Payments Insights #1 –
Safeguarding under the Proposed PSD3

Introduction to the Payments Insights Series

The European Commission is currently in the process of updating the EU’s legal framework for payment services. These proposals include:

• A proposed Third Payment Services Directive (the ‘PSD3’) which is a directive on payment services and electronic money services in the EU’s internal market which will repeal the Second Payment Services Directive (the ‘PSD2’) and the Second Electronic Money Directive (the ‘EMD2’); and
• A proposed new Payment Services Regulation (the ‘PSR’).

The proposed legal amendments aim to:

• Strengthen the protection of users and enhance confidence in payments and electronic money services;
• Improve the competitiveness and accessibility of open banking services;
• Unify the implementation of payment services regulation across EU Member States and;
• Improve access to payment systems and bank accounts for non-bank payment service providers.

In this series of Payments Insights, we will delve into the different aspects of how the legal framework for payment services will be updated in the EU; and any impacts it will have on Maltese laws.

Safeguarding under the Proposed PSD3

In this first insight of our Firm’s series on payments law, we will be focusing on the aspects of safeguarding of funds within payment institutions and how the proposed new EU framework will impact Malta.

The requirements for safeguarding of funds in Malta are transposed in the Financial Institutions Act (Chapter 376 of the Laws of Malta), the Financial Institutions Act (Safeguarding of Funds) Regulations (Subsidiary Legislation 376.04) and the applicable Malta Financial Services Authority (‘MFSA’)’s Financial Institutions Rules which currently fall under the purview of the Fintech Supervision Function within the MFSA.

Article 10B of the Financial Institutions Act provides that any payment institution or electronic money institution “shall safeguard all funds received from any person making use of its services, or received through another payment service provider for the execution of payment transactions, or in exchange for electronic money that has been issued.” The proposed PSD3 and PSR will merge payment institutions and electronic money institutions into one definition, namely, the ‘payment institution’. Nevertheless, for the purpose of this insight, the reference to each particular institution will be kept separate as that is how they are defined under the current laws in force.

In practice, safeguarding of funds entails the method through which a payment institution or an electronic money institution is required to continuously protect the funds held in-trust for the beneficial use of underlying users in the event that the financial institution licensed under PSD2 or EMD2 were to go into liquidation. This requirement is a condition of authorisation, as well as an on-going requirement that must be met at all times.

In terms of the MFSA’s rules, there are currently two methods for safeguarding of funds by payment institutions and electronic money institutions, as follows:

• Segregating the money from all other funds by either depositing them in a safeguarded account with a credit institution or investing them in secure, low-risk assets (PSD2 says: “in either of the following ways”) or;
• Protecting the money with an insurance policy or other comparable guarantee from an insurance company or a credit institution.

The underlying legal principles which underpin the safeguarding of funds regime have been the subject of legal analysis and jurisprudential proceedings. In fact, adhering to the safeguarding requirement was not easy because Paragraph 31 of the preamble of the proposed PSD3 considers the “difficulties experienced by payment institutions in opening and maintaining payment accounts with credit institutions…”

Whilst the current PSD2 lists the safeguarding obligation in Article 10, the proposed PSD3 will shift this to Article 9.  Hereunder one may find a brief overview of the proposed changes to the safeguarding of funds requirements under the proposed PSD3:

• New method for safeguarding of funds: The option of holding funds with central banks has been added as one of the safeguarding methods for payment institutions and electronic money institutions in addition to utilising a commercial bank for the safeguarding obligation. Whilst this option is at the discretion of the central bank, paragraph 31 of the preamble of the proposed PSD3 also adds that a central bank can opt to “not offer that option, based on its organic law”.

• Clarification on the term “credit institution”: The clarification on the term “credit institution” closes the debate (and varying legal interpretations) as to whether the term “credit institution” in the current Article 10 of the PSD2 is referring to banks authorised in third countries outside the EU. This is being clarified with the proposed PSD3 as it will specifically stipulate that the term will only refer to credit institutions authorised in a Member State of the EU.

• A new risk concept – the “concentration risk”: To minimise concentration risk, payment institutions and electronic money institutions would be required not to use the same safeguarding method for all their customers funds and to endeavour not to safeguard all client funds with one credit institution. Paragraph 31 of the Preamble of the proposed PSD3 provides that: “Concentration risk is a significant risk faced by payment institutions, in particular where funds are safeguarded in a single credit institution.” The proposed PSD3 is not envisaged to provide a definition of “concentration risk”. However, the European Banking Authority (‘EBA’) is being mandated to issue regulatory technical standards (‘RTSs’) on risk management of safeguarded funds. It is recommended that financial institutions should improve their risk management frameworks in anticipation of the new proposed rules and take note that the EBA will first publish a draft of these RTSs. The proposed text stipulates in the same Preamble 31 that: “Payment institutions shall avoid concentration risk to safeguarded customer funds by ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds. In particular, they shall endeavour not to safeguard all consumer funds with one credit institution.”

• Changes to the notification requirements relating to the safeguarding method: The proposed PSD3 stipulates the indispensability of the requirement of payment institutions to notify the competent authorities in advance of any material change in measures taken for the safeguarding of funds. This is already stipulated in the Financial Institutions Rules for electronic money institutions transposing the Electronic Money Directive.

It should be emphasised that the texts of the proposed new requirements are not yet final and could be subject to changes. At the time of writing, the latest texts of the PSD3 and the PSR are still being debated in the European Parliament. The additional safeguarding requirements which are found mainly in Article 9 of the proposed PSD3 would require transposition in each Member State before coming into force. Until PSD3 is promulgated, payment institutions and electronic money institutions must abide by the specific obligations delineated by the PSD2 and EMD2 independently.