Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 200 (2023)

Article 5 U.K. Applications for authorisation

1. For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following:

(a) a programme of operations setting out in particular the type of payment services envisaged;

(b) a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c) evidence that the payment institution holds initial capital as provided for in Article 7;

(d) for the payment institutions referred to in Article 10(1), a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10;

(e) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

(f) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96;

(g) a description of the process in place to file, monitor, track and restrict access to sensitive payment data;

(h) a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans;

(i) a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;

(j) a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;

(k) for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council(1) and Regulation (EU) 2015/847 of the European Parliament and of the Council(2), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations;

(l) a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system;

(m) the identity of persons holding in the applicant, directly or indirectly, qualifying holdings within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution;

(n) the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution;

(o) where applicable, the identity of statutory auditors and audit firms as defined in Directive 2006/43/EC of the European Parliament and of the Council(3);

(p) the applicant’s legal status and articles of association;

(q) the address of the applicant’s head office.

For the purposes of points (d), (e), (f) and (l) of the first subparagraph, the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of payment services.

The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1). Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) when in place.

2. Member States shall require undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their [X1 liabilities as specified in Articles 73, 90 and 92.]

3. Member States shall require undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information.

4. By 13 January 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines, addressed to the competent authorities, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3.

In developing the guidelines referred to in the first subparagraph, EBA shall take account of the following:

(a) the risk profile of the undertaking;

(b) whether the undertaking provides other payment services as referred to in Annex I or is engaged in other business;

(c) the size of the activity:

(i) for undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, the value of the transactions initiated;

(ii) for undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, the number of clients that make use of the account information services;

(d) the specific characteristics of comparable guarantees and the criteria for their implementation.

EBA shall review those guidelines on a regular basis.

5. By 13 July 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of the first subparagraph of paragraph 1 of this Article.

EBA shall review those guidelines on a regular basis and in any event at least every 3 years.

6. Taking into account, where appropriate, experience acquired in the application of the guidelines referred to in paragraph 5, EBA may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1.

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

7. The information referred to in paragraph 4 shall be notified to competent authorities in accordance with paragraph 1.

Editorial Information

X1 Substituted by Corrigendum to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010 and repealing Directive 2007/64/EC (Official Journal of the European Union L 337 of 23 December 2015).

(1) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).

(2) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).

(3) Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87).

FAQs

What is the Payment Services Directive 2?

The directive contains two key elements of particular importance for e-commerce merchants – Strong Customer Authentication (SCA) and the emergence of two types of new regulated payment providers designed to promote increased competition and innovation in banking and finance.

What does PSD2 stand for?

Put simply, Payment Services Directive Two (PSD2) is a piece of legislation designed to force providers of payment services to improve customer authentication processes and to also bring in new regulation around third-party involvement.

Is PSD2 applicable in the UK?

PSD2 Timetable

The SCA requirements and third-party access framework came into force in September 2019. The SCA enforcement date is 14 March 2022 in the UK, and the EEA deadline was 31 December 2020.

What is the PSD2 deadline?

Monday 14 March 2022.

Who does the Payment Services Directive apply to?

7. What is the scope of the Directive? The Directive applies to payment services in the European Union. The Directive focuses on electronic payments, which are more cost-efficient than cash and which also stimulate consumption and economic growth.

Why is PSD2 important?

PSD2 brings several major consumer benefits, such as: PSD2 tackles fraud in online payments: PSD2 introduces strong security requirements for electronic payments and for the protection of consumers' financial data to ensure their privacy is respected by all market operators.

What is PSD2 regulation and what is the impact?

PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure in Europe, improve innovation and help banking services adapt to new technologies.

What countries does PSD2 apply to?

The PSD2 applies directly to consumers in all EU member nations. While the primary focus is on EU banks and payment processors, companies whose headquarters are outside the EU may be subject if they have customers or users within EU jurisdiction.

Is PSD2 the same as open banking?

The main driver for open banking was EU legislation known as PSD2. This introduced new regulated activities of 'account information' and 'payment initiation' and gave consumers the right to use the services.

Is PSD2 a law?

PSD2 requires all payment account providers across the EU to provide certain regulated firms access to customers' accounts, subject to their explicit consent.

Does PSD2 apply to debit cards?

PSD2 prohibits surcharging, which is additional charges for payments with consumer credit or debit cards, both in shops or online.

Is 3DS mandatory?

3DS is not yet mandatory everywhere. It is compulsory only in the countries that have complied with PSD2. All 44 countries in Europe are required by law to use 3DS as their layer of protection. Australia and Singapore are also required by their governments to use 3D Secure.

Is PSD2 the same as 3DS?

Payments Service Directive PSD2 is one of the reasons why 3DS2 is now being rolled out as a substitute for 3DS1. The acronym plus the number 2 is essentially the amended successor to the original Payment Service Directive that was first implemented by the governments of the European Union in 2007.

