Top of main content

Payment Services Directive

Background to PSD

On 1 November 2009 the EU Payment Services Directive (PSD1) was implemented with the aim to create a single market for payments in the European Union – making cross-border payments as easy, inexpensive and secure as domestic payments.

As the digital economy developed, new services that lay outside of the scope of PSD1 began to appear. To address this Payment Services Directive II (PSD2) was introduced on 13 January 2018.

HSBC Bank Malta p.l.c. can tell you all you need to know, whether you're a personal or business customer.

What did PSD2 Phase I cover?

Phase I was implemented to further harmonise the legal framework for payment transactions in the European Economic Area (EEA).

PSD2 Phase 1 extended the scope of the payment transactions covered in PSD1 and brought Third Party Providers (TPPs) - Account Information Service Providers, Payment Initiation Service Providers and Payment Instrument Issuing under regulation. 

What is PSD2 Phase II?

PSD2 Phase II is a new regulatory requirement being introduced across the European Union which represents a significant step forward by providing a regulatory framework for the evolving Open Banking business model.

The new regulatory framework, known as the Regulatory Technical Standards, supports more choice, innovation and security by providing Strong Customer Authentication in the provision of payment services to customers. It aims to give customers greater confidence when selecting to use a Third Party Provider to combine account information, or to undertake online and remote payments.

When did PSD2 Phase II come into effect?

PSD2 Phase II became effective on the 14 September 2019. 

What are the significant changes that PSD2 Phase II will bring?

Significant changes include:

1. Strong Customer Authentication (SCA)

The definition within PSD2 classifies strong customer authentication as meaning an authentication based on the use of two or more elements categorised as:

  1. Knowledge (something only the user knows), eg a secret code or a memorable question
  2. Possession (something only the user possesses) eg card, token
  3. Inherence (something the user is) eg a finger print

 

These need to be independent, meaning that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

SCA is being introduced to help reduce fraud. With increasing amounts of purchases being made online, these new rules will provide the extra protection necessary to ensure that customers are safe when purchasing online and their money is better protected. In this space the concept of Dynamic Linking has been introduced. This is the process by which the payment transaction, payee details and the payment amount is connected and confirmed by submitting a security transaction code.  In this respect our Internet Banking and Mobile Banking has been upgraded to include this new protection feature.

Where can I get more information about changes regarding online banking, mobile apps etc?

1.1 Keeping customer safe when shopping online

We've teamed up with Visa® and Mastercard®to upgrade the way you shop online. The new system aims to reduce fraud and make online payments safer through enhanced security.

Find out more information on 3D Secure.

2. Payments Services Providers regulated under PSD2:

2.1 Third Party Provider

A TPP is a third party service provider who is authorised, with your express agreement, to access your online accounts to obtain and consolidate information about your finances (this may include information about accounts you hold with us and other banks). You may also give payment instructions through a TPP.

We have included terms that make clear you can use TPPs if you want to. You should check from the information they give you that they are authorised.

We may refuse to allow a TPP to access your account if we are concerned about unauthorised or fraudulent access by that TPP. Unless it would compromise our reasonable security measures or otherwise be unlawful, we'll tell you if we do this, and why, in the way we think most appropriate. If you use a TPP you must continue to tell us about any payments on your account that you think may be incorrect or unauthorised.

2.2 Account Information Service Provider (AISP)

An Account Information Service Provider ('AISP') means a provider pursuing business activities in the form of accessing account information. This will be provided following secure authentication by the PSU in order to provide services like aggregation of accounts across different banks within different countries/regions.

Under PSD2, an AISP has the following rights and obligations:

  • The right for the AISP to provide its services to a PSU shall not apply where the payment account is not accessible online

The AISP must:

  • Provide services only based on the payment service user's secure authentication
  • Ensure that the personalised security credentials of the payment service user, are not accessible to other parties (with the exception of the user and the issuer of the personalised credentials), and that when they are transmitted by the account information service provider, this is done through safe and efficient channels
  • At each session identify itself towards the ASPSP of the customer and securely communicate with the ASPSP(s) and the customer
  • Access only the information from designated payment accounts and associated payment transactions
  • Not request sensitive payment data linked to the payment accounts
  • Not to use, access and store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules®

As an example, a customer holding accounts in different banks across different countries/regions can use the service of an AISP to get consolidated reports of these accounts. These reports can provide various charts like analysis of the expenses and the revenues, like total balances status. 

