Considerations on COM(2023)366 - Payment services and electronic money services in the Internal Market

(1) Since the adoption of Directive (EU) 2015/2366 of the European Parliament and of the Council, the retail payment services market underwent significant changes largely related to the increasing use of cards and other digital means of payment, the decreasing use of cash and the growing presence of new players and services, including digital wallets and contactless payments. The Covid-19 pandemic and the transformations it brought to consumption and payment practices have increased the importance of having secure and efficient digital payments.

(2) The Communication from the Commission on a Retail Payments Strategy for the EU announced the launch of a comprehensive review of the application and impact of Directive (EU) 2015/2366 “which should include an overall assessment of whether it is still fit for purpose, taking into account market developments”.

(3) Directive (EU) 2015/2366 aimed at addressing barriers to new types of payment services and improving the level of consumer protection and security. The evaluation of the impact and application of Directive (EU) 2015/2366 by the Commission found that Directive (EU) 2015/2366 has been largely successful with regard to many of its objectives, but also identified certain areas where the objectives of the Directive have not been fully achieved. In particular, the evaluation identified problems regarding divergent implementation and enforcement of Directive (EU) 2015/2366, which have directly impacted competition between payment service providers, by leading to effectively different regulatory conditions in Member States because of different interpretation of the rules, encouraging regulatory arbitrage.

(4) There should be no room for ‘forum shopping’ where payment services providers would choose, as home country, those Member States where the application of Union rules on payment services is more advantageous for them and provide cross-border services in other Member States which apply stricter interpretation of the rules or apply more active enforcement policies to payment service providers established there. That practice distorts competition. The Union rules on payment services should be harmonised by incorporating rules governing the conduct of payment services in a Regulation and separating them from the rules on authorisation and supervision of payment institutions, which should be governed by this Directive (PSD3), and not continue to be governed by the Directive currently in force (PSD2).

(5) Even though the issuance of electronic money is regulated under Directive 2009/110/EC of the European Parliament and of the Council, the use of electronic money to fund payment transactions is to a very large extent regulated by Directive (EU) 2015/2366. Consequently, the legal framework applicable to electronic money institutions and payment institutions, in particular with regard to the conduct of business rules, is already substantially aligned. Over the years competent authorities in charge of authorisation and supervision of payment institutions and electronic money institutions have experienced practical difficulties in clearly delineating the two regimes and in distinguishing electronic money products and services from payment and electronic money services offered by payment institutions. This has led to concerns about regulatory arbitrage and an uneven level playing field, as well as issues related to the circumvention of the requirements of Directive 2009/110/EC where payment institutions issuing electronic money take advantage of the similarities between payment services and electronic money services and apply for authorisation as a payment institution. It is therefore appropriate that the authorisation and supervision regime applicable to electronic money institutions is further aligned with the regime applicable to payment institutions. However, the licensing requirements, in particular initial capital and own funds, and some key basic concepts governing the electronic money business, including the issuance of electronic money, electronic money distribution and redeemability, are distinct from the services provided by payment institutions. It is therefore appropriate to preserve these specificities when combining the provisions of Directive (EU) 2015/2366 and Directive 2009/110/EC.

(6) As evidenced in the review conducted by the Commission and given the evolution of the respective markets, businesses and risks attached to the activities, it is necessary to update the prudential regime for payment institutions, including those issuing electronic money and providing electronic money services, by requiring a single licence for providers of payment services and electronic money services not taking deposits. Given that Regulation (EU) 2023/1114 of the European Parliament and of the Council lays down in its Article 48(2) that issuers of electronic money shall be deemed to be electronic money, the licensing regime for payment institutions, as they will replace the electronic money institutions, should also apply to issuers of electronic money tokens. The prudential regime applicable to payment institutions should be based on an authorisation, subject to a set of strict and comprehensive conditions, for legal persons offering payment services when not taking deposits. The prudential regime applicable to payment institutions should ensure that the same conditions apply Union-wide to the activity of providing payment services.

(7) It is appropriate to dissociate the service of enabling cash to be withdrawn from a payment account from the activity of servicing a payment account, as the providers of cash withdrawal services may not service payment accounts. The services of issuing payment instruments and of acquiring payment transactions, which were listed together in point 5 of the Annex to Directive (EU) 2015/2366 as if one could not be offered without the other, should be presented as two different payment services. Listing issuing and acquiring services separately should, together with distinct definitions of each service, clarify that the issuing and acquiring services may be offered separately by payment service providers.

(8) Taking into account the rapid evolution of the retail payments market, and the constant new offering of payment services and payment solutions, it is appropriate to adapt some of the definitions under Directive (EU) 2015/2366, such as the definition of payment account, funds and payment instrument, to the realities of the market to ensure that Union legislation remains fit for purpose and technology neutral.

