My response to HM Treasury consultation on Implementing PSD2
By email to PSD2consultation@HMTreasury.gsi.gov.uk
16 March 2017
Response to HMT Consultation on Implementing PSD2
Consultant Solicitor, Keystone Law
Question 1: Do you agree with the government’s proposed approach to implementation of the PSDII?
Bearing in mind the maximum harmonising nature of the PSDII, do you think the structure of the
regulatory regime will allow the UK’s competent authorities to enforce the regulations in a fair and equal
way towards all payment service providers?
While the maximum harmonising nature of PSD2 encourages fair and equal treatment of payment service
providers (PSPs), there are certain aspects of the regime that put this at risk:
1. There are many opportunities for PSD2 to be interpreted differently by member states. Some of the
more fertile areas for this are explained below. The more uncertainty that prevails, the greater the risk
of ‘regulatory creep’ as businesses will either needlessly apply for authorisation, tying up scarce FCA
resources; spend time and money making unnecessary alternative arrangements; or cease the
potentially regulated activity altogether. The adverse impact on existing businesses, as well as
innovation could be severe.
2. In particular, Article 100(4) of PSD2 provides that in the event of an infringement or suspected
infringement of transparency and conduct of business rules, the relevant competent authorities shall
be those of the home member state of the provider, except for the agents and branches set up in
exercise of the PSP’s right of establishment, where the competent authority is that of the host member
state. While an activity that falls within scope of PSD2 can be ‘passported’, there is no way to 'passport'
a favourable interpretation relating to scope or the applicability of an exclusion to other member
states. This raises the possibility (and from experience under the PSD, the likelihood) that:
a. a PSP’s consistent offering across the EEA may be subject to different derogations available to
member states under PSD2 among home and host states;
The writer is responding to this consultation on the basis of 20 years’ experience as a lawyer advising on retail
payment services and e-commerce, including as General Counsel at Earthport (1999-2001), a legal consultant to
Amazon.com (2008-2010) and WorldPay (2011-2012) and as external counsel to a range of payment institutions, e-
money institutions, merchants and technical service providers since 2012. He is the author of various articles charting
the progress of PSD2 for Society for Computers and Law. For more details see:
www.keystonelaw.co.uk/lawyers/simon-deane-johns. His views are based on his own general knowledge and
experience, and not those of any client.
b. home and host states may differ in their interpretation of scope, exclusions or exemptions2
and how regulatory technical standards may be complied with3
, for example, based on differing
view as to which activities are:
i. out of scope of PSD2 (e.g. whether the payment activity is even carried on by way of
; bill payment service providers5
ii. out of scope, but subject to a PSD2 requirement (e.g. a currency conversion service);
iii. in scope, but exempt (e.g. limited networks, commercial agents and technical service
iv. in scope, but subject only to some form of notification or registration requirement (e.g.
‘exempt’ large limited networks);
v. in scope and partially regulated, subject to certain thresholds or conditions;
vi. in scope and fully regulated.
3. Despite Brexit, UK-based e-money and payment institutions which offer their payment services in the
EEA will want to continue to support those from the UK, and vice versa. In the face of uncertainty,
firms would be well advised to assume there will be no passporting between the UK and the EEA,
because the implications of mistakenly assuming there will be passporting are profound. Such firms
could address the risk of no passporting by setting up an authorised entity based in an EU country to
passport its activities in the EEA; and granting a license to the EU-based ‘hub’ entity for a ‘white label’
version of the service; and/or use the UK business operations to support the ‘hub’ entity’s EEA
PSD2 and draft PSRs refer to the ‘negative scope’ activities as ‘exclusions’, which were generally known as
exemptions under the PSD; and ‘waivers’ that were available under the PSD as “exemptions”.
The UK seems to be requiring adherence to the Open Banking API Standard as the means of complying with the
European Banking Authority’s regulatory technical standards, for example, when other national standards may be
adhered to by systems used by the UK establishments of PSPs whose group systems are based in other EEA member
states. Perhaps the Open Banking API Standard accommodates compliance with such other standards?
FCA guidance states (at PERG 15.2, Q.9) “…Simply because you provide payment services as part of your business
does not mean that you require authorisation or registration. You have to be providing payment services, themselves,
as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally
expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations
merely through operating their client accounts in connection with their main professional activities.” This distinction
is particularly critical in the context of the limited network and commercial agent’s exclusions, for example, as well as
payment initiation and account information services (as explained below).
