Payment and e-money firms should be able to clearly demonstrate how they comply with at least the following requirements:
Payment Services Directive and Regulation
PAYMENT SERVICES DIRECTIVE 1 (PSD 1)
PSD1, adopted in 2007, aimed to create a single market for payments within the European Union.
- Provided the legal basis for the Single Euro Payments Area (SEPA).
- Introduced a new licensing regime to encourage non-banks to enter the payments market.
- Set common standards for terms and conditions, focusing on high levels of transparency.
- Shifted liability between providers and customers to enhance consumer protection.
PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
PSD2, adopted in 2015 and applicable across the EU since January 2018, aimed to enhance the security, innovation and competitiveness of the European payments market.
- Mandates strong customer authentication (SCA) for electronic payments: authentication based on at least two independent factors (knowledge, possession, inherence), with the authentication code for remote payments dynamically linked to the amount and the payee.
- Provides better protection for consumers against fraud and unauthorised transactions.
- Aims to standardise regulations across EU member states.
- Allows authorised third party providers (account information and payment initiation service providers) to access payment accounts, with the customer's explicit consent, through interfaces the account-servicing PSP must provide.
PAYMENT SERVICES DIRECTIVE 3 (PSD 3) & PAYMENT SERVICES REGULATION (PSR)
PSD3 is a proposed update to the PSD2 Directive. It absorbs the Electronic Money Directive and covers the authorisation (licensing) and supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs).
The PSR is a proposed regulation introduced alongside PSD3; it carries over the conduct and operational articles of PSD2, accompanied by clarifications and some new provisions.
The final texts are likely to become available in early 2025, with an expected 18-month transition period, so the obligation to comply with the PSR could arrive in 2026 or early 2027.
Because the PSR is a regulation rather than a directive, it will apply directly in all EU member states without national transposition.
E-MONEY DIRECTIVE
The objectives of the E-Money Directive (the second E-Money Directive, which replaced the original 2000 directive) are:
- to enable innovation within the market to create tangible benefits for consumers, businesses and the wider internal market
- to establish a single passport for e-money firms
- to allow e-money firms to provide multiple service offerings and to give new players enhanced market access in the interests of real and effective competition
- to align the regulatory framework between e-money firms and payment service providers across Europe.
Please note that the E-Money Directive will be replaced by the third Payment Services Directive when it comes into force.
INSTANT PAYMENTS REGULATION
The Instant Payments Regulation covers credit transfers denominated in euro and applies to payment service providers (PSPs) in Member States that offer payment service users (PSUs) the service of sending and receiving credit transfers. Such PSPs must offer instant credit transfers at no higher charge than standard transfers and, before a transfer is authorised, provide a payee verification service that checks the payee's name against the account identifier supplied by the payer.
Find out more about the Instant Payments Regulation by reading our latest briefing.
DIGITAL OPERATIONAL RESILIENCE ACT
DORA applies from 17 January 2025 to a wide range of financial entities, including payment service providers and e-money institutions regulated by the Central Bank of Ireland.
DORA addresses digital operational risk in the financial sector by introducing targeted rules on:
- Information and Communication Technology (ICT) risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
- Information sharing arrangements.
CBI "Dear CEO" Letter
The "Dear CEO" letter from January 2023, issued by the Central Bank of Ireland, outlines several key supervisory findings and expectations for payment and e-money firms.
The letter follows the December 2021 Dear CEO Letter to payment and e-money firms on the Central Bank's supervisory expectations. It also notes the International Monetary Fund's (IMF) Technical Note on Oversight of Fintech in Ireland, which highlights the payment and e-money sector's growing importance within the broader fintech sector.
Safeguarding
Firms must operate risk management frameworks that ensure users' funds are appropriately identified, managed and protected. Safeguarding risk frameworks should include measures for the segregation, designation and reconciliation of client balances.
An audit of compliance with the safeguarding requirements was required to be carried out by an audit firm and submitted to the Central Bank by 31 July 2023.
Governance, Risk Management, Conduct and Culture
Boards should consider their governance, risk management and internal control frameworks in addition to the composition (both number and skills) of their board and management teams.
Business Model, Strategy, and Financial resilience
Firms should have board-approved business strategies in place supported by robust financial projections. Firms must understand and meet their capital requirements. Strong internal controls must be in place that are subject to regular testing.
Operational Resilience
Firms should demonstrate readiness for and resilience to operational disruptions, with particular emphasis on IT risk management.
Anti-Money Laundering and Countering Terrorist Financing
- Follow a risk-based approach.
- Firms must exercise adequate oversight (including appropriate assessment) of their agents and distributors.
- Simplified due diligence must only be carried out where appropriate and where the firm has conducted a risk assessment of each relationship.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.