices as appropriate75. This procedure is often called “implement or explain”, meaning that it is possible for competent authorities to decide not to comply with the guidelines. For example, the UK opted out, explaining that “it does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines”76. The Swedish Financial Supervisory Authority reported that it will comply with all guidelines, except the strong customer authentication requirements for card payment schemes and providers of wallet solutions77. 74 http://newsroom.mastercard.com/wp-content/uploads/2015/07/FAQ-EBA-guidelines.pdf 75 EBA, Final guidelines on the security of internet payments p 8. 76 EBA, Compliance Table - Guidelines - Based on information supplied by them, the following competent authorities comply or intend to comply with: EBA Guidelines EBA/GL/2014/12 on the security of internet payments, published on 19th December 2014. 77 Ibidem.
  • 49. 49 In terms of PSD2 and the EBA Guidelines, strong customer authentication means an authentication based on the use of two or more elements categorized as 1. knowledge (something only the user knows e.g. PIN), 2. possession (something only the user possesses e.g. token) and 3. inherence (something the user is e.g. fingerprint or retina) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data78. A sophisticated technology may fail if the customer is not able to handle it with ease79. In 2014, during the EBA consultation period, MasterCard raised its concerns about the strong customer authentication requirement in the draft EBA guidelines80. MasterCard highlighted that the EBA guidelines do not observe customer convenience; in other words, “the guidelines impose additional heavy and awkward authentication procedures for customers which may end up discouraging them from using internet payments”81. In MasterCard’s opinion strong customer authentication should be optional for payments whose risk is not high. The reason for this is very simple. Generally it is the card issuer 78 Article 4 22. of PSD2 79 Wen-Chen Hu, Chung-wei Lee & Weidong Kou, Advances in Security and Payment Methods for Mobile Commerce (Idea Group Publishing, 2005) p. 210 80 Mastercard (2014) „Mastercard’s comments on the EBA Consultation Paper on the implementation of draft EBA guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2)” 81 Ibidem.
  • 50. 50 PSP which is liable in case of fraud. When a PSP is prepared to bear liability in case of fraud, that PSP should be permitted to decide which level of authentication to apply (strong or risk based) provided that the card issuer respects some minimal authentication guidelines. Therefore there is no need to mandate upon card issuing PSPs a strong authentication requirement on every transaction when they bear the risk of fraud82. Ecommerce Europe confirmed the above: “the new authentication rules could stifle innovation in the area of digital payments. Multifactor authentication has a huge impact on conversion for merchants, as many consumers will leave the check-out process when payment becomes too complicated.”83 It seems that not only customer convenience but also liability and its financial consequence was the real reason for MasterCard to vote for less stringent authentication requirements. According to Article 66 1c of PSD2: “Where the payer's payment service provider does not require strong customer authentication, the payer shall only bear any financial consequences where having acted fraudulently. Should the payee or the payment service provider of the payee fail to accept strong customer authentication, they shall refund the financial damage caused to the payer’s payment service provider.” 82 Ibidem. 83 Ecommerce Europe (2015) “Stronger consumer authentication for online payments needed as of 1 August 2015”
  • 51. 51 If PSPs fail to apply strong customer authentication they shall bear full liability except if the payer acted fraudulently. According to Ecommerce Europe “if PSPs do not perform strong authentication they are liable and liability does not shift to the merchant when he chooses not to authenticate while the PSP is offering it. This is a change from today where the merchant is liable when no authentication is used. However, failing to do so might eventually lead to the merchant losing its contract with the PSP”84. Nevertheless it seems that EBA followed the above advice of stakeholders, because the final guidelines were drafted in such a way that they make possible the consideration of alternative authentication measures for pre-identified categories of low-risk transactions, e.g. based on transaction risk analysis or involving low value payments85. PSD2 AND THE FUNDAMENTAL FREEDOMS Both PSD1 and PSD2 provide a legal framework for internal market payments by establishing a comprehensive set of rules applicable to all payment services in the EU to make cross-border payments easy, efficient and secure. The scope covers payment services provided within the Union.86 Like PSD1, the first part of PSD2 concerns the authorization requirements for payment institutions and is structured on the legal basis of freedom of establishment87. The second part that focuses on the regulation of rights 84 Ibidem. 85 EBA, Final guidelines on the security of internet payments, Section 7.5 86 Article 2.1 of PSD 2 87 See: Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC
  • 52. 52 and obligations of the parties is legally based on the principle of the approximation of laws (Article 114 of TFEU). Despite the fact that PSD2 is following full harmonization, it explicitly allows Member States to regulate above minimum standards in some cases, providing for mutual recognition. On the basis of PSD2’s scope and its references to the freedom of establishment and services it can be established that although it mainly concerns payments, the directive is linked to the freedom to provide services and the right of establishment rather than to the free movement of capital and payments. Annex I of Council Directive 88/361/EEC of 24 June 1988 for the implementation of Article 67 of the Treaty (EEC) includes a nomenclature of capital movements. Although it says that capital movements cover the “conclusion and performance of the transaction and related matters”, the explanation of each notion of capital movements makes it clear that it covers investments, loan and credit operations rather than payment services88 . PSD2 and the Free Movement of Services and Capital and Payments However it is clear that without financial liberalization or free movement of capital, the other three fundamental freedoms would not work. Although the TFEU chapters on services and capital are closely linked, there is a significant difference between their personal scopes. While the freedom of capital and payments grants the same rights to EU citizens and third country nationals, the freedom to provide services can only be 88 COUNCIL DIRECTIVE of 24 June 1988 for the implementation of Article 67 of the Treaty (88/361/EEC)
  • 53. 53 relied on by Union citizens.89 But how does this principle work in PSD2, especially taking into account the so-called “one leg out payment transactions”? Both PSD1 and PSD2 apply to payment services provided within the Union. Most provisions of title III (Transparency of conditions and information requirements for payment services), and title IV (Rights and obligations in relation to the provision and use of payment services) of PSD2 will apply to a broader range of payment transactions than that of PSD1. Specifically, transactions in non-European currencies where both the payer’s and the payee’s payment services provider (PSP) (or the sole PSP in the transaction) are located in the Union will be caught, as will the so-called “one leg out” payment transactions in all currencies, where only one PSP is located in the EU.90 “One leg out” transactions were outside the scope of PSD1, but PSD2 now brings them in scope: “in respect of those parts of the payment transaction which are carried out in the Union”91. PSD1 did not cover those transactions where funds were sent to or received from a PSP established outside of the EEA. Now the information requirements in Title III of PSD2 will apply to them, including requirements on provision of contract terms and other information to customers, variation of such contract terms or information, and termination of customer contracts.92 According to Troullinou, “this wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or 89 Article 63.(2) TFEU, Case C-452/04 Fidium Finanz v Bundesanstalt für Finanzdienstleistungsaufsicht [2006] ECR I-9521 para 25. 90 Article 2 91 Article 2.1b of PSD2 92 Article 2.1b of PSD2
  • 54. 54 components thereof) taking place outside of the EU over which they have no control (e.g., because these are subject to foreign systems and rules).”93 With PSD2, PSPs will accordingly need to update their customer terms and conditions and analyze those parts of their payment transactions which are carried out in the Union so that they comply with information, variation and termination requirements. However, in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise. Furthermore, as explained above, Malaguti emphasized in her paper on PSD1 that no definition exists of when a payment service is provided within the Community94. PSD2 continues to remain silent on this, since the definition of payment services remained unchanged and it only refers to the business activities. This again creates some legal uncertainties and does not help to shed light on that specific part of the transaction which is carried out within the Union. In Fidium Finanz the CJEU held that the chapter regulating the freedom to provide services does not contain any provisions which enable service providers in non-member countries and established outside the EU to rely on those provisions. Article 56 of TFEU cannot be relied on by a company in a non-member country.95 The personal scope of “one leg out transactions” covers the Union PSP that sends funds to or receives funds from a third country PSP. As regards material scope the 93 Troullinou, Maria (2015) „An Update on Changes to the New Payment Services Directive (PSD2)” EPC Newsletter 94 Maria Chiara Malaguti, “The Payment Services Directive, Pitfalls between the Acquis Communautaire and National Implementation” (2009) ECRI Research Reports No. 9 95 Fidium Finanz para 25.