Who should comply with PSD2?

Who is Impacted? The rules and guidelines of PSD2 apply to modern payment services, including banks, credit unions, fintech companies and payment companies (e.g., third party payment service providers, account servicing payment service providers and payment information service providers) based in the European Union.

What new types of payment actors does PSD2 regulate?

PSD2 introduces two categories of TPPs: AISPs and PISPs. AISPs allow customers to see integrated information from various service providers. PISPs allow customers to initiate online payments directly from their personal bank accounts.

Are payment service providers regulated?

All non-bank payment service providers (ie APIs, EMIs and SPIs) must be authorised or registered with us. You can contact us for more information about regulated firms. Some of these non-bank providers may trade under different names than the one authorised or registered with us.

What is a major concern about PSD2?

Transaction fraud risk. The market changes that we anticipate as a result of PSD2 will likely create new opportunities for fraud because banks will be required to open up their infrastructure and allow third-party providers access to customer account information.

Why is PSD2 being introduced?

PSD2 was designed to improve the customer payment experience, so it should have positive implications for those who make transactions online. For customers, PSD2 brings more confidence in staying safe online, while also benefiting from the ease of a more streamlined transaction process.

Does PSD2 apply to prepaid cards?

Notably, this amendment broadens the Open Banking solution to include all payment account types covered by PSD2, which means that additional products are now included in the scope of Open Banking, such as credit cards, e-wallets, currency accounts, charge cards, prepaid accounts and payments enabled savings, deposit, ...

Is PSD2 in the US?

Although the PSD2 regulation is enforced by the European Union, companies based in North America need to pay attention too, as it will start to have an impact on U.S. businesses in the near future.

What is the key disruptive part of PSD2 regulation?

As the trend towards Open Banking gathers pace, PSD2 is set to accelerate industry disruption by regulating new forms of Payment Institutions, introducing new interaction models, and mandating the opening of banks' application programming interfaces (APIs) to third parties.

What is 3DS secure payment?

For extra fraud protection, 3D Secure (3DS) requires customers to complete an additional verification step with the card issuer when paying. Typically, you direct the customer to an authentication page on their bank's website, and they enter a password associated with the card or a code sent to their phone.

What is PSD2 open banking?

What is PSD2? PSD2 (Payment Services Directive Two) is EU legislation designed to make open banking possible and secure, by: Enforcing higher standards of security around online transactions through multi-factor authentication (MFA).

Does PSD2 apply to UK after Brexit?

1) With the UK no longer part of both the EU and EEA, payments between the UK and countries within the EEA can no longer be defined as intra-EEA payments under PSD2.

What are the PSD2-mandated use cases under the open API initiative?

PSD2 specifies that consumers have the right to use any third-party provider for their online banking services. As a result, banks are mandated to provide open Application Programming Interfaces or APIs to allow software at one company to access payment account information and payment initiation from another.

What is the difference between PSD1 and PSD2?

PSD1 only addresses transfers inside the EU and is limited to the currencies of the Member States. PSD2 will extend the application of PSD1 rules on transparency to "one-leg transactions", hence covering payment transactions to persons outside the EU as regards the “EU part” of the transaction.

Is PayPal PSD2 compliant?

PayPal complies with PSD2's SCA mandate; however, as a business owner, you must take extra steps to ensure your PayPal payment process is compliant.

Does PSD2 apply to business accounts?

PSD1 and PSD2 are written with customer protection in mind, and as such, apply to both retail customers and corporate companies. Since retail customers and corporate companies have different needs and requirements, PSD2 allows banks the option to use a 'corporate opt-out' for certain provisions.

How do I get a PSD2 license?

How do I apply for a PSD2 licence? You can submit an application for a licence to operate as a payment service provider to DNB. You must submit your application through our Digital Supervision Portal.

What is PSD2 strong customer authentication?

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.

What is the revised payment services directive?

The Revised Payment Services Directive (PSD2) is a European electronic payment services regulation intended to make electronic and online payments more secure throughout the European Union.

Why was PSD1 introduced?

Adopted in 2007 and implemented in 2009, the Payment Services Directive (PSD1) aimed to create a single market for payments in the European Union, as well as provide a foundation for the Single Euro Payments Area (SEPA).

Does PSD2 apply to Norway?

As a member of the EEA, EU legislation, such as PSD2, does not automatically become Norwegian law, but must be incorporated into the EEA Agreement and subsequently be transposed into Norwegian law by an enactment of the Norwegian parliament.

When was PSD2 first introduced?

The revised Payment Services Directive (PSD2) updates and enhances the EU rules put in place by the initial PSD adopted in 2007. The PSD2 entered into force on 12 January 2016 and EU Member States were given until 13 January 2018 to transpose it into national law.

Article information

Author: Amb. Frankie Simonis

Last Updated: 03/07/2023
