
Payment Services Directive

On 1 November 2009 the EU Payment Services Directive (PSD1) was implemented with the aim to create a single market for payments in the European Union – making cross-border payments as easy, inexpensive and secure as domestic payments.

As the digital economy developed, new services that lay outside the scope of PSD1 began to appear. To address this, Payment Services Directive II (PSD2) was introduced on 13 January 2018.

HSBC Bank Malta p.l.c. worked closely with local regulators to be ready for this new era and can tell you all you need to know, whether you're a personal or business customer.

What are the significant changes that PSD2 will bring?

What are the benefits of the PSD2?

The Payment Services Directive is all about clarity and consistency. Under the PSD, banks and other providers of payment services across Europe must:

  • provide you with all the information you need when you make a payment, including clear information about rates and charges
  • offer a consistent level of service, such as making sure all payments are completed within a predetermined timeframe
  • protect customers across Europe when payments aren’t executed correctly or authorised by the customer

What kind of payments does the PSD2 apply to?

The PSD2 applies to more or less all payments, except paper-based payment instruments like cheques and bankers' drafts. The PSD2 applies equally to transactions effected on your current, savings and cards-related accounts.

How will PSD2 impact the type of debit cards banks can issue?

This regulation will not permit local banks to continue issuing local debit cards that are not Chip & PIN compliant and can only be used in Malta.

Micro enterprises

Has either an annual turnover not exceeding €2 million or a balance sheet total not exceeding €2 million.

How will the Payment Services Directive affect you as a business?

The Payment Services Directive II (PSD2) applies different rules for different sizes of business.

If your turnover is less than €2 million, or your balance sheet total does not exceed €2 million, and you employ fewer than 10 people, under the PSD your business will be categorised as a micro enterprise.

If you're an HSBC business banking customer, it's important to let us know if the turnover of your business and any associated businesses changes, so we can make sure the relevant sections of the PSD2 are applied. If you have a Relationship Manager, they will do this with you at your annual review, but if the financial situation of your business changes in the meantime, please get in touch.

 

How the PSD2 will affect you:

The PSD2 recognises the need for your business to receive clear, open information about the charges and timescales surrounding the payments you make. The PSD2 aims to introduce further transparency, consistency and enhanced security for anyone making payments in Malta or across the European Economic Area (EEA).

What are the benefits of the PSD2?

Under the PSD2, banks and other Third Party Providers of payment services across Europe must:

  • increase transparency to payment fees and charges
  • increase customer protection
  • enhance payment security features
  • provide further efficiency in their processing

As HSBC Bank Malta p.l.c. already meets or exceeds most of the standards set out in the legislation you will probably not notice too many changes to your day-to-day business banking.

 

What kind of payments does the PSD2 apply to?

The PSD2 applies to most payment types, except paper-based payment instruments like cheques and bankers' drafts.

Corporate businesses

Has either an annual turnover exceeding €2 million or a balance sheet total exceeding €2 million

How will the Payment Services Directive affect you as a business?

The Payment Services Directive II (PSD2) applies different rules for different sizes of business.

If your turnover is more than €2 million, or your balance sheet total exceeds €2 million, and you employ 10 or more people, under the PSD your business is recognised as a corporate business.

If you're an HSBC business banking customer, it's important to let us know if the turnover of your business and any associated businesses changes, so we can make sure the relevant sections of the PSD2 are applied. If you have a Relationship Manager, this will be done with you at your annual review, but if the financial situation of your business changes in the meantime, please get in touch.

How will the Payment Services Directive affect you as a corporate business?

When it comes to your business's finances, clarity is key. The PSD2 is an EU initiative that enhances the clarity and security of payment services rules in Malta and across the European Economic Area (EEA).

What does the PSD2 mean for your business?

