Welcome to the Holland FinTech PSD2 Web Guide
Holland FinTech has teamed up with 5 law firms from within our network to provide a detailed and comprehensive overview of the PSD2 legislation. We realise that most of us aren’t legal experts, but are affected by the legislation in our day to day business activities. Together with the contributing law firms, we created a resource where you can consult the legislation coupled with commentary, tips and tricks, applicability as well as information on where you can find the articles in Dutch Law. You can use filters to easily access the information you are looking for.
Holland FinTech would like to express its gratitude to the following firms for their contributions, in no particular order: Bird & Bird, Eversheds Sutherland LLC, CMS Derks Star Busmann, Baker McKenzie and Ploum.
*This resource is intended for information purposes only and not to be construed as legal advice for individual cases. Every effort has been made to ensure that this information is up-to-date as of the date of publication (May 2019). It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
Article 1 - Subject Matter
1. This Directive establishes the rules in accordance with which Member States shall distinguish between the following categories of payment service provider:
(a) credit institutions as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (28), including branches thereof within the meaning of point (17) Article 4(1) of that Regulation where such branches are located in the Union, whether the head offices of those branches are located within the Union or, in accordance with Article 47 of Directive 2013/36/EU and with national law, outside the Union;
(b) electronic money institutions within the meaning of point (1) of Article 2 of Directive 2009/110/EC, including, in accordance with Article 8 of that Directive and with national law, branches thereof, where such branches are located within the Union and their head offices are located outside the Union, in as far as the payment services provided by those branches are linked to the issuance of electronic money;
(c) post office giro institutions which are entitled under national law to provide payment services;
(d) payment institutions;
(e) the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities;
(f) Member States or their regional or local authorities when not acting in their capacity as public authorities.
2. This Directive also establishes rules concerning:
(a) the transparency of conditions and information requirements for payment services; and
(b) the respective rights and obligations of payment service users and payment service providers in relation to the provision of payment services as a regular occupation or business activity.
All PSPs
PSD2 provides the legal foundation for the creation of an EU/EEA-wide single market for payments. PSD2 contributes to a more integrated and efficient European payments market and improves the level playing field for payment service providers (including new players). Furthermore it contributes to making payments safer and more secure and it protects consumers and other payment service users.
PSD2 makes a distinction between categories of payment service provider (PSP), which – amongst others – include credit institutions (banks), electronic money institutions and payment institutions.
These PSPs are acting in a regulated environment and should obtain authorisation to be able to conduct their business. A license to act as a credit institution provides for a wide range of financial services to be provided to customers, while a license to act as a payment institution provides for a more restricted range of services to be provided to customers. The business activities which are considered payment services are listed in Annex 1 to PSD2.
General rules applicable to payment institutions are to be found in Title II, Chapter I of PSD2 (articles 5 – 34). These include rules regarding the application for authorization and all formalities which should be taken into account in respect thereto.
Article 1 PSD2 also explains that rules are being established in respect of the transparency of conditions and information requirements for payment services. Such rules are to be found in Title III of PSD2 (articles 38 – 60). Furthermore it explains that rules are being established in respect of rights and obligations of payment service users and payment service providers in relation to the provision of payment services as regular occupation or business activity. Such rules are to be found in Title IV of PSD2 (articles 61 – 103).
Implementation in the Netherlands: Arts. 1(1) (new) and 1(2) PSDII do not need to be transposed into national law.
Article 2 - Scope
1. This Directive applies to payment services provided within the Union.
2. Titles III and IV apply to payment transactions in the currency of a Member State where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the Union.
3. Title III, except for point (b) of Article 45(1), point (2)(e) of Article 52 and point (a) of Article 56, and Title IV, except for Articles 81 to 86, apply to payment transactions in a currency that is not the currency of a Member State where both the payer’s payment service provider and the payee’s payment service provider are, or the sole payment service provider in the payment transaction is, located within the Union, in respect to those parts of the payments transaction which are carried out in the Union.
4. Title III, except for point (b) of Article 45(1), point (2)(e) of Article 52, point (5)(g) of Article 52 and point (a) of Article 56, and Title IV, except for Article 62(2) and (4), Articles 76, 77, 81, 83(1), 89 and 92, apply to payment transactions in all currencies where only one of the payment service providers is located within the Union, in respect to those parts of the payments transaction which are carried out in the Union.
5. Member States may exempt institutions referred to in points (4) to (23) of Article 2(5) of Directive 2013/36/EU from the application of all or part of the provisions of this Directive.
All PSPs
PSD2 applies to payment services which are being provided in the Union. The term Union in this context means the European Economic Area (EEA) Member States, i.e. the EU Member States and Norway, Iceland and Liechtenstein.
The rules on transparency and information requirements for payment service providers (Title III PSD2) and on rights and obligations in relation to the provision and use of payment services (Title IV PSD2) are always applicable if the PSP of the payer as well as the PSP of the payee are located within the EEA. This is also called the “two-leg-principle”. The same applies in case the payer and the payee use the same PSP which is located within the EEA. Therefore, locating the business of a PSP within the EEA triggers applicability of those provisions of PSD2.
Recital 8 of PSD2 addresses that the provisions of PSD2, where appropriate, should be extended to transactions in all official currencies between payment service providers that are located within the EEA. As a result the scope of PSD2 is not limited to payments made in the currency of the Euro Zone (Euro) or one of the other currencies used in the EU (Bulgarian lev, Croatian kuna, Czech koruna, Danish krone, Hungarian forint, Polish zloty, Romanian leu, Swedish krona, British pound) or the EEA (Icelandic króna, Swiss franc (Liechtenstein), Norwegian krone). Payments in every foreign currency are also subject to PSD2, where all participant PSPs are located within the EEA. Please note that some provisions of Title III and Title IV are not applicable to such foreign payments: please see the articles mentioned in article 2 par. 3 of PSD2 for the relevant provision.
Recital 8 of PSD2 furthermore addresses that the provisions of Title III and Title IV should also apply, where appropriate, to transactions where one of the payment service providers is located outside the European Economic Area (EEA) in order to avoid divergent approaches across Member States to the detriment of consumers. This is also called the “one-leg-principle”. Thus also in cases where the payer’s PSP is located in the EEA but the payee’s PSP is located outside the EEA or the payer’s PSP is located outside the EEA but the payee’s PSP is located in the EEA, most of the provisions of Title III and Title IV are applicable in respect of those parts of the payments transaction which are carried out in the EEA. Please see article 2 par. 4 of PSD2 for the articles which are not applicable.
Chapter II of the “Guidance for implementation of the revised Payment Services Directive” of the European Banking Federation published in September 2016 (https://www.ebf.eu/wp-content/uploads/2018/09/EBF_PSD2_guidance_September_2016.pdf) provides guidance and interpretation on the scope of PSD2. Especially pages 8-14 should be considered a must read for anyone looking for a clear summary of the provisions of article 2 PSD2, including example scenarios.
Implementation in the Netherlands: Arts. 2(1) and 2(2) PSDII >> 1:5a, first paragraph; 4:2b, first paragraph, Wft and Bgfo (basis: 1:5a, first paragraph, Wft). Art. 2(3) (new) >> 4:2b, second paragraph, Wft and Bgfo (basis: 1:5a, first paragraph, Wft). Art. 2(4) (new) >> 4:2b, second paragraph, and Bgfo (basis: 1:5a, first paragraph, Wft). Art. 2(5) >> requires no implementation.
Article 3 - Application
This Directive does not apply to the following:
(a) payment transactions made exclusively in cash directly from the payer to the payee, without any intermediary intervention;
(b) payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee;
(c) professional physical transport of banknotes and coins, including their collection, processing and delivery;
(d) payment transactions consisting of the non-professional cash collection and delivery within the framework of a non-profit or charitable activity;
(e) services where cash is provided by the payee to the payer as part of a payment transaction following an explicit request by the payment service user just before the execution of the payment transaction through a payment for the purchase of goods or services;
(f) cash-to-cash currency exchange operations where the funds are not held on a payment account;
(g) payment transactions based on any of the following documents drawn on the payment service provider with a view to placing funds at the disposal of the payee:
(i) paper cheques governed by the Geneva Convention of 19 March 1931 providing a uniform law for cheques;
(ii) paper cheques similar to those referred to in point (i) and governed by the laws of Member States which are not party to the Geneva Convention of 19 March 1931 providing a uniform law for cheques;
(iii) paper-based drafts in accordance with the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes;
(iv) paper-based drafts similar to those referred to in point (iii) and governed by the laws of Member States which are not party to the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes;
(v) paper-based vouchers;
(vi) paper-based traveller’s cheques;
(vii) paper-based postal money orders as defined by the Universal Postal Union;
(h) payment transactions carried out within a payment or securities settlement system between settlement agents, central counterparties, clearing houses and/or central banks and other participants of the system, and payment service providers, without prejudice to Article 35;
(i) payment transactions related to securities asset servicing, including dividends, income or other distributions, or redemption or sale, carried out by persons referred to in point (h) or by investment firms, credit institutions, collective investment undertakings or asset management companies providing investment services and any other entities allowed to have the custody of financial instruments;
(j) services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services;
(k) services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:
(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
(ii) instruments which can be used only to acquire a very limited range of goods or services;
(iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer;
(l) payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service:
(i) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or
(ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets;
provided that the value of any single payment transaction referred to in points (i) and (ii) does not exceed EUR 50 and:
- the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or
- where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month;
(m) payment transactions carried out between payment service providers, their agents or branches for their own account;
(n) payment transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a payment service provider other than an undertaking belonging to the same group;
(o) cash withdrawal services offered by means of ATM by providers, acting on behalf of one or more card issuers, which are not a party to the framework contract with the customer withdrawing money from a payment account, on condition that those providers do not conduct other payment services as referred to in Annex I. Nevertheless the customer shall be provided with the information on any withdrawal charges referred to in Articles 45, 48, 49 and 59 before carrying out the withdrawal as well as on receipt of the cash at the end of the transaction after withdrawal.
PSPs
This article lists the activities that fall within the general definition of payment services, but are excluded from the applicability of PSD2 (this is not the same as the exemptions from the license requirement as provided for in article 32 PSD2). In other words, PSD2 does not apply to the activities listed in this article (however, see comments re O below and the notification requirements applicable to exemptions K and L - see T&T box). Most of these exclusions already existed under PSD1. The material changes introduced by PSD2 regard exclusions B, J, K, L and O.
B: this exclusion is available to a person who is in a payment chain only as a “commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee”. Such commercial agent can thus not be an agent for both (which was different under PSD1). Additionally, the commercial agent must be authorised to negotiate or conclude transactions on behalf of the principal(s) for whom the agent is acting. In the context of selling via internet, there is in practice little scope for negotiating, so when seeking to rely on this exemption one should definitely be concluding transactions on behalf of the principal. Furthermore, when the commercial agent receives payment from a payer, the receipt of that payment should fully discharge the obligation of that payer to pay the payee.
J: this exclusion is usually referred to as the TSP exclusion: it applies to service providers that support the provision of payment services without them at any time coming into the possession of the funds that are being transferred. Such supporting technical services include data storage, trust and privacy protection services, data and entity authentication, providing IT and communication networks, or providing maintenance of terminals and devices used for payment services. As the activities of AISPs and PISPs are “technical” by their nature and because AISPs and PISPs will not come in the possession of the funds, it was considered that, unless they were specifically excluded from the TSP exclusion, the exclusion would have the effect of removing all AISPs or PISPs from the scope of PSD2. In this respect it is relevant to note that the EC has clarified that a TSP provides technical services to PSPs so that the PSP can provide payment services to its users. The TSP itself never enters in relationship with the users directly (unlike PSPs). TSPs are typically contracted by PSPs to assist technically in the provision of payment services.
K: the exclusions under (i) (the so-called limited network exclusion) and (ii) (the so-called limited range exclusion) already existed under PSD1, but PSD2 restricts the limited range exclusion by adding “very”. Furthermore, PSD2 introduces exclusion (iii) (very specialist and not further discussed). The limited network exclusion is generally considered to apply mostly to chains of providers functioning under a single brand – e.g. all Starbucks franchisees. The limited range exclusion is effectively limited to a closed number of functionally related goods or services. In the recitals to PSD2 it is stated that this exclusion could include store cards, fuel cards, membership cards, public transport cards, parking ticketing, meal vouchers or vouchers for specific services. This is also what DCB lists on its website as examples of the limited range exclusion.
L: this exclusion is commonly called the electronic communications network exclusion or the ECN exclusion. This exclusion can only be relied on by a provider of electronic communications networks or services, such as a mobile network operator, when providing payment services in addition to electronic communications services. Furthermore, such mobile network operator can only rely on it when offering the services to subscribers to its network or services. Additionally, the exclusion only applies for the purchase of digital content and voice based services (and thus not physical goods) regardless of the device used for the purchase or within the framework of a charitable activity or for the purchase of tickets when using an electronic device.
On its website, DCB states that digital delivery, for example of a password or code number which can be used to obtain physical goods or services, is not covered by this exclusion. It does include the provision of such password or code number in exchange for digital goods or services, provided that the other requirements of the exclusion are met. DCB also states that a provider of telecommunications, IT or network services acting solely as an intermediary for payments is not covered by the exclusion. This is the case, for example, if such a provider only uses the instrument as a channel to offer goods or services to third parties, while the payment is made through the provider of the telecommunications, IT or network services. Finally, if the provider of the telephone, cable or network subscription offers added value itself, such a form of service is covered by the exclusion. For example, by offering the sale of goods and services of third parties via its own application, website or portal, adding information or providing tools to facilitate searching and finding.
O: PSD2 introduces the requirement that although the relevant cash withdrawal services themselves are excluded from PSD2, the customer must receive the information on any withdrawal charges referred to in articles 45, 48, 49 and 59 PSD2 before the withdrawal will be carried out, as well as on receipt of the cash at the end of the transaction after withdrawal.
B: please be aware that in some jurisdictions - but not in the NL - this exclusion is interpreted very restrictively. On its website, DCB clarified that this exclusion only applies if all of the following conditions are being met: (i) the agent acts only on behalf of the payer or only on behalf of the payee, AND (ii) the agreement must show that the commercial agent is authorised by the payer or the payee and that it acts on behalf of only the payer or only the payee; AND (iii) the agent concludes or negotiates the sale or purchase of the relevant goods or services between payer and payee.
K: a PSP relying on this exclusion must notify DCB in case the total value of transactions in the past 12 months exceeded €1m (parties that already exceed this limit must notify DCB within six months after the coming into effect of the PSD2 legislation in the Netherlands (i.e. no later than 18 August 2019)). When notifying DCB (via its digital supervision portal), you must submit a description of your activities and a justification as to why the exception applies. DCB will notify you whether you will be registered in its public register and that of EBA. If DCB is of the view that your activities do not fall within the scope of the exception, you will not be registered in the public register and you will either require a PSP license or will be required to adjust your activities to rely on this exclusion.
L: a PSP relying on this exclusion must always notify the DCB (parties that already relied on this exclusion before the coming into effect of this notification requirement must notify DCB within six months (i.e. no later than 18 August 2019)). When notifying DCB (via its digital supervision portal), you must submit a statement from an auditor that the activities are within the relevant transaction limits. DCB will notify you whether you will be registered in its public register and that of the EBA. If DCB is of the view that your activities do not fall within the scope of the exception, you will not be registered in the public register and you will either require a PSP license or will be required to adjust your activities to rely on this exclusion.
Art. 1:5a, paragraph 2 FSA; art. 7:515, paragraph 4 DCC
Article 4 - Definitions
For the purposes of this Directive, the following definitions apply:
(1) ‘home Member State’ means either of the following:
(a) the Member State in which the registered office of the payment service provider is situated; or
(b) if the payment service provider has, under its national law, no registered office, the Member State in which its head office is situated;
(2) ‘host Member State’ means the Member State other than the home Member State in which a payment service provider has an agent or a branch or provides payment services;
(3) ‘payment service’ means any business activity set out in Annex I;
(4) ‘payment institution’ means a legal person that has been granted authorisation in accordance with Article 11 to provide and execute payment services throughout the Union;
(5) ‘payment transaction’ means an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee;
(6) ‘remote payment transaction’ means a payment transaction initiated via internet or through a device that can be used for distance communication;
(7) ‘payment system’ means a funds transfer system with formal and standardised arrangements and common rules for the processing, clearing and/or settlement of payment transactions;
(8) ‘payer’ means a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;
(9) ‘payee’ means a natural or legal person who is the intended recipient of funds which have been the subject of a payment transaction;
(10) ‘payment service user’ means a natural or legal person making use of a payment service in the capacity of payer, payee, or both;
(11) ‘payment service provider’ means a body referred to in Article 1(1) or a natural or legal person benefiting from an exemption pursuant to Article 32 or 33;
(12) ‘payment account’ means an account held in the name of one or more payment service users which is used for the execution of payment transactions;
(13) ‘payment order’ means an instruction by a payer or payee to its payment service provider requesting the execution of a payment transaction;
(14) ‘payment instrument’ means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order;
(15) ‘payment initiation service’ means a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider;
(16) ‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider;
(17) ‘account servicing payment service provider’ means a payment service provider providing and maintaining a payment account for a payer;
(18) ‘payment initiation service provider’ means a payment service provider pursuing business activities as referred to in point (7) of Annex I;
(19) ‘account information service provider’ means a payment service provider pursuing business activities as referred to in point (8) of Annex I;
(20) ‘consumer’ means a natural person who, in payment service contracts covered by this Directive, is acting for purposes other than his or her trade, business or profession;
(21) ‘framework contract’ means a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account;
(22) ‘money remittance’ means a payment service where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee, for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, and/or where such funds are received on behalf of and made available to the payee;
(23) ‘direct debit’ means a payment service for debiting a payer’s payment account, where a payment transaction is initiated by the payee on the basis of the consent given by the payer to the payee, to the payee’s payment service provider or to the payer’s own payment service provider;
(24) ‘credit transfer’ means a payment service for crediting a payee’s payment account with a payment transaction or a series of payment transactions from a payer’s payment account by the payment service provider which holds the payer’s payment account, based on an instruction given by the payer;
(25) ‘funds’ means banknotes and coins, scriptural money or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC;
(26) ‘value date’ means a reference time used by a payment service provider for the calculation of interest on the funds debited from or credited to a payment account;
(27) ‘reference exchange rate’ means the exchange rate which is used as the basis to calculate any currency exchange and which is made available by the payment service provider or comes from a publicly available source;
(28) ‘reference interest rate’ means the interest rate which is used as the basis for calculating any interest to be applied and which comes from a publicly available source which can be verified by both parties to a payment service contract;
(29) ‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials;
(30) ‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
(31) ‘personalised security credentials’ means personalised features provided by the payment service provider to a payment service user for the purposes of authentication;
(32) ‘sensitive payment data’ means data, including personalised security credentials which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data;
(33) ‘unique identifier’ means a combination of letters, numbers or symbols specified to the payment service user by the payment service provider and to be provided by the payment service user to identify unambiguously another payment service user and/or the payment account of that other payment service user for a payment transaction;
(34) ‘means of distance communication’ means a method which, without the simultaneous physical presence of the payment service provider and the payment service user, may be used for the conclusion of a payment services contract;
(35) ‘durable medium’ means any instrument which enables the payment service user to store information addressed personally to that payment service user in a way accessible for future reference for a period of time adequate to the purposes of the information and which allows the unchanged reproduction of the information stored;
(36) ‘microenterprise’ means an enterprise, which at the time of conclusion of the payment service contract, is an enterprise as defined in Article 1 and Article 2(1) and (3) of the Annex to Recommendation 2003/361/EC;
(37) ‘business day’ means a day on which the relevant payment service provider of the payer or the payment service provider of the payee involved in the execution of a payment transaction is open for business as required for the execution of a payment transaction;
(38) ‘agent’ means a natural or legal person who acts on behalf of a payment institution in providing payment services;
(39) ‘branch’ means a place of business other than the head office which is a part of a payment institution, which has no legal personality and which carries out directly some or all of the transactions inherent in the business of a payment institution; all of the places of business set up in the same Member State by a payment institution with a head office in another Member State shall be regarded as a single branch;
(40) ‘group’ means a group of undertakings which are linked to each other by a relationship referred to in Article 22(1), (2) or (7) of Directive 2013/34/EU or undertakings as defined in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No 241/2014 (29), which are linked to each other by a relationship referred to in Article 10(1) or in Article 113(6) or (7) of Regulation (EU) No 575/2013;
(41) ‘electronic communications network’ means a network as defined in point (a) of Article 2 of Directive 2002/21/EC of the European Parliament and of the Council (30);
(42) ‘electronic communications service’ means a service as defined in point (c) of Article 2 of Directive 2002/21/EC;
(43) ‘digital content’ means goods or services which are produced and supplied in digital form, the use or consumption of which is restricted to a technical device and which do not include in any way the use or consumption of physical goods or services;
(44) ‘acquiring of payment transactions’ means a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee;
(45) ‘issuing of payment instruments’ means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
(46) ‘own funds’ means funds as defined in point 118 of Article 4(1) of Regulation (EU) No 575/2013 where at least 75 % of the Tier 1 capital is in the form of Common Equity Tier 1 capital as referred to in Article 50 of that Regulation and Tier 2 is equal to or less than one third of Tier 1 capital;
(47) ‘payment brand’ means any material or digital name, term, sign, symbol or combination of them, capable of denoting under which payment card scheme card-based payment transactions are carried out;
(48) ‘co-badging’ means the inclusion of two or more payment brands or payment applications of the same payment brand on the same payment instrument.
All parties within PSD2’s scope.
Some key definitions, such as “payment account”, “business day”, “framework contract”, are unchanged.
Some key additions include “acquiring” payment transactions.
Additionally, definitions contained in the relevant regulations, like “credit transfer” in Regulation No. 260/2012, were included as a point of reference.
The most important new items are the new services listed in Annex 1. This includes: “payment initiation service”, “account information service”, “account servicing payment provider”, “payment initiation service provider”, and “account information service provider”.
Payment initiation service
Recitals 27 and 29 provide further context on where the definition of PIS applies, to help avoid confusion with other definitions.
Accordingly, PIS relates to an online situation where the PISP’s contractual relationship is with the merchant. Payers can utilise a PIS to initiate a transaction via a merchant’s website.
Account information service
AIS allows clients to obtain a consolidated view of their payment accounts. Clients allow an AIS provider to access information from their payment accounts and to provide services based upon the information related to their payment accounts.
Recital 28 and Article 67(2) provide further context: the information an AISP will make available concerns the updated account balances of the payment accounts and payment account debit/credit entries within the scope of PSD2.
1:1 Wft
514 Book 7 Dutch Civil Code.
Article 5 - Applications for authorisation
1. For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following:
(a) a programme of operations setting out in particular the type of payment services envisaged;
(b) a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;
(c) evidence that the payment institution holds initial capital as provided for in Article 7;
(d) for the payment institutions referred to in Article 10(1), a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10;
(e) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;
(f) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96;
(g) a description of the process in place to file, monitor, track and restrict access to sensitive payment data;
(h) a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans;
(i) a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;
(j) a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;
(k) for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council ( 1 ) and Regulation (EU) 2015/847 of the European Parliament and of the Council ( 2 ), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations;
(l) a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system;
(m) the identity of persons holding in the applicant, directly or indirectly, qualifying holdings within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution;
(n) the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution;
(o) where applicable, the identity of statutory auditors and audit firms as defined in Directive 2006/43/EC of the European Parliament and of the Council ( 3 );
(p) the applicant’s legal status and articles of association;
(q) the address of the applicant’s head office.
For the purposes of points (d), (e), (f) and (l) of the first subparagraph, the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of payment services.
The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1). Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) when in place.
2. Member States shall require undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their liabilities as specified in Articles 73, 89, 90 and 92.
3. Member States shall require undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information.
4. By 13 January 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines, addressed to the competent authorities, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3.
In developing the guidelines referred to in the first subparagraph, EBA shall take account of the following:
(a) the risk profile of the undertaking;
(b) whether the undertaking provides other payment services as referred to in Annex I or is engaged in other business;
(c) the size of the activity:
(i) for undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, the value of the transactions initiated;
(ii) for undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, the number of clients that make use of the account information services;
(d) the specific characteristics of comparable guarantees and the criteria for their implementation.
EBA shall review those guidelines on a regular basis.
5. By 13 July 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of the first subparagraph of paragraph 1 of this Article.
EBA shall review those guidelines on a regular basis and in any event at least every 3 years.
6. Taking into account, where appropriate, experience acquired in the application of the guidelines referred to in paragraph 5, EBA may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1.
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
7. The information referred to in paragraph 4 shall be notified to competent authorities in accordance with paragraph 1.
Member States and payment service providers.
This provision provides an overview of application requirements for obtaining a license for providing payment services in a Member State.
Please note that regulators take their time to process applications for payment services. This should be taken into account when applying for a license. In any event regulators should respond within 3 months after receipt of the applications (article 12 PSD2).
Article 2:3b and 3:17 FSA in conjunction with 3a Market Access for Financial Undertakings Decree (Besluit Markttoegang financiele ondernemingen Wft, MAFU) 24 and 26c Prudential Rules Decree (Besluit prudentiële regels Wft, PRD).
Article 6 - Control of the shareholding
1. Any natural or legal person who has taken a decision to acquire or to further increase, directly or indirectly, a qualifying holding within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013 in a payment institution, as a result of which the proportion of the capital or of the voting rights held would reach or exceed 20 %, 30 % or 50 %, or so that the payment institution would become its subsidiary, shall inform the competent authorities of that payment institution in writing of their intention in advance. The same applies to any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding, or to reduce its qualifying holding so that the proportion of the capital or of the voting rights held would fall below 20 %, 30 % or 50 %, or so that the payment institution would cease to be its subsidiary.
2. The proposed acquirer of a qualifying holding shall supply to the competent authority information indicating the size of the intended holding and relevant information referred to in Article 23(4) of Directive 2013/36/EU.
3. Member States shall require that where the influence exercised by a proposed acquirer, as referred to in paragraph 2 is likely to operate to the detriment of the prudent and sound management of the payment institution, the competent authorities shall express their opposition or take other appropriate measures to bring that situation to an end. Such measures may include injunctions, penalties against directors or the persons responsible for the management, or the suspension of the exercise of the voting rights attached to the shares held by the shareholders or members of the payment institution in question.
Similar measures shall apply to natural or legal persons who fail to comply with the obligation to provide prior information, as laid down in this Article.
4. If a holding is acquired despite the opposition of the competent authorities, Member States shall, regardless of any other penalty to be adopted, provide for the exercise of the corresponding voting rights to be suspended, the nullity of votes cast or the possibility of annulling those votes.
All natural or legal persons intending to acquire or enlarge a qualifying holding in a payment institution which provides the services as included under points (1) to (7) of Annex I to PSD2. This provision therefore is not relevant to parties solely providing account information services.
This article lays out the rules for holdings in a payment institution. Following the implementation of this article in Dutch legislation, all natural or legal persons which are going to directly or indirectly acquire or enlarge a qualifying holding in a payment institution must obtain prior permission from DNB by applying for a so-called declaration of no-objection.
Definition of a qualifying holding
A qualifying holding in a payment institution consists of a direct or indirect holding in the payment institution which:
represents 10% or more of the capital or the voting rights; or
makes it possible to exercise a significant influence over the management of the payment institution.
Bandwidth
The application for a declaration of no-objection must specify a bandwidth. Bandwidths may have a limit of 10% (the threshold for a declaration of no-objection) and can have upper limits of 20%, 33%, 50% or 100%. The holder of a qualifying holding must notify DNB of certain specific changes in the size of holdings, for example if the size of the holding falls below 10%. In this case, the issued declaration of no-objection will lapse by operation of law.
In case of a breach of the declaration of no-objection requirement, DNB may impose a suspension of the voting rights of shareholders related to the qualifying holding.
In order to determine whether a qualifying holding is acquired and for a description of what documents and information DNB needs to receive to assess an application for a declaration of no-objection, reference is made to the DNB document ”Notes to the application form for a declaration of no-objection (DNO) – Section 3:95 of the Wft” as available on the website of DNB (http://www.toezicht.dnb.nl/en/binaries/51-236125.pdf).
Another useful point of reference is the ”Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector” (the ”Guidelines”) as published by the Joint Committee of the three European Supervisory Authorities (https://esas-joint-committee.europa.eu/Pages/Guidelines/Joint-Guidelines-on-the-prudential-assessment-of-acquisitions-and-increases-of-qualifying-holdings-in-the-banking,-insuranc.aspx). These Guidelines basically reflect how the competent authorities (e.g. DNB) must assess applications for declarations of no-objection. It should be noted that the Guidelines date from 1 October 2017 and are tailored to qualifying holdings generally.
Relevant tests for acquisitions of qualifying holdings
Basically, there are two steps to determine whether an (indirect) qualifying holding is acquired. The first step is the application of the so-called control criterion. Based on this criterion, all natural or legal persons who:
1. acquire, directly or indirectly, control over an existing holder of a qualifying holding in a payment institution, irrespective of whether such existing holding is direct or indirect; or
2. directly or indirectly, control the proposed direct acquirer of a qualifying holding in a payment institution
should be considered to constitute indirect acquirers of a qualifying holding. In both case 1. and case 2. the indirect acquirers include the ultimate natural person or persons at the top of the corporate control chain.
If the control criterion cannot be applied, the so-called multiplication criterion should subsequently be applied. This criterion entails the multiplication of the percentages of the holdings across the corporate chain, starting from the participation held directly in the payment institution, which has to be multiplied by the participation held at the level immediately above and continuing up the corporate chain for so long as the result of the multiplication continues to be 10% or more.
The Guidelines set out a number of useful examples of how both the control criterion and the multiplication criterion described above apply in practice.
Implementation in the Netherlands: art. 6 (new) PSDII >> already implemented in 3:95, 3:102, first paragraph, 3:103, sixth paragraph, 1:86 and 1:87 Wft
Article 7 - Initial capital
Member States shall require payment institutions to hold, at the time of authorisation, initial capital, comprised of one or more of the items referred to in Article 26(1)(a) to (e) of Regulation (EU) No 575/2013 as follows:
(a) where the payment institution provides only the payment service as referred to in point (6) of Annex I, its capital shall at no time be less than EUR 20 000;
(b) where the payment institution provides the payment service as referred to in point (7) of Annex I, its capital shall at no time be less than EUR 50 000;
(c) where the payment institution provides any of the payment services as referred to in points (1) to (5) of Annex I, its capital shall at no time be less than EUR 125 000.
Payment institutions which provide the services as included under points (1) to (7) of Annex I to PSD2. This provision therefore is not relevant to parties solely providing account information services.
The initial capital requirement is one of the conditions to be met at the time of the issuance of the payment licence by DNB. This article sets out that the initial capital requirement of payment institutions must be EUR 20,000, EUR 50,000 or EUR 125,000 depending on the payment services it carries out (see table below).
| No. | Payment services (as referred to in Annex I to the PSD) | Initial capital required (minimum in EUR), status as per 6 March 2019 |
|---|---|---|
| 1. | Services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account. | 125,000 |
| 2. | Services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account. | 125,000 |
| 3. | Execution of payment transactions, including transfers of funds on a payment account with the user’s PSP or with another PSP. | 125,000 |
| 4. | Execution of payment transactions where the funds are covered by a credit line for a payment service user. | 125,000 |
| 5. | Issuing of payment instruments and/or acquiring of payment transactions. | 125,000 |
| 6. | Money remittance. | 20,000 |
| 7. | Payment initiation services. | 50,000 |
| 8. | Account information services. | none |
Where more than one initial capital requirement applies to the payment institution, it must hold the greater amount.
Implementation in the Netherlands: art. 7 PSDII >> already implemented in art. 48, first paragraph, parts k, l and m, Bpr (basis 3:53 Wft)
Article 8 - Own funds
1. The payment institution’s own funds shall not fall below the amount of initial capital as referred to in Article 7 or the amount of own funds as calculated in accordance with Article 9 of this Directive, whichever is the higher.
2. Member States shall take the necessary measures to prevent the multiple use of elements eligible for own funds where the payment institution belongs to the same group as another payment institution, credit institution, investment firm, asset management company or insurance undertaking. This paragraph shall also apply where a payment institution has a hybrid character and carries out activities other than providing payment services.
3. If the conditions laid down in Article 7 of Regulation (EU) No 575/2013 are met, Member States or their competent authorities may choose not to apply Article 9 of this Directive to payment institutions which are included in the consolidated supervision of the parent credit institution pursuant to Directive 2013/36/EU.
Payment institutions which provide the services as included under points (1) to (7) of Annex I to PSD2. This provision therefore is not relevant to parties solely providing account information services.
As part of solvency requirements, payment institutions are required to hold at all times own funds equal to or in excess of the greater of (i) the amount of initial capital that is required according to article 7 PSD2 or (ii) the amount of the own funds requirement calculated in accordance with the methods as described in article 9 PSD2.
Composition of the amount of own funds
The amount of own funds of a payment institution is formed by the value of the capital components as referred to in article 26(1)(a)-(e) CRR, for example by certain share premium accounts or retained earnings.
Implementation in the Netherlands: art. 8(1) PSDII >> already implemented in art. 3:53 Wft; art. 8(2) PSDII >> already implemented in art. 3:53 Wft and art. 8(3) PSDII >> requires no implementation
Article 9 - Calculation of own funds
1. Notwithstanding the initial capital requirements set out in Article 7, Member States shall require payment institutions, except those offering only services as referred to in point (7) or (8), or both, of Annex I, to hold, at all times, own funds calculated in accordance with one of the following three methods, as determined by the competent authorities in accordance with national legislation:
Method A
The payment institution’s own funds shall amount to at least 10 % of its fixed overheads of the preceding year. The competent authorities may adjust that requirement in the event of a material change in a payment institution’s business since the preceding year. Where a payment institution has not completed a full year’s business at the date of the calculation, the requirement shall be that its own funds amount to at least 10 % of the corresponding fixed overheads as projected in its business plan, unless an adjustment to that plan is required by the competent authorities.
Method B
The payment institution’s own funds shall amount to at least the sum of the following elements multiplied by the scaling factor k defined in paragraph 2, where payment volume (PV) represents one twelfth of the total amount of payment transactions executed by the payment institution in the preceding year:
(a) 4,0 % of the slice of PV up to EUR 5 million; plus
(b) 2,5 % of the slice of PV above EUR 5 million up to EUR 10 million; plus
(c) 1 % of the slice of PV above EUR 10 million up to EUR 100 million; plus
(d) 0,5 % of the slice of PV above EUR 100 million up to EUR 250 million; plus
(e) 0,25 % of the slice of PV above EUR 250 million.
Method C
The payment institution’s own funds shall amount to at least the relevant indicator defined in point (a), multiplied by the multiplication factor defined in point (b) and by the scaling factor k defined in paragraph 2.
(a) The relevant indicator is the sum of the following:
(i) interest income;
(ii) interest expenses;
(iii) commissions and fees received; and
(iv) other operating income.
Each element shall be included in the sum with its positive or negative sign. Income from extraordinary or irregular items shall not be used in the calculation of the relevant indicator. Expenditure on the outsourcing of services rendered by third parties may reduce the relevant indicator if the expenditure is incurred from an undertaking subject to supervision under this Directive. The relevant indicator is calculated on the basis of the 12-monthly observation at the end of the previous financial year. The relevant indicator shall be calculated over the previous financial year. Nevertheless own funds calculated according to Method C shall not fall below 80 % of the average of the previous 3 financial years for the relevant indicator. When audited figures are not available, business estimates may be used.
(b) The multiplication factor shall be:
(i) 10 % of the slice of the relevant indicator up to EUR 2,5 million;
(ii) 8 % of the slice of the relevant indicator from EUR 2,5 million up to EUR 5 million;
(iii) 6 % of the slice of the relevant indicator from EUR 5 million up to EUR 25 million;
(iv) 3 % of the slice of the relevant indicator from EUR 25 million up to 50 million;
(v) 1,5 % above EUR 50 million.
2. The scaling factor k to be used in Methods B and C shall be:
(a) 0,5 where the payment institution provides only the payment service as referred to in point (6) of Annex I;
(b) 1 where the payment institution provides any of the payment services as referred to in any of points (1) to (5) of Annex I.
3. The competent authorities may, based on an evaluation of the risk-management processes, risk loss data base and internal control mechanisms of the payment institution, require the payment institution to hold an amount of own funds which is up to 20 % higher than the amount which would result from the application of the method chosen in accordance with paragraph 1, or permit the payment institution to hold an amount of own funds which is up to 20 % lower than the amount which would result from the application of the method chosen in accordance with paragraph 1.
Payment institutions which provide the services as included under points (1) to (6) of Annex I to PSD2. This provision therefore is not relevant to parties solely providing payment initiation services and/or account information services.
The required own funds of a payment institution following article 8 PSD2 must be calculated in accordance with the three calculation methods (method A, B and C) as laid down in article 9 PSD2.
Method A
Following method A, the own funds requirement of the payment institution must be calculated according to fixed overheads of the previous financial year: it must amount to at least 10% of the fixed overheads of the preceding year.
Method B
Following method B, the own funds requirement of the institutions must be calculated according to the total amount of payment volume of the preceding year.
Method C
Following method C, the own funds requirement of the payment institution depends, among other things, on the sum of interest income, interest expenses, commissions and fees, and other operating income.
According to DNB policy, a payment institution must apply all three methods in respect of its payment licence application.
For a detailed description of the three calculation methods and the accompanying formulas, reference is made to chapter 10 of the DNB document ”Notes to the licence application form for payment service providers – PSD2” as available on the website of DNB (http://www.toezicht.dnb.nl/en/binaries/51-235572.pdf).
It should be noted that – according to article 9(3) PSD2 – under circumstances related to the risk-management process and internal control mechanisms of a payment institution, DNB may require a payment institution to hold an amount of own funds which is up to 20% higher or up to 20% lower than the amount which would result from the application of the three calculation methods.
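Method B as worded in Article 9(1) and (2) above, combined with the Article 8(1) floor and the Article 9(3) adjustment, worked through in code. This is an added example, not a calculation taken from the Directive or from DNB's notes; the function names are assumptions, and using the greatest Article 7 amount for a mix of services follows the commentary on Article 7.

```python
from decimal import Decimal

# Article 9(1) Method B: (upper bound of the PV slice in EUR, rate).
# None marks the open-ended top slice.
METHOD_B_SLICES = [
    (Decimal("5000000"), Decimal("0.04")),
    (Decimal("10000000"), Decimal("0.025")),
    (Decimal("100000000"), Decimal("0.01")),
    (Decimal("250000000"), Decimal("0.005")),
    (None, Decimal("0.0025")),
]

# Article 7 initial capital in EUR per Annex I service number.
# Service 8 (account information services) has none.
INITIAL_CAPITAL = {1: 125000, 2: 125000, 3: 125000, 4: 125000,
                   5: 125000, 6: 20000, 7: 50000, 8: 0}


def scaling_factor_k(services):
    """Article 9(2): 1 for any of services 1-5, 0.5 for money remittance only."""
    services = set(services)
    if services & {1, 2, 3, 4, 5}:
        return Decimal("1")
    if services == {6}:
        return Decimal("0.5")
    # Article 9(2) as quoted gives no k for other combinations (e.g. 6 plus 7).
    raise ValueError("no scaling factor k defined for services %s" % sorted(services))


def method_b(annual_payment_total, k):
    """Own funds under Method B; PV is one twelfth of last year's total."""
    pv = Decimal(annual_payment_total) / 12
    requirement = Decimal("0")
    lower = Decimal("0")
    for upper, rate in METHOD_B_SLICES:
        if pv <= lower:
            break
        top = pv if upper is None else min(pv, upper)
        requirement += (top - lower) * rate
        if upper is None:
            break
        lower = upper
    return requirement * k


def required_own_funds(services, annual_payment_total, adjustment=Decimal("0")):
    """Article 8(1): the higher of initial capital and the Article 9 amount.

    adjustment is the Article 9(3) supervisory correction, from -0.20 to +0.20.
    """
    services = set(services)
    if not services or not services <= set(INITIAL_CAPITAL):
        raise ValueError("services must be Annex I numbers 1 to 8")
    initial = Decimal(max(INITIAL_CAPITAL[s] for s in services))
    if services <= {7, 8}:
        # Article 9(1) exempts institutions offering only services 7 and/or 8.
        return initial
    adjustment = Decimal(adjustment)
    if abs(adjustment) > Decimal("0.20"):
        raise ValueError("Article 9(3) allows at most 20 % up or down")
    k = scaling_factor_k(services)
    calculated = method_b(annual_payment_total, k) * (1 + adjustment)
    return max(initial, calculated)


if __name__ == "__main__":
    # Constructed figures: EUR 1.8 billion executed last year, so PV = EUR 150 million.
    print(required_own_funds({3, 5}, 1_800_000_000))
    # Small acquirer: Method B gives EUR 40,000, so the Article 7 amount governs.
    print(required_own_funds({3}, 12_000_000))
```
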
Composition of the amount of own funds
The amount of own funds of a payment institution is formed by the value of the capital components as referred to in article 26(1)(a)-(e) CRR, for example by certain share premium accounts or retained earnings.
Implementation in the Netherlands: art. 9(1) (new) PSDII >> 3:57, seventh paragraph, Wft and Bpr (basis 3:57 Wft); art. 9(2) (new) PSDII >> Bpr (basis 3:57 Wft) and art. 9(3) PSDII >> already implemented in art. 40a, fourth paragraph, Bpr (basis 3:57 Wft)
Article 10 - Safeguarding requirements
1. The Member States or competent authorities shall require a payment institution which provides payment services as referred to in points (1) to (6) of Annex I to safeguard all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions, in either of the following ways:
(a) funds shall not be commingled at any time with the funds of any natural or legal person other than payment service users on whose behalf the funds are held and, where they are still held by the payment institution and not yet delivered to the payee or transferred to another payment service provider by the end of the business day following the day when the funds have been received, they shall be deposited in a separate account in a credit institution or invested in secure, liquid low-risk assets as defined by the competent authorities of the home Member State; and they shall be insulated in accordance with national law in the interest of the payment service users against the claims of other creditors of the payment institution, in particular in the event of insolvency;
(b) funds shall be covered by an insurance policy or some other comparable guarantee from an insurance company or a credit institution, which does not belong to the same group as the payment institution itself, for an amount equivalent to that which would have been segregated in the absence of the insurance policy or other comparable guarantee, payable in the event that the payment institution is unable to meet its financial obligations.
2. Where a payment institution is required to safeguard funds under paragraph 1 and a portion of those funds is to be used for future payment transactions with the remaining amount to be used for non-payment services, that portion of the funds to be used for future payment transactions shall also be subject to the requirements of paragraph 1. Where that portion is variable or not known in advance, Member States shall allow payment institutions to apply this paragraph on the basis of a representative portion assumed to be used for payment services provided such a representative portion can be reasonably estimated on the basis of historical data to the satisfaction of the competent authorities.
Payment institutions which provide the services as included under points (1) to (6) of Annex I to PSD2.
This article provides a safeguard for payment service users and aims to protect those users from claims of other creditors of the payment institution, especially in case of bankruptcy. The payment institution should ensure that the funds received will not be commingled with the funds of the payment institution itself. The payment institution needs to deliver funds received on behalf of the payment service user to the payee or another payment service provider at the latest on the business day immediately following receipt. Alternatively, the payment institution will need to deposit the funds in a separate account in a credit institution or invest the funds in secure, liquid low-risk assets as defined
The obligation to secure funds of payment service users is included in article 3:29a of the Dutch Financial Supervision Act and further elaborated in Article 40a of the Dutch Prudential Rules Decree. In the explanatory notes on article 40a of the Dutch Prudential Rules Decree it is mentioned that the Dutch legislator specifically considered that a separate and independent bailee (bewaarder) of the funds of the payment service users can be used to comply with this obligation. Accordingly, many payment institutions in the Netherlands use a third-party funds foundation (stichting derdengelden) to comply with the obligation of securing funds of payment service users. Often the funds will be directly received by and further distributed by such foundation.
Implementation in the Netherlands: art. 10(1) PSDII >> 3:29a, third paragraph, Wft and 40a, first paragraph, Bpr (legal basis 3:29a Wft) and art. 10(2) (new) PSDII >> already implemented in art. 40a, fourth paragraph, Bpr (legal basis 3:29a Wft)
Article 11 - Granting of authorisation
1. Member States shall require undertakings other than those referred to in points (a), (b), (c), (e) and (f) of Article 1(1) and other than natural or legal persons benefiting from an exemption pursuant to Article 32 or 33, who intend to provide payment services, to obtain authorisation as a payment institution before commencing the provision of payment services. An authorisation shall only be granted to a legal person established in a Member State.
2. Competent authorities shall grant an authorisation if the information and evidence accompanying the application complies with all of the requirements laid down in Article 5 and if the competent authorities’ overall assessment, having scrutinised the application, is favourable. Before granting an authorisation, the competent authorities may, where relevant, consult the national central bank or other relevant public authorities.
3. A payment institution which, under the national law of its home Member State is required to have a registered office, shall have its head office in the same Member State as its registered office and shall carry out at least part of its payment service business there.
4. The competent authorities shall grant an authorisation only if, taking into account the need to ensure the sound and prudent management of a payment institution, the payment institution has robust governance arrangements for its payment services business, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective procedures to identify, manage, monitor and report the risks to which it is or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures; those arrangements, procedures and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the payment services provided by the payment institution.
5. Where a payment institution provides any of the payment services as referred to in points (1) to (7) of Annex I and, at the same time, is engaged in other business activities, the competent authorities may require the establishment of a separate entity for the payment services business, where the non-payment services activities of the payment institution impair or are likely to impair either the financial soundness of the payment institution or the ability of the competent authorities to monitor the payment institution’s compliance with all obligations laid down by this Directive.
6. The competent authorities shall refuse to grant an authorisation if, taking into account the need to ensure the sound and prudent management of a payment institution, they are not satisfied as to the suitability of the shareholders or members that have qualifying holdings.
7. Where close links as defined in point (38) of Article 4(1) of Regulation (EU) No 575/2013 exist between the payment institution and other natural or legal persons, the competent authorities shall grant an authorisation only if those links do not prevent the effective exercise of their supervisory functions.
8. The competent authorities shall grant an authorisation only if the laws, regulations or administrative provisions of a third country governing one or more natural or legal persons with which the payment institution has close links, or difficulties involved in the enforcement of those laws, regulations or administrative provisions, do not prevent the effective exercise of their supervisory functions.
9. An authorisation shall be valid in all Member States and shall allow the payment institution concerned to provide the payment services that are covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.
Member States, regulators and payment service providers.
This provision sets out the conditions which a payment service provider should fulfill in order to receive a license from the regulator. In order to prevent any misuse of the right of establishment, article 11 PSD2 obliges payment service providers to provide at least a part of their services in the Member State where they have their seat.
Please note that regulators of Member States may request payment service providers to establish a separate entity in the event the payment service provider also undertakes other activities which could affect the ability of the payment service provider to fulfill its financial obligations and other obligations under PSD2.
Article 2:3a, 2:3b, 3:17, 3:29b, 3:8 and 3:9 FSA.
Article 12 - Communication of the decision
Within 3 months of receipt of an application or, if the application is incomplete, of all of the information required for the decision, the competent authorities shall inform the applicant whether the authorisation is granted or refused. The competent authority shall give reasons where it refuses an authorisation.
Regulators in Member States.
This provision provides for regulators of Member States to respond in any event within 3 months of receipt of an application.
The period of 3 months should be taken into account by payment service providers in relation to the timing of undertaking any payment services.
Article 2:3b of the Dutch Financial Supervision Act (Wet op het financieel toezicht, “FSA”)
Article 13 - Withdrawal of authorisation
1. The competent authorities may withdraw an authorisation issued to a payment institution only if the institution:
(a) does not make use of the authorisation within 12 months, expressly renounces the authorisation or has ceased to engage in business for more than 6 months, if the Member State concerned has made no provision for the authorisation to lapse in such cases;
(b) has obtained the authorisation through false statements or any other irregular means;
(c) no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect;
(d) would constitute a threat to the stability of or the trust in the payment system by continuing its payment services business; or
(e) falls within one of the other cases where national law provides for withdrawal of an authorisation.
2. The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly.
3. The competent authority shall make public the withdrawal of an authorisation, including in the registers referred to in Articles 14 and 15.
Regulators in Member States and payment service providers.
According to this article regulators in Member States have the authority to withdraw licenses under certain circumstances.
Payment service providers should assess on a regular basis whether (one of) the events set forth in this article apply to them, in order to anticipate the possibility that the regulator may withdraw their licence. Please note that withdrawals of licenses will be published by regulators, which could lead to reputational risk for the firm itself as well as the persons involved and may affect the eligibility of (co-)decision makers in the future.
Article 3:41 Dutch General Administrative Law Act (Algemene wet bestuursrecht) and 1:107 FSA.
Article 14 - Registration in the home Member State
1. Member States shall establish a public register in which the following are entered:
(a) authorised payment institutions and their agents;
(b) natural and legal persons benefiting from an exemption pursuant to Article 32 or 33, and their agents; and
(c) the institutions referred to in Article 2(5) that are entitled under national law to provide payment services.
Branches of payment institutions shall be entered in the register of the home Member State if those branches provide services in a Member State other than their home Member State.
2. The public register shall identify the payment services for which the payment institution is authorised or for which the natural or legal person has been registered. Authorised payment institutions shall be listed in the register separately from natural and legal persons benefiting from an exemption pursuant to Article 32 or 33. The register shall be publicly available for consultation, accessible online, and updated without delay.
3. Competent authorities shall enter in the public register any withdrawal of authorisation and any withdrawal of an exemption pursuant to Article 32 or 33.
4. Competent authorities shall notify EBA of the reasons for the withdrawal of any authorisation and of any exemption pursuant to Article 32 or 33.
All PSPs and their agents.
Article 14 prescribes that all Member States shall establish a public register in which the following entities are entered:
authorized payment institutions and their agents;
natural and legal persons benefiting from an exemption mentioned in articles 32 or 33 PSD2, and their agents; and
institutions referred to in article 2 (5) PSD2 that are entitled under national law to provide payment services.
Furthermore, competent authorities shall enter any withdrawal of authorization and/or exemption in the public register.
This register shows the date from which an authorized payment institution is allowed to carry out the payment services.
Branches of payment institutions need to be included in the register of the home Member State if those branches provide services in a Member State other than their home Member State. See article 28 PSD2 for the relevant notification procedure.
In the Netherlands this register can be consulted on the website of AFM and DNB, see: https://www.afm.nl/en/professionals/registers and https://www.dnb.nl/en/supervision/public-register/index.jsp.
Implementation in the Netherlands: art. 14(1) (new) PSDII >> 1:107, first and second paragraph, part a, sub 1°, and third paragraph, part j 1:107, first paragraph and third paragraph, part h, 1:108, second paragraph, Wft; art. 14(2) (new) PSDII >> requires no implementation; art. 14(3) (new) PSDII >> opening words of 1:107 Wft and art. 14(4) (new) PSDII >> Regeling taakuitoefening en grensoverschrijdende samenwerking financiële toezichthouders Wft (legal basis 1:69, third paragraph, Wft)
Article 15 - EBA register
1. EBA shall develop, operate and maintain an electronic, central register that contains the information as notified by the competent authorities in accordance with paragraph 2. EBA shall be responsible for the accurate presentation of that information.
EBA shall make the register publicly available on its website, and shall allow for easy access to and easy search for the information listed, free of charge.
2. Competent authorities shall, without delay, notify EBA of the information entered in their public registers as referred to in Article 14 in a language customary in the field of finance.
3. Competent authorities shall be responsible for the accuracy of the information specified in paragraph 2 and for keeping that information up-to-date.
4. EBA shall develop draft regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein. The technical requirements shall ensure that modification of the information is only possible by the competent authority and EBA.
EBA shall submit those draft regulatory technical standards to the Commission by 13 January 2018.
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
5. EBA shall develop draft implementing technical standards on the details and structure of the information to be notified pursuant to paragraph 1, including the common format and model in which this information is to be provided.
EBA shall submit those draft implementing technical standards to the Commission by 13 July 2017.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.
Regulators in Member States and EBA.
This provision provides for the new role of EBA, which will maintain and manage a central register in which all exempted and licensed payment service providers are included and which will stimulate a more efficient regulation of payment service providers in the EU. All regulators in the Member States are obliged to inform the EBA of changes in their local registers.
Article 1:69 paragraph 3 FSA in conjunction with the Regulation in relation to the tasks and cross-border cooperation financial supervisors FSA (Regeling taakuitoefening en grensoverschrijdende samenwerking financiële toezichthouders Wft).
Article 16 - Maintenance of authorisation
Where any change affects the accuracy of information and evidence provided in accordance with Article 5, the payment institution shall, without undue delay, inform the competent authorities of its home Member State accordingly.
All registered payment institutions providing services in the EU.
Upon the occurrence of a change that affects the accuracy of the Application Documentation, payment institutions registered in the Netherlands must notify the DNB. For foreign payment institutions, this notification must be made to the appropriate regulator where the payment institution is registered.
Upon the occurrence of a change that affects the accuracy of the Application Documentation, good business practice is to notify the DNB promptly.
3:29, first paragraph, Wft
Article 17 - Accounting and statutory audit
1. Directives 86/635/EEC and 2013/34/EU, and Regulation (EC) No 1606/2002 of the European Parliament and of the Council, shall apply to payment institutions mutatis mutandis.
2. Unless exempted under Directive 2013/34/EU and, where applicable, Directive 86/635/EEC, the annual accounts and consolidated accounts of payment institutions shall be audited by statutory auditors or audit firms within the meaning of Directive 2006/43/EC.
3. For supervisory purposes, Member States shall require that payment institutions provide separate accounting information for payment services and activities referred to in Article 18(1), which shall be subject to an auditor’s report. That report shall be prepared, where applicable, by the statutory auditors or an audit firm.
4. The obligations established in Article 63 of Directive 2013/36/EU shall apply mutatis mutandis to the statutory auditors or audit firms of payment institutions in respect of payment services activities.
Payment institutions
Article 17(1) updates the list of Directives that apply to payment institutions in the context of accounting and statutory audit. Thus, in PSD2, Directive 2013/34/EU of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings replaces the repealed Directives 78/660/EEC and 83/349/EEC.
2:360, first paragraph, Book 7, Dutch Civil Code
3:71 Wft
3:74b Wft
4:27 Wft
Article 18 - Activities
1. Apart from the provision of payment services, payment institutions shall be entitled to engage in the following activities:
(a) the provision of operational and closely related ancillary services such as ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data;
(b) the operation of payment systems, without prejudice to Article 35;
(c) business activities other than the provision of payment services, having regard to applicable Union and national law.
2. Where payment institutions engage in the provision of one or more payment services, they may hold only payment accounts which are used exclusively for payment transactions.
3. Any funds received by payment institutions from payment service users with a view to the provision of payment services shall not constitute a deposit or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU, or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC.
4. Payment institutions may grant credit relating to payment services as referred to in point (4) or (5) of Annex I only if all of the following conditions are met:
(a) the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction;
(b) notwithstanding national rules on providing credit by credit cards, the credit granted in connection with a payment and executed in accordance with Article 11(9) and Article 28 shall be repaid within a short period which shall in no case exceed 12 months;
(c) such credit shall not be granted from the funds received or held for the purpose of executing a payment transaction;
(d) the own funds of the payment institution shall at all times and to the satisfaction of the supervisory authorities be appropriate in view of the overall amount of credit granted.
5. Payment institutions shall not conduct the business of taking deposits or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU.
6. This Directive shall be without prejudice to Directive 2008/48/EC, other relevant Union law or national measures regarding conditions for granting credit to consumers not harmonised by this Directive that comply with Union law.
All payment institutions.
Article 18 PSD2 sets out certain activities payment institutions are entitled to engage in, apart from the provision of payment services. It states that where payment institutions engage in the provision of one or more payment services, they may hold only payment accounts which are used exclusively for payment transactions (paragraph 2). As a corollary it states that any funds received by the payment institutions from payment service users relating to the provision of payment services shall not constitute “deposit or other repayable funds” or “electronic money” within the meaning of, respectively, the EU directives “CRD IV” and the “E-Money Directive” (paragraph 3). This is an important provision for payment institutions, since their payment activities would otherwise often trigger another regulated activity for which another license is required and/or to which a prohibition applies. This is all the more so since paragraph 5 of this article explicitly prohibits payment institutions from conducting the business of taking “deposits or other repayable funds”, a prohibition which is included in Dutch law in article 3:5 Wft.
Paragraph 4 of this article sets out the rules for payment institutions in the event of granting credit relating to payment services as referred to in point (4) and (5) of Annex I to PSD2. An example of this is the offering of credit cards, a product which includes the provision of payment services as well as granting credit. One of the requirements is that the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction.
According to article 3:5 Wft in principle no party may attract, obtain or have the disposal of repayable funds (in Dutch: “opvorderbare gelden”) in the Netherlands in the pursuit of a business from the public. The prohibition of holding repayable funds applies to funds of the “public”. According to the current interpretation of the Dutch legislator and DNB - until there is a uniform European definition - the term “public” refers to 1) outside a restricted circle and 2) of others than professional market parties as defined in article 1:1 of the Wft. Both elements should be fulfilled to fall within the scope of “public” and the prohibition of holding repayable funds. In the event of repayable funds of a person or company within a restricted circle or which qualifies as a professional market party, the definition of the term “public” is not fulfilled and therefore the prohibition concerning repayable funds does not apply to that situation.
In this context it is also important that, according to the Dutch Parliamentary History regarding repayable funds, funds do not qualify as repayable funds in the event the funds are provided for continued payment and are held by a third party no longer than is technically and organizationally necessary. It is assumed that funds are held by a third party no longer than is technically and organizationally necessary if the holding of the funds lasts for a maximum period of 5 calendar days.
Finally, note that article 3:5 Wft includes some exemptions (for example the prohibition does not apply to institutions holding a license of a bank) and that DNB may under specific conditions issue dispensation from this prohibition (http://www.toezicht.dnb.nl/en/2/51-236077.jsp).
Implementation in the Netherlands: art. 18(1) PSDII >> 3:29c Wft; art. 18(2) PSDII >> 3:29c, first paragraph, Wft; art. 18(3) (new) PSDII >> 3:29c, second paragraph, Wft; art. 18(4) (new) PSDII >> 3:29c, fourth paragraph, Wft; art. 18(5) PSDII >> 3:5 Wft and art. 18(6) PSDII >> requires no implementation
Article 19 - Use of agents, branches or entities to which activities are outsourced
1. Where a payment institution intends to provide payment services through an agent it shall communicate the following information to the competent authorities in its home Member State:
(a) the name and address of the agent;
(b) a description of the internal control mechanisms that will be used by the agent in order to comply with the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849, to be updated without delay in the event of material changes to the particulars communicated at the initial notification;
(c) the identity of directors and persons responsible for the management of the agent to be used in the provision of payment services and, for agents other than payment service providers, evidence that they are fit and proper persons;
(d) the payment services of the payment institution for which the agent is mandated; and
(e) where applicable, the unique identification code or number of the agent.
2. Within 2 months of receipt of the information referred to in paragraph 1, the competent authority of the home Member State shall communicate to the payment institution whether the agent has been entered in the register provided for in Article 14. Upon entry in the register, the agent may commence providing payment services.
3. Before listing the agent in the register, the competent authorities shall, if they consider that the information provided to them is incorrect, take further action to verify the information.
4. If, after taking action to verify the information, the competent authorities are not satisfied that the information provided to them pursuant to paragraph 1 is correct, they shall refuse to list the agent in the register provided for in Article 14 and shall inform the payment institution without undue delay.
5. If the payment institution wishes to provide payment services in another Member State by engaging an agent or establishing a branch it shall follow the procedures set out in Article 28.
6. Where a payment institution intends to outsource operational functions of payment services, it shall inform the competent authorities of its home Member State accordingly.
Outsourcing of important operational functions, including IT systems, shall not be undertaken in such way as to impair materially the quality of the payment institution’s internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in this Directive.
For the purposes of the second subparagraph, an operational function shall be regarded as important if a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its authorisation requested pursuant to this Title, its other obligations under this Directive, its financial performance, or the soundness or the continuity of its payment services.
Member States shall ensure that when payment institutions outsource important operational functions, the payment institutions meet the following conditions:
(a) the outsourcing shall not result in the delegation by senior management of its responsibility;
(b) the relationship and obligations of the payment institution towards its payment service users under this Directive shall not be altered;
(c) the conditions with which the payment institution is to comply in order to be authorised and remain so in accordance with this Title shall not be undermined;
(d) none of the other conditions subject to which the payment institution’s authorisation was granted shall be removed or modified.
7. Payment institutions shall ensure that agents or branches acting on their behalf inform payment service users of this fact.
8. Payment institutions shall communicate to the competent authorities of their home Member State without undue delay any change regarding the use of entities to which activities are outsourced and, in accordance with the procedure provided for in paragraphs 2, 3 and 4, agents, including additional agents.
All payment institutions acting through an agent and all payment institutions which intend to outsource operational functions of payment services.
Article 19 PSD2 relates to the situation where a payment institution intends to provide payment services through an agent in its home Member State. An agent means a natural or legal person who acts on behalf of a payment institution in providing payment services.
In the event a Dutch payment institution intends to provide payment services in the Netherlands through an agent, this payment institution is obliged to communicate the information as set out in article 19 (1) PSD2 to the competent authority (i.e. DNB) before the agent may commence providing its payment services in the Netherlands. As such DNB is able to monitor payment institutions which provide payment services through an agent.
In the Netherlands article 19 (1) PSD2 is implemented in article 2:3c Wft and article 3b Decree on Market Access of Financial Undertakings under the Wft. According to this latter article the payment institution must communicate, in addition to what is stated in article 19 (1) PSD2, the agent’s email address, fax number and telephone number as well.
According to article 19 (2) PSD2, the competent authority of the home Member State (i.e. DNB) shall assess the information and will inform the payment institution – within 2 months of receipt of the required information – whether the agent has been entered in the register (see article 14 PSD2). After the agent has been entered in this register, the agent may commence providing payment services. DNB however may refuse to list the agent in the register after it has verified the provided information and is (still) not satisfied that this information is correct. DNB shall inform the payment institution without delay.
Outsourcing
Furthermore, article 19 PSD2 determines when and under which conditions operational functions of payment services may be outsourced. According to article 19 (6) PSD2 a payment institution which intends to outsource operational functions of payment services shall inform the competent authorities of its home Member State accordingly.
Outsourcing of important operational functions must not impair the internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in PSD2. In the event a payment institution intends to outsource important operational functions, it must meet the conditions mentioned in article 19 (6) PSD2.
Important operational functions are qualified in article 19 (6) PSD2. In PSD2 IT systems are now expressly mentioned among important operational functions. Other examples of important operational functions are, amongst others: cyber security, credit risk reporting and compliance monitoring.
Article 19 (8) PSD2 imposes on payment institutions an obligation to communicate to the competent authorities of their home Member State without undue delay any change regarding the use of entities to which activities are outsourced and agents, including additional agents.
If the payment institution wishes to provide payment services in another Member State by engaging an agent or establishing a branch it shall follow the procedures set out in article 28.
DNB published good practices for managing outsourcing risks on its website, see http://www.toezicht.dnb.nl/en/2/51-237257.jsp
Implementation in the Netherlands: art. 19 (1) (new) PSDII >> 2:3c Wft and Bmfo (legal basis 2:106a, second paragraph, Wft); art. 19 (2) (new) PSDII >> 2:3c Wft; art. 19 (3) (new) PSDII >> requires no implementation; art. 19 (4) (new) PSDII >> 2:3c, second paragraph, Wft; art. 19 (5) (new) PSDII >> (6) 2:3c and 2:106a, Wft; art. 19 (6) (new) PSDII >> already implemented in 27, first paragraph, 28–30, 32a, 32b Bpr and 37, 38f-38k Bgfo (legal basis 3:18 and 4:16); Article 19 (7) PSDII >> already implemented in 71l Bgfo (legal basis 4:22) and art. 19 (8) (new) PSDII >> Bpr (legal basis 3:18 and 4:16)
Article 20 - Liability
1. Member States shall ensure that, where payment institutions rely on third parties for the performance of operational functions, those payment institutions take reasonable steps to ensure that the requirements of this Directive are complied with.
2. Member States shall require that payment institutions remain fully liable for any acts of their employees, or any agent, branch or entity to which activities are outsourced.
PSPs
This article already existed under PSD1 and stipulates that in case of outsourcing of (operational) activities, the relevant PSP will remain responsible for the outsourced activities. The PSP must take reasonable steps to see to it that the third party or parties it outsources activities to will comply with the relevant provisions of PSD2. Detailed rules applicable to outsourcing of activities by a PSP are stipulated (and commented on) in (and pursuant to) article 19, paragraphs 6 and 8. Article 20 requires PSPs to stay in control of the outsourced activities at all times (and thus also to be able to understand exactly what the third party it outsources activities to does and to monitor the third party’s activities - see also T&T box).
The DPR and DBSFI provide for detailed rules regarding outsourcing, including the requirement to enter into a written agreement with the third party, the topics that should be covered in such agreement and rules regarding the governance, monitoring and evaluation of the outsourcing. Furthermore, the PSP must have accurate procedures, measures, expertise and information to assess the execution of the outsourced activities.
EBA published revised guidelines on outsourcing by financial institutions, including PSPs, on 25 February 2019 (https://eba.europa.eu/documents/10180/2551996/EBA+revised+Guidelines+on+outsourcing+arrangements). These guidelines will enter into force on 30 September 2019.
Art. 3:18, 4:16 FSA; art. 32a DPR; art. 38j, 38k DBSFI;