(9) Given the diverging views identified by the Commission in its review of the implementation of Directive (EU) 2015/2366 and highlighted by the European Banking Authority (EBA) in its opinion of 23 June 2022 on the review of Directive (EU) 2015/2366, it is necessary to clarify the definition of a payment account. The determining criterion for the categorisation of an account as payment account lies in the ability to perform daily payment transactions from such an account. The possibility of making payment transactions to a third party from an account or of benefiting from such transactions carried out by a third party is a defining feature of the concept of payment account. A payment account should therefore be defined as an account that is used for sending and receiving funds to and from third parties. Any account that possesses those characteristics should be considered a payment account and should be accessed for the provision of payment initiation and account information services. Situations where another intermediary account is needed to execute payment transactions from or to third parties should not fall under the definition of a payment account. Savings accounts are not used for sending and receiving funds to or from a third party, excluding them therefore from the definition of a payment account.

(10) Given the emergence of new types of payment instruments and the uncertainties prevailing in the market as to their legal qualification, the definition of a ‘payment instrument’ should be further specified as to what constitutes or does not constitute a payment instrument, bearing in mind the principle of technology neutrality.

(11) Despite the fact that Near-Field Communication (NFC) enables the initiation of a payment transaction, considering it as a fully-fledged ‘payment instrument’ would pose some challenges, including for the application of strong customer authentication for contactless payments at the point of sale and of the payment service provider’s liability regime. NFC should therefore rather be considered as a functionality of a payment instrument and not as a payment instrument as such.

(12) The definition of ‘payment instrument’ under Directive (EU) 2015/2366 made reference to a ‘personalised device’. Since there are pre-paid cards where the name of the holder of the instrument is not printed on the card, this could leave those cards outside the scope of the definition of a payment instrument. The definition of ‘payment instrument’ should, therefore, be amended to refer to ‘individualised’ devices, instead of ‘personalised’ ones, specifying that pre-paid cards where the name of the holder of the instrument is not printed on the card are payment instruments.

(13) So-called digital ‘pass-through wallets’, involving the tokenisation of an existing payment instrument, including a payment card, are to be considered as technical services, and should thus be excluded from the definition of payment instrument as a token cannot be regarded as being itself a payment instrument but, rather, a payment application within the meaning of Article 2, point (21) of Regulation (EU) 2015/75 of the European Parliament and of the Council. However, some other categories of digital wallets, namely pre-paid electronic wallets such as ‘staged-wallets’ where users can store money for future online transactions, are to be considered a payment instrument and their issuance as a payment service.

(14) Money remittance is a payment service that is usually based on cash provided by a payer to a payment service provider without any payment accounts being created in the name of the payer or the payee which remits the corresponding amount, to a payee or to another payment service provider acting on behalf of the payee. In some Member States, supermarkets, merchants and other retailers provide to the public a service enabling them to pay utilities and other regular household bills. Those bill-paying services should therefore be treated as money remittance.

(15) The definition of funds should cover all forms of central bank money issued for retail use, including banknotes and coins, and any possible future central bank digital currency, electronic money and commercial bank money. Central bank money issued for use between the central bank and commercial banks, i.e. for wholesale use, should not be covered.

(16) Regulation (EU) 2023/1114 of 31 May 2023 lays down that electronic money tokens shall be deemed to be electronic money. Electronic money tokens should therefore be included, as electronic money, in the definition of funds.

(17) The evaluation of the implementation of Directive (EU) 2015/2366 did not identify a clear need to substantially change the conditions for granting and maintaining authorisation as payment institutions or electronic money institutions prescribed under, respectively, Directives 2007/64/EC of the European Parliament and of the Council and Directive 2015/2366/EU, on the one hand, and Directive 2009/110/EC on the other hand. Such conditions continue to include prudential requirements proportionate to the operational and financial risks faced by payment institutions, including institutions issuing electronic money and providing electronic money services in the course of their business. It is appropriate to add to the documentation required in support of an application for authorisation as a payment institution a winding-up plan for the eventuality of failure, proportionate to the business model of the future payment institution; that winding-up plan should be appropriate to support an orderly wind-up of activities under applicable national law, including continuity or recovery of any critical activities performed by outsourced service providers, agents or distributors. To avoid that authorisation is granted for services that are not effectively provided by a payment institution, it is necessary to specify that a payment institution should not be obliged to obtain an authorisation for payment services that it does not intend to provide.

(18) The EBA Peer Review on authorisation under Directive (EU) 2015/2366 published in January 2023 concluded that deficiencies in the authorisation process have led to a situation where applicants are subject to different supervisory expectations as regards the requirements for authorisation as a payment institution or electronic money institution across the Union, and that sometimes the process of granting an authorisation may take an exceedingly long time. To ensure a level playing field and a harmonised process for the granting of an authorisation to undertakings applying for a payment institution license, it is appropriate to impose on competent authorities a time limit of 3 months for the authorisation process to be concluded, after the receipt of all the information required for the decision.

