Payment services supervision law

Article from BaFin's 2017 annual report

Implementation of the Second Payment Services Directive

The German Act Implementing the Second Payment Services Directive (Gesetz zur Umsetzung der Zweiten Zahlungsdiensterichtlinie) was promulgated in the Federal Law Gazette [1] on 21 July 2017. By way of this act, which entered into force on 13 January 2018, amendments have been made to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz) (see info box "Information on the Payment Services Supervision Act").

Changes resulting from the new Payment Services Supervision Act

Two further transaction types are now subject to the authorisation requirement for institutions subject to the Payment Services Supervision Act. Payment initiation services are services that trigger a payment transaction at the customer's request; the account accessed in this process is not held at the payment initiation service provider, but at another institution. Given the increase in online trading, these service providers are becoming increasingly important.

Another new addition to the catalogue of payment services is the account information service. This is an online service that provides consolidated information on one or more accounts held by a payment service user with other institutions. Where a supervision requirement under the Payment Services Supervision Act previously only applied if access to customer funds was involved, the mere access to data relating to payment accounts has now been placed under supervision for the first time.

In addition, the definition of “Akquisitionsgeschäft” (issuing of payment instruments and/or acquiring of payment transactions) has been expanded. The digital payments business will no longer be a payment service subject to separate standards and requirements. However, this does not mean that it will cease to exist without replacement; rather, it will be merged into existing and new definitions of payment services.

Finally, in the implementation of the Payment Services Directive, the industry-wide exemptions for certain payment systems and for the telecommunications sector were narrowed down: a payment instrument will in future be exempted from the authorisation requirement only if the ways in which it can be used are limited to a clearly (more narrowly) defined network, a very limited product range or certain social or tax purposes. The telecommunications sector, too, is only exempt from the authorisation requirement for certain types of transactions, provided certain upper limits are not exceeded.

Technical requirements expanded

For the supervision of payment and e-money institutions, the act has in particular led to expanded technical requirements. For example, processes for handling security incidents, for dealing with sensitive payment data and for ensuring business continuity in crisis situations must be implemented and documented, as must the collection of statistical data and a security strategy. Companies that exclusively provide account information services do not have to get authorisation; instead they only have to apply for registration, although they are then also supervised. Payment initiation and account information service providers need cover, such as liability insurance.

Security of payments

The security of payments is a topic of major significance in payment transactions. Mandatory strong customer authentication for certain transactions is intended to keep cases of fraud in payment transactions to a minimum. Special requirements imposed on the new payment service providers for the technical access interfaces to the payment account are intended to allow structured, secure access to payment accounts. The European Banking Authority (EBA) drafted regulatory technical standards, which entered into force on 14 March 2018 as a Delegated Regulation of the European Commission [2]. Payment service providers now have until 14 September 2019 to implement this regulation.

  1. Federal Law Gazette I 2017, page 2446.
  2. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.