Directive (EU) 2015/2366 of the European Parliament and of the Council
of 25 November 2015
on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank,
Having regard to the opinion of the European Economic and Social Committee,
Acting in accordance with the ordinary legislative procedure,
Whereas:
In recent years, significant progress has been achieved in integrating retail payments in the Union, in particular in the context of the Union acts on payments, in particular through Directive 2007/64/EC of the European Parliament and of the Council, Regulation (EC) No 924/2009 of the European Parliament and of the Council, Directive 2009/110/EC of the European Parliament and of the Council, and Regulation (EU) No 260/2012 of the European Parliament and of the Council. Directive 2011/83/EU of the European Parliament and of the Council has further complemented the legal framework for payment services by setting a specific limit on the ability of retailers to surcharge their customers for the use of a given means of payment.
The revised Union legal framework on payment services is complemented by Regulation (EU) 2015/751 of the European Parliament and of the Council. That Regulation introduces, in particular, rules on the charging of interchange fees for card-based transactions and aims to further accelerate the achievement of an effective integrated market for card-based payments.
Directive 2007/64/EC was adopted in December 2007 on the basis of a Commission proposal of December 2005. Since then, the retail payments market has experienced significant technical innovation, with rapid growth in the number of electronic and mobile payments and the emergence of new types of payment services in the market place, which challenges the current framework.
The review of the Union legal framework on payment services and, in particular, the analysis of the impact of Directive 2007/64/EC and the consultation on the Commission Green Paper of 11 January 2012, entitled, ‘Towards an integrated European market for card, internet and mobile payments’, have shown that developments have given rise to significant challenges from a regulatory perspective. Significant areas of the payments market, in particular card, internet and mobile payments, remain fragmented along national borders. Many innovative payment products or services do not fall, entirely or in large part, within the scope of Directive 2007/64/EC. Furthermore, the scope of Directive 2007/64/EC and, in particular, the elements excluded from its scope, such as certain payment-related activities, has proved in some cases to be too ambiguous, too general or simply outdated, taking into account market developments. This has resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas. It has proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services and to provide consumers and retailers with effective, convenient and secure payment methods in the Union. In that context, there is a large positive potential which needs to be more consistently explored.
The continued development of an integrated internal market for safe electronic payments is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit fully from the internal market.
New rules should be established to close the regulatory gaps while at the same time providing more legal clarity and ensuring consistent application of the legislative framework across the Union. Equivalent operating conditions should be guaranteed, to existing and new players on the market, enabling new means of payment to reach a broader market, and ensuring a high level of consumer protection in the use of those payment services across the Union as a whole. This should generate efficiencies in the payment system as a whole and lead to more choice and more transparency of payment services while strengthening the trust of consumers in a harmonised payments market.
In recent years, the security risks relating to electronic payments have increased. This is due to the growing technical complexity of electronic payments, the continuously growing volumes of electronic payments worldwide and emerging types of payment services. Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities.
The provisions of this Directive on transparency and information requirements for payment service providers and on rights and obligations in relation to the provision and use of payment services should also apply, where appropriate, to transactions where one of the payment service providers is located outside the European Economic Area (EEA) in order to avoid divergent approaches across Member States to the detriment of consumers. Where appropriate, those provisions should be extended to transactions in all official currencies between payment service providers that are located within the EEA.
Money remittance is a simple payment service that is usually based on cash provided by a payer to a payment service provider, which remits the corresponding amount, for example via a communication network, to a payee or to another payment service provider acting on behalf of the payee. In some Member States, supermarkets, merchants and other retailers provide to the public a corresponding service enabling them to pay utilities and other regular household bills. Those bill-paying services should be treated as money remittance, unless the competent authorities consider the activity to fall under another payment service.
This Directive introduces a neutral definition of acquiring of payment transactions in order to capture not only the traditional acquiring models structured around the use of payment cards, but also different business models, including those where more than one acquirer is involved. This should ensure that merchants receive the same protection, regardless of the payment instrument used, where the activity is the same as the acquiring of card transactions. Technical services provided to payment service providers, such as the mere processing and storage of data or the operation of terminals, should not be considered to constitute acquiring. Moreover, some acquiring models do not provide for an actual transfer of funds by the acquirer to the payee because the parties may agree upon other forms of settlement.
The exclusion from the scope of Directive 2007/64/EC of payment transactions through a commercial agent on behalf of the payer or the payee is applied very differently across the Member States. Certain Member States allow the use of the exclusion by e-commerce platforms that act as an intermediary on behalf of both individual buyers and sellers without a real margin to negotiate or conclude the sale or purchase of goods or services. Such application of the exclusion goes beyond the intended scope set out in that Directive and has the potential to increase risks for consumers, as those providers remain outside the protection of the legal framework. Differing application practices also distort competition in the payment market. To address those concerns, the exclusion should therefore apply when agents act only on behalf of the payer or only on behalf of the payee, regardless of whether or not they are in possession of client funds. Where agents act on behalf of both the payer and the payee (such as certain e-commerce platforms), they should be excluded only if they do not, at any time enter into possession or control of client funds.
This Directive should not apply to the activities of cash-in-transit companies (CITs) and cash management companies (CMCs) where the activities concerned are limited to the physical transport of banknotes and coins.
Feedback from the market shows that the payment activities covered by the limited network exclusion often comprise significant payment volumes and values and offer to consumers hundreds or thousands of different products and services. That does not fit the purpose of the limited network exclusion as provided for in Directive 2007/64/EC and implies greater risks and no legal protection for payment service users, in particular consumers, and clear disadvantages for regulated market actors. To help limit those risks, it should not be possible to use the same instrument to make payment transactions to acquire goods and services within more than one limited network or to acquire an unlimited range of goods and services. A payment instrument should be considered to be used within such a limited network if it can be used only in the following circumstances: first, for the purchase of goods and services in a specific retailer or specific retail chain, where the entities involved are directly linked by a commercial agreement which for example provides for the use of a single payment brand and that payment brand is used at the points of sale and appears, where feasible, on the payment instrument that can be used there; second, for the purchase of a very limited range of goods or services, such as where the scope of use is effectively limited to a closed number of functionally connected goods or services regardless of the geographical location of the point of sale; or third, where the payment instrument is regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services.
Payment instruments covered by the limited network exclusion could include store cards, fuel cards, membership cards, public transport cards, parking ticketing, meal vouchers or vouchers for specific services, which are sometimes subject to a specific tax or labour legal framework designed to promote the use of such instruments to meet the objectives laid down in social legislation. Where such a specific-purpose instrument develops into a general-purpose instrument, the exclusion from the scope of this Directive should no longer apply. Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing. The limited network exclusion should apply in combination with the obligation of potential payment service providers to notify activities falling within its scope.