(19) To ensure more consistency in the application process for payment institutions, it is appropriate to mandate the EBA to develop draft regulatory technical standards on authorisation, including on the information to be provided to the competent authorities in the application for the authorisation of payment institutions, a common assessment methodology for granting authorisation or for registration, what can be considered as a comparable guarantee to professional indemnity insurance and the criteria to be used to stipulate the minimum monetary amount of professional indemnity insurance or a comparable guarantee. The EBA should thereby take into account the experience acquired in the application of its Guidelines on the information to be provided by applicant payment service providers to national competent authorities for authorisation or registration, and of its Guidelines on the application of the criteria used to specify the minimum monetary amount of the professional indemnity insurance or other comparable guarantee.

(20) The prudential framework applicable to payment institutions should continue to rest on the premise that those institutions are prohibited from accepting deposits from payment service users and are only permitted to use funds received from payment service users for rendering payment services. Consequently, it is appropriate that prudential requirements applicable to payment institutions reflect the fact that payment institutions engage in more specialised and limited activities than credit institutions, thus generating risks that are narrower and easier to monitor and control than those that arise across the broader spectrum of activities of credit institutions.

(21) Competent authorities should pay particular attention in considering applications for authorisation as a payment institution to the governance plan submitted as part of that application. Payment institutions should address the potentially detrimental effect of poorly designed governance arrangements on the sound management of risk by applying a sound risk culture at all levels. Competent authorities should monitor the adequacy of internal governance arrangements. It is appropriate for the EBA to adopt guidelines on internal governance arrangements, taking into account the variation of sizes and business models among payment institutions and respecting the principle of proportionality.

(22) Whilst the authorisation requirements set out specific rules on information and communication technology (ICT) security controls and mitigation elements for obtaining an authorisation to provide payment services, those requirements should be aligned with the requirements under Regulation (EU) 2022/2554 of the European Parliament and of the Council.

(23) Payment initiation service providers and account information service providers, when providing those services, do not hold client funds. Accordingly, it would be disproportionate to impose own funds requirements on those market players. Nevertheless, it is important to ensure that payment initiation service providers and account information service providers be able to meet their liabilities in relation to their activities. In order to ensure a proper coverage of the risks associated with payment initiation or account information services, it is appropriate to require payment institutions offering these services to hold either a professional indemnity insurance or a comparable guarantee, and to further specify what risks need to be covered, in light of the provisions on liability included in Regulation XXX [PSR]. Taking into account the difficulties experienced by the providers of account information services and payment initiation services to contract a professional indemnity insurance covering the risks related to their activity, it is appropriate to provide for the possibility for these institutions to choose to hold initial capital of EUR 50 000 as an alternative to the professional indemnity insurance, at the licensing or registration stage only. That flexibility for account information and payment initiation service providers at the licensing or registration stage should be without prejudice to the requirement for those providers to subscribe to a professional indemnity insurance without undue delay after their license or registration has been obtained.

(24) To address the risks of acquisition of a qualified holding of a payment institution within the meaning of Regulation (EU) No 575/2013 of the European Parliament and of the Council, it is appropriate to require notification of the acquisition to the relevant competent authority.

(25) To cater for the risks posed by their activities, payment institutions need to hold enough initial capital combined with own funds. Taking into account the possibility for payment institutions to engage in the wide range of activities covered by this Directive it is appropriate to adjust the level of the initial capital attached to individual services to the nature and the risks attached to these services.

(26) Taking into account that the initial requirements applicable to payment institutions have not been adapted since the adoption of Directive 2007/64/EC, it is appropriate to adjust these requirements to inflation. However, taking into account that the capital requirements applicable to payment institutions that provide only payment initiation services have only been implemented since the entry into force of Directive (EU) 2015/2366, and that no evidence was found with regard to the inadequacy of those requirements, those requirements should not be modified.

(27) The large variety of business models in the retail payments industry justifies the possibility to apply distinct methods for the calculation of own funds, which cannot however fall below the level of the relevant initial capital.

(28) This Directive pursues the same approach as Directive (EU) 2015/2366, which allowed for several methods to be used for the purpose of calculating the combined own funds requirements with a certain degree of supervisory discretion to ensure that the same risks are treated the same way for all payment service providers. The use of the payment institution’s payment volume of the previous year to compute its own funds requirements is the most adequate and the most applied own fund calculation method for most business models. For those reasons, and to improve consistency and ensure a level playing field, it is appropriate to require national competent authorities to prescribe the use of that method. It should however be possible for national competent authorities to deviate from that principle and to require payment institutions to apply other methods for business models that result in low volume but high value transactions. To ensure legal certainty and maximum clarity with regard to such business models, it is appropriate to mandate the EBA to develop draft regulatory technical standards.

