Big Red Cloud

Irish small to medium enterprises (SMEs) are in for a big year of changes in 2018. The new Payment Services Directive 2 (PSD2) updates the PSD1 to become Irish law on January 13. It updates current payment service regulations and has new requirements.

What changes can you expect with PSD2?

Most of the original PSD1 remains the same. It broadens the extent of the legislation to cover new services and newcomers to the market. The PSD2 adds new obligations onto payment service providers (PSPs). This means SMEs will need to conduct review of their processes and procedures to ensure compliance. Key features of the PSD2 include:

extending the range of transactions
payment service provider exemptions
third party payment service provider scope
stricter authorisation requirements
security authentication management.

Range of transactions extended

PSD1 only applies to transactions within the European Union (EU). PSD2 extends this and introduces a three-tier system:

Top Tier.The top tier has the most stringent regulations. These apply to payment transactions where the merchant and customer PSPs are within the EU. And, where the customer makes payment in a member state’s currency.
Middle Tier. The middle tier has less stringent regulations. It applies to transactions, where the merchant and customer’s PSP is within the EU, but payment in a non-member EU state’s currency.
Bottom Tier. The bottom tier covers regulations where only one of the PSPs is in the EU, and where payment transactions are in all currency types. (These types of payment transactions were not part of the PSD1.) This means market operators in this space have new rules about transparency, providing information, and how they do business.

Payment service provider exemptions

There are changes to the PSP exemptions under PSD1. The new legislation keeps most of the exemptions, but has revised them as follows:

Limited Network Exemption. The Limited Network Exemption applied where the consumer’s payment method, for example, a card, limits them to what they can buy. Under the PSD2, this applies to goods and services bought within a specific store or chain of stores.
Commercial Agent Exemption. Where PSPs avoided authorisation requirements under PSD1, this changes under PSD2. Acting as a commercial agent, PSPs could avoid authorisations when acting on behalf a payer and payee. The exemption now only applies when acting for either the payer or payee, not both.

Third party payment service provider scope

Under PSD2, PSP categories remain the same, but there are two extra categories. These are for third-party PSPs not regulated under the PSD1. These categories are:

Payment Initiation Service Provider. A payment initiation service provider (PISP) starts the payment process between the customer’s PSP. Online banking is a good example. A customer enters their payment details using a third party, so the PISP does not handle any part of the transaction. These transactions are now regulated under PSD2.
Account Information Services Provider. An account information service provider (AISP) provides information about account holders and their financial accounts when held by more than one PSP.

Stricter authorisation requirements

While PSD2 keeps the authorisation requirements of PSD1, it requires further documentation. PSPs must have a security policy document. This will include security control and mitigation processes and procedures to protect user information against any identified risks. It also needs to identify continuity arrangements and emergency plans if there is a breach in security.

Security authentication management

The PSD2 brings in regulations for cyber security. PSPs must have strong authentication procedures when a customer checks out and pays. PSPs must also report any major breaches or security incidents to the national authority. They also need to inform the customer if the breach affects a customer's financial interests.

Are you ready for PSD2?

With less than 2 months until the legislation becomes law, is your business prepared? SMEs need to assess their processes and procedures to meet PSD2 compliance:

to ensure they meet new exemption criteria
have data protection and security in place if the business provides payment initiation or account information
assess internal software, and processes and procedures to remove any barriers for PISPs and AISPs
PSPs should have contracts with third parties to formalise service agreements
review all compliance policies to meet additional authorisation requirements
implement consumer authentication procedures and be able to provide the national regulator with an annual assessment of its risk mitigation strategy.

Are you ready for the new PSD2 legislation? If not, now is the time to make sure you can comply with the new regulations in January 2018.