Directive 2007/64/EC excludes from its scope certain payment transactions by means of telecom or information technology devices where the network operator not only acts as an intermediary for the delivery of digital goods and services through the device in question, but also adds value to those goods or services. In particular, that exclusion allows for so-called operator billing or direct to phone-bill purchases which, starting with ringtones and premium SMS services, contribute to the development of new business models based on the low-value sale of digital content and voice-based services. Those services include entertainment, such as chat, downloads such as video, music and games, information such as on weather, news, sports updates, stocks and directory enquiries, TV and radio participation such as voting, competition entry, and provision of live feedback. Feedback from the market shows no evidence that such payment transactions, trusted by consumers as convenient for low-threshold payments, have developed into a general payment intermediation service. However, due to the ambiguous wording of the relevant exclusion, it has been implemented differently across Member States, leading to a lack of legal certainty for operators and consumers and occasionally allowing payment intermediation services to claim eligibility for an unlimited exclusion from the scope of Directive 2007/64/EC. It is therefore appropriate to clarify and narrow the scope of eligibility for that exclusion for such service providers by specifying the types of payment transactions to which it applies.
The exclusion relating to certain payment transactions by means of telecom or information technology devices should focus specifically on micro-payments for digital content and voice-based services. A clear reference to payment transactions for the purchase of electronic tickets should be introduced to take into account the development in payments where, in particular, customers can order, pay for, obtain and validate electronic tickets from any location and at any time using mobile phones or other devices. Electronic tickets allow and facilitate the delivery of services that consumers could otherwise purchase in paper ticket form and include transport, entertainment, car parking, and entry to venues, but exclude physical goods. They thus reduce the production and distribution costs connected with traditional paper-based ticketing channels and increase customer convenience by providing new and simple ways to purchase tickets. In order to ease the burden on entities that collect charitable donations, payment transactions in relation to such donations should also be excluded. Member States should, in accordance with national law, be free to limit the exclusion to donations collected in favour of registered charitable organisations. The exclusion as a whole should apply only where the value of payment transactions is below a specified threshold in order to limit it clearly to payments with a low risk profile.
The Single Euro Payments Area (SEPA) has facilitated the creation of Union-wide ‘payment factories’ and ‘collection factories’, allowing for the centralisation of payment transactions of the same group. In that respect payment transactions between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking provided by a payment service provider belonging to the same group should be excluded from the scope of this Directive. The collection of payment orders on behalf of a group by a parent undertaking or its subsidiary for onward transmission to a payment service provider should not be considered to be a payment service for the purposes of this Directive.
Directive 2007/64/EC excludes from its scope payment services offered by deployers of automated teller machines (ATMs) independent from account servicing payment service providers. That exclusion has stimulated the growth of independent ATM services in many Member States, in particular in less populated areas. Excluding that fast-growing part of the ATM market from the scope of this Directive completely could, however, lead to confusion about withdrawal charges. In cross-border situations, this could lead to double charging for the same withdrawal by the account servicing payment service provider and by the ATM deployer. Consequently, in order to maintain the provision of ATM services while ensuring clarity with regard to withdrawal charges, it is appropriate to maintain the exclusion but to require ATM operators to comply with specific transparency provisions of this Directive. Moreover, charges applied by ATM operators should be without prejudice to Regulation (EC) No 924/2009.
Service providers seeking to benefit from an exclusion from the scope of Directive 2007/64/EC often have not consulted authorities on whether their activities are covered by, or excluded from, that Directive, but have relied on their own assessments. This has led to a differing application of certain exclusions across Member States. It also appears that some exclusions may have been used by payment service providers to redesign business models so that the payment activities offered would be outside the scope of that Directive. This may result in increased risks for payment service users and diverging conditions for payment service providers in the internal market. Service providers should therefore be obliged to notify relevant activities to competent authorities so that the competent authorities can assess whether the requirements set out in the relevant provisions are fulfilled and to ensure a homogenous interpretation of the rules throughout the internal market. In particular, for all exclusions based on the respect of a threshold, a notification procedure should be provided in order to ensure compliance with the specific requirements.
Moreover, it is important to include a requirement for potential payment service providers to notify competent authorities of the activities that they provide in the framework of a limited network on the basis of the criteria set out in this Directive if the value of payment transactions exceeds a certain threshold. Competent authorities should assess whether the activities so notified can be considered to be activities provided in the framework of a limited network.
The definition of payment services should be technologically neutral and should allow for the development of new types of payment services, while ensuring equivalent operating conditions for both existing and new payment service providers.
This Directive should follow the approach taken in Directive 2007/64/EC, which covers all types of electronic payment services. It would therefore not be appropriate for the new rules to apply to services where the transfer of funds from the payer to the payee or their transport is executed solely in bank notes and coins or where the transfer is based on a paper cheque, paper-based bill of exchange, promissory note or other instrument, paper-based vouchers or cards drawn upon a payment service provider or other party with a view to placing funds at the disposal of the payee.
This Directive should not apply to payment transactions made in cash since a single payments market for cash already exists. Nor should this Directive apply to payment transactions based on paper cheques since, by their nature, paper cheques cannot be processed as efficiently as other means of payment. Good practice in that area should, however, be based on the principles set out in this Directive.
It is necessary to specify the categories of payment service providers which may legitimately provide payment services throughout the Union, namely, credit institutions which take deposits from users that can be used to fund payment transactions and which should continue to be subject to the prudential requirements laid down in Directive 2013/36/EU of the European Parliament and of the Council, electronic money institutions which issue electronic money that can be used to fund payment transactions and which should continue to be subject to the prudential requirements laid down in Directive 2009/110/EC, payment institutions and post office giro institutions which are so entitled under national law. The application of that legal framework should be confined to service providers who provide payment services as a regular occupation or business activity in accordance with this Directive.
This Directive lays down rules on the execution of payment transactions where the funds are electronic money as defined in Directive 2009/110/EC. This Directive does not, however, regulate the issuance of electronic money as provided for in Directive 2009/110/EC. Therefore, payment institutions should not be allowed to issue electronic money.
Directive 2007/64/EC established a prudential regime, introducing a single licence for all providers of payment services which are not connected to taking deposits or issuing electronic money. To that end, Directive 2007/64/EC introduced a new category of payment service providers, namely ‘payment institutions’, by providing for the authorisation, subject to a set of strict and comprehensive conditions, of legal persons outside the existing categories to provide payment services throughout the Union. Thus, the same conditions should apply Union-wide to such services.
Since the adoption of Directive 2007/64/EC new types of payment services have emerged, especially in the area of internet payments. In particular, payment initiation services in the field of e-commerce have evolved. Those payment services play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s account servicing payment service provider in order to initiate internet payments on the basis of a credit transfer.
Moreover, technological developments have given rise to the emergence of a range of complementary services in recent years, such as account information services. Those services provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user is thus able to have an overall view of its financial situation immediately at any given moment. Those services should also be covered by this Directive in order to provide consumers with adequate protection for their payment and account data as well as legal certainty about the status of account information service providers.
Payment initiation services enable the payment initiation service provider to provide comfort to a payee that the payment has been initiated in order to provide an incentive to the payee to release the goods or to deliver the service without undue delay. Such services offer a low-cost solution for both merchants and consumers and provide consumers with a possibility to shop online even if they do not possess payment cards. Since payment initiation services are currently not subject to Directive 2007/64/EC, they are not necessarily supervised by a competent authority and are not required to comply with Directive 2007/64/EC. This raises a series of legal issues, such as consumer protection, security and liability as well as competition and data protection issues, in particular regarding protection of the payment service users’ data in accordance with Union data protection rules. The new rules should therefore respond to those issues.
