For further information about this Eurofinas position, please contact:

Transcription

1 Eurofinas observations on the Commission s Proposal for a revised Directive of the European Parliament and of the Council on Payment Services (COM(2013) 547 final) December 2013 ABOUT EUROFINAS Eurofinas, the European Federation of Finance House Associations, is the voice of the specialised consumer credit providers in the EU. As a Federation, Eurofinas brings together associations throughout Europe that represent finance houses, universal banks, specialised banks and captive finance companies of car, equipment, etc. manufacturers. The scope of products covered by Eurofinas members includes all forms of consumer credit products such as personal loans, linked credit, credit cards and store cards. Consumer credit facilitates access to assets and services as diverse as cars, education, furniture, electronic appliances, etc. Eurofinas members financed over 312 billion euro worth of new loans during 2012 with outstandings reaching 828 billion euros at the end of the year. For further information about this Eurofinas position, please contact: i.bengtzboe@eurofinas.org Eurofinas is entered into the European Transparency Register of Interest Representatives with ID n

2 INTRODUCTORY OBSERVATIONS Eurofinas, the voice of consumer credit providers at European level, takes note of the publication of the European Commission s Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market (COM(2013) 547 final). The Commission s Proposal provides a good basis to further discuss the issues at stake in a European context. We support the Commission s efforts to achieve a further integrated and more efficient European payment market with greater innovation and competition. The increased level of harmonisation and the proposed extension of the scope are welcomed to achieve a more level playing field and greater legal certainty across the EU. However, we strongly believe that the definitions as well as other provisions related to Third Party Payment Service Providers (TPPs) must be further clarified and provide for a better balance as regards to responsibilities and contractual relationships. SPECIFIC OBSERVATIONS 1. Title 1 Article 2 Scope TPPs use existing online banking systems to offer Payment Initiation Services and Account Information Services to consumers. The issue of safety is of paramount importance. Through their activities, TPPs may gain full access to their customers online banking facilities. The issue of protection against fraud, hacking attacks and theft is therefore of the highest importance. Eurofinas therefore supports the inclusion of TPPs within the scope of the revised Payment Services Directive (PSD 2) as regards to supervisory and licensing regime. 2. Title II Articles 10 & 27 Granting of authorisation and Waivers-conditions The existing lighter regime for small payment institutions is essentially maintained under the PSD 2. This could lead to TPPs remaining unauthorised when their average of total amount of payment transactions executed is less than 1 million EUR on a monthly basis. We believe that the size of a party involved in the payment chain should be irrelevant. 3. Title II Article 29 Access to payment systems To enhance competition, it is proposed in Article 29 of the PSD 2 that TPPs are to be provided access to the existing payment systems. We believe that further clarification is needed to ensure that PSPs are free to accept TPPs of their choice into their systems. The principle of contractual freedom should be adhered to. 4. Chapter II Article 57 Consent The PSD 2 provides that consent to execute a payment transaction shall also be considered given where the payer authorises a third party payment service provider to initiate the payment transaction with the account servicing payment service provider. The right of access of TPPs in the payment chain creates additional legal and operational interactions between the account-holding PSPs, the TPPs and the customers. We believe that these relationships can only be properly governed by agreement between all the relevant parties, thus also between accountholding PSPs and TPPs. 2/5

3 In order to pay appropriate respect to security requirements, to allocate the various responsibilities between the parties as well as to address other legal obligations (such as banking secrecy and data protection obligations), the consent of the account-holding PSP should also be necessary. 5. Chapter I Articles 58 & 59 Access to and use of payment account information by third party Under the proposed PSD 2, consumers may provide TPPs with their personal online banking details. The authentication systems offered by banks provides for wider services than only payments and banking services, for example e-identity solutions. We therefore believe that this should not be authorised under the Directive. TPPs should not be allowed to rely on the bank credentials provided by their customers. It creates uncertainty as to who is using the banking system and also increases the risks for identity theft and digital fraud/crime, which are already substantial and growing. According to Article 84 of the PSD 2, TPPs will have to comply with the standards of the EU Data Protection Directive, not least the principle of purpose limitation in Article 6(1)(b). TPPS will likely try extend their business model from acting as releaser of a payment to other services/activities, which may cause privacy risks for the consumer. To achieve greater certainty, the article should provide for a clear limitation on the use the account information. As to the responsibility of the account-holding PSP to provide information on the availability of sufficient funds for the specified payment transaction, the information should, with respect to the principle of proportionality, be limited to yes/no. Information on the actual balance on the account is not necessary for the TPP to obtain in order for it to perform its services. 6. Chapter II Articles Liability Liability vis-à-vis TPPs The obligations of TPPs as well as roles and (shared) responsibilities between account-holding PSPs and TPPs should be further clarified. A number of the provisions of the proposal (not least Articles 60(2), 62(1), 63(2), 65) remains ambiguous and it should be made clear that TPPs are subject to the full PSD 2, and are fully liable e.g. for any errors or fraud assignable to them. The Articles fail to adhere to the principle set out in recital 52 which states that: Rights and obligations of the payment service users and payment service providers should be appropriately adjusted to take account of the TPP involvement in the transaction whenever the payment initiation service is used. Specifically, a balanced liability repartition between the payment service provider servicing the account and the TPP involved in the transaction should compel them to take responsibility for the respective parts of the transaction that are under their control and clearly point to the responsible party in case of incidents. The TPPs should be responsible to act in relation to payers using their services. An account-holding PSP should not be forced to take responsibility nor liability when a payer has utilised the services of a TPP. The latter should assume the full responsibility for its services and the duty to act/refund payers in relation to their provided services. Furthermore, we stress the necessity for governing contract between account-holding PSPs. Unjustified legal uncertainty will otherwise persists as to how TPPs are to provide compensation to the accountholding PSPs. PSPs liability for unauthorised payment transactions Eurofinas wants to stress the issues with the demand for immediate actions in relation to requests for refund (Article 65(1). To adequately assess requested refunds against possible fraudulent or wholly unjustified attempts, PSPs must be given the appropriate time to handle these requests. 3/5

