It has been a while since I last spoke about myths, relating to GDPR. Now it is time to do the same for PSD2. Over the last months I have come across many misinterpretations, specifically around access to accounts (XS2A), who has the give access and for what.
Let’s discuss some myths (or at least inconsistencies) again!
1. EMIs have to give access?
So this one might stir the pot as many have different beliefs. Who should provide access to its accounts seems to be passed through differently by (local) regulators.
Especially in the UK, there seems to be a common understanding under electronic money institutions that they need to open up their payment accounts to Third Party Providers (TPPs). This probably has to do with the wider interpretation by the FCA of what constitutes a payment account. This also means a broader interpretation of which parties are Account Servicing Payment Service Providers (ASPSPs). The FCA speaks about “providers of payment accounts” that must allow TPPs access. “Businesses that provide ‘payment accounts’ that are accessible online to their customers will have to give AISPs and PISPs access to these accounts, with the user’s consent and authentication. Under PSD2, providers of payment accounts are referred to as ‘account servicing payment service providers’.”
On the contrary, the Dutch Central Bank does refer to banks as the parties that need to provide access: “Under PSD2, banks must allow these new payment service providers access to payment accounts, subject to the account holders’ consent.” This also follows from the historic narrow interpretation of the central bank of what institutions provide payment accounts.
You may wonder if this was intended by the legislator, what has been the need for payment initiation with an electronic money account? Recital 29 stipulates that it provides comfort to payees and an incentive to release goods without undue delay. To me, this looks like it is meant to decrease risks involved with “pull payments” by introducing “push payments” options. It is uncertain whether this benefits electronic money accounts, I believe this was initially thought to be of relevance to accounts held at credit institutions. Perhaps it would make most sense for account information services only.
The EBA seems to give no clear and concise approach across EU, as they referenced in previous communications with one of my customers the relevance of the European Court of Justice (ECJ) 2018 ruling on interpretation of payment accounts in the context of sharing of payment accounts data under PSD2. Still this ruling has not resulted in a EU-wide conform approach.
I would be curious to see the opinions of regulators in other member states, leave a comment below to share!
2. Business accounts are out of scope?
The driver of XS2A and PSD2 mainly comes from technological developments and the emergence of complementary services that were already offering account information or payment initiation services. As per PSD2 considerations, the reason to include these parties in scope of PSD2 was to provide consumers with adequate protection for their payment and account data as well as legal certainty about such parties’ status (recital 28 PSD2). It therefore seems that XS2A has been mostly based upon driving innovation in the retail payments market.
While the overarching focus has been on consumer-focused offering, PSD2 itself does not exclude business accounts held at credit institutions from XS2A. Neither does the legal text indicate that they should not be in scope. A business account falls under the definition of a ‘payment account’ (definition and criteria already discussed above) and corporate clients of banks also fall under the definition of ‘payment service users’: “a natural or legal person making use of a payment service in the capacity of payer, payee, or both.”
Article 36 of PSD2 does not make any distinctions there. XS2A is meant for “access to credit institutions’ payment accounts services.” The RTS also refer to the broader definition of payment service users throughout the entire document, by way of example: “…to ensure the right of payment service users to make use of payment initiation service providers and of services enabling access to account information…” (recital 16).
Also, the most notorious articles around TPP services, articles 66 and 67, make no distinction as such. Article 66 provides that “a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I.” Article 67 states that “a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I.” Besides the PSU definition, also the ‘payer’ definition refers to natural or legal persons: “a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.”
As per the legal wording above, it can be concluded that business accounts are subject to XS2A as well. It might be that confusion has arisen because some types of corporate payments are excluded from the SCA requirements. But let’s remember that XS2A and SCA do not necessarily correlate and are two separate regulatory requirements.
3. Cards not connected to a payment account are in scope?
It is important that a company first defines its actual service offering and what that means from a regulatory perspective. Issuing a card (which is a payment instrument) does not necessarily mean you have to give access to TPPs. Is even a payment account involved? This is not always necessarily the case. The market has seen an expansion of card solution offerings by (mostly) EMIs to customers of their agents, like I said before EMIs do not necessarly have to offer XS2A though. Apart from this, a distinction in what regulated activity is truly offered through the agent is required. The (prepaid) card would be used to make payments. However, it does not always involve a payment account. As per the earlier referenced ECJ court ruling, a payment account is an account (that also needs to be accessible online for XS2A to apply) that allows the account holder to make payments to or to receive payments from third parties. If the making payments is only accomplished by use of the card, there is no payment account, only a personalized device to initiate payment orders. They are very distinct from each other and constitute two separate regulated activities. If there is no login provided by the regulated institution to check balance and make payments through a portal, there is only the card and there is no online account to give access to.
Do you know any other myth or inconsistency that needs to be addressed? Leave a comment below.