  • 55. 55 transaction is split into two parts: a Union and a non-Union part; thus the material scope is extended outside of the EU in order to avoid divergent approaches across Member States to the detriment of consumers96. Consequently such transactions extend beyond the EEA as far as material scope is concerned, but personal scope remains within the EEA. Applicability of Several Freedoms It is important to note that although there are several cases that raise both the freedom of services and capital, the court considered only the rules on services. According to Mavromati97, under the old provisions of the EC Treaty on free movement of capital, the court applied the provisions “subsidiarily”, that is to say only when a capital transfer could not be qualified as a movement of goods or services.98 The court thus avoided possible cumulative application of the rules on the other freedoms and always preferred the alternative qualification. However, in recent cases the court applied principles in an analogous manner. Thus if the court had to decide whether the national measure in question restricted the freedom of capital, it used its observations obtained from cases in the area of the free movement of persons.99 In Fidium Finanz the CJEU held that “although in the definition of the notion of “services” laid down in the first paragraph of Article 50 EC it is specified that the 96 Recital 9 of PSD2 97 D. Mavromati, The Law of Payment Services in the EU: The EC Directive on Payment Services in the Internal Market (Kluwer Law International, 2008) p. 32 98 Case C-358/93 and C-416/93 Criminal proceedings against Aldo Bordessa and others [1995] ECR I-361, para. 15 99 D. Mavromati, The Law of Payment Services ... op. cit., p 32.
  • 56. 56 services “are not governed by the provisions relating to freedom of movement for goods, capital and persons”, that relates to the definition of that notion and does not establish any order of priority between the freedom to provide services and the other fundamental freedoms. The notion of “services” covers services which are not governed by other freedoms, in order to ensure that all economic activity falls within the scope of the fundamental freedoms.” In this case the CJEU held that if a situation can only be assessed by reference to services and capital, only one provision should apply. Therefore, where one freedom is secondary to the other, the CJEU would consider the primary freedom. In this case the rules were concerned with the freedom to provide services rather than the free movement of capital, because the latter was “merely an inevitable consequence of the restriction imposed on the provision of services”100. PSD2 and the Freedom of Establishment: Passporting According to EPIF, PSD1 was a real success story of the Single Market as it has helped to foster the development of non-bank payment services101. PSD1 literally granted the freedom of establishment in its text with Article 25 of PSD1. It introduced the passporting regime under which PSPs other than credit institutions can apply for an authorization as a payment institution if they meet certain capital and risk management requirements. The application can be filed in any EU country of their choice where 100 Fidium Finanz para 49. 101 EPIF (30 May 2013) „Paper on Payments”
  • 57. 57 they are established and then "passport" their payment services into other EU member states without additional requirements. Nevertheless this regime was later on criticized by payment institutions. They raised their concern that the process is not working as effectively as it could be due to the fact that the application diverges at the national level in terms of anti-money laundering, consumer protection, and data protection matters and thus, specific requirements and obligations have to be met before payment institutions can effectively passport their services into EEA Member States outside their home country102 . It was also highlighted that it is very difficult to establish a uniform product portfolio across EEA markets and the process can take a long time with no clear information when it is likely to be completed103 . Taking into account the above concerns, Recital 29 of PSD2 confirms that the cooperation between the competent authorities should be enhanced, both with regard to the information exchanged as well as a coherent application and interpretation of the directive, in cases where the authorized payment institution would like to provide payment services also in a Member State other than its home Member State, in exercise of the right of establishment or the freedom to provide services, including through the internet (“passporting”). 102 Study on the Impact of Directive 2007/64/EC 103 Ibidem.
