Response to consultation on draft Guidelines on the limited network exclusion under PSD2
Go back
Initial situation:
Art. 1.1. of the Guidelines states: “Competent authorities should take into account that the specific payment instruments that can be used only in a limited way under Article 3(k) of PSD2 are payment instruments as defined in Article 4(14) of PSD2.”
According Art. 4(14) of the PSD2 payment instruments are defined as following:
“‘payment instrument’ means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order”.
Comment and rationale:
• In our understanding, a device (e.g., a payment card) is "personalised" if there is a connection between the rightful holder (payer) and the device, whereby only the holder can use the instrument (e.g., through the identification by name and/or through the presence of a personalised security credential, such as a PIN). Accordingly, cash is not a payment instrument within the meaning of PSD2. Gift cards, which by their nature are not linked to a specific holder and are not issued to a specific person, are accordingly also not payment instruments under Art. 4(14) of PSD2. This statement applies to all anonymous and therefore non-personalised means of payment.
• There are different views of the CA in the individual member states on the question of which means of payment are covered by the LNE. The Austrian competent authority FMA, for example, takes the view outlined above: "Accordingly, it is not a payment instrument within the meaning of the ZaDiG 2018 if the instrument does not provide any information about the payment service user, since in such cases there is no personalization and there can be no personalized process flow. Consequently, the ZaDiG 2018 does not apply to such instruments."(FMA Rundschreiben „begrenzte Netze“ of 21 January 2020, p. 8 - https://www.fma.gv.at/finanzdienstleister/zahlungsinstitute/ausgenommene-dienstleistungen-vom-zadig-2018/)
• Other CAs (such as BaFin in Germany) are of the opinion that non-personalized gift cards may fall under the ZAG (law in which PSD2 is implemented), according to which the requirements of the LNE could also apply to such cards.
Proposal:
We support a clarification in the EBA Guidelines that non-personalized means of payment (like gift cards) do not fall under payment instruments as defined in Art. 4 (14) of PSD2 and that the requirements of the LNE do not apply to these products. The examples mentioned in Recital 14 of PSD2 (store cards, fuel cards, membership cards, public transport cards, parking ticketing, meal vouchers or vouchers for specific services) are only relevant for the LNE if these payment instruments are personalized.
Initial situation:
According GL 6.1., the notification should be submitted by the service provider who is providing excluded goods and/or services if the thresholds are breached.
The notification rules according Art. 37 (2) of the PSD2 are clear und without misinterpretations:
“Member States shall require that service providers carrying out either of the activities referred to in points (i) and (ii) of point (k) of Article 3 or carrying out both activities, for which the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million, send a notification to competent authorities containing a description of the services offered, specifying under which exclusion referred to in point (k)(i) and (ii) of Article 3 the activity is considered to be carried out.”
All service providers listed in the national register and in the Euclid-register should fulfill both requirements: activities based on specific payment instruments within the LNE and the value of these activities exceeds 1 Mio. Euro. The 1 m. euro threshold is not a potential target, it should be already reached in the preceding 12 months.
Comment and rationale:
• As we made our analysis (end of January 21), about 1,300 providers were listed in the EBA Euclid-register (“service provider excluded from scope PSD2” – including the exception according Art. 3 l), thereof 942 from Germany. Within this segment, about 375 German public transport companies are listed. Only about 7 to 10 of these public transport companies are issuing a payment instrument, which could have a payment volume above 1 m. Euro. All other public transport companies are listed precautionary, because they have a license to issue payments cards or a payment app. They are until now not using this license. So, we see about 370 flawed registrations within this segment.
• The other segment with flawed registrations is German sport betting agencies (about 140 notifications). Most of them are very small one-person-kiosks which are allowed to issue or are already issuing a prepaid card for sport betting. Most of these cards can only be used at the issuing agency (strictly closed-loop without PSD2 relevance). Only in few cases these cards can be used for payments at other regional agencies. Only in these cases, these non-closed loop cards are subject to PSD2. Based on our market research, it is totally unrealistic that such one-men-kiosks are issuing prepaid cards for sport betting with a volume of more than 1 m. Euro per kiosk! Again, notification was not made by the service provider itself, but presumably by the licensor of the respective payment instrument for precautionary reasons. In our research we have found that many registered service providers are unaware that they are listed in the national register.
• As result, we see at least about 500 flawed registered service providers in the Euclid-Register of a total of 1,300 registrations of service provider excluded from the scope of the PSD2 (as of January 2021). As result, almost 40% of the registrations in this part of the EBA Euclid-register are obviously wrong. The register would thus lose its informative value and meaning.
