Irish small to medium enterprises (SMEs) are in for a big year of changes in 2018. The new Payment Services Directive 2 (PSD2), which updates PSD1, becomes Irish law on January 13. It updates current payment service regulations and adds new requirements.
What changes can you expect with PSD2?
Most of the original PSD1 remains the same. PSD2 broadens the extent of the legislation to cover new services and newcomers to the market, and adds new obligations for payment service providers (PSPs). This means SMEs will need to conduct a review of their processes and procedures to ensure compliance. Key features of the PSD2 include:
extending the range of transactions
payment service provider exemptions
third party payment service provider scope
stricter authorisation requirements
security authentication management.
Range of transactions extended
PSD1 only applies to transactions within the European Union (EU). PSD2 extends this and introduces a three-tier system:
Top Tier. The top tier has the most stringent regulations. These apply to payment transactions where the merchant and customer PSPs are within the EU and where the customer makes payment in a member state’s currency.
Middle Tier. The middle tier has less stringent regulations. It applies to transactions where the merchant's and customer’s PSPs are within the EU but payment is in a non-member EU state’s currency.
Bottom Tier. The bottom tier covers regulations where only one of the PSPs is in the EU, and where payment transactions are in all currency types. (These types of payment transactions were not part of the PSD1.) This means market operators in this space have new rules about transparency, providing information, and how they do business.
Payment service provider exemptions
There are changes to the PSP exemptions under PSD1. The new legislation keeps most of the exemptions, but has revised them as follows:
Limited Network Exemption. The Limited Network Exemption applied where the consumer’s payment method, for example, a card, limits them to what they can buy. Under the PSD2, this applies to goods and services bought within a specific store or chain of stores.
Commercial Agent Exemption. Under PSD1, PSPs acting as a commercial agent could avoid authorisation requirements when acting on behalf of both a payer and a payee. This changes under PSD2: the exemption now only applies when acting for either the payer or the payee, not both.
Third party payment service provider scope
Under PSD2, PSP categories remain the same, but there are two extra categories. These are for third-party PSPs not regulated under the PSD1. These categories are:
Payment Initiation Service Provider. A payment initiation service provider (PISP) starts the payment process between the customer’s PSP. Online banking is a good example. A customer enters their payment details using a third party, so the PISP does not handle any part of the transaction. These transactions are now regulated under PSD2.
Account Information Services Provider. An account information service provider (AISP) provides information about account holders and their financial accounts when held by more than one PSP.
Stricter authorisation requirements
While PSD2 keeps the authorisation requirements of PSD1, it requires further documentation. PSPs must have a security policy document. This will include security control and mitigation processes and procedures to protect user information against any identified risks. It also needs to identify continuity arrangements and emergency plans if there is a breach in security.
Security authentication management
The PSD2 brings in regulations for cyber security. PSPs must have strong authentication procedures when a customer checks out and pays. PSPs must also report any major breaches or security incidents to the national authority. They also need to inform the customer if the breach affects a customer's financial interests.
Are you ready for PSD2?
With less than 2 months until the legislation becomes law, is your business prepared? SMEs need to assess their processes and procedures to meet PSD2 compliance:
to ensure they meet new exemption criteria
have data protection and security in place if the business provides payment initiation or account information
assess internal software, and processes and procedures to remove any barriers for PISPs and AISPs
PSPs should have contracts with third parties to formalise service agreements
review all compliance policies to meet additional authorisation requirements
implement consumer authentication procedures and be able to provide the national regulator with an annual assessment of its risk mitigation strategy.
Are you ready for the new PSD2 legislation? If not, now is the time to make sure you can comply with the new regulations in January 2018.