2.3 Payment Initiation Services Provider (PISP)

The new classification of Payment Initiation Service Provider ('PISP') will include third parties who contract with customers to initiate payments from the customer's account with a bank on behalf of the customer. The relationship between the PISP, the Payment Service User ('PSU') and the ASPSP is governed under PSD2. Under PSD2, a PISP has the following rights and obligations:

  • They should not retain possession of the payer's funds but only initiate payments in connection with the provision of the payment initiation service
  • They should ensure that the personalised security credentials of the payment service user, are not accessible to any other parties (except the user and the issuer of the personalised credentials), and that they are transmitted by the payment initiation service provider through safe and efficient channels
  • They should ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user's secure authentication
  • To identify itself towards the ASPSP of the Customer and communicate with the ASPSP, the customer and the beneficiary in a secure way every time a payment is initiated
  • Not to store sensitive payment data of the PSU
  • Not to request from the payment service user any data other than that which is necessary to provide the payment initiation service
  • Not to use, access and store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer, and
  • Not modify the amount, the recipient or any other feature of the transaction

As an example, when using e-merchant's website, the customer might be offered the opportunity to pay via a PISP service as an alternative to using a debit/credit card. The Customer would then be required to input their credentials as if they were connecting to HSBC Online Banking service and select the particular payment account to transfer the money from/to the e-merchant's account using the PISP service. If there is a defectively executed transaction then the consumer will retain the 13 months refund right (or 2 months in the case of a corporate customer).

What are the benefits of PSD2?

PSD2 seeks to improve customer rights in a number of ways.

1. Increased transparency to payment fees and charges

Extending sharing of charges to non-EEA currencies within the EEA. With regard to bank transfers where both the payer and the payee are located in an EEA country, the shared ('SHA') charge type will apply to all currencies. This means that the payer will pay the fee charged by his/her bank while the payee will pay the fee charged by his/her bank

2. What happens if a payment is made into the customer’s account by mistake?

We're clarifying what we’ll do when a payment has been made into your account by mistake and introducing changes to reflect new industry standards that help customers who use incorrect payment details to send a payment.

If you tell us a payment, made from a bank within EEA, was intended for you but the payer says it was made into your account by mistake, we’re legally required to share all relevant information including your name and address and transaction information with the bank the payment came from, if they ask us, so that the payer may contact you directly. We're including a term to make this clear.

3. What happens if a payment is delayed?

If a payment you asked us to make within the EEA doesn't arrive when it should have (normally the business day after we send the payment from your account), you can ask us to contact the receiving bank and ask them to treat the payment as if it had been made on time.

4. Customer protection

If a customer reports an unauthorised transaction to their bank, even when using a third party, they will retain their 13-month refund right.

5. Efficient bank processing

Same day value date to credit a customer’s account once the bank receives the funds (FX payments are subject to conversion).

Refunds for unauthorised transactions (prior to investigation), shall be processed by the end of the next business day, unless it is a fraudulent transaction or gross negligence.

6. Complaints

PSD2 related payment complaints, need to be resolved within 15 business days, which may be further extended to 35 business days when the information required is not within the Bank's control.

PSD 2 Definitions of Abbreviations

Acronym Description
AIS 
Account Information Services
AISP
Account Information Service Providers – accesses account information and provides details on transactions and balances
API
Application Program Interface - allows the TPPS to connect with the Banks systems API-HSBC.
ASD 
Accelerated Service Delivery
ASPSP
Account Servicing Payment Service Providers
BERLIN Group
An API standard that is the most widely recognised in Europe. CBPII – Card-based payment instrument issuer
DSK
Digital Security Key
Dynamic Linking
Dynamically linking authentication tokens to the specific payment amount and the specific payee of the transaction
Inherence
Biometrics such as finger print, face ID or voice recognition
Knowledge
Something only the user knows such as Password and PIN (something which is secret)
OBIE
Open Banking Implementation Entity who have their own API standard
OTP
One Time Password
PIISP
Payment Issuer Instrument Service Providers
PIS
Payment Initiation Services
PISP 
Payment Initiation Service Providers – will be able to initiate payments on behalf of the customer from the customer’s account with a bank
Possession
Something that the customer only owns such as the Token Device
PSP
Payment Service Provider
PSU
Payment Service User
SCA 
Secure Customer Authentication
STET
European leader in payments processing based in France who have their own API standard
TPP
Third Party Provider