• The question arises as to how such a volume of misreporting can occur if the registration was made after a required "duly motivated decision" by the CA in accordance with Art. 37 (2) of PSD2.
Proposal:
In view of the massive volume of false notifications, it seems appropriate to us to explicitly state in the Guidelines that notifications are only permitted if the requirements under Art. 37 of PSD2 are met. Precautionary notifications are not permitted. Notification to the CA shall be made by the service provider or its designated representative, but not by third parties without the express authorization of the service provider. According to Recital 19 in combination with Art. 37 (2) of the PSD2, the question of whether the conditions for claiming exclusion are met should not be based on “own assessments” of the service provider, but on an examination and a “duly motivated decision” by the CA.
To 6.2. and 6.8. (content of the notification and content of the registers)
Initial situation:
According GL 6.2. the notification should “contain information about the type of exclusion under which the activity is carried out and the description of the activity.”
According GL 6.8., the national register should “reflect the description of the activities carried out with each specific payment instrument under Article 3(k) of the PSD2.”
According Art. 37 (5) of the PSD2, “the description of the activity notified under paragraphs 2 and 3 of this Article shall be made publicly available in the registers provided for in Articles 14 and 15.”
From our understanding, the “type of exclusion under which the activity is carried out” is a reference to the category i (limited network) or ii (limited range). The “description of the activity” is at least a reference to the kind of payment instrument (e.g. store card, fuel card etc.).
Comment and rationale:
Both the national register and the EBA Euclid-register lack the information for the Member State Italy on the “description of activity”. In both register the exclusion category is mentioned twice, which makes no sense.
Proposal:
For some competent authorities it is obviously unclear that both information must be included in the two registers. A clarification would be appropriate. We would also welcome EBA's attention to compliance with this rule.
To Guideline 6: Missing issues
Proposals:
• The definition of a reasonable response time of the CA after submission of the notification of max. 3 months.
• A requirement for regular updating of the national register by the CA (the last update of the register of BaFin in Germany was on August 26, 2020!) and the requirement for a regular forwarding of the data to the EBA by the CA so that the Euclid-register is also up-to-date.
Q1. Do you have comments on Guideline 1 on the specific payment instruments under Article 3(k) of PSD2?
To 1.1. (Definition of a payment instrument)Initial situation:
Art. 1.1. of the Guidelines states: “Competent authorities should take into account that the specific payment instruments that can be used only in a limited way under Article 3(k) of PSD2 are payment instruments as defined in Article 4(14) of PSD2.”
According Art. 4(14) of the PSD2 payment instruments are defined as following:
“‘payment instrument’ means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order”.
Comment and rationale:
• In our understanding, a device (e.g., a payment card) is "personalised" if there is a connection between the rightful holder (payer) and the device, whereby only the holder can use the instrument (e.g., through the identification by name and/or through the presence of a personalised security credential, such as a PIN). Accordingly, cash is not a payment instrument within the meaning of PSD2. Gift cards, which by their nature are not linked to a specific holder and are not issued to a specific person, are accordingly also not payment instruments under Art. 4(14) of PSD2. This statement applies to all anonymous and therefore non-personalised means of payment.
• There are different views of the CA in the individual member states on the question of which means of payment are covered by the LNE. The Austrian competent authority FMA, for example, takes the view outlined above: "Accordingly, it is not a payment instrument within the meaning of the ZaDiG 2018 if the instrument does not provide any information about the payment service user, since in such cases there is no personalization and there can be no personalized process flow. Consequently, the ZaDiG 2018 does not apply to such instruments."(FMA Rundschreiben „begrenzte Netze“ of 21 January 2020, p. 8 - https://www.fma.gv.at/finanzdienstleister/zahlungsinstitute/ausgenommene-dienstleistungen-vom-zadig-2018/)
• Other CAs (such as BaFin in Germany) are of the opinion that non-personalized gift cards may fall under the ZAG (law in which PSD2 is implemented), according to which the requirements of the LNE could also apply to such cards.
Proposal:
We support a clarification in the EBA Guidelines that non-personalized means of payment (like gift cards) do not fall under payment instruments as defined in Art. 4 (14) of PSD2 and that the requirements of the LNE do not apply to these products. The examples mentioned in Recital 14 of PSD2 (store cards, fuel cards, membership cards, public transport cards, parking ticketing, meal vouchers or vouchers for specific services) are only relevant for the LNE if these payment instruments are personalized.
Q6. Do you have comments on Guideline 6 on the notifications under Article 37(2) of PSD2?
To 6.1. (conditions for notification)Initial situation:
According GL 6.1., the notification should be submitted by the service provider who is providing excluded goods and/or services if the thresholds are breached.
The notification rules according Art. 37 (2) of the PSD2 are clear und without misinterpretations:
“Member States shall require that service providers carrying out either of the activities referred to in points (i) and (ii) of point (k) of Article 3 or carrying out both activities, for which the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million, send a notification to competent authorities containing a description of the services offered, specifying under which exclusion referred to in point (k)(i) and (ii) of Article 3 the activity is considered to be carried out.”
All service providers listed in the national register and in the Euclid-register should fulfill both requirements: activities based on specific payment instruments within the LNE and the value of these activities exceeds 1 Mio. Euro. The 1 m. euro threshold is not a potential target, it should be already reached in the preceding 12 months.
Comment and rationale:
• As we made our analysis (end of January 21), about 1,300 providers were listed in the EBA Euclid-register (“service provider excluded from scope PSD2” – including the exception according Art. 3 l), thereof 942 from Germany. Within this segment, about 375 German public transport companies are listed. Only about 7 to 10 of these public transport companies are issuing a payment instrument, which could have a payment volume above 1 m. Euro. All other public transport companies are listed precautionary, because they have a license to issue payments cards or a payment app. They are until now not using this license. So, we see about 370 flawed registrations within this segment.
• The other segment with flawed registrations is German sport betting agencies (about 140 notifications). Most of them are very small one-person-kiosks which are allowed to issue or are already issuing a prepaid card for sport betting. Most of these cards can only be used at the issuing agency (strictly closed-loop without PSD2 relevance). Only in few cases these cards can be used for payments at other regional agencies. Only in these cases, these non-closed loop cards are subject to PSD2. Based on our market research, it is totally unrealistic that such one-men-kiosks are issuing prepaid cards for sport betting with a volume of more than 1 m. Euro per kiosk! Again, notification was not made by the service provider itself, but presumably by the licensor of the respective payment instrument for precautionary reasons. In our research we have found that many registered service providers are unaware that they are listed in the national register.
• As result, we see at least about 500 flawed registered service providers in the Euclid-Register of a total of 1,300 registrations of service provider excluded from the scope of the PSD2 (as of January 2021). As result, almost 40% of the registrations in this part of the EBA Euclid-register are obviously wrong. The register would thus lose its informative value and meaning.
• The question arises as to how such a volume of misreporting can occur if the registration was made after a required "duly motivated decision" by the CA in accordance with Art. 37 (2) of PSD2.
Proposal:
In view of the massive volume of false notifications, it seems appropriate to us to explicitly state in the Guidelines that notifications are only permitted if the requirements under Art. 37 of PSD2 are met. Precautionary notifications are not permitted. Notification to the CA shall be made by the service provider or its designated representative, but not by third parties without the express authorization of the service provider. According to Recital 19 in combination with Art. 37 (2) of the PSD2, the question of whether the conditions for claiming exclusion are met should not be based on “own assessments” of the service provider, but on an examination and a “duly motivated decision” by the CA.
To 6.2. and 6.8. (content of the notification and content of the registers)
Initial situation:
According GL 6.2. the notification should “contain information about the type of exclusion under which the activity is carried out and the description of the activity.”
According GL 6.8., the national register should “reflect the description of the activities carried out with each specific payment instrument under Article 3(k) of the PSD2.”
According Art. 37 (5) of the PSD2, “the description of the activity notified under paragraphs 2 and 3 of this Article shall be made publicly available in the registers provided for in Articles 14 and 15.”
From our understanding, the “type of exclusion under which the activity is carried out” is a reference to the category i (limited network) or ii (limited range). The “description of the activity” is at least a reference to the kind of payment instrument (e.g. store card, fuel card etc.).
Comment and rationale:
Both the national register and the EBA Euclid-register lack the information for the Member State Italy on the “description of activity”. In both register the exclusion category is mentioned twice, which makes no sense.
Proposal:
For some competent authorities it is obviously unclear that both information must be included in the two registers. A clarification would be appropriate. We would also welcome EBA's attention to compliance with this rule.
To Guideline 6: Missing issues
Proposals:
• The definition of a reasonable response time of the CA after submission of the notification of max. 3 months.
• A requirement for regular updating of the national register by the CA (the last update of the register of BaFin in Germany was on August 26, 2020!) and the requirement for a regular forwarding of the data to the EBA by the CA so that the Euclid-register is also up-to-date.