The principal aim of the PSD2 is to ensure that banks and other Third Party Providers of payment services across Europe offer a consistent level of service and are transparent in their dealings with customers, by:

  • increasing transparency on the provision of information you need when making a payment, including clear information about rates and charges
  • providing a consistent level of security features for payment processing across all payment service providers
  • providing further efficiency in payments processing to improve level of service

As the PSD2 is primarily aimed at protecting the interests of personal customers and small businesses, many of the benefits are not relevant to businesses of your size, and the European Commission has given banks the option to opt-out of a small number of areas of the Directive as a result. Your Relationship Manager would be able to guide you on where HSBC Bank Malta p.l.c. has chosen to opt-out.

What kind of payments does the PSD2 apply to?

The PSD2 applies to most payment types, except paper-based payment instruments like cheques and bankers' drafts.

Useful links

If, after reading this website, you'd like to know more about HSBC and the Payment Services Directive, you might find the following links helpful.

The Central Bank of Malta is the competent authority together with MFSA to transpose the Payment Services Directive (PSD) into local legislation.

The MFSA is the competent authority for some aspects of the Payment Services Directive (PSD) together with the Central Bank of Malta. These pages will help firms affected prepare for implementation.

If you'd like to read the Payment Services Directive in full, visit the European Commission website.

Frequently asked questions (FAQs) about the PSD Directive as issued by the European Commission.

HSBC

The HSBC website gives more information about a wide range of payments whether you're a personal or business customer.

 

PSD2 documents

Payments Services Directive - FAQs

1. PSD1 reminder and PSD2 key changes

1.1. What were the key measures brought in under the first Payment Services Directive ("PSD1")?

The first Payments Services Directive ("PSD1") was published in the Official European Journal in November 2007 and had a deadline for transposition into national law of each Member State by 1 November 2009.

The main objectives of the PSD1 were to protect the consumers who use payment services and also raise competition by encouraging an efficient and competitive payment environment which was opened up to new (and potential) entrants.

The key changes included:

  • transparency requirements: requirements to provide the Payment Service User (the customer) with transaction information on single payment instructions and as part of a framework contract were also included within the Directive. Importantly these transparency requirements could be opted out for top tier/corporate customers
  • harmonisation of settlement conditions: strict regulation of payments value date (a requirement for payments to be day plus one (D+1)). The practice of “float” by financial institutions (a gap between posting date and value date of the transaction on the customer payment account) was also forbidden
  • consumer protection, refunds and liability allocation: Payment Service Users were also entitled to request a refund from their Payment Service Provider up to 13 months after the execution of an unauthorised transaction. The cost of the investigation and the dispute resolution was to be absorbed by the Payment Service Provider

 

The scope of the PSD1 covered all payment transactions from payment accounts where both Payment Service User, beneficiary and their respective Payment Service Providers are located within the EEA. In addition, the PSD1 would only apply to payments made in EEA currencies (or the Euro) within the EEA.

A number of exemptions existed within the Directive, including an exclusion of cash/cheque transactions, security/asset management and ATMs.

The Directive recognised that different classes of Payment Service Users would have differing degrees of sophistication as regards payment services and so larger corporate customers should be subject to a corporate opt out for certain provisions (in particular transparency requirements). The Directive also gave Member States discretion as to whether micro enterprises and/or charities should be classified as corporate customers (making it possible to opt out of certain provisions) or whether they should be classified as consumers (and therefore not subject to the corporate opt out). The experience from the PSD1 indicates that different Member States have adopted different approaches to the classification of micro enterprises.

 

1.2. What’s different with the Payment Services Directive II ("PSD2")?

The PSD2 replaces the PSD1. It reflects the significant changes to the payments market since the passing of the PSD1.