The personalised security credentials used for secure customer authentication by the payment service user or by the payment initiation service provider are usually those issued by the account servicing payment service providers. Payment initiation service providers do not necessarily enter into a contractual relationship with the account servicing payment service providers and, regardless of the business model used by the payment initiation service providers, the account servicing payment service providers should make it possible for payment initiation service providers to rely on the authentication procedures provided by the account servicing payment service providers to initiate a specific payment on behalf of the payer.
When exclusively providing payment initiation services, the payment initiation service provider does not at any stage of the payment chain hold the user’s funds. When a payment initiation service provider intends to provide payment services in relation to which it holds user funds, it should obtain full authorisation for those services.
Payment initiation services are based on direct or indirect access for the payment initiation service provider to the payer’s account. An account servicing payment service provider which provides a mechanism for indirect access should also allow direct access for the payment initiation service providers.
This Directive should aim to ensure continuity in the market, enabling existing and new service providers, regardless of the business model applied by them, to offer their services with a clear and harmonised regulatory framework. Pending the application of those rules, without prejudice to the need to ensure the security of payment transactions and customer protection against demonstrable risk of fraud, Member States, the Commission, the European Central Bank (ECB) and the European Supervisory Authority (European Banking Authority), established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council (EBA), should guarantee fair competition in that market avoiding unjustifiable discrimination against any existing player on the market. Any payment service provider, including the account servicing payment service provider of the payment service user, should be able to offer payment initiation services.
This Directive does not substantially change the conditions for granting and maintaining authorisation as payment institutions. As in Directive 2007/64/EC, the conditions include prudential requirements proportionate to the operational and financial risks faced by such bodies in the course of their business. In that connection, there is a need for a sound regime of initial capital combined with on-going capital which could be elaborated in a more sophisticated way in due course depending on the needs of the market. Due to the range of variety in the payment services area, this Directive should allow various methods combined with a certain range of supervisory discretion to ensure that the same risks are treated the same way for all payment service providers. The requirements for the payment institutions should reflect the fact that payment institutions engage in more specialised and limited activities, thus generating risks that are narrower and easier to monitor and control than those that arise across the broader spectrum of activities of credit institutions. In particular, payment institutions should be prohibited from accepting deposits from users and should be permitted to use funds received from users only for rendering payment services. The required prudential rules including the initial capital should be appropriate to the risk relating to the respective payment service provided by the payment institution. Payment service providers that provide only payment initiation services should be considered to be of a medium risk with regard to the initial capital.
Payment initiation service providers and account information service providers, when exclusively providing those services, do not hold client funds. Accordingly, it would be disproportionate to impose own funds requirements on those new market players. Nevertheless, it is important that they be able to meet their liabilities in relation to their activities. They should therefore be required to hold either professional indemnity insurance or a comparable guarantee. EBA should develop guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria to be used by Member States to establish the minimum monetary amount of professional indemnity insurance or comparable guarantee. EBA should not differentiate between professional indemnity insurance and a comparable guarantee, as they should be interchangeable.
In order to avoid abuses of the right of establishment, it is necessary to require that the payment institution requesting authorisation in the Member State provide at least part of its payment services business in that Member State.
Provision should be made for payment service user funds to be kept separate from the payment institution’s funds. Safeguarding requirements are necessary when a payment institution is in possession of payment service user funds. Where the same payment institution executes a payment transaction for both the payer and the payee and a credit line is provided to the payer, it might be appropriate to safeguard the funds in favour of the payee once they represent the payee’s claim towards the payment institution. Payment institutions should also be subject to effective anti-money laundering and anti-terrorist financing requirements.
This Directive does not change the account reporting obligations of payment institutions or their obligation to carry out audits on their annual and consolidated accounts. Payment institutions are required to draw up their annual and consolidated accounts in accordance with Council Directive 86/635/EEC and Directive 2013/34/EU of the European Parliament and of the Council. The annual accounts and consolidated accounts are to be audited, unless the payment institution is exempted from that obligation under those Directives.
When engaging in the provision of one or more of the payment services covered by this Directive, payment service providers should always hold payment accounts used exclusively for payment transactions. In order to enable payment service providers to provide payment services, it is indispensable that they have the possibility to open and maintain accounts with credit institutions. Member States should ensure that access to such accounts be provided in a manner that is not discriminatory and that is proportionate to the legitimate aim it intends to achieve. While access can be basic, it should always be sufficiently extensive for the payment institution to be able to provide its services in an unobstructed and efficient way.
This Directive should regulate the granting of credit by payment institutions, namely the granting of credit lines and the issuance of credit cards, only where it is closely linked to payment services. Only if credit is granted in order to facilitate payment services and such credit is of a short-term nature and is granted for a period not exceeding 12 months, including on a revolving basis, is it appropriate to allow payment institutions to grant such credit with regard to their cross-border activities, on condition that it is refinanced using mainly the payment institution’s own funds, as well as other funds from the capital markets, and not the funds held on behalf of clients for payment services. Such rules should be without prejudice to Directive 2008/48/EC of the European Parliament and of the Council or other relevant Union law or national measures regarding conditions for granting credit to consumers that are not harmonised by this Directive.
Overall, the functioning of cooperation between the national competent authorities responsible for granting authorisations to payment institutions, carrying out controls and deciding on the withdrawal of any authorisations granted, has proven to work satisfactorily. However, cooperation between competent authorities should be enhanced, both with regard to the information exchanged as well as a coherent application and interpretation of this Directive, where an authorised payment institution would like to provide payment services in a Member State other than its home Member State, in exercise of the right of establishment or the freedom to provide services (‘passporting’), including through the internet. EBA should assist in resolving disputes between competent authorities in the context of cross-border cooperation in accordance with Regulation (EU) No 1093/2010. It should also prepare a set of draft regulatory technical standards on cooperation and data exchange.
In order to enhance transparency of the operation of payment institutions that are authorised by, or registered with, competent authorities of the home Member State, including their agents, and to ensure a high level of consumer protection in the Union, it is necessary to ensure easy public access to the list of the entities providing payment services. EBA should therefore develop and operate a central register in which it publishes a list of the names of the entities providing payment services. Member States should ensure that the data that they provide is kept up to date. Those measures should also contribute to the enhancement of the cooperation between the competent authorities.
The availability of accurate, up-to-date information should be enhanced by requiring payment institutions to inform the competent authority of their home Member State without undue delay of any changes affecting the accuracy of the information and evidence provided with regard to the authorisation, including additional agents or entities to which activities are outsourced. Competent authorities should also, in the event of doubt, verify that the information received is correct.
Member States should be able to require that payment institutions operating on their territory, whose head office is situated in another Member State, report to them periodically on their activities in their territories for information or statistical purposes. Where those payment institutions operate pursuant to the right of establishment, it should be possible for that information also to be used for monitoring compliance with Titles III and IV of this Directive and Member States should be able to require those payment institutions to appoint a central contact point in their territory in order to facilitate the supervision of networks of agents by competent authorities. EBA should develop draft regulatory standards setting out the criteria to determine when the appointment of a central contact point is appropriate and what its functions should be. The requirement to appoint a central contact point should be proportionate to achieving the aim of adequate communication and information reporting on compliance with Titles III and IV in the host Member State.
