New regulations for payment services providers in Europe
Payment services have seen significant technical innovations in recent years. These led to a fast increase in electronic and mobile payments and the creation of new payment methods, like Paypal, Giropay or instant transfers.
In the beginnings, however, many of these innovative payment methods and services did not fall under any regulation. Existing regulatory requirements turned out to be simply obsolete. This led to legal uncertainty, possible security risks within the payment chain and poor consumer protection.
In order to take account of technical developments, the European legislator has revised the European Payment Services Directive (PSD) of 2007. The Second Payments Services Directive creates a comprehensive regulatory framework for all payment services within the European Union.
The Law on the Implementation of the Second Payment Services Directive has transposed PSD II into German law and revised the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz; ZAG). The new ZAG entered into force on January 13, 2018.
Payment initiation services and account information services
The new payment services directive mainly regulates two groups of payment services providers, so-called payment initiation services and account information services. In the future, these services providers are planned to act in payment services between the bank customers and the bank holding their accounts. Payment initiation services, for instance, allow customers to pay their online purchases immediately by transmitting their online banking access data and a transaction number (TAN) directly to a payment services provider linked to the online shop.
Thanks to account information services, e.g. via app, customers can also receive an overview of their financial situation at any time, in real time.
PSD II – Effects on privacy
But PSD II has an impact not only on regulatory and civil law provisions governing the performance of payment services but also at the privacy level, especially in view of the General Data Protection Regulation (GDPR) which has been applicable since May 25, 2018.
For carrying out their services, payment services providers need certain data of bank customers. Where bank customers have expressly consented, banks have to grant payment services providers access to the customers’ data. While this leaves room for new innovative payment services, it also gives rise to serious privacy concerns. If the level of data protection is insufficient, account data, like information on account balances and transactions, can represent a particularly high risk to the rights and freedoms of the account holder. Hence, these data require superior protection.
PSD II contradicts GDPR
Although PSD II sets out some rules concerning the treatment of bank customers’ personal data, these are less restrictive than the requirements of the GDPR. According to the present interpretation of PSD II, it would be admissible for a bank to grant an account information services provider access to all account transactions within a relevant period. But this could lead to sensitive information, like drug bills, hence, health data, being included in the processing and finally being used for creating a profile. A transmission of all account transactions to the account information service also seems to conflict with the principles of the GDPR, which include
- a purpose limitation;
- data minimization; and
- data control (the individual bank customer’s right to control their data).
We advise payment services providers and banks on privacy
In order to ensure that banks and payment services providers are in compliance with law, it is indispensable for them to make sure that, both in technical and organizational terms, they perform their payment services in a way that meets the requirements of both the GDPR, like the rights to erasure and access, or compulsory information to be provided when personal data are collected, and the regulatory requirements under PSD II. Our experienced attorneys specializing in privacy law and payment services law will be pleased to assist you.