Bill payment services enable a customer to pay a supplier's bill by paying a third party, e.g. at the till in a local
shop. The FCA has said these services are not caught by the PSD, so long as the customer's payment to the third party
discharges the customer's obligation to pay the supplier. In other words, in such a scenario the third party is the
'payee' or intended recipient of funds, not the supplier. But the PSD2 instructs EU member states to treat these
services as 'money remittance', unless they are treated as part of some other type of regulated payment service
(recital 9). There is no word, yet, on whether or how the UK plans to deliver on this edict, which is critical to deciding
which option existing providers should choose in the event their services are ruled in scope.
offerings. It follows that any divergence between UK and EU payment services regulation that requires
different features or structures would tend to undermine firms’ ability to mitigate the impact of Brexit.
4. There are inconsistencies in the scope of exclusions and how the recitals to PSD2 suggest they have
been targeted. In particular, the third party sales activities of ‘e-commerce platforms’ and
telecommunications service providers are structured in a similar way, yet the narrowing of the
commercial agents exclusion is aimed at regulating ‘e-commerce platforms’; while telecommunications
providers benefit from a specific exclusion (although this may be narrower than such providers
6. Do you agree with the government’s interpretation of the limited network and commercial agent
exclusions? Which business models do you think may now be brought into scope that were previously
Limited network exclusion:
1. The government has not explained its view of every aspect of this exclusion that is open to
interpretation, some of which are addressed below. This is a difficult task for the government (and the
FCA), but failure to do so would leave unregulated businesses, in particular, facing a considerable
degree of uncertainty. The more uncertainty that prevails, the greater the risk of ‘regulatory creep’ as
explained in answer to Question 1.
2. Not only does PSD2 alter the scope of this exclusion, but large limited networks7
are subject to a
notification requirement and the FCA’s obligation to then decide whether or not they are exempt, with
no transition period to explore alternative methods of supporting the scheme if the exclusion is held
not to apply.
3. So, businesses with large loyalty schemes, store card programmes etc. need to consider now whether
the relevant activities will be covered by the revised limited network exclusion in January 2018 and, if
not, whether they should outsource the operation of the programme to an authorised firm (or the
agent of one) or seek their own authorisation8
(or agency registration). Ultimately, they might
restructure the scheme to fit the exclusion, or shut it down altogether.
See recitals 11, 15 and 16; and paragraphs 2(b) and 2(l) of Part 2 of the draft PSRs. The term “digital content” is
defined as “goods or service which are produced and supplied in digital form, the use or consumption of which is
restricted to a technical device and which do not include in any way the use or the consumption of physical goods or
services”. This definition seems very narrow in the context of smart devices, the Internet of Things (e.g. the connected
home) and smart contracts, raising questions as to what is meant by “allow the use” of a physical device or item and
“consumption” of services.
Where “the total value of payment transactions executed through such services provided by the service provider in
any period of 12 months exceeds 1 million euros”
The timing of the UK transposition process and the time required to prepare an application suggests the
authorisation option has already expired.
4. Guidance on whether the exclusion applies under PSD2 will need to be far more detailed than for the
local network exclusion under the PSD.9
The Treasury and the FCA will need to explain how they plan
to communicate awareness of the notification requirement and how they will administer the related
notification process, including whether pre-clearances will be possible during 2017, for example, given
the lack of any transition period should the FCA conclude that the exclusion does not apply.
5. The starting point for any guidance should be whether the relevant business is within the scope of PSD2
at all. As the FCA has indicated in relation to the PSD, “simply because you provide payment services
as part of your business does not mean that you require authorisation or registration. You have to be
providing payment services, themselves, as a regular occupation or business to fall within the scope of
It is arguable that a retailer’s gift card and loyalty ‘points’ arrangements are part of
its wider retail activities and not operated as a means of ‘payment’. If an activity is out of scope of
PSD2, then the limited network exclusion will be irrelevant. Independently operated loyalty
programmes with multiple participating retailers seem more likely to fall within the scope of PSD2 (and
the second electronic money directive (“EMD2”)), and would therefore need to consider whether an
6. The limited network exclusion (or “exclusion”) under PSD2 (Part 2(k) of Schedule 1 of the draft PSRs) is
for the following activity (with areas of uncertainty underlined):
"services based on specific payment instruments that can be used only in a limited way,
that meet one of the following conditions:
(i) instruments allowing the holder to acquire goods or services only in the premises of the
issuer or within a limited network of service providers under direct commercial agreement
with a professional issuer [not defined];
(ii) instruments which can be used only to acquire a very limited range of goods or services;
(iii) instruments valid only in a single Member State provided at the request of an
undertaking or a public sector entity and regulated by a national or regional public
authority for specific social or tax purposes to acquire specific goods or services from
suppliers having a commercial agreement with the issuer."
7. Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to
PSD2, but it is still not clear what is meant (again the uncertain aspects are underlined):
The limited network exclusion under the PSD applies to services based on instruments that can be used to acquire
goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer
either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my
See footnote 1.
"Instruments which can be used for purchases in stores of listed merchants should not be
excluded from the scope of this Directive as such instruments are typically designed for a
network of service providers which is continuously growing."