In emergency situations, where immediate action is necessary to address a serious threat to the collective interests of the payment service users in the host Member State, such as large scale fraud, it should be possible for the competent authorities of the host Member State, to take precautionary measures in parallel with the cross-border cooperation between competent authorities of the host and the home Member State and pending measures by the competent authority of the home Member State. Those measures should be appropriate, proportionate to the aim, non-discriminatory and temporary in nature. Any measures should be properly justified. The competent authorities of the home Member State of the relevant payment institution and other authorities concerned, such as the Commission and EBA, should be informed in advance or, if not possible in view of the emergency situation, without undue delay.
While this Directive specifies the minimum set of powers competent authorities should have when supervising the compliance of payment institutions, those powers are to be exercised while respecting fundamental rights, including the right to privacy. Without prejudice to the control of an independent authority (national data protection authority) and in accordance with the Charter of Fundamental Rights of the European Union, Member States should have in place adequate and effective safeguards where it is possible that the exercise of those powers could lead to abuse or arbitrariness amounting to serious interference with such rights, for instance, where appropriate, through the prior authorisation of the judicial authority of the Member State concerned.
It is important to ensure that all persons providing payment services be brought within the ambit of certain minimum legal and regulatory requirements. Thus, it is desirable to require the registration of the identity and whereabouts of all persons providing payment services, including of persons which are unable to meet the full range of conditions for authorisation as payment institutions. Such an approach is in line with the rationale of Special Recommendation VI of the Financial Action Task Force on Money Laundering which provides for a mechanism whereby payment service providers who are unable to meet all of the conditions set out in that Recommendation may nevertheless be treated as payment institutions. For those purposes, even where persons are exempt from all or part of the conditions for authorisation Member States should enter them in the register of payment institutions. However, it is essential to make the possibility of an exemption subject to strict requirements relating to the value of payment transactions. Payment institutions benefiting from an exemption should not benefit from the right of establishment or freedom to provide services and should not indirectly exercise those rights while being a member of a payment system.
In view of the specific nature of the activity performed and the risks connected to the provision of account information services, it is appropriate to provide for a specific prudential regime for account information service providers. Account information service providers should be allowed to provide services on a cross-border basis, benefiting from the ‘passporting’ rules.
It is essential for any payment service provider to be able to access the services of technical infrastructures of payment systems. Such access should, however, be subject to appropriate requirements in order to ensure integrity and stability of those systems. Each payment service provider applying for participation in a payment system should bear the risk of its own choice of system and provide proof to the payment system that its internal arrangements are sufficiently robust against all kinds of risk. Those payment systems typically include the four-party card schemes as well as major systems processing credit transfers and direct debits. In order to ensure equality of treatment throughout the Union as between the different categories of authorised payment service providers, according to the terms of their licence, it is necessary to clarify the rules concerning access to payment systems.
Provision should be made for the non-discriminatory treatment of authorised payment institutions and credit institutions so that any payment service provider competing in the internal market is able to use the services of the technical infrastructures of those payment systems under the same conditions. It is appropriate to provide for different treatment for authorised payment service providers and for those benefiting from an exemption under this Directive as well as from the exemption under the Article 3 of Directive 2009/110/EC, due to the differences in their respective prudential framework. In any case, differences in price conditions should be allowed only where that is motivated by differences in costs incurred by the payment service providers. This should be without prejudice to Member States’ right to limit access to systemically important systems in accordance with Directive 98/26/EC of the European Parliament and of the Council15 and without prejudice to the competence of the ECB and the European System of Central Banks concerning access to payment systems.
This Directive is without prejudice to the scope of application of Directive 98/26/EC. However, in order to ensure fair competition between payment service providers, a participant in a designated payment system subject to the conditions of Directive 98/26/EC which provides services in relation to such a system to an authorised or registered payment service provider should also, when requested to do so, grant access to such services in an objective, proportionate and non-discriminatory manner to any other authorised or registered payment service provider. Payment service providers that are granted such access should not, however, be considered to be participants as defined in Directive 98/26/EC, and hence should not benefit from the protection granted under that Directive.
The provisions relating to access to payment systems should not apply to systems set up and operated by a single payment service provider. Such payment systems can operate either in direct competition to payment systems, or, more typically, in a market niche not adequately covered by payment systems. Such systems include three-party schemes, such as three-party card schemes, to the extent that they never operate as de facto four-party card schemes, for example by relying upon licensees, agents or co-brand partners. Such systems also typically include payment services offered by telecommunication providers where the scheme operator is the payment service provider both to the payer and to the payee, as well as internal systems of banking groups. In order to stimulate the competition that can be provided by such closed payment systems to established mainstream payment systems, it would not be appropriate to grant third parties access to those closed proprietary payment systems. However, such closed systems should always be subject to Union and national competition rules which may require that access be granted to the schemes in order to maintain effective competition in payments markets.
As consumers and undertakings are not in the same position, they do not need the same level of protection. While it is important to guarantee consumer rights by provisions from which it is not possible to derogate by contract, it is reasonable to let undertakings and organisations agree otherwise when they are not dealing with consumers. However, Member States should be able to provide that microenterprises, as defined in Commission Recommendation 2003/361/EC16, be treated in the same way as consumers. In any case, certain core provisions of this Directive should always apply, irrespective of the status of the user.
This Directive should specify the obligations on payment service providers as regards the provision of information to the payment service users who should receive the same high level of clear information about payment services in order to make well-informed choices and be able to choose freely within the Union. In the interest of transparency, this Directive lays down the harmonised requirements needed to ensure that necessary, sufficient and comprehensible information is given to the payment service users with regard to the payment service contract and the payment transactions. In order to promote the smooth functioning of the single market in payment services, Member States should adopt only those information provisions laid down in this Directive.
Consumers should be protected against unfair and misleading practices in accordance with Directive 2005/29/EC of the European Parliament and the Council17 as well as with Directives 2000/31/EC18, 2002/65/EC19, 2008/48/EC, 2011/83/EU20 and 2014/92/EU21 of the European Parliament and the Council. The provisions of those Directives continue to apply. However, the relationship between the pre-contractual information requirements laid down in this Directive and Directive 2002/65/EC should, in particular, be clarified.
In order to enhance efficiency the information required should be proportionate to the needs of users and should be communicated in a standard format. However, the information requirements for a single payment transaction should be different from those of a framework contract which provides for a series of payment transactions.
In practice, framework contracts and the payment transactions covered by them are far more common and economically significant than single payment transactions. If there is a payment account or a specific payment instrument, a framework contract is required. Therefore, the requirements for prior information on framework contracts should be comprehensive and information should always be provided on paper or on another durable medium, such as printouts by account printers, CD-ROMs, DVDs, the hard drives of personal computers on which electronic mail can be stored, and internet sites, provided that such sites are accessible for future reference, for a sufficient period of time for the purposes of accessing the information and provided that these sites allow the reproduction of the information stored there in an unaltered form. However, it should be possible for the payment service provider and the payment service user to agree in the framework contract on the manner in which subsequent information on executed payment transactions is to be given, for instance, that in internet banking, all information on the payment account be made available online.
