Simont Braun - Avocats advocaten lawyers

PSD2: Licensed payment service institutions, do you comply with the new authorisation requirements?

Estimated time to read this article
2 min
Date of publication
19 May 2017
Author(s)
Catherine Houssa, Charlotte De Thaye, Lucien Standaert, Philippe De Prez, Thomas Derval
Categories
Banking, Finance and Insurance, Digital Finance and FinTech

Introduction

Much has already been said and written about important new features of the PSD2 such as the introduction of new payment services, increased security measures, negative scope precision, incident reporting, improved home-host cooperation for agents/branches, etc.

For existing payment service institutions (“PSI”) (i.e. payment institutions which obtained their license prior to 13 January 2018 under the PSD1 regime) it is important to bear in mind that the license obtained under the former regime, will be put under review by the competent supervisor (i.e. the National Bank of Belgium or “NBB”).

The existing authorisation requirements under the PSD1 regime (programme of operations, business plan, safeguarding of funds, etc.) is completed under the PSD2 with additional requirements that are not only imposed on new applicants but also on already licensed PSI’s.

The new authorisation requirements

The most important new authorisation requirements include:

  1. a procedure to monitor, handle and follow up a security incident and security-related customer complaints;
  2. a procedure for the management of sensitive payment data;
  3. business continuity arrangements;
  4. principles for collection of statistical data;
  5. security policy document in relation to payment service users;
  6. description of the off-site and on-site checks performed by applicants on their agents and branches;
  7. personal indemnity insurance for account information service providers (article 5 PSD2).

Grandfathering provisions in place

Existing PSI’s will not be forced to comply with the additional authorisation requirements by 13 January 2018 (final transposition date of PSD2 into local law).

However, those PSI’s will be required to submit to the NBB all relevant information in order to allow the supervisor to assess, by 13 July 2018, whether they comply with these new requirements, which measures need to be taken or whether a withdrawal of the license is appropriate.

NBB officials have stated that existing PSI’s and accredited auditors of those PSI’s will receive more precise guidance after the summer of 2017. According to our information, the NBB also intends to organise dedicated workshops to fully inform the PSI’s of what is expected from them. Finally, the assessment of the new authorisation requirements is said to take place in a pragmatic manner, taking into account the size and the nature of each PSI concerned. Correctly and timely anticipation of those new requirements will in any way be crucial for a smooth transition.

For any assistance or further information, please contact Simont Braun’s Digital Finance team: digitalfinance@simontbraun.eu – +32 (0)2 543 70 80