Welcome to the Holland FinTech PSD2 Web Guide
Holland FinTech has teamed up with 5 law firms from within our network to provide a detailed and comprehensive overview of the PSD2 legislation. We realise that most of us aren’t legal experts, but are affected by the legislation in our day to day business activities. Together with the contributing law firms, we created a resource where you can consult the legislation coupled with commentary, tips and tricks, applicability as well as information on where you can find the articles in Dutch Law. You can use filters to easily access the information you are looking for.
Holland FinTech would like to express its gratitude to the following firms for their contributions, in no particular order: Bird & Bird, Eversheds Sutherland LLC, CMS Derks Star Busmann, Baker Mckenzie and Ploum.
*This resource is intended for information purposes only and not to be construed as legal advice for individual cases. Every effort has been made to ensure that this information is up-to-date as of the date of publication (May 2019). It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
Article 1 – Subject Matter
(a) credit institutions as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (28), including branches thereof within the meaning of point (17) Article 4(1) of that Regulation where such branches are located in the Union, whether the head offices of those branches are located within the Union or, in accordance with Article 47 of Directive 2013/36/EU and with national law, outside the Union;(b) electronic money institutions within the meaning of point (1) of Article 2 of Directive 2009/110/EC, including, in accordance with Article 8 of that Directive and with national law, branches thereof, where such branches are located within the Union and their head offices are located outside the Union, in as far as the payment services provided by those branches are linked to the issuance of electronic money;(c) post office giro institutions which are entitled under national law to provide payment services; (d) payment institutions; (e) the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities; (f) Member States or their regional or local authorities when not acting in their capacity as public authorities. 2. This Directive also establishes rules concerning:
(a) the transparency of conditions and information requirements for payment services; and (b) the respective rights and obligations of payment service users and payment service providers in relation to the provision of payment services as a regular occupation or business activity.
Article 2 – Scope
Article 3 – Application
(a) payment transactions made exclusively in cash directly from the payer to the payee, without any intermediary intervention;(b) payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee;(c) professional physical transport of banknotes and coins, including their collection, processing and delivery; (d) payment transactions consisting of the non-professional cash collection and delivery within the framework of a non-profit or charitable activity; (e) services where cash is provided by the payee to the payer as part of a payment transaction following an explicit request by the payment service user just before the execution of the payment transaction through a payment for the purchase of goods or services; (f) cash-to-cash currency exchange operations where the funds are not held on a payment account; (g) payment transactions based on any of the following documents drawn on the payment service provider with a view to placing funds at the disposal of the payee: (i) paper cheques governed by the Geneva Convention of 19 March 1931 providing a uniform law for cheques; (ii) paper cheques similar to those referred to in point (i) and governed by the laws of Member States which are not party to the Geneva Convention of 19 March 1931 providing a uniform law for cheques; (iii) paper-based drafts in accordance with the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes; (iv) paper-based drafts similar to those referred to in point (iii) and governed by the laws of Member States which are not party to the Geneva Convention of 7 June 1930 providing a uniform law for bills of exchange and promissory notes; (v) paper-based vouchers; (vi) paper-based traveller’s cheques; (vii) paper-based postal money orders as defined by the Universal Postal Union; (h) payment transactions carried out within a payment or securities settlement system between settlement agents, central counterparties, clearing houses and/or central banks and other participants of the system, and payment service providers, without prejudice to Article 35; (i) payment transactions related to securities asset servicing, including dividends, income or other distributions, or redemption or sale, carried out by persons referred to in point (h) or by investment firms, credit institutions, collective investment undertakings or asset management companies providing investment services and any other entities allowed to have the custody of financial instruments; (j) services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services; (k) services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions: (i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer; (ii) instruments which can be used only to acquire a very limited range of goods or services; (iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer; (l) payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service: (i) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or (ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets; provided that the value of any single payment transaction referred to in points (i) and (ii) does not exceed EUR 50 and: – the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or – where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month; (m) payment transactions carried out between payment service providers, their agents or branches for their own account; (n) payment transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a payment service provider other than an undertaking belonging to the same group; (o) cash withdrawal services offered by means of ATM by providers, acting on behalf of one or more card issuers, which are not a party to the framework contract with the customer withdrawing money from a payment account, on condition that those providers do not conduct other payment services as referred to in Annex I. Nevertheless the customer shall be provided with the information on any withdrawal charges referred to in Articles 45, 48, 49 and 59 before carrying out the withdrawal as well as on receipt of the cash at the end of the transaction after withdrawal.