PSD 2 Definitions of Abbreviations

Acronym AIS 
Description Account Information Services
Acronym AISP
Description Account Information Service Providers – accesses account information and provides details on transactions and balances
Acronym API
Description Application Program Interface - allows the TPPS to connect with the Banks systems API-HSBC.
Acronym ASD 
Description Accelerated Service Delivery
Acronym ASPSP
Description Account Servicing Payment Service Providers
Acronym BERLIN Group
Description An API standard that is the most widely recognised in Europe. CBPII – Card-based payment instrument issuer
Acronym DSK
Description Digital Security Key
Acronym Dynamic Linking
Description Dynamically linking authentication tokens to the specific payment amount and the specific payee of the transaction
Acronym Inherence
Description Biometrics such as finger print, face ID or voice recognition
Acronym Knowledge
Description Something only the user knows such as Password and PIN (something which is secret)
Acronym OBIE
Description Open Banking Implementation Entity who have their own API standard
Acronym OTP
Description One Time Password
Acronym PIISP
Description Payment Issuer Instrument Service Providers
Acronym PIS
Description Payment Initiation Services
Acronym PISP 
Description Payment Initiation Service Providers – will be able to initiate payments on behalf of the customer from the customer’s account with a bank
Acronym Possession
Description Something that the customer only owns such as the Token Device
Acronym PSP
Description Payment Service Provider
Acronym PSU
Description Payment Service User
Acronym SCA 
Description Secure Customer Authentication
Acronym STET
Description European leader in payments processing based in France who have their own API standard
Acronym TPP
Description Third Party Provider

Micro enterprises

Has either an annual turnover not exceeding €2 million or a balance sheet total not exceeding €2 million.

How will Payment Services Directive affect you as a business?

The Payment Services Directive II (PSD2) applies different rules for different sizes of business.

If your turnover is less than €2 million or balance sheet total not exceeding €2 million and employ less than 10 people, under PSD your business will be categorised as a micro enterprise.

If you're an HSBC business banking customer, it's important to let us know if the turnover of your business and any associated businesses changes, so we can make sure the relevant sections of PSD2 are applied.

If you have a Relationship Manager, they will do this with you at your annual review, but if the financial situation of your business changes in the meantime, please get in touch.

How will PSD2 affect you?

Under PSD2, banks and other Third Party Providers of payment services across Europe must:

  • Increase transparency to payment fees and charges
  • Increase customer protection
  • Enhance payment security features
  • Provide further efficiency in their processing

 

As HSBC Bank Malta p.l.c. already meets or exceeds most of the standards set out in the legislation you will probably not notice too many changes to your day-to-day business banking.

What kind of payments does PSD2 apply to?

PSD2 applies to most payment types, except paper-based payment instruments like cheques and bankers' drafts.

Corporate businesses

Has either an annual turnover exceeding €2 million or a balance sheet total exceeding €2 million.

How will the Payment Services Directive affect you as a business?

The Payment Services Directive II (PSD2) applies different rules for different sizes of business.

If your turnover is more than €2 million or balance sheet total exceeding €2 million and employ 10 or more people, under PSD your business is recognised as a corporate business.

If you're an HSBC business banking customer, it's important to let us know if the turnover of your business and any associated businesses changes, so we can make sure the relevant sections of PSD2 are applied. If you have a Relationship Manager, this will done with you at your annual review, but if the financial situation of your business changes in the meantime, please get in touch.

How will the Payment Services Directive affect you as a corporate business?

When it comes to your business's finances, clarity is key. PSD2 is an EU initiative that enhances the clarity and security to payment services rules in Malta and across the European Economic Area (EEA).

What does PSD2 mean for your business?

The principal aim of PSD2 is to ensure that banks and other Third Party Providers of payment services across Europe offer a consistent level of service and are transparent in their dealings with customers, by:

  • Increasing transparency on the provision of information you need when making payments, including clear information about rates and charges
  • Providing a consistent level of security features for payment processing across all payment service providers
  • Providing further efficiency in payments processing to improve level of service

 

As PSD2 is primarily aimed at protecting the interests of personal customers and small businesses, many of the benefits are not relevant to businesses of your size, and the European Commission has given banks the option to opt-out of a small number of areas of the Directive as a result. Your Relationship Manager would be able to guide you on where HSBC Bank Malta p.l.c. has chosen to opt-out.

What kind of payments does PSD2 apply to?

PSD2 applies to most payment types, except paper-based payment instruments like cheques and bankers' drafts.

Useful links

If, after reading this website, you'd like to know about HSBC and the Payment Services Directive, you might find the following links helpful.

 

The Central Bank of Malta is the competent authority together with MFSA to transpose the Payment Services Directive (PSD) into local legislation.

The MFSA is the competent authority for some aspects of the Payment Services Directive (PSD) together with the Central Bank of Malta. These pages will help firms affected prepare for implementation.

If you'd like to read more about the Payment Services Directive, visit the European Commission website.

Find out more about the PSD Directive as issued by the European Commission.

PSD2 documents

Listening to what you have to say about our services matters to us.