4 In relation to unauthorised transactions involving TPPs, Article 65(2) provides that account-holding PSPs shall refund the payer and seek a resolution with an involved TPP. Such request should rather be directed to the involved TPP as the PSD 2 does not allow the account-holding PSP to interfere in the transaction. Account-holding PSPs may not control and are not allowed to stop the use of the payment initiation services. TPPs may be used on the initiative by payers, not the account-holding PSPs, and the TPPs should therefore take on this task and the accompanying insolvency risk for the services they have provided. Personal liability for unauthorised payment transactions Eurofinas warns against the proposed lowering of the maximum loss that is carried by the payer. Article 66 provides that the payer is only to carry a maximum loss of 50 EUR (lowered from the current amount 150 EUR). We believe that the current level is adequate as to not discourage consumers from the use of payment instruments and equally provides the payer with the incentive to act responsibly and act with the appropriate care. 7. Chapter III Article 80 Non-execution, defective or late execution As stated above, we believe that a better balance of responsibilities and duties needs to be struck between TPPs and account-holding PSPs. We firmly object against any liability for account-holding PSPs in relation to non-executed or defective payment transactions where TPPs are responsible. The TPP should in such a situation take its full responsibility and refund the user of its services. Furthermore, Article 80(1) provides that the [account-holding] payment service provider shall regardless of liability under this paragraph, on request, make immediate efforts to trace the payment transaction and notify the payer of the outcome. Such an obligation must be further clarified to ensure that accountholding PSPs receive adequate compensation for the tasks carried out. 8. Chapter IV Article 84 Data Protection The current PSD (Article 79) explicitly allows the exchange of data necessary to safeguard the prevention, investigation and detection of payment fraud. The provision has unfortunately been withdrawn from the PSD 2. However, the effective detection and prevention of fraud are very important, not only for PSPs and the payment systems but also for consumers, (e.g. identity theft). Therefore, the current content should be retained in Article 84. It is unlikely that a simple reference to the current Data Protection Directive and the respective national rules would achieve the same effect. Because the current EU data protection legal framework is under review, clarity is needed to ensure the prevention, detection and investigation of payment fraud by PSPs and payment systems. 9. Chapter V Articles 85 & 86 Security NIS Directive Articles 85 and 86 of the PSD 2 make references to the proposed, but yet to be adopted Network and Information Security Directive (NIS Directive). Eurofinas believes that it is inappropriate to interconnect the legislative acts as there is great uncertainty related to the final outcome of the NIS Directive and, as a consequence, the national transpositions. The NIS Directive cannot be applied as such until the whole process is completed. Authentication systems 4/5

5 Eurofinas believes it is unclear how Article 86 of the PSD 2 would work in practice. The PSPs should rely on their respective authentication methods and be liable for the quality of these methods. A level playing field should be ensured as to security and costs. The TPPs should therefore not be allowed to use the account-holding PSPs authentication instruments unless there is an agreement between the parties and adequate remuneration for the used services. 10. Chapter V Article 90 Internal dispute resolution Article 90 of the PSD 2 provides that PSPs are to respond, addressing all points raised, within 15 business days of receipt of a complaint. However, such a timeframe would not be sufficient to deal with, for example, cross-border payments. Eurofinas therefore believes that the timeframe should be extended to 30 business days. 5/5