The law transposing PSD 2 is finally here. What is specific for Romania?
On November 13, 2019, Law no. 209/2019, the law that transposes PSD 2,* was published in the Official Gazette of Romania. This legislation, which comes after the commencement of an EC late transposition procedure, has been much anticipated by local Fintechs and will become effective on December 13, 2019. From that date, Romanian third-party providers (TPPs) will be able to register with the National Bank of Romania, and payment service providers have 60 days to ensure conformity of their ongoing contracts with titles III and IV of the new law (which refer to transparency requirements, rights and obligations in relation to payment services).
Secondary National Bank of Romania regulations required for the full application of PSD 2 should follow in the coming period, so we expect that by January 2020 Romania will have a new, complete payments legislation.
Law no. 209/2019 mainly reflects the provisions of PSD 2 and creates an environment for open payment services in Romania. We highlight briefly below the key changes to the existing national payments framework as well as some Romania-specific provisions.
1. Scope and exemptions; Impact on value cards
As opposed to prior legislation, and in line with PSD 2, Law no. 209/2019 extends its scope to cover the so-called one-leg transactions – i.e., payment transactions in all currencies where only one of the payment service providers is located within a member state, for those parts of the transaction which are conducted in a member state.
On the same note, the scope of the exemptions has been reduced. For example, the commercial agent exemption will apply to commercial agents when their involvement is on behalf of only the payer or only the payee, and not when acting in the interests of both parties as was previously possible.
Also, the limited network exemption was worded in a more precise manner, making it more difficult to use loose language as a loophole to escape the law’s payment service obligations. As to Romania-specific provisions, additional conditions were added that may impact retailer-issued value cards. On the bright side, the law includes some explicit examples of exempted products such as store cards, fuel cards, membership cards, public transport cards, parking ticketing and meal vouchers.
Importantly, even in cases when the limited network exception applies, if at any time the total value of payment transactions in the preceding 12 months exceeds one million EUR, the National Bank of Romania must be consulted as to whether the exception will continue to apply.
2. New players on the payment services market
As regards the activities of TPPs, Law no. 209/2019 transposes PSD 2 without significant deviations. Three types of regulated TPPs are introduced:
- PISP – a payment service provider that initiates a payment order at the request of a payment service user with respect to a payment account held at another payment service provider.
In practical terms, PISPs can simplify transactions by cutting out as many intermediaries as possible in the payment authorization process and are an alternative to traditional debit or credit cards. For example, in e-commerce transactions a PISP would directly initiate a bank transfer from the account of the payer to the account of the merchant.
- AISP – a payment service provider that provides consolidated information about one or more payment accounts held by a payment service user with either another payment service provider or with more than one payment service provider.
In other words, AISPs are information aggregators that provide consolidated information about one or more accounts held by their users with one or more different banks.
- CBPII – a payment service provider issuing card-based payment instruments.
The function of a CBPII is to issue card-based payment instruments used to execute payment transactions from an account that the payment service user holds with a bank (and which is not managed by that CBPII).
3. The distribution of liability when PISPs process transactions
In line with PSD 2, in the case of non-executed or defective transactions initiated by a PISP, Law no. 209/2019 provides that the bank has the responsibility to make refunds to the payment service user. The bank can then seek compensation from the PISP if damages are attributable to it.
Law no. 209/2019 does not offer any supplementary guidance in terms of liability or dispute resolution between TPPs and banks. This could prove problematic in practice as, in the almost unavoidable scenario of litigation, the Romanian courts will have limited knowledge on the technical aspects that converge with the rules of liability. To help mitigate these risks and uncertainties, TPPs and banks could enter into detailed liability regimes among themselves. The question of establishment and allocation of liability will remain a key concern as market practice is established over time.
4. Strong Customer Authentication
In line with PSD 2, and with the aim of providing better payment transaction security, Law no. 209/2019 requires strong customer authentication (SCA), which entails using two or more elements from the following categories:
- knowledge (something only the user knows), such as a password, PIN, knowledge-based challenge question, passphrase or memorized swiping path;
- possession (something only the user possesses), such as possession of devices evidenced by a one-time password (OTP) generated by, or received on, a device (hardware or software token generator, SMS OTP) or cards evidenced by a card reader;
- inherence (something the user is), such as fingerprint scanning, voice recognition, retina and iris scanning and even keystroke dynamics or the angle at which the device is held.
5. Difficulties implementing strong customer authentication in e-commerce transactions
The European Banking Authority (EBA), which supervises SCA at the EU level, has recognized the technical difficulties in implementing SCA solutions for e-commerce card-based payment transactions and allowed payment service providers to prepare migration plans that have to be implemented by 31 December 2020. Nevertheless, the EBA stressed that during this period, payment service providers will remain liable for unauthorized transactions when SCA has not been properly applied.
In line with the EBA’s indications, the National Bank of Romania is expected to collaborate with the relevant stakeholders in order to supervise and achieve implementation of the migration plans by the proposed deadline.
*The Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.