9 August 2024

The Resolution By PSD3 Of The Limitations Imposed By The GDPR In The Fight Against Fraud

Herald, Contributor

The fight against fraud mandated by Directive No. 2015/2366 on payment services in the European Union ("PSD2") has sometimes been limited by Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data ("GDPR"). The new regulation reforming PSD2 increases the data processing capabilities of payment service providers for efficiency.

Strengthening anti-fraud obligations by PSD2 in brief

PSD2 profoundly transformed the world of payments, replacing the obsolete Directive 2007/64 ("PSD1"). PSD2 created two new actors, account information aggregators and payment initiators, and implemented open banking by opening banks' interfaces to these new actors, enabling them to access payment accounts in order to offer services to customers.

PSD2 also strengthened anti-fraud obligations, requiring all payment service providers ("PSPs") to apply Strong Customer Authentication ("SCA") whenever a user initiates an electronic payment or accesses their online banking interface. PSPs across the Union developed authentication solutions based on at least two of the following elements: "knowledge" (something only the user knows), "possession" (something only the user possesses), and "inherence" (part of the user's identity obtained, for example, through biometrics). Practical experience revealed the need for clarification and standardization, leading to the reform of PSD2.

The Reform of PSD2

On June 28, 2023, two texts were published: a proposed directive (2022/0209) on payment and electronic money services (PSD3) and a proposed regulation (2023/0210) on payment services in the European Union (RSP1). The choice of a regulation signals the European Commission's desire to standardize payment rules: a regulation needs no transposition and applies directly, avoiding differences in application between Member States. These texts were adopted by the European Parliament in April 2024 and are still awaiting a vote. They will come into force 20 days after their publication in the Official Journal of the European Union, with an additional 24 months for the provisions requiring PSPs to verify discrepancies between the name and the unique identifier of a beneficiary in the case of a transfer, and for the corresponding liability regime.

RSP1: authorisation to process special categories of personal data

To regulate the use of personal data and protect consumers, GDPR requires customer consent for using their biometric data. As fraudsters are unlikely to give this consent, it impacts the effectiveness of biometrics in fighting fraud. On September 24, 2020, the European Commission published a communication on a retail payments strategy for the European Union, recognizing that "payments have gained strategic importance and become the lifeblood of the European economy."

This public interest justifies regulatory evolution. RSP1, which reforms PSD2, therefore indicates that PSPs and payment system operators should process special categories of personal data under Article 9 of the GDPR (notably biometric data) and Article 10 (personal data relating to criminal convictions and offenses) to the extent necessary for providing payment services and fulfilling their obligations under RSP1, in the public interest of the proper functioning of the internal market for payment services. This processing is subject to appropriate safeguards for the fundamental rights and freedoms of individuals, set out in particular in Article 80 of RSP1:

  • technical measures to ensure compliance with principles of purpose limitation, data minimization, and retention limitation as outlined in GDPR, including technical limitations on data reuse and the use of advanced security and privacy measures such as pseudonymization or encryption.
  • organizational measures, including training on processing special categories of data, limiting access to such data, and recording access.

This possibility was eagerly awaited by PSPs, whose SCA had been limited in effectiveness by this prohibition, even though safeguards of the kind now provided by RSP1 were already possible. Notably, biometric data can (and generally must) be used only for authentication and then deleted.

RSP1 now allows using biometrics for customer authentication and fraud prevention without their consent. With the same goal, RSP1 encourages information sharing among PSPs.

RSP1: information sharing among PSPs

Under Article 83 of RSP1, to better detect fraudulent payment transactions and protect their customers, PSPs are authorized to voluntarily exchange personal data such as unique beneficiary identifiers (e.g., IBAN), manipulation techniques, and other circumstances associated with fraudulent transfers individually identified by each PSP within information-sharing arrangements. Sufficient elements for sharing unique identifiers are presumed when at least two different payment service users, customers of the same PSP, have reported that a unique beneficiary identifier was used to make a fraudulent transfer.

These information-sharing arrangements must define detailed participation modalities and operational elements, including the use of specific IT platforms. Before participating in such arrangements, PSPs must conduct a data protection impact assessment and, if necessary, consult the supervisory authority per GDPR. An initial impact assessment is required, but it is unnecessary to redo one when a PSP joins an existing information-sharing arrangement.
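The Article 83 presumption described above, written as a PSP-side eligibility check (an added illustration, not code from the article or from any regulatory text): an identifier becomes shareable only once at least two distinct customers of the same PSP have reported it, repeat reports from one customer do not count, and the record prepared for sharing carries the identifier and the manipulation techniques but no reporter identity, in line with data minimization. The record fields, PSP labels and fraud reports are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Presumption in Article 83 RSP1: at least two different payment service
# users, customers of the same PSP, reported the beneficiary identifier.
MIN_DISTINCT_REPORTERS = 2


@dataclass(frozen=True)
class FraudReport:
    psp: str             # PSP that received the report (constructed label)
    user_id: str         # reporting customer; never leaves the PSP
    beneficiary_id: str  # unique beneficiary identifier, e.g. an IBAN
    technique: str       # manipulation technique described by the customer


def shareable_identifiers(reports, psp, threshold=MIN_DISTINCT_REPORTERS):
    """Return minimized records for identifiers meeting the presumption at `psp`."""
    reporters = defaultdict(set)   # beneficiary_id -> distinct reporting users
    techniques = defaultdict(set)  # beneficiary_id -> techniques reported
    for r in reports:
        if r.psp != psp:
            continue  # each PSP evaluates only reports from its own customers
        reporters[r.beneficiary_id].add(r.user_id)
        techniques[r.beneficiary_id].add(r.technique)
    records = [
        {
            "beneficiary_id": ben,
            "techniques": sorted(techniques[ben]),
            "distinct_reports": len(users),
        }
        for ben, users in reporters.items()
        if len(users) >= threshold  # duplicate reports by one user collapse to one
    ]
    return sorted(records, key=lambda rec: rec["beneficiary_id"])


# Constructed sample: fake identifiers, not real accounts.
SAMPLE_REPORTS = [
    FraudReport("PSP-A", "user-1", "XX00TEST0000000001", "invoice redirection"),
    FraudReport("PSP-A", "user-2", "XX00TEST0000000001", "fake bank adviser call"),
    FraudReport("PSP-A", "user-3", "XX00TEST0000000002", "fake bank adviser call"),
    FraudReport("PSP-A", "user-3", "XX00TEST0000000002", "fake bank adviser call"),
    FraudReport("PSP-B", "user-9", "XX00TEST0000000002", "invoice redirection"),
]

if __name__ == "__main__":
    for rec in shareable_identifiers(SAMPLE_REPORTS, "PSP-A"):
        print(rec)
```

Only the first identifier qualifies for PSP-A: the second was reported twice by the same customer, and the single report at PSP-B does not count toward PSP-A's presumption.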

GDPR and PSD2 share the goal of consumer protection, but practice has shown that certain GDPR provisions limited the fight against fraud, notably the use of biometrics. The reform of PSD2 will remove these limits and strengthen the fight against fraud in an environment where fraud techniques are increasingly sophisticated and fake identity documents are sometimes impossible to detect.
