Regulation of Payment Initiation Service Providers (PISPs)by Ivo Buric June 23, 2017
With the market entry of third party providers of the FinTech-branch, new technological challenges have arisen. Since payment initiation services were no subject to the European Union’s PSD (Directive 2007/64/EC), they are not necessarily supervised by a competent European authority and not required to comply with PSD. A new regulation should thus respond to: consumer protection, security, liability, competition and data protection.
Therefore «PSD2» (Directive 2015/2366), a «Fintech-Regulation» which replaces the PSD, will try to address these legal issues. However, five points of the extended field of application should be highlighted:
- Inclusion of PISPs
- PISPs’ authentication towards the account servicing payment service provider
- Handling of personalised security credentials and customer data
- Capital requirements
Switzerland as a non-EU Member State is not bound by the PSD resp. PSD2. However, Swiss financial institutions participate in the SEPA. In order to achieve this, they must, inter alia, provide evidence that the provisions of Titles III and IV PSD2 are implemented in Switzerland either by statutory law or based on a substantially equivalent binding practice. Therefore, if Switzerland wants to remain part of SEPA-participation they must implement Titles III and IV of the PSD2 which regulates, inter alia, PISPs.
Current Swiss Legal Situation
Switzerland does not have a specific regulation which contains Titles III and IV PSD2. The relationship between PISPs and their customers can be qualified as an agency contract, whereby no other special law interacts within the relationship. Banks have ensured their duties by contractual means, i.e. a PISP shall every time a payment is initiated, identify itself towards the payer’s bank. However, one of the most important points is the handling of personalised security credentials and customer data. Swiss law has a lack of security regarding personalised security credentials because of the customer’s disclosure and the bank’s terms and conditions. Whereas customer data is fully regulated by the Data Protection Act. Further analysis of Swiss regulations regarding capital requirements and liability have shown that they are not equivalent to the Titles III and IV PSD2.
Thus it can be concluded that Swiss law lacks in the covering of personalised security credentials, capital requirements and liability.
Federal Council’s Three-Pillar Approach
The Federal Council’s proposal mentions payment systems at two points, but explicitly in the third pillar. However, it probably does not consider “payment systems” like PISPs. The comments to the banking licence light lead to this conclusion. Moreover, PISPs are not regulated by the Banking Act or Banking Ordinance, i.e. PISPs do not need a banking licence in any way. As a consequence, the Federal Council’s FinTech-Model will probably not contain provisions which implements the Titles III and IV PSD2.
Besides a contractual alternative, the advantages a Swiss principle-based regulation provide should be used to adapt the law to the new challenges with FinTech-companies.
At the first glance, payment systems according to Art. 81 f. of the Financial Market Infrastructure Act (FMIA) are not in the sense of “payment systems” like PISPs. However, the Swiss approach could allow for PISPs to be interpreted as a “payment system” in the sense of FMIA. The parliamentary debates are an important factor which leads to this proposal. It seems that payment systems and services were not a big issue, if any, in the parliamentary debates and that the importance of PISPs and another payment systems were not considered in anyway. The same for the PSD2. The reason for such is unknown. Maybe, it was too new and PSD2 was still in consultation process or the legislator is simply not aware of the problem.
However, the option to integrate PISPs into the FMIA could be a pretty elegant solution, which could regulate the remaining points (E.g. Art. 12 FMIA [minimum capital], Art. 14 FMIA [IT systems], Art. 16 FMIA [protection against confusion and deception], Art. 19 FMIA [documentation and retention duties]) and PISPs as a whole. According to Art. 81 FMIA a payment system is an entity that clears and settles payment obligations based on uniform rules and procedures. But, the Federal Council’s Dispatch tends to not included PISPs, although, it was not discussed in detail. This leads to an open question about an inclusion of PISPs into the FMIA.
Important is to mention, that according to Art. 81 FMIA the Federal Council may define specific duties for payment systems, namely in terms of capital adequacy, risk diversification and liquidity, if this is necessary for implementation recognised international standards. This could allow to consult FinTech-expert parties regarding an equivalent implementation of the Titles III and IV PSD2.