In single payment transactions only the essential information should always be given on the payment service provider’s own initiative. As the payer is usually present when giving the payment order, it should not be necessary to require in every case that information be provided on paper or on another durable medium. The payment service provider should be able to give information orally over the counter or make it otherwise easily accessible, for example by keeping the conditions on a notice board on the premises. Information should also be given on where to find other, more detailed, information, for example on the website. However, if the consumer so requests, the essential information should also be given on paper or on another durable medium.
This Directive should provide for a right for consumers to receive relevant information free of charge before being bound by any payment service contract. Consumers should also be able to request prior information as well as the framework contract, on paper, free of charge at any time during the contractual relationship, so as to enable them both to compare the services and conditions offered by payment service providers and in the case of any dispute, to verify their contractual rights and obligations, thereby maintaining a high level of consumer protection. Those provisions should be compatible with Directive 2002/65/EC. The specific provisions on free information in this Directive should not have the effect of allowing charges to be imposed for the provision of information to consumers under other applicable directives.
The way in which the required information is to be given by the payment service provider to the payment service user should take into account the needs of the latter as well as practical technical aspects and cost-efficiency depending on the situation with regard to the agreement in the respective payment service contract. This Directive should therefore distinguish between two ways in which information is to be given by the payment service provider: either the information should be provided, i.e. actively communicated by the payment service provider at the appropriate time as required by this Directive without any prompting by the payment service user, or the information should be made available to the payment service user on the basis of a request for further information. In the second situation, the payment service user should take active steps in order to obtain the information, such as requesting it explicitly from the payment service provider, logging into a bank account mail box or inserting a bank card into a printer for account statements. For such purposes the payment service provider should ensure that access to the information is possible and that the information is available to the payment service user.
The consumer should receive basic information on executed payment transactions at no additional charge. In the case of a single payment transaction the payment service provider should not charge separately for that information. Similarly, subsequent information on payment transactions under a framework contract should also be provided on a monthly basis free of charge. However, taking into account the importance of transparency in pricing and differing customer needs, the parties should be able to agree on charges for more frequent or additional information. In order to take into account different national practices, Member States should be able to require that monthly statements of payment accounts on paper or in another durable medium are always to be given free of charge.
In order to facilitate customer mobility, it should be possible for consumers to terminate a framework contract without incurring charges. However, for contracts terminated by the consumer less than 6 months after their entry into force, payment service providers should be allowed to apply charges in line with the costs incurred due to the termination of the framework contract by the consumer. For consumers, the period of notice agreed should be no longer than 1 month, and for payment service providers no shorter than 2 months. This Directive should be without prejudice to the payment service provider’s obligation to terminate the payment service contract in exceptional circumstances under other relevant Union or national law, such as that on money laundering or terrorist financing, any action targeting the freezing of funds, or any specific measure linked to the prevention and investigation of crimes.
In order to ensure a high level of consumer protection, Member States should, in the interests of the consumer, be able to maintain or introduce restrictions or prohibitions on unilateral changes in the conditions of a framework contract, for instance if there is no justified reason for such a change.
Contractual provisions should not, as their object or effect, discriminate against consumers who are legally resident in the Union, on the grounds of their nationality or place of residence. For example, where a framework contract provides for the right to block the payment instrument for objectively justified reasons, the payment service provider should not be able to invoke that right merely because the payment service user has changed its place of residence within the Union.
With regard to charges, experience has shown that the sharing of charges between a payer and a payee is the most efficient system since it facilitates the straight-through processing of payments. Provision should therefore be made for charges to be levied, in the normal course, directly on the payer and the payee by their respective payment service providers. The amount of any charges levied may also be zero as the provisions of this Directive should not affect the practice whereby the payment service provider does not charge consumers for crediting their accounts. Similarly, depending on the contract terms, a payment service provider may charge only the payee (merchant) for the use of the payment service, in which case no charges are imposed on the payer. It is possible that the payment systems impose charges by way of a subscription fee. The provisions on the amount transferred or any charges levied have no direct impact on pricing between payment service providers or any intermediaries.
Different national practices concerning charging for the use of a given payment instrument (‘surcharging’) have led to extreme heterogeneity of the Union’s payments market and have become a source of confusion for consumers, in particular in the e-commerce and cross-border context. Merchants located in Member States where surcharging is allowed offer products and services in Member States where surcharging is prohibited and surcharge the consumer. There are also many examples of merchants surcharging consumers at levels much higher than the cost borne by the merchant for the use of a specific payment instrument. Moreover, a strong rationale for revising surcharging practices is supported by the fact that Regulation (EU) 2015/751 establishes rules for interchange fees for card-based payments. Interchange fees constitute the main component of merchant charges for cards and card-based payments. Surcharging is the steering practice sometimes used by merchants to compensate for the additional costs of card-based payments. Regulation (EU) 2015/751 imposes limits on the level of interchange fees. Those limits will apply before the prohibition set out in this Directive. Consequently, Member States should consider preventing payees from requesting charges for the use of payment instruments for which the interchange fees are regulated in Chapter II of Regulation (EU) 2015/751.
While this Directive recognises the relevance of payment institutions, credit institutions remain the principal gateway for consumers to obtain payment instruments. The issuing of a card-based payment instrument by a payment service provider, whether a credit institution or a payment institution, other than that servicing the account of the customer, would provide increased competition in the market and thus more choice and a better offer for consumers. Whilst today, most payments at the point of sale are card based, the current degree of innovation in the field of payments might lead to the rapid emergence of new payment channels in the forthcoming years. It is therefore appropriate that in its review of this Directive, the Commission gives particular consideration to those developments and to whether the scope of the provision on the confirmation on the availability of funds needs to be revised. For the payment service provider issuing the card based payment instrument, particularly debit cards, obtaining confirmation of availability of funds on the customer’s account from the account servicing payment service provider would enable the issuer to better manage and to reduce its credit risk. At the same time, that confirmation should not allow the account servicing payment service provider to block funds on the payer’s payment account.
The use of a card or card-based payment instrument for making a payment often triggers the generation of a message confirming availability of funds and two resulting payment transactions. The first transaction takes place between the issuer and the merchant’s account servicing payment service provider, while the second, usually a direct debit, takes place between the payer’s account servicing payment service provider and the issuer. Both transactions should be treated in the same way as any other equivalent transactions. Payment service providers issuing card-based payment instruments should enjoy the same rights and should be subject to the same obligations under this Directive, regardless of whether or not they are the account servicing payment service provider of the payer, in particular in terms of responsibility (e.g. authentication) and liability vis-à-vis the different actors in the payment chain. Since the payment service provider’s request and the confirmation on the availability of the funds can be made through existing secure communication channels, technical procedures and infrastructure for communication between payment initiation service providers or account information service providers and account servicing payment service providers, while respecting the necessary security measures, there should be no additional costs for payment services providers or cardholders. Furthermore, whether the payment transaction takes place in an internet environment (the merchant’s website), or in retail premises, the account servicing payment service provider should be obliged to provide the confirmation requested by the issuer only where accounts held by the account servicing payment service providers are electronically accessible for that confirmation at least online. 