  • 58. 58 After the implementation of PSD2, EBA’s role will be crucial here as this body will assist competent authorities to settle disagreements between each other in the context of cross-border cooperation. EBA’s competence will also cover the preparation of a set of regulatory technical standards on cooperation and data exchange which, once approved by the Commission, will be binding and directly applicable on Member States. CONCLUSION The above provides a summary of some of the key issues that payment service providers will face when they would like to know whether their services will fall within the scope of the new proposed PSD2. Although the revision procedure of PSD1 tried to capture more participants with the aim to enhance security and consumer protection, many questions have been left unanswered that shall continue to cause legal uncertainty. The intention to give technologically neutral definitions allows for the further development of new types of payment services but it is questionable whether it will ensure equivalent operating conditions. Therefore the trend will be the same as after the period of the implementation of PSD1: the lack of precise definitions and ambiguous wording will end up with different national application practices that are contrary to harmonization and integration and will also distort competition in the payment market. The examples of such ambiguities are e.g. the definition of very limited or the concept of limited in the limited network exemption requirement, or the term professional issuer in the list of
  • 59. 59 exemptions. Furthermore, in case of “one leg out transaction” the concept of the part of the transaction that is carried out within the Union will definitely cause some concerns and will require PSPs to analyse their payment schemes in detail. It will turn out after the implementation of PSD2 whether the new approach put forward by the Commission will be successful or not. The most difficult part perhaps will be the applicability of the exemptions. The broadness of any exemption has the potential to cause a negative impact. Therefore in order to cut costs and save money, PSPs will continue to attempt to align their products to match the exemptions in order to avoid a regulatory burden and to save the costs of PSD2 compliance. This will leave customers unprotected even under PSD2 and will deprive regulatory authorities of their powers. Additionally, it will not enhance consumer protection either, since for consumers with average financial capability it will be a real challenge to distinguish between those products that are PSD2 compliant and those that are not. PSD2 tries to catch those e-commerce platforms that were so far out of its scope. As a result, e-commerce platforms in currently more relaxed jurisdictions might become subject to payment services regulation. It can be predicted that such smaller e-commerce platforms will initiate cooperation with banks if they are themselves not able to apply for a license. There is no doubt that banks will have to adhere to a new market division taking into account the appearance of TPPs on a payment services market which used to be bank
  • 60. 60 dominated. This will indeed foster innovation and cooperation between banks and other payment service providers. However, PSPs shall overcome an obstacle in order to compete on this market: access to payment accounts. Access to payment accounts is one of the most controversial territories of PSD2. A payment initiation service or an account information service would not work if banks did not grant access to payment accounts. This is a very sensitive territory, touching banking secrecy, anti-money laundering and data protection issues. Although resources on CJEU or national case law touching rights granted by both PSDs are very limited, access to payment accounts was the one which attracted national courts or national financial authorities the most. Due to the discrepancies on national level, after PSD2 enters into force it can be anticipated that PSPs will turn to the CJEU if they are not granted access to payment accounts and thereby cannot pursue their activities, regardless of whether the Member State concerned has implemented the directive or not. PSD2 is undoubtedly linked to the freedom to provide services and to the freedom of establishment although some provisions may be seen as dependent on the freedom of payments. On the basis of recent case law, if in the future the CJEU is faced with cases concerning provision of payment services that can only be assessed by reference to services and payments/capital, the CJEU would consider the primary freedom.
  • 61. 61 Stakeholders welcomed the increased importance of EBA under PSD2 although the requirement to implement the guidelines before PSD2 raised some concerns. There is no doubt that for the consistent application of PSD2 in the future, the expertise and support of EBA will be indispensable. EU regulations governing payment services have progressed constantly in recent years with the regulators’ intention to take account of e-payment developments. To create a harmonised legal framework for payment services and simultaneously encourage innovation is really hard work. This paper has aimed at offering a first assessment of this work in order to highlight the main areas of concern.