Significant changes include:

  • extended scope of coverage of the Directive to include "One Leg Out transactions" (meaning where one of the Payment Service Providers is outside of the EEA). Expansion of the scope to include all payment transactions in all currencies within the EEA (not just EEA currency payments)
  • consideration of new PSPs: the PSD2 introduces two new forms of Payment Service Provider. The first are "Account Information Services Providers" ("AISPs"), who are engaged by Payment Service Users and provide account aggregation type services. The second are Payment Initiation Services Providers ("PISPs") (see below for definition). Banks such as HSBC will be classified as "Account Servicing Payment Services Providers" ("ASPSPs"), who allow AISPs and PISPs access to the customers' systems
  • in case of a dispute, the PSD2 provides guidance on the respective liabilities of the ASPSP and the AISPs/PISPs. Increased consumer protection is required when using payment instruments (e.g. cards), including strong authentication being required when accessing online banking systems even for read-only purposes, limitation on charges and obligations for the ASPSPs in case of loss/theft
  • corporate opt out principles are replicated within the PSD2. Each bank will be required to decide (and apply within the terms) which corporate opt outs apply to their customers

 

2. New Payments Services Providers regulated under PSD2

2.1. What is a PISP?

The new classification of Payment Initiation Service Provider ("PISP") will include third parties who contract with customers to initiate payments from the customer's account with a bank on behalf of the customer. The relationship between the PISP, the Payment Service User ("PSU") and the ASPSP is governed under the PSD2. Under PSD2, a PISP has the following rights and obligations:

  • they should not retain possession of the payer's funds for any length of time, but only initiate payments in connection with the provision of the payment initiation service
  • they should ensure that the personalised security credentials of the payment service user are not accessible to any other parties (except the user and the issuer of the personalised credentials), and that they are transmitted by the payment initiation service provider through safe and efficient channels
  • they should ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user's explicit consent
  • to identify itself towards the ASPSP of the Customer and communicate with the ASPSP, the customer and the beneficiary in a secure way every time a payment is initiated
  • not to store sensitive payment data of the PSU
  • not to request from the payment service user any data other than that which is necessary to provide the payment initiation service
  • not to use, access and store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer, and
  • not modify the amount, the recipient or any other feature of the transaction

As an example, a customer purchasing some goods on an e-merchant website can use a PISP service as an alternative to a debit/credit card. The customer will have to share his bank credentials with this PISP and give his consent as the PISP will access his bank accounts details to initiate the payment.

 

2.2. What is an AISP?

An Account Information Service Provider ("AISP") means a provider pursuing business activities in the form of accessing account information with the consent of the PSU in order to provide services like aggregation of accounts across different banks within different countries.

Under the PSD2, an AISP has the following rights and obligations:

  • the right for the AISP to provide its services to a PSU shall not apply where the payment account is not accessible online

The AISP must:

  • provide services only based on the payment service user's explicit consent
  • ensure that the personalised security credentials of the payment service user are not accessible to other parties (with the exception of the user and the issuer of the personalised credentials), and that when they are transmitted by the account information service provider, this is done through safe and efficient channels
  • at each session identify itself towards the ASPSP of the customer and securely communicate with the ASPSP(s) and the customer
  • access only the information from designated payment accounts and associated payment transactions
  • not request sensitive payment data linked to the payment accounts
  • not to use, access and store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules

As an example, a customer holding accounts in different banks across different countries can use the service of an AISP to get consolidated reports of these accounts. These reports can provide various charts, such as an analysis of expenses and revenues or the status of total balances.

 

2.3. As a consumer and as a corporate what is the impact if I use a PISP in my e-commerce activity?

When using an e-merchant's website, the customer might be offered the opportunity to pay via a PISP service as an alternative to using a debit/credit card. The customer would then be required to input their credentials as if they were connecting to HSBC online banking service and select the particular payment account to transfer the money from/to the e-merchant's account using the PISP service. If there is a defectively executed transaction then the consumer will retain the 13 months refund right (or 2 months in the case of a corporate customer).

 

2.4. As a consumer and as a corporate what is the impact if I use an AISP to access my accounts?

Customers can use the service of AISPs to get a consolidated view of their accounts across various banks (including HSBC accounts). Again the customer will have to share their credentials with AISPs in a safe manner for this type of service. HSBC will have to transmit to AISPs the payments accounts data as required under the PSD2.

 

2.5. Why would a customer use a method of payment other than his debit/credit card?

Increasingly e-merchants are providing incentives to encourage customers to move towards alternative payment channels and away from using a debit or credit card. These incentives can take different forms including rebate on the purchase price and/or reductions in payment charges (partially paid out of removed interchange fees through the avoidance of the card schemes).

