Notice | 17 December 2019

The revised Payment Services Directive (EU 2015/2366 PSD2) aims to reduce fraud while opening up payment markets to new entrants. Increasing security standards is a key part of PSD2 and the associated European Commission delegated Regulation (EU 2018/389). The deadline for compliance with Strong Customer Authentication (SCA) as set out in EU law is 14 September 2019.

In response to industry concerns about the readiness to apply SCA to e-commerce transactions and to minimise potential disruption to consumers and merchants, the European Banking Authority (EBA) has accepted that the Central Bank of Ireland and other EU National Competent Authorities may give limited additional time for firms to implement SCA for e-commerce transactions.

Accordingly, the Central Bank has set a deadline of 31 December 2020 for compliance with SCA for electronic commerce card-based payment transactions.

This deadline is dependent on firms completing migration plans detailing how they intend on complying with SCA requirements and those migration plans being executed in an expedited manner. The Central Bank also expects firms to detail their plans to inform customers of what these changes are and how they may impact on them.

The Central Bank will engage with industry to monitor delivery against agreed transition milestones and the 31 December 2020 deadline.

Notice | 8 August 2019

Regulatory Technical Standards on Strong Customer Authentication (SCA)

The deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the PSD2 Directive is 14 September 2019.

However, the Central Bank of Ireland recognises the difficulties with meeting this deadline. We have been engaging with the industry to develop a migration plan to implement SCA for ecommerce transactions, as soon as possible after this date.

In line with the EBA opinion published in June, a limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive. This migration period relates to ecommerce transactions only. As such, there will be no disruption to payments systems from 14 September, when the RTS on SCA of the Directive is due to come into force.

The Central Bank of Ireland will continue to engage with the EBA and other National Competent Authorities in the European Union in relation to this issue, aiming to agree a harmonised approach to the migration time periods across the European Union. The Central Bank of Ireland will continue to communicate on this issue as it develops.

PSD2 Overview

Directive 2015/2366/EU (or PSD2) is an EU Directive that applies to payment services in the EU. It expands the scope of the first EU Payment Services Directive (PSD) which entered into force in 2009.

PSD2 became law in Ireland on 13 January 2018 with the signing by the Minister for Finance of the European Union (Payment Services) Regulations 2018 (Statutory Instrument No.6 of 2018).

PSD established common rules in relation to certain types of electronic payments, such as credit transfers, direct debits, card payments, and mobile and online payments.

PSD2 builds on PSD by making it possible for the EU market in payment services to be opened up to new categories of payment services provider offering a range of new payment services to businesses and consumers.

These new payment services providers are known as:

  • Payment Initiation Service Providers (PISPs)
  • Account Information Service Providers (AISPs).

PSD2 enables PISPs and AISPs to compete with banks and other more traditional payment services providers by offering new, regulated payment products and services such as account information aggregation and payment initiation.

How does PSD2 affect consumers?

PSD2 is intended to be a positive development for all users of payment services, but particularly consumers.

The principal changes brought about by PSD2 from a consumer perspective are as follows:

  • Consumers will have a maximum liability of €50 in cases where an unauthorised transaction has occurred on their account, except in cases where it can be proved that they acted fraudulently or were grossly negligent.
  • The unconditional "eight week refund" rights already afforded to consumers by the SEPA Direct Debit Scheme are now enshrined in EU law by PSD2.
  • Retailers are no longer allowed to engage in the practice of “surcharging” whereby they charge consumers fees for paying by debit or credit cards.
  • A payment services user can now terminate a contract for the provision of payment services free of charge after a period of six months rather than 12 months.
  • The existing national requirement for all payment services providers to put a complaints resolution procedure in place is reinforced by PSD2.
  • Stricter requirements apply in a number of important areas, for example the initiation and the processing of electronic payments (particularly online payments) and protecting consumers' financial data.

See also: