Draft bill for a new Act on Payment Services (PSD2)

On 9 March 2021, the Minister of Finance and Economic Affairs’ introduced to Parliament a bill for a new Act on Payment Services.

Law firms in Iceland

This bill includes a new comprehensive act on payment services, implementing EU Directive no. 2015/2366 (PSD2) and repeal Act no. 120/2011 on Payment Services which transposed EU Directive no. 2004/64/EB (PSD1). The bill also proposes individual amendments to the Act on Issuance and Handling of Electronic Money no. 17/2013, which is also based on the content of the EU Directive no. 2015/2366. If the bill is approved, the directive will be fully implemented.

The bill entails that legislation on payment services within the European Economic Area will be harmonized in order to create a more equal basis for competition for all market participants and to establish supervision of parties in the payment services market. The bill is supposed to lead to increased supply and innovation in payment services for consumers and retailers, increase information security and consumer protection.

It is clear from our review of this bill and EU Directive no. 2015/2366 that there is not much difference between the bill and the directive. The provisions of the bill apply to payment service providers as the term is defined in the bill and includes e.g. to financial undertakings, electronic money institutions, payment institutions, payment institutions with limited operating licenses, postal operators licensed under the Postal Services Act, the European Central Bank (ECB) and the central banks of the European Economic Area when not in the role of monetary authorities and authorities if payment services are not related to their role as such. The bill covers payment services provided by these parties, whether in the form of payments made in Iceland or within the European Economic Area and in the currency of a member state or another currency within the same area. The scope of the bill has been extended to include not only so-called “one-leg” payments in euros or other currencies, but to all currencies. Certain exceptions to the scope of the directive are introduced in the bill and the Directive contains new terms from the first Payment Services Directive introduced by the bill.

The main changes proposed in the bill are, firstly, the creation of new payment service providers, payment processors and account information service providers, which are also payment institutions. A payment processor is defined as a service that consists of issuing a payment instruction at the request of a payment service user in respect of a payment account stored with another payment service provider. A payment processor must apply for an operating license as a payment institution with the Financial Supervisory Authority. An account information service provider involves providing the user of an account information service with aggregated information about one or payment account that he has with one or more payment service providers. An account information service provider is only required to register at the Financial Supervisory Authority.

Secondly, banks will have to provide for new payment service providers with access to customers’ payment accounts from their systems without an existing agreement, provided that there is an unambiguous consent from the account holder in place.

Thirdly, increased security requirements are made for payment service providers. They are reflected in the fact that the payment service provider must require strong customers authentication from the payer in the case of telecommunications. Strong authentication is a type of identification that should be particularly strong and secure and should ensure that only the right person is allowed to appear as a payment service user. Increased security requirements also mean that banks and the new payment service providers must communicate securely in accordance with rules to be set by the Central Bank of Iceland. The Central Bank of Iceland’s rules will include the implementation of the delegated EU regulation 2018/389 on regulatory technical standards on strong customers authentication and common and secure open standards of communications. The bill requires payment services providers to maintain an operational and security risk monitoring system and a response plan for serious deviations.

It is proposed in the bill that an optional provision of Art. 32 of the directive to be implemented. The provision of the bill requires a monthly average of total value of payment transaction by a payment institution with a limited operating license, the intention is to ensure that the authorization to provide payment services obtained with an exemption from what otherwise applies to payment service providers, cf. Art. 3(23) is limited to smaller companies. Iceland does not make use of the authorisation granted in Art. 38(2) and in Art. 61 (2) of the directive provision subject to microenterprises.

The bill proposes that the Act enters into force on 1 July 2021. A payment institution that has been granted with an operating license on the basis of the Act on Payment Services no. 120/2011, shall submit the relevant information to the Financial Supervisory Authority, before 1 September 2021, so that it can assess whether a payment institution fulfils the requirements laid down in Chapter I and II of the bill. Parties covered by the act, i.e. payment service providers need to implement strong authentication, and payment service providers that provide invoicing services also need to set up an online interface for payment processors, account information service providers and card issuers to access their customer’s payment accounts.

Our experts

Related articles