The law transposing PSD 2 is finally here. What is specific for Romania?
On November 13, 2019, the Law no. 209/2019 on payment services that transposes PSD 2 (the Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC) was published in the Official Gazette of Romania.
A much expected piece of legislation by local fintechs, the law will enter into force within 30 days as of November 13, 2019.
By the end of year it is expected that the secondary legislation will also enter into force and most likely, by January 2020, Romania will have the first licenses as TPPs pending authorities’ approval.
Read below the key changes introduced by the new law and some highlights of the Romanian specifics.
Even though Romania should have implemented PSD 2 by 13 January 2018, the Law no. 209/2019 on payment services (“Law no. 209/2019”) transposing PSD 2 was finally published in the Official Gazette on 13 November 2019, after an infringement procedure for late transposition commenced by the European Commission.
The Law no. 209/2019 mainly reflects the provisions of PSD 2 and creates an environment of open payment services in Romania. In addition to the changes introduced by PSD 2, the national legislator also introduced some Romanian specific provisions.
We highlight below the key changes to the existing national payments framework introduced by the Law no. 209/2019, but also some contrasts with PSD 2.
1. Scope and exceptions of the new law. Impact on value cards
As opposed to Government Emergency Ordinance no. 113/2009 (the previous enactment that regulated payment services), in line with PSD 2, the Law no. 209/2019 extends its scope also to one-leg transactions – i.e. payment transactions in all currencies where only one of the payment service providers is located within the Union, in respect to those parts of the payments transaction which are carried out in the Union.
On the same note, the scope of the exceptions from the legislation regulating payment services has been reduced. For example, the commercial agent exemption will apply to commercial agents involved in a transaction acting only on behalf of the payer or only of the payee and not in the interest of both parties as was previously possible. Also, the limited network exception was worded in a more specific manner in order to defuse any attempts to take advantage of an imprecise language and hence escape the obligations imposed by the payment services legislation.
The Romanian legislator went the extra mile in what concerns the limited network exception and provided in excess of the recitals of PSD 2 additional conditions that may impact value cards issued by retailers. On the bright side, the law includes some explicit examples of exempted products such as store cards, fuel cards, membership cards, public transport cards, parking ticketing or meal vouchers.
Importantly to be considered, even in those cases when the limited network exception is successfully triggered, if the total value of the payment transactions in the last 12 months exceeded 1 million EUR, the National Bank of Romania must be consulted whether the exception will further apply.
2. New players on the payment services market
Law no. 209/2019 introduces to the payment services market the third party providers, generally referred to as TPPs, regulated by PSD 2:
- PISP – a payment service provider that initiates a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
In practical terms, PISPs can simplify transactions by cutting as many middle-men as possible in the payments’ authorization process and hence becoming an alternative to the traditional debit or credit cards.
For example, in e-commerce transactions a PISP can directly initiate a bank transfer from the account of the payer to the account of the merchant.
- AISP – a payment service provider that provides consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
In other words, AISPs are information aggregators that provide consolidated information on the accounts held by their users with different banks.
- CBPII – payment service provider issuing card-based payment instruments.
The functionality of CBPIIs is to issue card-based payment instruments in order to execute payment transactions from an account held by the payment service user to a bank (which is not managed by CBPII).
Law no. 209/2019 follows the lines of PSD 2 in transposing the activity of TPPs and has minimum deviations.
Secondary legislation regulating the authorization or registration of TPPs is expected to enter into force by the end of the year with the expectation that the first licensed TPPs will appear in the first half of the year 2020.
3. The distribution of liability when PISPs process transactions
In line with PSD 2, in case of non-executed or defective transactions initiated by a PISP, Law no. 209/2019 provides that the bank is the one that refunds the payment service user.
Only at a later time can the bank be compensated by the PISP in case the third party provider was the one that caused the damage.
Law no. 209/2019 does not offer any supplementary guidance in terms of liability or dispute resolution between TPPs and banks. This could prove problematic in practice as, in the almost unavoidable scenario of litigation, the Romanian courts will have limited knowledge of the technical aspects that converge with the rules of liability. To avoid these cases, TPPs and banks can enter into agreements in order to mitigate this risk of uncertainty and draw up the liability regime themselves. Nevertheless, the question of establishment and distribution of liability will remain a hot topic as market practice will probably form over time.
4. Strong Customer Authentication
In line with PSD 2, the Law no. 209/2019 introduces strong customer authentication (“SCA”) with the aim to provide better security to payment transactions. SCA entails the use of two or more elements categorised as:
- knowledge (something only the user knows) such as password, PIN, knowledge-based challenge questions, passphrase or memorised swiping path.
- possession (something only the user possesses) such as possession of devices evidenced by an one-time password generated by, or received on, a device (hardware or software token generator, SMS that transmits an one-time password) or cards evidenced by a card reader;
- inherence (something the user is) such as fingerprint scanning, voice recognition, retina and iris scanning and even keystroke dynamics or the angle at which the device is held.
5. Difficulties in implementing SCA with e-commerce transactions
European Banking Authority (“EBA”), the authority supervising the implementation of SCA at EU level, recognized the technical difficulties in implementing SCA solutions for e-commerce transactions and allowed the payment service providers to prepare migration plans that have to be implemented by 31 December 2020. Nevertheless, EBA stressed the point that the time given for these migration plans does not entail that payment service providers are not liable for unauthorized transactions in case SCA is not applied.
In line with EBA’s indications, the National Bank of Romania is expected to collaborate with the relevant stakeholders in order to supervise and achieve the implementation of the migrations plans by the proposed deadline.
6. Entering into force
The Law no. 209/2019 will enter into force in 30 days as of 13 November 2019, the date of its publishing in the Official Gazette of Romania. From that date of entering into force, Romanian TPPs will be able to register with the National Bank of Romania and payments service providers will have 60 days to ensure the conformity of their on-going contracts with the provisions of the new law.
The secondary legislation required for the full application of PSD 2 is expected to be enacted in the coming period by the National Bank of Romania, thus it is expected that by January 2020 Romania will have a fully functional new payments legislation.