(29) Notwithstanding the objective of aligning the prudential requirements of payment institutions providing payment services and electronic money services, it is appropriate to take account of the specificity of the business of issuing electronic money and carrying out electronic money business, and to allow payment institutions issuing electronic money and providing electronic money services to apply a more appropriate method to compute their own funds requirements.

(30) Where the same payment institution executes a payment transaction for both the payer and the payee and a credit line is provided to the payer, it is appropriate to safeguard the funds in favour of the payee once they represent the payee’s claim towards the payment institution.

(31) Considering the difficulties experienced by payment institutions in opening and maintaining payment accounts with credit institutions, it is necessary to provide for an additional option for the safeguarding of users’ funds, namely the possibility to hold those funds at a central bank. That possibility should however be without prejudice to the possibility for a central bank to not offer that option, based on its organic law. Taking into account the need to protect users’ funds and to avoid that such funds are used for other purposes than to provide payment services or electronic money services, it is appropriate to require that payment service user funds are kept separate from the payment institution’s own funds. To ensure a level playing field between payment institutions providing payment services and payment institutions issuing electronic money and providing electronic money services, it is appropriate to align as much as possible the regimes applicable to the safeguarding of users’ funds, whilst preserving the specificities of electronic money. Concentration risk is a significant risk faced by payment institutions, in particular where funds are safeguarded in a single credit institution. It is therefore important to ensure that payment institutions avoid concentration risk to the extent possible. For that reason, the EBA should be instructed to develop regulatory technical standards on risk avoidance in the safeguarding of customer funds.

(32) It should be possible for payment institutions to engage in other activities, beyond those covered by this Directive, including the provision of operational and closely related ancillary services and the operation of payment systems or other business activities regulated by applicable Union law and national law.

(33) Considering the higher risks of deposit-taking activity, it is appropriate to prohibit payment institutions offering payment services from accepting deposits from users, and to require them to only use funds received from users for providing payment services. Funds received from payment service users by payment institutions offering electronic money services should constitute neither a deposit nor other repayable funds received from the public within the meaning of Article 9 of Directive 2013/36/EC of the European Parliament and of the Council.

(34) To limit the risks of payment accounts being used for other purposes than for the execution of payment transactions, it is appropriate to specify that when engaging in the provision of one or more of the payment services or electronic money services, payment institutions should always hold payment accounts used exclusively for payment transactions.

(35) Payment institutions should be allowed to grant credit, but this activity should be subjected to some strict conditions. It is therefore appropriate to regulate the granting of credit by payment institutions in the form of credit lines and the issuance of credit cards, insofar as those services facilitate payment services and if credit is granted for a period not exceeding 12 months, including on a revolving basis. It is appropriate to allow payment institutions to grant short-term credit with regard to their cross-border activities, on the condition that it is refinanced using mainly the payment institution’s own funds, as well as other funds from the capital markets, and not the funds held on behalf of clients for payment services. That possibility should however be without prejudice to Directive 2008/48/EC of the European Parliament and of the Council or other relevant Union law or national measures regarding conditions for granting credit to consumers. Given their principally lending nature, ‘Buy Now Pay Later’ services should not constitute a payment service. Those services are covered by the new Directive on consumer credits replacing Directive 2008/48/EC.

(36) To ensure that evidence on the compliance with the obligations laid down in this Directive is duly preserved for a reasonable amount of time, it is appropriate to require payment institutions to keep all appropriate records for at least five years. Personal data should not be kept longer than necessary for ensuring that purpose and, where an authorisation has been withdrawn, data should not be kept longer than five years after that withdrawal.

(37) To ensure that an undertaking does not provide payment services or electronic money services without being authorised, it is appropriate to require all undertakings intending to provide payment services or electronic money services to apply for an authorisation, except where this Directive provides for registration instead of authorisation. Furthermore, in order to ensure the stability and integrity of the financial system and payment systems and to protect consumers, such undertakings must be established in a Member State and effectively supervised. This requirement should also cover payment institutions issuing electronic money, given the significant new prudential risks associated with the possibility for electronic money institutions to also issue electronic money tokens. The establishment of a legal person in the EU should be required for electronic money issuers to enable effective supervision of those entities, and to align with Regulation 2023/1114/EU. Electronic money tokens are a form of crypto-asset which can scale up significantly in size and pose risks affecting financial stability, monetary sovereignty and monetary policy.