Given the specific nature of electronic money, it should not be possible to apply that mechanism to payment transactions initiated through card-based payment instruments on which electronic money, as defined in Directive 2009/110/EC, is stored.
The obligation to keep personalised security credentials safe is of the utmost importance to protect the funds of the payment service user and to limit the risks relating to fraud and unauthorised access to the payment account. However, terms and conditions or other obligations imposed by payment service providers on payment service users in relation to keeping personalised security credentials safe should not be drafted in a way that prevents payment service users from taking advantage of services offered by other payment service providers, including payment initiation services and account information services. Furthermore, such terms and conditions should not contain any provisions that would make it more difficult, in any way, to use the payment services of other payment service providers authorised or registered pursuant to this Directive.
In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions, the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions, provided that the payment service provider has fulfilled its information obligations under this Directive. If the notification deadline is met by the payment service user, the payment service user should be able to pursue those claims subject to national limitation periods. This Directive should not affect other claims between payment service users and payment service providers.
In the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, where there is a high suspicion of an unauthorised transaction resulting from fraudulent behaviour by the payment service user and where that suspicion is based on objective grounds which are communicated to the relevant national authority, the payment service provider should be able to conduct, within a reasonable time, an investigation before refunding the payer. In order to protect the payer from any disadvantages, the credit value date of the refund should not be later than the date when the amount has been debited. In order to provide an incentive for the payment service user to notify, without undue delay, the payment service provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a very limited amount, unless the payment service user has acted fraudulently or with gross negligence. In that context, an amount of EUR 50 seems to be adequate in order to ensure a harmonised and high-level user protection within the Union. There should be no liability where the payer is not in a position to become aware of the loss, theft or misappropriation of the payment instrument. Moreover, once users have notified a payment service provider that their payment instrument may have been compromised, payment service users should not be required to cover any further losses stemming from unauthorised use of that instrument. This Directive should be without prejudice to payment service providers’ responsibility for technical security of their own products.
In order to assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all of the circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. However, while the concept of negligence implies a breach of a duty of care, gross negligence should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties. Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered to be null and void. Moreover, in specific situations and in particular where the payment instrument is not present at the point of sale, such as in the case of online payments, it is appropriate that the payment service provider be required to provide evidence of alleged negligence since the payer’s means to do so are very limited in such cases.
Provision should be made for the allocation of losses in the case of unauthorised payment transactions. Different provisions may apply to payment service users who are not consumers, since such users are normally in a better position to assess the risk of fraud and take countervailing measures. In order to ensure a high level of consumer protection, payers should always be entitled to address their claim to a refund to their account servicing payment service provider, even where a payment initiation service provider is involved in the payment transaction. This is without prejudice to the allocation of liability between the payment service providers.
In the case of payment initiation services, rights and obligations of the payment service users and of the payment service providers involved should be appropriate to the service provided. Specifically, the allocation of liability between the payment service provider servicing the account and the payment initiation service provider involved in the transaction should compel them to take responsibility for the respective parts of the transaction that are under their control.
This Directive aims to increase consumer protection in cases of card-based payment transactions where the exact transaction amount is not known at the moment when the payer gives consent to execute the payment transaction, for example at automatic fuelling stations, in car rental contracts or when making hotel reservations. The payer’s payment service provider should be able to block funds on the payer’s payment account only if the payer has given consent to the exact amount of the funds to be blocked and those funds should be released without undue delay after receipt of the information concerning the exact amount of the payment transaction and at the latest immediately after receipt of the payment order.
However, in parallel with SEPA, legacy non-euro direct debit schemes continue to exist in Member States whose currency is not the euro. Those schemes are proving to be efficient and ensure the same high level of protection to the payer by other safeguards, not always based on an unconditional right to a refund. In that case the payer should be protected by the general rule for a refund when the executed payment transaction exceeds the amount which could reasonably have been expected. In addition, it should be possible for Member States to lay down rules concerning the right to a refund that are more favourable to the payer. There is a genuine demand for specific euro-denominated direct debit products within SEPA, as illustrated by the continued existence of certain legacy payment services in euro in some Member States. It would be proportionate to permit the payer and the payer’s payment service provider to agree in a framework contract that the payer has no right to a refund in situations where the payer is protected either because the payer has given consent to execute a transaction directly to its payment service provider, including when the payment service provider acts on behalf of the payee, or because, where applicable, information on the future payment transaction was provided or made available in an agreed manner to the payer at least 4 weeks before the due date by the payment service provider or by the payee. In any event, the payer should always be protected by the general refund rule in the case of unauthorised or incorrectly executed payment transactions.
For financial planning and the fulfilment of payment obligations in due time, consumers and undertakings need to have certainty as to the length of time that the execution of a payment order will take. This Directive should therefore establish when rights and obligations take effect, namely, when the payment service provider receives the payment order, including when the payment service provider has had the opportunity to receive it through the means of communication agreed in the payment service contract, notwithstanding any prior involvement in the process leading up to the creation and transmission of the payment order, e.g. security and availability of funds checks, information on the use of the personal identity number or issuance of a payment promise. Furthermore, receipt of a payment order should occur when the payer’s payment service provider receives the payment order to be debited from the payer’s account. The day or moment when a payee transmits to the payment service provider payment orders for the collection e.g. of card payments or of direct debits or when the payee is granted a pre-financing on the related amounts by the payment service provider by way of a contingent credit to the account should have no relevance in that respect. Users should be able to rely on the proper execution of a complete and valid payment order if the payment service provider has no contractual or statutory ground for refusal. If the payment service provider refuses a payment order, the refusal and the reason for the refusal should be communicated to the payment service user at the earliest opportunity, subject to the requirements of Union and national law. Where the framework contract provides that the payment service provider may charge a fee for refusal, such a fee should be objectively justified and should be kept as low as possible.
In view of the speed with which modern fully automated payment systems process payment transactions, which means that after a certain point in time payment orders cannot be revoked without high manual intervention costs, it is necessary to specify a clear deadline for payment revocations. However, depending on the type of the payment service and the payment order, it should be possible to vary the deadline for payment revocations by agreement between the parties. Revocation, in that context, should apply only to the relationship between a payment service user and a payment service provider, thus being without prejudice to the irrevocability and finality of payment transactions in payment systems.
Such irrevocability should not affect a payment service provider’s rights or obligations under the laws of some Member States, based on the payer’s framework contract or national laws, regulations, administrative provisions or guidelines, to reimburse the payer with the amount of the executed payment transaction in the event of a dispute between the payer and the payee. Such reimbursement should be considered to be a new payment order. Except for those cases, legal disputes arising within the relationship underlying the payment order should be settled only between the payer and the payee.
It is essential, for the fully integrated straight-through processing of payments and for legal certainty with respect to the fulfilment of any underlying obligation between payment service users, that the full amount transferred by the payer should be credited to the account of the payee. Accordingly, it should not be possible for any of the intermediaries involved in the execution of payment transactions to make deductions from the amount transferred. However, it should be possible for payees to enter into an agreement with their payment service provider which allows the latter to deduct its own charges. Nevertheless, in order to enable the payee to verify that the amount due is correctly paid, subsequent information provided on the payment transaction should indicate not only the full amount of funds transferred, but also the amount of any charges that have been deducted.
