.svg)
Executive summary
The introduction of Directive (EU) 2015/2366 (revised Payment Services Directive, PSD2) in January 2018, despite new restrictions at the time, allowed for thousands of products and services to be offered to consumers via the limited network exclusion (LNE). However, this was not the intention of the LNE; as such, the European Banking Authority (EBA) has introduced the Consultation on Draft Guidelines on the Limited Network Exclusion under PSD2 to tighten the scope of exemptions to PSD2. Despite the tighter scope under these guidelines, there are still many ways for payment service providers (PSPs) to be exempt from strong customer authentication (SCA) requirements. Additionally, as the EBA cannot amend PSD2, PSD3 is likely to be needed to clarify any remaining inconsistencies.
The consultation runs until October 15, 2021, with the guidelines expected to apply from October 1, 2022.
This analysis seeks to understand the new draft guidelines exempting certain PSPs from PSD2, examining the background, the proposed changes, the EBA’s rationale and the implications and expectations for PSPs and future regulatory changes respectively.
The initial guidelines for exemption
When the European Union (EU) first attempted to create an EU-wide framework for payments via Directive 2007/64/EC (PSD1), criteria to exempt certain payment services from the directive were decided, known as the limited network exclusion (LNE). This was done to reduce the burden of compliance on payment options deemed to carry a low risk of fraud and other crimes, either due to low transaction values or having a limited network, e.g. a meal voucher. More than a decade later, on July 15, 2021, the EBA published new draft guidelines for the LNE, having identified “significant inconsistencies” in how the exclusions were applied across the EU.
This is not the first time that the LNE has been revised, as the creation of PSD2 was itself partly an attempt to restrict its scope. According to recital 13 of PSD2, market feedback showed that “the payment activities covered by the limited network exclusion often comprised significant payment volumes and values”, offering thousands of different products and services to consumers. As that did not fit the intended purpose of the LNE, the scope of PSD2 was increased, introducing new rules. One example is the “one leg out” rule, whereby all transactions fell under the scope of PSD2 if at least one party is located within the EU.
Protecting consumers
For the EBA, one of the main reasons to tighten the scope of exemptions to PSD2 was to maintain consumer protection. PSD2 brought in a range of security enhancing and consumer-orientated rules, notably strong customer authentication (SCA), which aimed to reduce the risk of fraud for electronic transactions and protect consumer data. This is achieved by payment firms being required to collect at least two of the following:
- Knowledge - something only the user knows (password, PIN)
- Possession - something only the user possesses (key material)
- Inherence - something the user is (fingerprint, voice recognition)
However, PSD2 provides for a number of additional measures aimed at protecting consumers, such as:
- Reducing consumer liability for unauthorised payments.
- Introducing an unconditional refund right for direct debits.
- Prohibiting additional charges for payments with consumer credit or debit cards.
- Obliging PSPs to have a complaints procedure for consumers before seeking out-of-court redress/launching court proceedings.
- Obliging PSPs to respond to any complaint within 15 business days.
- Opening the market to third-party providers by allowing non-bank companies to offer new services to their customers. This is done by obliging banks to share their customers’ data with any third-party payments service the customer grants access to.
However, according to the draft guidelines, the EBA is also concerned about the LNE being applied too inconsistently across member states, allowing PSPs to engage in regulatory arbitrage. In the long term, this could mean PSPs picking and choosing between EU countries when deciding where to offer their payment instruments (PIs), exploiting loopholes and effectively not offering the level of consumer protection the EU expects, while technically remaining compliant. The new draft guidelines, therefore, attempt to bring about regulatory convergence between member states on LNE.
The new rules — defining ‘limited’
The proposed guidelines aim to clarify what qualifies as “limited” for an LNE, the provision of exempted services, the use of PIs within limited networks and the submission of notifications to authorities.
Given the lack of definition for what was limited, the EBA considered at least 13 potential options (Chapter 4.2.2, Section 22) and chose four as suitable for defining a limited network or service provider. These four are:
- The geographical area.
- Restrictions on the use of PIs within an LNE to limit the growth of the networks, e.g. caps on the number of providers or goods and services offered.
- Whether a contractual agreement exists between the issuer and the merchants for the acceptance of the excluded instrument.
- Whether a common brand is used that characterises the limited network.
Provision
Given these criteria, the following use cases may be considered as limited networks (Chapter 4.2.2, Section 25), as long as they meet the requirements of the draft guidelines:
- A single shopping centre containing different stores.
- Different providers belonging to the same group.
- Different providers working under the same franchise system.
- A specific region with local producers of goods and services.