(38) To avoid abuses of the right of establishment and to avoid cases where a payment institution establishes itself in a Member State without planning to perform any activity in that Member State, it is appropriate to require that a payment institution requesting authorisation in a Member State provides at least part of its payment services business in that Member State. The obligation for an institution to carry out a part of its business in its home country, which was already imposed by Directive (EU) 2015/2366, has been interpreted very differently, with some home countries imposing that most of the business be carried out in their country. A ‘part’ should mean less than the majority of the institution’s business in order to preserve the “effet utile” of the payment institution’s freedom to provide cross-border services.

(39) A payment institution may engage in other activities than the provision of payment services or electronic money services. To ensure a proper supervision of the payment institution, it is appropriate to allow national competent authorities, where necessary, to require the establishment of a separate entity for the provision of payment services or electronic money services. Such a decision by the competent authority should take account of the potential negative impact that an event affecting the other business activities could have on the payment institution’s financial soundness, or the potential negative impact arising from a situation where the payment institution would not be able to provide separate reporting on own funds in relation to its payment and electronic money activities and its other activities.

(40) To ensure a proper ongoing supervision of payment institutions and the availability of accurate and up-to-date information, it is appropriate to require payment institutions to inform national competent authorities of any change in their business affecting the accuracy of the information provided with regard to authorisation, including with regard to additional agents or entities to which activities are outsourced. Competent authorities should, in the event of doubt, verify that the information received is correct.

(41) To ensure a consistent authorisation regime of payment institutions throughout the Union, it is appropriate to lay out harmonised conditions under which national competent authorities may withdraw an authorisation issued to a payment institution.

(42) To enhance transparency of the operations of payment institutions that are authorised by, or registered with, competent authorities of the home Member State, including their agents, distributors and branches, and to ensure a high level of consumer protection in the Union, it is necessary to ensure easy public access to the list of the undertakings providing payment services, with their related brands, which should be included in a public national register.

(43) To ensure that information on authorised or registered payment institutions or entities entitled under national law to provide payment or electronic money services is available throughout the Union in a central register, the EBA should operate such a register in which it should publish a list of the names of the undertakings authorised or registered to provide payment services or electronic money services. Where that entails the processing of personal data, the publication at Union level of information on natural persons acting as agents or distributors is necessary to guarantee that only authorised agents and distributors operate in the internal market and is therefore in the interest of the adequate functioning of the internal market for payment services. Member States should ensure that the data that they provide on the undertakings concerned, including their agents, distributors and branches, is accurate and up-to-date, and transmitted to the EBA without undue delay and if possible in an automated way. The EBA should therefore develop draft regulatory technical standards to specify the methods and arrangements for the transmission of such information. Those draft regulatory technical standards should ensure a high level of granularity and consistency of the information. When developing those draft regulatory technical standards, the EBA should take into consideration the experience in applying Commission Delegated Regulation (EU) 2019/411. To enhance transparency, it is appropriate that the information transmitted contains the brands of all payment and electronic money services provided. Publication of personal data should occur in compliance with the rules on data protection in force. Where personal data are published, appropriate data protection safeguards that prevent further unintended dissemination of the information online should be implemented.

(44) To enhance transparency and awareness of the services provided by payment initiation and account information service providers, it is appropriate that the EBA maintains a machine-readable list containing basic information on such undertakings and services provided by them. The information contained in this list should allow for the payment initiation and account information service providers to be identified unequivocally.

(45) To expand the reach of their services, payment institutions may need to use entities providing payment services on their behalf, including agents or, in the case of electronic money services, distributors. Payment institutions may also exercise their right of establishment in a host Member State, different from the home Member State, through branches. In such cases, it is appropriate that the payment institution communicates to the national competent authority all the relevant information related to agents, distributors and branches and informs national competent authorities of any changes without undue delay. To ensure transparency vis-à-vis end users, it is also appropriate that agents, distributors or branches acting on behalf of a payment institution inform payment service users of that fact.

(46) In conducting their business, payment institutions may need to outsource operational functions of part of their activity. To ensure that this is not done to the detriment of the continuing compliance of a payment institution with the requirements of its authorisation, or other applicable requirements under this Directive, it is appropriate to require a payment institution to inform without undue delay national competent authorities when it intends to outsource operational functions, and about any change regarding the use of entities to which activities are outsourced.

(47) To ensure a proper mitigation of the risks that the outsourcing of operational functions may generate, it is appropriate to require that payment institutions take reasonable steps to ensure that such outsourcing does not violate the requirements of this Directive. Payment institutions should remain fully liable for any acts of their employees, or any agent, distributor or outsourced entity.

(48) To ensure the effective enforcement of the provisions of national law adopted pursuant to this Directive, Member States should designate competent authorities in charge of the authorisation and supervision of payment institutions. Member States should ensure that competent authorities are granted the necessary powers and resources, including staff, to properly carry out their functions.