  • 62. 62 BIBLIOGRAPHY Legislation Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 Regulation (EC) No. 924/2009 on Cross Border Payments in the Community Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC Council Directive of 24 June 1988 for the implementation of Article 67 of the Treaty (88/361/EEC) Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC, and 2006/48/EC and repealing Directive 97/5/EC
  • 63. 63 Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC Books Despina Mavromati, The Law of Payment Services in the EU: The EC Directive on Payment Services in the Internal Market (Kluwer Law International, The Netherlands, 2008) Ross Anderson, Protocol Governance: The Elite or the Mob? Security Protocols XX: 20th International Workshop (Cambridge, 2012) Noah Vardi, „The Integration of European Financial Markets: The Regulation of Monetary Obligations.” (The University of Texas at Austin, 2010) Wen-Chen Hu, Chung-wei Lee & Weidong Kou, Advances in Security and Payment Methods for Mobile Commerce (Idea Group Publishing, 2005) Dennis Abrazhevich, Electronic Payment Systems: a User Centered Perspective and Interaction Design (Technische Universiteit Eindhoven, 2004)
  • 64. 64 Journal Articles Boudewijn, Gijs “PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67” (January 2014) EPC Newsletter Issue 21 Seibel, Helmut “PSD2: Analysis of the Selected Aspects of Recent European parliament Report Raises More Questions for Clarification” (April 2014) EPC Newsletter 22 P. Desmares, B. Ramé, “Banks Faced with PSD2: around payments and beyond, digital wallets and new services” (2014 September) Efma Report Gijs Boudewijn, “PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services” (2014) European Payments Council Blog and Discussion Board Maria Troullinou, „An Update on Changes to the New Payment Services Directive (PSD2)” EPC Newsletter 28.07.2015 Maria Chiara Malaguti, “The Payment Services Directive, Pitfalls between the Acquis Communautaire and National Implementation” (2009) ECRI Research Reports No. 9
  • 65. 65 Dr. Matthias Terlau, Dr. Daniel Walter, „PSD2 – Future authorisation requirements for department store cards, gift vouchers, petrol cards and stadium cards? The new limited network exception“ (2013) Payment Services Law Blog Cases CJEU Case C-452/04 Fidium Finanz v Bundesanstalt für Finanzdienstleistungsaufsicht [2006] ECR I-9521 Case C-358/93 and C-416/93 Criminal proceedings against Aldo Bordessa and others [1995] ECR I-361 Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411 Case C-144/04 Mangold v Helm [2006] 1 CMLR 43 Case C-60/90 Francovich [1991] ECR I-5357 European National Courts
  • 66. 66 Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481 ING BANK N.V. v. AFAS SOFTWARE B.V [2014] Landesgericht Köln, Urteil v. 29.09.2011, Az. 81 O 91/11, (Notwendige BaFin-Lizenz bei Online-Zahlungsmöglichkeit) http://tlmd.in/u/1307 Conseil d’Etat, Case No.354957, l'Autorité de contrôle prudentiel v la société Printemps ECLI:FR:CESSR:2013:354957.20130424 (http://www.legifrance.gouv.fr/affichJuriAdmin.do?oldAction=rechJuriAdmin&idTexte=CETATEXT000027353547&fastReqId=1333016665&fastPos=1) Further sources European Banking Authority (2014) “Final Guidelines on the Security of Internet Payments” European Banking Authority (2014) “Consultation Paper on the implementation of draft EBA guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2)” European Banking Authority (2015) “Compliance Table - Guidelines - Based on information supplied by them, the following competent authorities comply or intend to
  • 67. 67 comply with: EBA Guidelines EBA/GL/2014/12 on the security of internet payments, published on 19th December 2014” European Central Bank (2013) “SEPA, an Integrated Retail Payments Market” European Commission (2011) “Green Paper of the European Commission on towards an integrated European market for card, internet and mobile payments” (COM/2011/0941 final) European Commission, (2007) “Payment Services Directive: Frequently Asked Questions” Memo/07/152 European Commission, (2013) Report from the Commission to the European Parliament and the Council on the application of Directive 2007/64/EC on payment services in the internal market and on Regulation (EC) No. 924/2009 on cross-border payments in the Community COM(2013) 549 OECD (2006) „Online Payment systems for E-Commerce” European Central Bank (2015) „Fourth Report on Card Fraud” London Economics and iff in association with PaySys (2013) “Study on the Impact of Directive 2007/64/EC on Payment Services in the Internal Market and on the
  • 68. 68 Application of Regulation (EC) No. 924/2009 on Cross Border Payments in the Community” Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011 European Payment Institution Federation (2014) „EPIF Position on the Payment Services Directive 2” European Payment Institution Federation (2013) „EPIF Position Paper on Payment Initiation Services” European Payment Institution Federation (2013) „EPIF Position on the Review of the PSD and the Follow up to the Green Paper on Innovative Payments” Jane Khodos (2015) Frequently Asked Questions with respect to the EBA Guidelines on the Security of Internet Payments, Insights & Research (http://newsroom.mastercard.com/documents/frequently-asked-questions-with-respect-to-the-eba-guidelines-on-the-security-of-internet-payments/) Prudentiz (2015), Council Publishes New Wording of PSD II (http://prudentiz.eu/payment-services-directive-ii)
  • 69. 69 Mastercard (2014) „Mastercard’s comments on the EBA Consultation Paper on the implementation of draft EBA guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2)”