The second Payment Services Directive, adopted on 25 November 2015 (PSD2), aims to address the issues that the digital revolution has raised for online payments. The widely discussed changes introduced by PSD2 will have a significant impact on, amongst others, payment institutions (PIs), i.e. legal entities that have already been authorised to provide and execute payment services under the national laws implementing the first Payment Services Directive (PSD1). These institutions will have to adapt their activities to the PSD2 requirements, including those applicable to authorisation as PIs.
In comparison with the PSD1, the list of documents that have to be submitted to the competent authorities for authorisation as a PI has been considerably expanded. To illustrate, an undertaking seeking authorisation as a PI shall provide the competent authority with the following, in addition to the documents that were already required under the PSD1:
1. The procedure for monitoring, handling and following up on security incidents and security-related customer complaints, including an incident reporting mechanism in line with the EBA Guidelines on Incident Reporting (currently in draft). Even where an incident reporting mechanism is already in place, under the new regulation:
- the scope of major operational or security incidents has been broadened under the aforementioned EBA Guidelines (these Guidelines establish the qualitative and quantitative criteria that payment service providers should use to assess the materiality of an operational or security incident); and
- should the incident affect the financial interests of the customer, the PI will also be required to inform the customer without undue delay and advise them of the measures available to mitigate any adverse consequences. Such a disclosure requirement will inevitably have an impact on the PI's reputation.
2. The process in place to file, monitor, track and restrict access to sensitive payment data.
Until the adoption of the PSD2, the definition of "sensitive payment data" had been set out in the European Central Bank Recommendations for the Security of Internet Payments. The definition of "sensitive payment data" has not been materially amended; however, for the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data.
3. The business continuity arrangements, including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans.
4. The principles and definitions applied to the collection of statistical data on performance, transactions and fraud.
5. The security policy document, including a detailed risk assessment in relation to its payment services and a description of the security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data.
A requirement to have a security policy document is not new; however, such a document was not required for authorisation purposes under the PSD1. The PSD2, on the other hand, imposes that requirement, and the required content of the security policy document is wider than under the current regulations.
At this stage, market participants are awaiting the secondary legislation that will implement the PSD2 requirements. It is nevertheless clear that PIs will have to allocate additional human and financial resources to comply with the new requirements and to amend their internal rules and procedures before the deadline (13 July 2018).