(49) To enable competent authorities to properly supervise payment institutions, it is appropriate to grant those authorities investigatory and supervisory powers and the possibility to impose administrative penalties and measures necessary to perform their tasks. For the same reason, it is appropriate to grant competent authorities the power to request information, conduct on-site inspections and issue recommendations, guidelines and binding administrative decisions. Member States should lay down national provisions with respect to the suspension or withdrawal of the authorisation of a payment institution. Member States should empower their competent authorities to impose administrative sanctions and measures aimed specifically at ending infringements of provisions concerning the supervision or pursuit of the payment service business.

(50) Due to the broad range of possible business models in the payments industry, it is appropriate to allow for a certain degree of supervisory discretion to ensure that the same risks are treated in the same way.

(51) When supervising compliance by payment institutions with their obligations, competent authorities should exercise their supervisory powers respecting fundamental rights, including the right to privacy. Without prejudice to the control of an independent authority (national data protection authority) and in accordance with the Charter of Fundamental Rights of the European Union, Member States should have in place adequate and effective safeguards where there is a risk that the exercise of those powers could lead to abuse or arbitrariness amounting to serious interference with such rights including, where appropriate, through the prior authorisation of the judicial authority of the Member State concerned.

(52) To ensure the protection of individual and business rights, Member States should ensure that all persons who work or who have worked for competent authorities are subjected to the obligation of professional secrecy.

(53) The activity of payment institutions may span across borders and be relevant for different competent authorities as well as the EBA, the European Central Bank (‘ECB’) and national central banks in their capacity as monetary and oversight authorities. It is therefore appropriate to provide for their effective cooperation and exchange of information. Information sharing arrangements should fully comply with the data protection rules laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council [41] and in Regulation (EU) 2018/1725 of the European Parliament and of the Council [42].

(54) Where disagreements occur in the context of the cross-border cooperation between competent authorities, those competent authorities should be able to request assistance from the EBA, which should take a decision without undue delay. The EBA should also be able to assist competent authorities in reaching an agreement on its own initiative.

(55) A payment institution that exercises the right of establishment or freedom to provide services should provide the competent authority of the home Member State with any relevant information with regard to its business and notify that competent authority about which Member State(s) the payment institution intends to operate in, whether it intends to use branches, agents or distributors and whether it intends to use outsourcing.

(56) To facilitate cooperation between competent authorities and an effective supervision of payment institutions, in the context of the use of the right of establishment or freedom to provide services, it is appropriate that competent authorities in the home Member State communicate information to the host Member State. In situations of so-called “triangular passporting” where a payment institution authorised in a country “A” uses an intermediary, such as an agent, distributor or branch, located in a country “B” for offering payment services in another country “C”, the host Member State should be considered to be the one where the services are offered to end-users. Taking into account challenges in cross-border cooperation between competent authorities, it is appropriate that the EBA develops draft regulatory technical standards on cooperation and information exchange, taking into consideration the experience gained in applying Commission Delegated Regulation (EU) 2017/2055 [43].

(57) Member States should be able to require payment institutions operating on their territory, whose head office is situated in another Member State, to report to them periodically on their activities in their territory for information or statistical purposes. Where those payment institutions operate pursuant to the right of establishment, the competent authorities of the host Member State(s) should be able to require that information also to be used for monitoring compliance with Regulation XXX [PSR]. The same should apply where there is no establishment in the host Member State(s), and the payment institution is providing services in the host Member State(s) on the basis of the free provision of services. To facilitate the supervision of networks of agents, distributors or branches by competent authorities, it is appropriate that Member States where agents, distributors or branches operate are able to require the parent payment institution to appoint a central contact point in their territory. The EBA should develop regulatory standards setting out the criteria to determine when the appointment of a central contact point is appropriate and what its functions should be. While doing so, the EBA should take into account the experience gained in the application of Commission Delegated Regulations (EU) 2021/1722 [44] and 2020/1423 [45]. The requirement to appoint a central contact point should be proportionate to achieving the aim of adequate communication and information reporting on compliance with the relevant provisions in Regulation XXX [PSR] in the host Member State.

(58) In emergency situations, where immediate action is necessary to address a serious threat to the collective interests of payment service users in the host Member State, including large scale fraud, it should be possible for the competent authorities of the host Member State to take precautionary measures in parallel with the cross-border cooperation between competent authorities of the host and the home Member States and pending measures by the competent authority of the home Member State. Those measures should be appropriate, proportionate to the aim, non-discriminatory and temporary in nature. Any measures should be properly justified. The competent authorities of the home Member State of the relevant payment institution and other authorities concerned, including the Commission and the EBA, should be informed in advance or, where not possible in view of the emergency situation, without undue delay.