- Stores in a town, which are registered at the local town’s chamber of commerce.
The EBA has also proposed in Guideline 1.3 that the way funds are transferred to the PI is irrelevant to whether the instrument would fall under the LNE. The EBA further clarifies that the payment activity should be directly related to the purchase of goods and/or services, otherwise it would require authorisation under PSD2 or Directive 2009/110/EC (Electronic Money Directive 2, EMD2).
Restricted use
On the use of PIs within the LNE, the draft guidelines propose a number of restrictions:
- It should not be possible to use the same instrument to make transactions within more than one limited network or to acquire an unlimited range of goods and services.
- The use of an LNE cannot be applied more than once as this would make it easier for PSPs to use PIs much more broadly while still being exempted.
- Single card-based means of payment can no longer combine regulated and exempted PIs as this could lead to situations where consumers mistakenly believe the transaction is covered by PSD2 consumer protection.
- National regulators should take into account that the PI can be used for acquiring both physical and digital goods and services. This would stop any practice of a PI used in a local store being made exempt from PSD2 while still being able to be used for online transactions, which breaks the geographic rule.
- Although firms regulated under PSD2 should be able to make use of the LNE for PIs, the customer must be clearly advised that the product is exempt and subject to lower regulatory requirements.
Notifying the authorities
According to Article 37(2) of PSD2, if the total value of transactions for an exempted product executed over the last 12 months exceeds a threshold of €1m, the payment provider must notify its national regulator. The regulator must then decide whether the activity qualifies as a limited network. The EBA has noticed that national regulators have starkly differing rules to govern this process and desires convergence, so that consumers using an exempt PI are aware of the lack of consumer protection.
A move towards SCA-exempted PIs
Overall, the draft guidelines represent a significant clampdown on PSPs offering PI solutions to consumers without having to comply with PSD2 requirements. Although the exact impact of the guidelines is yet to be seen, not least as the guidelines might change, PSPs will likely need to take care to avoid falling under the scope of PSD2. For certain PIs, such as those benefiting from multiple exemptions, it could mean certain payment products becoming unviable, along with companies potentially having to deal with SCA-related difficulties such as increased transaction abandonment and failure rates, leading to less revenue for merchants and therefore payment firms. According to CMS Payments Intelligence (CMSPI), if the current high abandonment and failure rates were to continue, it would mean over €75bn worth of sales were at risk.
Although the scope of exemptions for PSD2 as a whole is likely to be reduced, PSPs can still find exemptions to specific areas, notably SCA, which are laid out in Chapter 2.2.2 of the Regulatory Technical Standards, for PSD2. Apart from the first transaction, which must be SCA compliant, these exemptions include:
- Merchant-initiated transactions, such as merchant refunds.
- Fixed recurring transactions such as direct debit subscriptions or buy now, pay later.
- Contactless payments below the nationally set threshold, often €50.
- Trusted beneficiaries, which consumers have the option to assign, with PSPs able to suggest themselves.
PSPs can also become SCA-exempt by meeting the conditions for the transaction risk analysis exemption, whereby the rate of fraud for that type of transaction must be below a specified level. Together, these SCA exemptions could potentially shape how the payments market in the EU develops, incentivising more subscription and direct debit models, as well as creating lower value payments such as via buy now, pay later and recurring low value transactions, over large, one-off purchases.
More changes expected in future
Additionally, although the EBA has made an attempt to reduce the uncertainty over how an LNE can be applied, the body has stated that the “proposed guidelines cannot address all the inconsistencies that the EBA has identified”, as this would require amending PSD2. PSPs regulated by PSD2 should therefore expect some level of further regulatory change, such as PSD3, as the European Commission is likely to want to clarify emerging inconsistencies for exemptions.
The introduction of PSD3 also looks likely given comments made in the Retail Payments Strategy for the EU in September 2020. The strategy stated “the large potential of open banking still remains largely untapped” and that, with the exception of global players, “there is virtually no digital payment solution that can be used across Europe to make payments in shops and in e-commerce”’. The introduction of PSD3 could therefore simultaneously remedy the inconsistencies of how the exemptions are applied across the EU and tap the potential of open banking.
Conclusion
Overall, the draft guidelines represent a significant clampdown on PSPs to offer PI solutions to consumers without having to comply with PSD2 requirements. PSPs will need to make sure their PIs meet the final guidelines when they emerge and, if they are likely to be affected, may want to consider ways to exempt their payment solutions from SCA requirements. Additionally, PSPs should consider the possibility of further changes, either from the consultation, ending on October 15, 2021, or through the possible emergence of PSD3 to fix the remaining inconsistencies the EBA has identified.