 

2.6. If my payment is accepted for initiation, does this mean my payment is accepted?

The acceptance of the payment, often a Single Euro Payments Area (SEPA) Credit Transfer, for initiation only confirms that it is now with the bank to be processed. The Bank will then follow the normal process of execution for this payment including controls. The payment will only be accepted if the execution process is successful.

 

2.7. How would I know that my payment has failed?

If the payment fails, the Bank will have to inform the customer immediately and the PISP if the PISP was involved.

 

3. Corporate opt out

3.1. What does corporate opt out mean?

The PSD1 and PSD2 are written with consumer protection in mind. However, the PSD1 and PSD2 apply both to retail consumers and to corporate companies, which clearly have different needs and requirements.

PSD2 caters for this by allowing Banks and Corporate Customers the option of using a ‘corporate opt-out' for certain provisions, which can by mutual agreement be disapplied within the terms and conditions.

In addition, the PSD1 and PSD2 contain the option for the particular Member State to apply or not apply particular articles of the Directive. This is known as a "derogation". An example is the derogation which allows Member States to treat micro enterprises (with fewer than 10 staff and an annual turnover of less than €2 million) like consumers.

 

4. Strong customer authentication concept

4.1. What does ‘strong customer authentication' mean?

The definition within the PSD2 classifies strong customer authentication as meaning an authentication based on the use of two or more elements categorised as:

  1. knowledge (something only the user knows), e.g. a secret code or a memorable question
  2. possession (something only the user possesses), e.g. a debit card, and
  3. inherence (something the user is), e.g. a fingerprint

These need to be independent, meaning that the breach of one does not compromise the reliability of the others, and the authentication must be designed in such a way as to protect the confidentiality of the authentication data.

 

4.2. What are the impacts for me of having to use strong authentication?

When accessing HSBC online banking service, the customer will have to systematically use their secure token.

These increased security requirements are mandated within the PSD2 but are also a consequence of HSBC needing to engage with third party providers (PISPs/AISPs) and their ability to access customer accounts to initiate a payment transaction or request account information. In this new environment, it is increasingly important to ensure these accesses are either done by the customer itself or by parties having received consents from the customer.

 

5. One Leg Out concept

5.1. What does the One Leg Out concept mean?

The concept of One Leg Out extends the scope of the PSD2 to payment transactions in all currencies where only one of the payment service providers is located within the EU. The Directive makes clear that One Leg Out will only apply in respect to those parts of the payments transaction which are carried out in the EU. One Leg Out transactions are part of the scope extension of PSD2 Directive.

 

5.2. What are the implications of the refund period for unauthorised transactions?

The Payment Service User shall obtain rectification from the Payment Service Provider only if he notifies the Payment Service Provider without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim, and no later than 13 months after the debit date (2 months for corporate customers), unless, where applicable, the Payment Service Provider has failed to provide or make available the information on that payment transaction.

 

PSD2 Acronyms and descriptions

  • AISP: Account Information Service Provider
  • ASPSP: Account Servicing Payment Services Providers (e.g. HSBC when a TPP is referenced within the payment scenario)
  • BRD: Business Requirements Document (part of the HSBC change process)
  • EBA: European Banking Authority
  • ECB: European Central Bank
  • EEA: European Economic Area, all EU Member States and Member States of the European Free Trade Association (EFTA)
  • One leg out: Where one of the payment service providers is outside of the EU
  • Payee: Natural or legal person who is the intended recipient of funds which have been the subject of a payment transaction
  • Payer: Natural or legal person who holds a payment account and allows a payment order from that payment account, or, who gives a payment order
  • PISP: Payment Initiation Service Provider
  • PSD: Payment Services Directive
  • PSP: Payment Service Provider (e.g. HSBC)
  • PSU: Payment Service Users (e.g. consumers/customers of payment services)
  • T&Cs: Terms and Conditions
  • TPP: Third party payment provider (Payment initiation services and/or Account information services)