(59) It is important to ensure that all entities providing payment services be brought within the scope of certain minimum legal and regulatory requirements. Thus, it is desirable to require the registration of the identity and whereabouts of all persons providing payment services, including of entities which are unable to meet the full range of conditions for authorisation as payment institutions, including some small payment institutions. Such an approach is in line with the rationale of Recommendation 14 of the Financial Action Task Force, which provides for a mechanism whereby payment service providers which are unable to meet all of the conditions set out in that Recommendation may nevertheless be treated as payment institutions. For those purposes, even where entities are exempt from all or part of the conditions for authorisation, Member States should enter them in the register of payment institutions. However, it is essential to make the possibility of an exemption from authorisation subject to strict requirements relating to the value of payment transactions. Entities benefiting from an exemption from authorisation should not enjoy the right of establishment or freedom to provide services and should not indirectly exercise those rights while being a participant in a payment system.

(60) To ensure transparency with regard to possible exemptions for small payment institutions, it is appropriate to require Member States to communicate such decisions to the Commission.

(61) In view of the specific nature of the activity performed and the risks connected to the provision of account information services, it is appropriate to provide for a specific prudential regime for account information service providers, without a need for a fully-fledged authorisation regime but with a lighter registration requirement, accompanied by documents and information to assist the competent authority with carrying out supervision. Account information service providers should be allowed to provide services on a cross-border basis, benefiting from the ‘passporting’ rules.

(62) To further improve access to cash, which is a priority of the Commission, retailers should be allowed to offer, in physical shops, cash provision services even in the absence of a purchase by a customer, without having to obtain a payment service provider authorisation, registration or being an agent of a payment institution. Those cash provision services should, however, be subject to the obligation to disclose fees charged to the customer, if any. These services should be provided by retailers on a voluntary basis and should depend on the availability of cash by the retailer. To prevent unfair competition between ATM deployers not servicing payment accounts and retailers offering cash withdrawals without a purchase, and to ensure that shops do not rapidly run out of cash, it is appropriate to impose a cap of EUR 50 per transaction.

(63) Directives 2007/64/EC and 2015/2366/EU conditionally excluded from their scope payment services offered by certain deployers of automated teller machines (ATMs). That exclusion has stimulated the growth of ATM services in many Member States, in particular in less populated areas, supplementing bank ATMs. However, this exclusion has proven difficult to apply due to its ambiguity with regard to the entities covered by it. To address this issue, it is appropriate to make explicit that previously excluded ATM deployers are those which do not service payment accounts. Taking into account the limited risks involved in the activity of such ATM deployers, it is appropriate, instead of excluding them totally from the scope, to subject them to a specific prudential regime adapted to those risks, requiring only a registration regime.

(64) Service providers seeking to benefit from an exclusion from the scope of Directive (EU) 2015/2366 often did not consult their authorities on whether their activities are covered by, or excluded from, that Directive, but often relied on their own assessments. That has led to a divergent application of certain exclusions across Member States. It also appears that some exclusions may have been used by payment service providers to redesign business models so that the payment activities offered would fall outside the scope of that Directive. That may result in increased risks for payment service users and divergent conditions for payment service providers in the internal market. Service providers should therefore be obliged to notify relevant activities to competent authorities so that the competent authorities can assess whether the requirements set out in the relevant provisions are fulfilled and to ensure a homogenous interpretation of the rules throughout the internal market. In particular, for all exclusions based on the respect of a threshold, a notification procedure should be provided to ensure compliance with the specific requirements. Moreover, it is important to include a requirement for potential payment service providers to notify competent authorities of the activities that they provide in the framework of a limited network on the basis of the criteria set out in Regulation XXX [PSR] where the value of payment transactions exceeds a certain threshold. Competent authorities should assess whether the activities so notified can be considered to be activities provided in the framework of a limited network, to ascertain whether they should remain excluded from the scope.

(65) The power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of updating any of the amounts to take account of inflation. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(66) To ensure a consistent application of the applicable requirements, the Commission should be able to rely on the expertise and support of the EBA, which should be given the task of preparing guidelines and draft regulatory technical standards. The Commission should be empowered to adopt those draft regulatory technical standards. Those specific tasks are fully in line with the role and responsibilities of the EBA as provided in Regulation (EU) No 1093/2010 of the European Parliament and of the Council [46].

(67) Since the further integration of an internal market in payment services cannot be sufficiently achieved by the Member States alone because it requires the harmonisation of different rules currently existing in the legal systems of the various Member States which would be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(68) This Directive does not include licensing requirements for payment systems, payment schemes or payment arrangements, taking into account the need to avoid any duplication with the Eurosystem’s oversight framework over retail payment systems, including over Systemically Important Payment Systems and other systems, as well as the Eurosystem’s new ‘PISA’ Framework, and oversight by national central banks. This Directive also does not cover, in its scope, the provision of technical services including processing or the operation of digital wallets. However, considering the pace of innovation in the payments sector and the possible emergence of new risks, it is necessary that in its future review of this Directive the Commission gives particular consideration to those developments and assesses whether the scope of the Directive should be extended to cover new services and entities.