Low-value payment instruments should be a cheap and easy-to-use alternative in the case of low-priced goods and services and should not be overburdened by excessive requirements. The relevant information requirements and rules on their execution should therefore be limited to essential information, also taking into account the technical capabilities that can justifiably be expected from instruments dedicated to low-value payments. Despite the lighter regime, payment service users should have adequate protection, having regard to the limited risks posed by those payment instruments, especially with regard to prepaid payment instruments.
In order to improve the efficiency of payments throughout the Union, all payment orders initiated by the payer and denominated in euro or the currency of a Member State whose currency is not the euro, including credit transfers and money remittances, should be subject to a maximum 1-day execution time. For all other payments, such as payments initiated by or through a payee, including direct debits and card payments, in the absence of an explicit agreement between the payment service provider and the payer setting a longer execution time, the same 1-day execution time should apply. It should be possible to extend those periods by 1 additional business day, if a payment order is given on paper, to allow the continued provision of payment services to consumers who are used only to paper documents. When a direct debit scheme is used the payee’s payment service provider should transmit the collection order within the time limits agreed between the payee and the payment service provider, enabling settlement on the agreed due date. In view of the fact that payment infrastructures are often highly efficient and in order to prevent any deterioration in current service levels, Member States should be allowed to maintain or establish rules specifying an execution time shorter than 1 business day, where appropriate.
The provisions on execution for the full amount and execution time should constitute good practice where one of the payment service providers is not located in the Union.
In order to strengthen the trust of consumers in a harmonised payment market, it is essential for payment service users to know the real costs and charges of payment services in order to make their choice. Accordingly, the use of non-transparent pricing methods should be prohibited, since it is commonly accepted that those methods make it extremely difficult for users to establish the real price of the payment service. Specifically, the use of value dating to the disadvantage of the user should not be permitted.
The smooth and efficient functioning of the payment system depends on the user being able to rely on the payment service provider executing the payment transaction correctly and within the agreed time. Usually, the payment service provider is in a position to assess the risks involved in the payment transaction. It is the payment service provider that provides the payments system, makes arrangements to recall misplaced or wrongly allocated funds and decides in most cases on the intermediaries involved in the execution of a payment transaction. In view of all of those considerations, it is appropriate, except under abnormal and unforeseeable circumstances, to impose liability on the payment service provider in respect of the execution of a payment transaction accepted from the user, except in respect of acts and omissions by the payee’s payment service provider, who was selected solely by the payee. However, in order not to leave the payer unprotected in the unlikely circumstances that it is not clear that the payment amount was duly received by the payee’s payment service provider, the corresponding burden of proof should lie on the payer’s payment service provider. As a rule, it can be expected that the intermediary institution, usually a neutral body such as a central bank or a clearing house, that transfers the payment amount from the sending to the receiving payment service provider, will store the account data and will be able to provide the latter where necessary. Where the payment amount has been credited to the receiving payment service provider’s account, the payee should immediately have a claim against the payment service provider for credit to the account.
The payer’s payment service provider, namely the account servicing payment service provider or, where appropriate, the payment initiation service provider, should assume liability for correct payment execution, including, in particular, the full amount of the payment transaction and execution time, and full responsibility for any failure by other parties in the payment chain up to the account of the payee. As a result of that liability, the payment service provider of the payer should, where the full amount is not credited or is only credited late to the payee’s payment service provider, correct the payment transaction or without undue delay refund the payer the relevant amount of that transaction, without prejudice to any other claims which may be made in accordance with national law. Due to the payment service provider’s liability, the payer or payee should not be burdened with any costs relating to the incorrect payment. In the case of non-execution, defective or late execution of payment transactions, Member States should ensure that the value date of corrective payments of payment service providers is always the same as the value date in the case of correct execution.
This Directive should concern only contractual obligations and responsibilities between the payment service user and the payment service provider. However, the proper functioning of credit transfers and other payment services requires that payment service providers and their intermediaries, such as processors, have contracts in which their mutual rights and obligations are laid down. Questions relating to liabilities form an essential part of those uniform contracts. To ensure the reliability among payment service providers and intermediaries taking part in a payment transaction, legal certainty is necessary to the effect that a non-responsible payment service provider is compensated for losses incurred or sums paid pursuant to the provisions of this Directive relating to liability. Further rights and details of content of recourse and how to handle claims towards the payment service provider or intermediary attributable to a defective payment transaction should be subject to agreement.
It should be possible for the payment service provider to specify unambiguously the information required to execute a payment order correctly. On the other hand, however, in order to avoid fragmentation and jeopardising the setting-up of integrated payment systems in the Union, Member States should not be allowed to require a particular identifier to be used for payment transactions. However, that should not prevent Member States from requiring the payment service provider of the payer to act with due diligence and to verify, where technically possible and without requiring manual intervention, the coherence of the unique identifier, and, where the unique identifier is found to be incoherent, to refuse the payment order and inform the payer thereof. The liability of the payment service provider should be limited to the correct execution of the payment transaction in accordance with the payment order of the payment service user. If the funds involved in a payment transaction reach the wrong recipient due to an incorrect unique identifier provided by the payer, the payment service providers of the payer and the payee should not be liable, but should be obliged to cooperate in making reasonable efforts to recover the funds including by communicating relevant information.
Provision of payment services by the payment services providers may entail processing of personal data. Directive 95/46/EC of the European Parliament and of the Council (22), the national rules which transpose Directive 95/46/EC and Regulation (EC) No 45/2001 of the European Parliament and of the Council (23) are applicable to the processing of personal data for the purposes of this Directive. In particular, where personal data is processed for the purposes of this Directive, the precise purpose should be specified, the relevant legal basis referred to, the relevant security requirements laid down in Directive 95/46/EC complied with, and the principles of necessity, proportionality, purpose limitation and proportionate data retention period respected. Also, data protection by design and data protection by default should be embedded in all data processing systems developed and used within the framework of this Directive.
This Directive respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for private and family life, the right to protection of personal data, the freedom to conduct a business, the right to an effective remedy and the right not to be tried or punished twice in criminal proceedings for the same offence. This Directive must be implemented in accordance with those rights and principles.
Payment service providers are responsible for security measures. Those measures need to be proportionate to the security risks concerned. Payment service providers should establish a framework to mitigate risks and maintain effective incident management procedures. A regular reporting mechanism should be established, to ensure that payment service providers provide the competent authorities, on a regular basis, with an updated assessment of their security risks and the measures that they have taken in response to those risks. Furthermore, in order to ensure that damage to users, other payment service providers or payment systems, such as a substantial disruption of a payment system, is kept to a minimum, it is essential that payment service providers be required to report major security incidents without undue delay to the competent authorities. A coordination role by EBA should be established.
The security incidents reporting obligations should be without prejudice to other incident reporting obligations laid down in other legal acts of the Union and any requirements laid down in this Directive should be aligned with, and proportionate to, the reporting obligations imposed by other Union law.