Article 4 – Definitions
Article 5 – Applications for authorisation
(a) a programme of operations setting out in particular the type of payment services envisaged;(b) a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;(c) evidence that the payment institution holds initial capital as provided for in Article 7; (d) for the payment institutions referred to in Article 10(1), a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10; (e) a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate; (f) a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96; (g) a description of the process in place to file, monitor, track and restrict access to sensitive payment data; (h) a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans; (i) a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud; (j) a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data; (k) for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council ( 1 ) and Regulation (EU) 2015/847 of the European Parliament and of the Council ( 2 ), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations; (l) a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system; (m) the identity of persons holding in the applicant, directly or indirectly, qualifying holdings within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution; (n) the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution; (o) where applicable, the identity of statutory auditors and audit firms as defined in Directive 2006/43/EC of the European Parliament and of the Council ( 3 ); (p) the applicant’s legal status and articles of association; (q) the address of the applicant’s head office. For the purposes of points (d), (e) (f) and (l) of the first subparagraph, the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of payment services.The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1). Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) when in place. 2. Member States shall require undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their liabilities as specified in Articles 73, 89, 90 and 92. 3. Member States shall require undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information. 4. By 13 January 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines, addressed to the competent authorities, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3. In developing the guidelines referred to in the first subparagraph, EBA shall take account of the following:
(a) the risk profile of the undertaking; (b) whether the undertaking provides other payment services as referred to in Annex I or is engaged in other business; (c) the size of the activity: (i) for undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, the value of the transactions initiated; (ii) for undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, the number of clients that make use of the account information services; (d) the specific characteristics of comparable guarantees and the criteria for their implementation. EBA shall review those guidelines on a regular basis. 5. By 13 July 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of the first subparagraph of paragraph 1 of this Article. EBA shall review those guidelines on a regular basis and in any event at least every 3 years. 6. Taking into account, where appropriate, experience acquired in the application of the guidelines referred to in paragraph 5, EBA may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1. Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010. 7. The information referred to in paragraph 4 shall be notified to competent authorities in accordance with paragraph 1.
Article 6 – Control of the shareholding
Article 7 – Initial capital
Article 8 – Own funds
Article 9 – Calculation of own funds
(a) 4,0 % of the slice of PV up to EUR 5 million; plus (b) 2,5 % of the slice of PV above EUR 5 million up to EUR 10 million; plus (c) 1 % of the slice of PV above EUR 10 million up to EUR 100 million; plus (d) 0,5 % of the slice of PV above EUR 100 million up to EUR 250 million; plus (e) 0,25 % of the slice of PV above EUR 250 million. Method C The payment institution’s own funds shall amount to at least the relevant indicator defined in point (a), multiplied by the multiplication factor defined in point (b) and by the scaling factor k defined in paragraph 2.
(a) The relevant indicator is the sum of the following: (i) interest income; (ii) interest expenses; (iii) commissions and fees received; and (iv) other operating income. Each element shall be included in the sum with its positive or negative sign. Income from extraordinary or irregular items shall not be used in the calculation of the relevant indicator. Expenditure on the outsourcing of services rendered by third parties may reduce the relevant indicator if the expenditure is incurred from an undertaking subject to supervision under this Directive. The relevant indicator is calculated on the basis of the 12-monthly observation at the end of the previous financial year. The relevant indicator shall be calculated over the previous financial year. Nevertheless own funds calculated according to Method C shall not fall below 80 % of the average of the previous 3 financial years for the relevant indicator. When audited figures are not available, business estimates may be used. (b) The multiplication factor shall be: (i) 10 % of the slice of the relevant indicator up to EUR 2,5 million; (ii) 8 % of the slice of the relevant indicator from EUR 2,5 million up to EUR 5 million; (iii) 6 % of the slice of the relevant indicator from EUR 5 million up to EUR 25 million; (iv) 3 % of the slice of the relevant indicator from EUR 25 million up to 50 million; (v) 1,5 % above EUR 50 million. 2. The scaling factor k to be used in Methods B and C shall be:
(a) 0,5 where the payment institution provides only the payment service as referred to in point (6) of Annex I; (b) 1 where the payment institution provides any of the payment services as referred to in any of points (1) to (5) of Annex I. 3. The competent authorities may, based on an evaluation of the risk-management processes, risk loss data base and internal control mechanisms of the payment institution, require the payment institution to hold an amount of own funds which is up to 20 % higher than the amount which would result from the application of the method chosen in accordance with paragraph 1, or permit the payment institution to hold an amount of own funds which is up to 20 % lower than the amount which would result from the application of the method chosen in accordance with paragraph 1.
Article 10 – Safeguarding requirements
(a)funds shall not be commingled at any time with the funds of any natural or legal person other than payment service users on whose behalf the funds are held and, where they are still held by the payment institution and not yet delivered to the payee or transferred to another payment service provider by the end of the business day following the day when the funds have been received, they shall be deposited in a separate account in a credit institution or invested in secure, liquid low-risk assets as defined by the competent authorities of the home Member State; and they shall be insulated in accordance with national law in the interest of the payment service users against the claims of other creditors of the payment institution, in particular in the event of insolvency;(b) funds shall be covered by an insurance policy or some other comparable guarantee from an insurance company or a credit institution, which does not belong to the same group as the payment institution itself, for an amount equivalent to that which would have been segregated in the absence of the insurance policy or other comparable guarantee, payable in the event that the payment institution is unable to meet its financial obligations. 2. Where a payment institution is required to safeguard funds under paragraph 1 and a portion of those funds is to be used for future payment transactions with the remaining amount to be used for non-payment services, that portion of the funds to be used for future payment transactions shall also be subject to the requirements of paragraph 1. Where that portion is variable or not known in advance, Member States shall allow payment institutions to apply this paragraph on the basis of a representative portion assumed to be used for payment services provided such a representative portion can be reasonably estimated on the basis of historical data to the satisfaction of the competent authorities.
Article 11 – Granting of authorisation
Article 12 – Communication of the decision
Article 13 – Withdrawal of authorisation
(a) does not make use of the authorisation within 12 months, expressly renounces the authorisation or has ceased to engage in business for more than 6 months, if the Member State concerned has made no provision for the authorisation to lapse in such cases;(b) has obtained the authorisation through false statements or any other irregular means;(c) no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect; (d) would constitute a threat to the stability of or the trust in the payment system by continuing its payment services business; or (e) falls within one of the other cases where national law provides for withdrawal of an authorisation. 2. The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly. 3. The competent authority shall make public the withdrawal of an authorisation, including in the registers referred to in Articles 14 and 15.
Article 14 – Registration in the home Member State
(a) authorised payment institutions and their agents;(b) natural and legal persons benefiting from an exemption pursuant to Article 32 or 33, and their agents; and (c) the institutions referred to in Article 2(5) that are entitled under national law to provide payment services. Branches of payment institutions shall be entered in the register of the home Member State if those branches provide services in a Member State other than their home Member State. 2. The public register shall identify the payment services for which the payment institution is authorised or for which the natural or legal person has been registered. Authorised payment institutions shall be listed in the register separately from natural and legal persons benefiting from an exemption pursuant to Article 32 or 33. The register shall be publicly available for consultation, accessible online, and updated without delay. 3. Competent authorities shall enter in the public register any withdrawal of authorisation and any withdrawal of an exemption pursuant to Article 32 or 33. 4. Competent authorities shall notify EBA of the reasons for the withdrawal of any authorisation and of any exemption pursuant to Article 32 or 33
Article 15 – EBA register
Article 16 – Maintenance of authorisation
Article 17 – Accounting and statutory audit
Article 18 – Activities
(a) the provision of operational and closely related ancillary services such as ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data;(b) the operation of payment systems, without prejudice to Article 35;(c) business activities other than the provision of payment services, having regard to applicable Union and national law. 2. Where payment institutions engage in the provision of one or more payment services, they may hold only payment accounts which are used exclusively for payment transactions. 3. Any funds received by payment institutions from payment service users with a view to the provision of payment services shall not constitute a deposit or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU, or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC. 4. Payment institutions may grant credit relating to payment services as referred to in point (4) or (5) of Annex I only if all of the following conditions are met:
(a) the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction; (b) notwithstanding national rules on providing credit by credit cards, the credit granted in connection with a payment and executed in accordance with Article 11(9) and Article 28 shall be repaid within a short period which shall in no case exceed 12 months; (c) such credit shall not be granted from the funds received or held for the purpose of executing a payment transaction; (d) the own funds of the payment institution shall at all times and to the satisfaction of the supervisory authorities be appropriate in view of the overall amount of credit granted. 5. Payment institutions shall not conduct the business of taking deposits or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU. 6. This Directive shall be without prejudice to Directive 2008/48/EC, other relevant Union law or national measures regarding conditions for granting credit to consumers not harmonised by this Directive that comply with Union law.
Article 19 – Use of agents, branches or entities to which activities are outsourced
(a) the name and address of the agent;(b) a description of the internal control mechanisms that will be used by the agent in order to comply with the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849, to be updated without delay in the event of material changes to the particulars communicated at the initial notification;(c) the identity of directors and persons responsible for the management of the agent to be used in the provision of payment services and, for agents other than payment service providers, evidence that they are fit and proper persons; (d) the payment services of the payment institution for which the agent is mandated; and (e) where applicable, the unique identification code or number of the agent. 2. Within 2 months of receipt of the information referred to in paragraph 1, the competent authority of the home Member State shall communicate to the payment institution whether the agent has been entered in the register provided for in Article 14. Upon entry in the register, the agent may commence providing payment services. 3. Before listing the agent in the register, the competent authorities shall, if they consider that the information provided to them is incorrect, take further action to verify the information. 4. If, after taking action to verify the information, the competent authorities are not satisfied that the information provided to them pursuant to paragraph 1 is correct, they shall refuse to list the agent in the register provided for in Article 14 and shall inform the payment institution without undue delay. 5. If the payment institution wishes to provide payment services in another Member State by engaging an agent or establishing a branch it shall follow the procedures set out in Article 28. 6. Where a payment institution intends to outsource operational functions of payment services, it shall inform the competent authorities of its home Member State accordingly. Outsourcing of important operational functions, including IT systems, shall not be undertaken in such way as to impair materially the quality of the payment institution’s internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in this Directive. For the purposes of the second subparagraph, an operational function shall be regarded as important if a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its authorisation requested pursuant to this Title, its other obligations under this Directive, its financial performance, or the soundness or the continuity of its payment services. Member States shall ensure that when payment institutions outsource important operational functions, the payment institutions meet the following conditions:
(a) the outsourcing shall not result in the delegation by senior management of its responsibility; (b) the relationship and obligations of the payment institution towards its payment service users under this Directive shall not be altered; (c) the conditions with which the payment institution is to comply in order to be authorised and remain so in accordance with this Title shall not be undermined; (d) none of the other conditions subject to which the payment institution’s authorisation was granted shall be removed or modified. 7. Payment institutions shall ensure that agents or branches acting on their behalf inform payment service users of this fact. 8. Payment institutions shall communicate to the competent authorities of their home Member State without undue delay any change regarding the use of entities to which activities are outsourced and, in accordance with the procedure provided for in paragraphs 2, 3 and 4, agents, including additional agents.