(69) In the interest of legal certainty, it is appropriate to make transitional arrangements allowing undertakings who have commenced the activities of payment institutions in accordance with the national law transposing Directive (EU) 2015/2366 before the entry into force of this Directive to continue those activities within the Member State concerned for a specified period.

(70) In the interest of legal certainty, transitional arrangements should be made to ensure that electronic money institutions which have taken up their activities in accordance with the national laws transposing Directive 2009/110/EC are able to continue those activities within the Member State concerned for a specified period. That period should be longer for electronic money institutions that have benefited from the waiver provided for in Article 9 of Directive 2009/110/EC.

(71) Payment institutions are not included in the list of entities which fall under the definition of “institutions” in Article 2, point (b) of Directive 98/26/EC of the European Parliament and of the Council [47]. Consequently, payment institutions are effectively prevented from participating in payment systems designated by Member States pursuant to that Directive. That lack of access to certain key payment systems can impede payment institutions in providing a full range of payment services to their clients effectively and competitively. It is therefore justified to include payment institutions under the definition of ‘institutions’ in that Directive, but only for the purpose of payment systems, and not for securities settlement systems. Payment institutions should meet the requirements and respect the rules of payment systems to be allowed to participate in those systems. Regulation XXX [PSR] lays down requirements on operators of payment systems regarding the admission of new applicants for participation, including as regards an assessment of relevant risks. Given the importance of restoring as soon as possible the level playing field between banks and ‘non-banks’ and considering the impact that the current situation causes to competition in payment markets, it is necessary to grant Member States a shorter transposition and application deadline for this new provision in Directive 98/26/EC than for the other provisions of the present Directive. It is therefore appropriate to require Member States to transpose that new provision into their national law within 6 months of the entry into force of this Directive, rather than the 18 months that applies for the other provisions of this Directive.

(72) The specification that participants may act as a central counterparty, a settlement agent or a clearing house or carry out part or all of these tasks should be reinserted in Directive 98/26/EC to ensure a similar understanding in the Member States. It should also be reinserted that, where justified due to systemic risk, Member States should be allowed to consider an indirect participant as a participant of the system and apply the provisions of Directive 98/26/EC to such an indirect participant. However, to ensure that this does not limit the responsibility of the participant through which the indirect participant passes transfer orders to the system, this should be made clear in that Directive to ensure legal certainty.

(73) Consumers should be entitled to enforce their rights in relation to the obligations imposed on data users or data holders under Regulation (EU) 20../…. [FIDA] of the European Parliament and of the Council [48] through representative actions in accordance with Directive (EU) 2020/1828 of the European Parliament and of the Council [49]. For that purpose, this Directive should provide that Directive (EU) 2020/1828 is applicable to the representative actions brought against infringements by data users or data holders of provisions of Regulation (EU) 20../…. [FIDA] that harm or can harm the collective interests of consumers. The Annex to that Directive should therefore be amended accordingly. It is for the Member States to ensure that that amendment is reflected in their transposition measures adopted in accordance with Directive (EU) 2020/1828.

(74) In keeping with the principles of better regulation, this Directive should be reviewed for its effectiveness and efficiency in achieving its objectives, as laid out in the accompanying impact assessment. The review should take place a sufficient time after the entry into force, to base the review on appropriate evidence. Five years is considered to be an appropriate period. While the review should consider the entire Directive, certain topics should be singled out for particular attention, namely the scope and the safeguarding of payment institutions' funds which may be affected by the rules proposed by the Commission on 18 April 2023 [50] which, when adopted, would amend Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes. Regarding the scope of this Directive, however, it is appropriate for a review to take place earlier, three years after its entry into force, given the importance attached to this subject in Regulation (EU) 2022/2554. That review of scope should consider both the possible extension of the list of covered payment services to include services such as those performed by payment systems and payment schemes, and the possible inclusion in the scope of some technical services currently excluded.

(75) Given the number of changes that need to be made to Directive (EU) 2015/2366 and Directive 2009/110/EC, it is appropriate to repeal both Directives and replace them by this Directive.

(76) Any personal data processing in the context of this Directive must comply with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Therefore, the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 are responsible for the supervision of processing of personal data carried out in the context of this Directive. When transposing this Directive, the Member States should ensure that the national legislation includes appropriate data protection safeguards for processing of personal data.

(77) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on [XX XX 2023],