Regulation of Payment Initiation Service Providers (PISPs)

Regulation of Payment Initiation Service Providers (PISPs)

by June 23, 2017

With the market entry of third party provid­ers of the FinTech-branch, new technological challenges have arisen. Since payment initiation services were no subject to the European Union’s PSD (Directive 2007/64/EC), they are not necessarily supervised by a competent European authority and not required to comply with PSD. A new regulation should thus respond to: consumer protection, security, liability, competition and data protection.

Therefore «PSD2» (Directive 2015/2366), a «Fintech-Regulation» which replaces the PSD, will try to ad­dress these legal issues. However, five points of the extended field of application should be highlighted:

  1. Inclusion of PISPs
  2. PISPs’ authentication towards the account servicing payment service provider
  3. Handling of personalised security credentials and customer data
  4. Capital requirements
  5. Liability

Switzerland as a non-EU Member State is not bound by the PSD resp. PSD2. However, Swiss financial institutions participate in the SEPA. In order to achieve this, they must, inter alia, provide evidence that the provisions of Titles III and IV PSD2 are implemented in Switzerland either by statutory law or based on a substantially equivalent binding practice. Therefore, if Switzerland wants to remain part of SEPA-participation they must implement Titles III and IV of the PSD2 which regu­lates, inter alia, PISPs.

Startup Competition venture

Current Swiss Legal Situation

Switzerland does not have a specific regulation which contains Titles III and IV PSD2. The relationship between PISPs and their customers can be qualified as an agency contract, whereby no other special law interacts within the rela­tionship. Banks have ensured their duties by contractual means, i.e. a PISP shall every time a payment is initiated, identify itself towards the payer’s bank. However, one of the most important points is the handling of personalised security credentials and customer data. Swiss law has a lack of security regarding personalised security credentials because of the customer’s disclosure and the bank’s terms and conditions. Whereas customer data is fully regulated by the Data Protection Act. Further analysis of Swiss regulations regarding capital requirements and liabil­ity have shown that they are not equivalent to the Titles III and IV PSD2.

Thus it can be concluded that Swiss law lacks in the covering of personalised secu­rity credentials, capital requirements and liability.

Federal Council’s Three-Pillar Approach

The Federal Council’s proposal mentions payment systems at two points, but explic­itly in the third pillar. However, it probably does not consider “payment systems” like PISPs. The comments to the banking licence light lead to this conclusion. Moreo­ver, PISPs are not regulated by the Banking Act or Banking Ordinance, i.e. PISPs do not need a banking licence in any way. As a consequence, the Federal Council’s FinTech-Model will probably not contain provi­sions which implements the Titles III and IV PSD2.

Regulatory Suggestion

Besides a contractual alternative, the advantages a Swiss principle-based regulation pro­vide should be used to adapt the law to the new challenges with FinTech-companies.

At the first glance, payment systems according to Art. 81 f. of the Financial Market Infrastructure Act (FMIA) are not in the sense of “payment systems” like PISPs. However, the Swiss approach could allow for PISPs to be interpreted as a “payment system” in the sense of FMIA. The parlia­mentary debates are an important factor which leads to this proposal. It seems that payment systems and services were not a big issue, if any, in the parliamentary de­bates and that the importance of PISPs and another payment systems were not con­sidered in anyway. The same for the PSD2. The reason for such is unknown. Maybe, it was too new and PSD2 was still in consultation process or the legislator is simply not aware of the problem.

However, the option to integrate PISPs into the FMIA could be a pretty elegant solu­tion, which could regulate the remaining points (E.g. Art. 12 FMIA [minimum capital], Art. 14 FMIA [IT systems], Art. 16 FMIA [protection against confusion and deception], Art. 19 FMIA [documentation and retention duties]) and PISPs as a whole. According to Art. 81 FMIA a payment system is an entity that clears and settles payment obliga­tions based on uniform rules and procedures. But, the Federal Council’s Dispatch tends to not included PISPs, although, it was not discussed in de­tail. This leads to an open question about an inclusion of PISPs into the FMIA.

Important is to mention, that according to Art. 81 FMIA the Federal Council may de­fine specific duties for payment systems, namely in terms of capital adequacy, risk diversification and liquidity, if this is necessary for implementation recognised inter­national standards. This could allow to consult FinTech-expert parties regarding an equivalent implementation of the Titles III and IV PSD2.