It is necessary to set up a clear legal framework which sets out the conditions under which payment initiation service providers and account information service providers can provide their services with the consent of the account holder without being required by the account servicing payment service provider to use a particular business model, whether based on direct or indirect access, for the provision of those types of services. The payment initiation service providers and the account information service providers on the one hand and the account servicing payment service provider on the other, should observe the necessary data protection and security requirements established by, or referred to in, this Directive or included in the regulatory technical standards. Those regulatory technical standards should be compatible with the different technological solutions available. In order to ensure secure communication between the relevant actors in the context of those services, EBA should also specify the requirements of common and open standards of communication to be implemented by all account servicing payment service providers that allow for the provision of online payment services. This means that those open standards should ensure the interoperability of different technological communication solutions. Those common and open standards should also ensure that the account servicing payment service provider is aware that he is being contacted by a payment initiation service provider or an account information service provider and not by the client itself. The standards should also ensure that payment initiation service providers and account information service providers communicate with the account servicing payment service provider and with the customers involved in a secure manner. 
In developing those requirements, EBA should pay particular attention to the fact that the standards to be applied are to allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services.
When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.
Security of electronic payments is fundamental for ensuring the protection of users and the development of a sound environment for e-commerce. All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. There does not seem to be a need to guarantee the same level of protection to payment transactions initiated and executed with modalities other than the use of electronic platforms or devices, such as paper-based payment transactions, mail orders or telephone orders. A solid growth of internet payments and mobile payments should be accompanied by a generalised enhancement of security measures. Payment services offered via internet or via other at-distance channels, the functioning of which does not depend on where the device used to initiate the payment transaction or the payment instrument used are physically located, should therefore include the authentication of transactions through dynamic codes, in order to make the user aware, at all times, of the amount and the payee of the transaction that the user is authorising.
The security measures should be compatible with the level of risk involved in the payment service. In order to allow the development of user-friendly and accessible means of payment for low-risk payments, such as low value contactless payments at the point of sale, whether or not they are based on mobile phone, the exemptions to the application of security requirements should be specified in regulatory technical standards. Safe use of personalised security credentials is needed to limit the risks relating to phishing and other fraudulent activities. In that respect, the user should be able to rely on the adoption of measures that protect the confidentiality and integrity of personalised security credentials. Those measures typically include encryption systems based on personal devices of the payer, including card readers or mobile phones, or provided to the payer by its account servicing payment service provider via a different channel, such as by SMS or email. The measures, typically including encryption systems, which may result in authentication codes such as one-time passwords, are able to enhance the security of payment transactions. The use of such authentication codes by payment service users should be considered to be compatible with their obligations in relation to payment instruments and personalised security credentials also when payment initiation service providers or account information service providers are involved.
Member States should determine whether the competent authorities designated for granting authorisation to payment institutions might also be the competent authorities with regard to alternative dispute resolution (ADR) procedures.
Without prejudice to the right of customers to bring action in the courts, Member States should ensure easily accessible, adequate, independent, impartial, transparent and effective ADR procedure between payment service providers and payment service users arising from the rights and obligations set out in this Directive. Regulation (EC) No 593/2008 of the European Parliament and of the Council (24) provides that the protection afforded to consumers by the mandatory rules of the law of the country in which they have their habitual residence is not to be undermined by any contractual terms concerning the law applicable to the contract. With a view to establishing an efficient and effective dispute resolution procedure, Member States should ensure that payment service providers put in place an effective complaints procedure that can be followed by their payment service users before the dispute is referred to be resolved in an ADR procedure or before a court. The complaints procedure should contain short and clearly defined timeframes within which the payment service provider should reply to a complaint. Member States should ensure that ADR entities have sufficient capacity to engage in an adequate and efficient way in cross-border cooperation with regard to disputes concerning rights and obligations pursuant to this Directive.
It is necessary to ensure the effective enforcement of the provisions of national law adopted pursuant to this Directive. Appropriate procedures should therefore be established by means of which it will be possible to pursue complaints against payment service providers which do not comply with those provisions and to ensure that, where appropriate, effective, proportionate and dissuasive penalties are imposed. In view of ensuring effective compliance with this Directive, Member States should designate competent authorities which meet the conditions laid down in Regulation (EU) No 1093/2010 and which act independently from the payment service providers. For reasons of transparency, Member States should notify the Commission which authorities have been designated, with a clear description of their duties pursuant to this Directive.
Without prejudice to the right to bring action in the courts to ensure compliance with this Directive, Member States should also ensure that competent authorities are granted the necessary power, including the power to impose penalties, where the payment service provider does not comply with the rights and obligations laid down in this Directive, in particular if there is a risk of re-offending or another concern for collective consumer interests.
It is important that consumers be informed in a clear and comprehensible way of their rights and obligations under this Directive. The Commission should therefore produce a leaflet about those rights and obligations.
This Directive is without prejudice to provisions of national law relating to the consequences as regards liability of inaccuracy in the expression or transmission of a statement.
This Directive should be without prejudice to the provisions relating to the VAT treatment of payment services in Council Directive 2006/112/EC (25).
Where this Directive makes reference to amounts in euro, these amounts have to be intended as the national currency equivalent as determined by each non-euro Member State.
In the interests of legal certainty, it is appropriate to make transitional arrangements allowing persons who have commenced the activities of payment institutions in accordance with the national law transposing Directive 2007/64/EC before the entry into force of this Directive to continue those activities within the Member State concerned for a specified period.
The power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of adapting the reference to Recommendation 2003/361/EC where that Recommendation is amended and updating the average amount of payment transactions executed by the payment service provider used as a threshold for Member States that apply the option to exempt (parts) of the authorisation requirements for smaller payment institutions to take account of inflation. It is of particular importance that the Commission carries out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
In order to ensure consistent application of this Directive, the Commission should be able to rely on the expertise and support of EBA, which should have the task of elaborating guidelines and preparing draft regulatory technical standards on security aspects of payment services in particular with regard to strong customer authentication, and on cooperation between Member States in the context of the provision of services and establishment of authorised payment institutions in other Member States. The Commission should be empowered to adopt those draft regulatory technical standards. Those specific tasks are fully in line with the role and responsibilities of EBA as provided in Regulation (EU) No 1093/2010.
EBA should, when developing guidelines, draft regulatory technical standards and draft implementing technical standards pursuant to this Directive and in accordance with Regulation (EU) No 1093/2010, ensure that it consults all relevant stakeholders, including those in the payment services market, reflecting all interests involved. If necessary for getting a proper balance of views, EBA should make a particular effort to obtain the views of relevant non-bank actors.
Since the objective of this Directive, namely the further integration of an internal market in payment services, cannot be sufficiently achieved by the Member States because it requires the harmonisation of a multitude of different rules currently existing in the legal systems of the various Member States but can rather, because of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.
In accordance with the Joint Political Declaration of 28 September 2011 of Member States and the Commission on explanatory documents (26), Member States have undertaken to accompany, in justified cases, the notification of their transposition measures with one or more documents explaining the relationship between the components of a Directive and the corresponding parts of national transposition instruments. With regard to this Directive, the legislator considers the transmission of such documents to be justified.
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 5 December 2013 (27).
Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010 should therefore be amended accordingly.
Given the number of changes that need to be made to Directive 2007/64/EC it is appropriate to repeal and replace it,
HAVE ADOPTED THIS DIRECTIVE: