PSD2 was adopted in 2015 and has applied in member states since 13 January 2018. In Poland, the relevant law entered into force in June 2018, and was implemented by payment services providers (PSP) by 20 December 2018.
The main objective of PSD2 was to ensure fair competition between PSPs, provide security of payments on the rapidly evolving market, and enhance consumer protection.
To increase competition on the payment services market, PSD2 introduced two new payment services: the payment initiation service (PIS) and the account information service (AIS). Under the PIS, the payment service user may initiate a payment transaction through an external provider, which is typically used for online purchases. Under the AIS, the user gives an external provider access to the payment account, so that the user can view accounts held with many different banks in a single online application.
The AIS and PIS may only be served by the PSPs which have the relevant license or authorisation given by the competent financial supervision authority.
Even though PSD2 was intended to enhance consumer protection, its provisions to a large extent apply to corporate clients as well. In practice this causes certain difficulties, in particular with regard to applying strong customer authentication (SCA) to corporate clients and to the use of PIS and AIS by such clients. These difficulties are discussed below.
Consent for PIS and AIS
One of the main issues is who is allowed to give consent to the relevant PSP for PIS and AIS, and how, and by whom, such a person should be authenticated.
The common understanding is that a person authorised to represent the corporate client that owns the payment account is allowed to give consent to the PSP for PIS and AIS. The identity of that person is authenticated by the ASPSP (account servicing payment service provider, usually the bank) maintaining the payment account. In most cases, the person granting consent is authenticated with their personalised security credentials, such as the access data to the e-banking platform (password, SMS code, token code, etc.). The PSP providing PIS or AIS then receives confirmation from the ASPSP that the user granting consent has been successfully authenticated and is the person they claim to be.
After receiving such confirmation, the PSP providing PIS or AIS has access to the payment account and is allowed to provide its services.
Power of attorney to the payment account vs. consent for PIS and AIS
Another important issue is whether the corporate client's agent, acting on the basis of a power of attorney (PoA) to the payment account, is entitled to give consent for the provision of PIS and AIS.
The problem is that in the pre-PSD2 world a PoA did not specify whether the agent was authorised to grant the firm's consent for PIS and AIS; its scope only covered managing the payment account. It is therefore not clear whether granting consent for PIS and AIS is covered by an existing PoA. Some market players take the view that granting consent for AIS and PIS is a form of further PoA (a power of attorney granted by a person who themselves acts under an initial power of attorney), because on the basis of such consent the user authorises a third party to access its payment account maintained by the bank.
In the opinion of other market participants, granting consent for PIS and AIS is just another form of managing the payment account: by using PIS or AIS, the user initiates a payment transaction or accesses its payment account in the same way as with the bank's standard services, only through an external provider.
In our view, both interpretations are justified, but we find more legal arguments to defend the latter standpoint. To avoid any potential risk, however, we recommend that the company's management inform all agents holding a PoA to the company's payment account of the extent to which they may grant consent for PIS and AIS (for example, the limits on transactions that may be initiated through PIS).
Another issue widely discussed among industry players regarding PIS is how payment transactions initiated through PIS should be authorised when the authorisation of two different representatives is required.
When a corporate client places a payment order, it is often the case that the order must be authorised by two representatives (co-signed). There has been a broad discussion in the industry on how to co-sign corporate payment orders when using PIS. The most common approach is that after the payment order is initiated and authorised by the first representative via PIS (provided that this representative is authorised to do so), the order is placed in a queue, waiting to be authorised by the co-signer. The payment is therefore not rejected for lack of immediate co-signing; the order remains pending for a specified period. The second representative can co-sign the order after logging into their internet banking platform, and some PSPs send an immediate push notification to the co-signer's mobile phone or computer.
Another novelty of PSD2 concerns how PSPs authenticate their clients. PSD2 introduced SCA, a multi-factor authentication based on the use of two or more elements from the categories of knowledge (something only the user knows, such as a password), possession (something only the user possesses, such as a device receiving an SMS code, or a scratch card), and inherence (something the user is, such as a fingerprint). SCA applies to day-to-day access to the e-banking platform and to online payment transactions, irrespective of whether the user acts directly or through a PIS/AIS provider.
SCA applies where the payer:
accesses its account online
initiates an electronic payment transaction
carries out any action through a remote channel which may imply a risk of payment fraud or other abuses
However, the PSP (in most cases, the bank) may decide not to apply SCA by relying on one of the exemptions. The exemptions from SCA are listed by law, and their use is optional: even if the conditions for an exemption are met, the PSP can still decide to apply SCA without having to justify that decision. The purpose of the exemptions is to simplify the authentication process while maintaining a high level of payment security.
One of the SCA exemptions provided by law is the exemption for secure corporate payment processes and protocols, which is available for corporate clients only. The PSP is allowed not to apply SCA in respect of corporate clients initiating electronic payment transactions through dedicated payment processes or protocols that are only made available to payers who are not consumers, where the financial supervision authority is satisfied that those processes or protocols guarantee at least an equivalent level of security to that provided for by PSD2.
This means that, for example, host-to-host communication or central travel accounts might be exempted from SCA, provided that they offer at least the level of security required by PSD2.
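The following Python snippet is an added illustration of the SCA decision described above; it is not code from this article or from any PSP. It shows the part that is easy to get wrong in practice: two elements of the same category (a password plus a PIN) do not satisfy SCA, the exemption for corporate payment processes covers only payment initiation over a dedicated non-consumer channel, and applying that exemption remains the PSP's choice. The element catalogue, the action names and the `corporate_channel`/`psp_uses_exemption` flags are constructed for the example.

```python
"""Added SCA decision example (constructed; not the article's or a PSP's code)."""
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


# Constructed mapping of authentication elements to PSD2 categories.
# The classification follows the article's wording (an SMS code counts as
# possession); a real PSP would derive it from its own risk assessment.
FACTOR_CATALOGUE = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_code": Category.POSSESSION,
    "token_code": Category.POSSESSION,
    "scratch_card": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}

# The three triggers listed in the article (PSD2 Art. 97(1)); action names
# are assumptions for this example.
SCA_ACTIONS = {"account_access", "payment_initiation", "remote_risky_action"}


def meets_sca(presented):
    """Return True when the presented elements span at least two different
    categories. Any number of elements from one category (password plus PIN)
    is still single-factor and does not count as SCA."""
    unknown = [p for p in presented if p not in FACTOR_CATALOGUE]
    if unknown:
        raise ValueError(f"unclassified authentication element(s): {unknown}")
    categories = {FACTOR_CATALOGUE[p] for p in presented}
    return len(categories) >= 2


def decide(action, presented, corporate_channel=False, psp_uses_exemption=False):
    """Decide how the PSP treats a request.

    Returns one of:
      "no_sca_required" - the action is not one that triggers SCA
      "exempt"          - corporate payment exemption applied by the PSP
      "authenticated"   - SCA satisfied
      "rejected"        - SCA required but not satisfied
    """
    if action not in SCA_ACTIONS:
        return "no_sca_required"
    # The corporate exemption covers only payment initiation over a dedicated
    # non-consumer channel, and even then using it is the PSP's own decision.
    if action == "payment_initiation" and corporate_channel and psp_uses_exemption:
        return "exempt"
    return "authenticated" if meets_sca(presented) else "rejected"


if __name__ == "__main__":
    print(decide("account_access", ["password", "sms_code"]))        # authenticated
    print(decide("account_access", ["password", "pin"]))             # rejected
    print(decide("payment_initiation", [], corporate_channel=True,
                 psp_uses_exemption=True))                           # exempt
    print(decide("payment_initiation", [], corporate_channel=True))  # rejected
```

The last call shows the point made in the text: a host-to-host channel that qualifies for the exemption is still subject to SCA if the PSP chooses not to rely on it, so the decision to exempt has to be an explicit policy input rather than something inferred from the channel alone.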
As mentioned above, PSD2 has opened up the market to new players (in particular FinTechs) and authorised them to provide new payment services. This change has generated new opportunities for financial sector participants, but at the same time it has created many new practical issues. Only time will tell how service providers and other market participants adapt to the new legal reality, and how the new payment services change the payment services market as we know it today.