Payment Services Directive (PSD)

The original Payment Services Directive (PSD) was implemented in 2009 with the aim of stimulating competition throughout Europe, improving the quality of payment services and protecting consumers.

As the payment industry evolved, new services emerged that fell outside the scope of the original Directive, and the European Commission (EC) started the process of revising it. The revised Payment Services Directive (PSD2) became applicable in 2018 with the aim of regulating new market players known as Third Party Providers (TPPs), making payments safer, increasing consumer protection and fostering innovation and competition.

The PSD2 identifies two types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs provide a consenting client with an aggregated view of all the client's payment accounts held with different banks. PISPs are able to initiate a payment on behalf of a consenting client from the client's payment account held with a particular bank.

In order to enhance security and mitigate fraud, the PSD2 enforces strong customer authentication whenever the client accesses his payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Bank transfers where both the payer's bank and the payee's bank are located in an EEA country will attract the sharing of charges irrespective of the currency. This means that the payer pays the charges levied by his bank while the payee pays the charges levied by his bank.

The PSD2 provides further consumer protection whereby, if a client has his card lost or stolen and it transpires that a fraudulent transaction has been effected, the client is only liable to pay a maximum of EUR 50 unless the client acted fraudulently or with gross negligence. The PSD2 also prohibits surcharging on electronic payments, which translates to cheaper transactions. This means that merchants are unable to charge an extra fee to those payers opting to pay with an electronic instrument such as a card.

Clients have a right to submit a complaint with the bank relating to any alleged infringements of PSD2 provisions. The bank is obliged to handle the complaint within 15 business days, which may be extended to 35 business days when the information required is not within the bank's control. If the client is not satisfied with the complaint resolution, he may resort to the Office of the Arbiter for Financial Services for alternative dispute resolution. Further information on complaints can be found here.

The Malta Bankers' Association has also published a leaflet which explains the main changes of the PSD2.

The Malta Financial Services Authority (MFSA) and the Central Bank of Malta (the Bank) have been appointed as competent authorities under the PSD2. The provisions falling under the remit of the Bank have been transposed to the CBM Directive No. 1: Provision and Use of Payment Services. The provisions relating to the open access criteria and strong customer authentication can be found under the Regulatory Technical Standards on Strong Customer Authentication and Open Standards of Communication.