Commercial agents’ exclusion
1. PSD2 narrows this exclusion to apply only to transactions where the commercial agent is acting on
behalf of either the payer or the payee. The government has said that it “expects that a number of
‘platform’ business models which match buyers and sellers for goods and services are unlikely to
benefit from the new exclusion”.
2. Again, however, the ‘business test’ is critical. Numerous businesses operate client accounts under
various regulatory regimes as an adjunct to their businesses, including accountants, law firms and
numerous types of financial services regulated by the FCA; as well as those relating to rental bonds and
so on. There may or may not be agency relationships involved.
3. “Platform business models” are no different to the examples cited in the FCA guidance11
, since the
payments aspect is usually just an ancillary step in a much wider set of services and business processes
that are nothing to do with making payments. In fact, they are even less likely to be ‘payment services’
where a party to a transaction on the platform discharges the obligation to pay the counterparty under
the terms of the transaction by paying the platform operator. There is also a great deal more
functionality and a wider set of business operations involved in a typical retail or e-commerce
‘platform’ than any that merely facilitate payment: extensive contractual and operational
arrangements with suppliers; features that catalogue and display data about items for sale; enabling
consumers to conduct data searches for items; enabling consumers to read and write product reviews;
ensuring compliance with advertising regulation and rules concerning prohibited items; providing
delivery information; enabling order tracking; and facilitating or carrying out wholesale and retail
warehousing, distribution and delivery. These activities are far more significant aspects of operating an
e-commerce service than merely facilitating the transfer of payment data or the resulting
disbursement of proceeds to merchants or suppliers. Indeed, the acceptance of payment for items
reflects the need to set-off fees owed by merchants and suppliers for services provided to them by the
4. Such treatment of e-commerce platforms is also inconsistent with the exemption afforded for
transactions that are performed from or via an electronic device and charged to the related service bill
for either the purchase of tickets or 'within the framework of charitable activity'; or which involve the
purchase of digital content and “voice-based services” on a public telecommunication network being
charged to users’ phone bills, which previous drafts of PSD2 conceded are merely “ancillary services to
electronic communications services (i.e. the core business of the operator concerned).”
See footnote 1.
5. Accordingly, ‘platform business models’ whose main regular occupation or business is not providing
payment services and where the payment step is merely ancillary to a much wider business offering
should generally be seen as falling outside the scope of PSD2 altogether, making the applicability of
the commercial agents’ exclusion irrelevant.
Question 9: Do you agree with the approach to continue to exercise the SPI exclusion, with the same
conditions as under the PSD?
Question 10: Do you agree that the government should extend the right of termination to overdrawn
Question 11. Do you agree that the Title III provisions should continue to apply to transactions involving
micro-enterprises in the same way as those involving consumers?
Question 12. Do you agree with the government’s proposal to maintain the thresholds set for low-value
payment instruments in the PSRs?
Question 13: Do you think PSPs should be required to provide monthly statements to payers and payees?
PSPs should be able to provide monthly statements to payers and payees either on paper or another
durable medium, at the PSP’s option.
Question 14: Do you agree with the government’s proposal to provide access to out-of-court procedures
(in the form of the FOS) only where the complainant would usually be eligible to refer a complaint to the
I agree with widening the remit of the FOS from a “micro-enterprise” threshold to a “small business”
threshold. Only major businesses really have any bargaining power with their payment services providers.
Question 15: Do you agree that the prohibition on surcharging should be limited to payment instruments
regulated under Chapter II of the IFRs?
Question 16: Do you agree with the proposal to maintain the thresholds set for low-value payment
instruments under the PSRs?
Question 17: Do you agree with the proposed approach to consent, authentication and communication?
This is a very complex question that cuts across numerous aspects of PSD2, including the use of personal
data; and the nature and scope of payment initiation services, account information services and the
technical service providers’ exclusion.
1. Under Article 94(2) of PSD2, PSPs should only be able to access, process and retain personal data for
the provision of payment services, with the explicit consent of the payment service user. However, this
should be read as subject to article 94(1) and the rights of use for data controllers to carry out certain
necessary processing uses available under Data Protection Act 1998 (“DPA”) and the equivalent
provisions under the General Data Protection Regulation in due course12
• for the performance of a contract to which the data subject is a party, or (b) for the taking of steps
at the request of the data subject with a view to entering into a contract (para 2, Sched 2, DPA);
• for compliance with any legal obligation to which the data controller is subject, other than an
obligation imposed by contract (para 3, Sched 2, DPA);
• in order to protect the vital interests of the data subject (para 4, Sched 2, DPA);
• either…(b) for the exercise of any functions conferred on any person by or under any enactment,…
or (d) for the exercise of any other functions of a public nature exercised in the public interest by
any person (para 5, Sched 2, DPA); or
• for the purposes of legitimate interests pursued by the data controller or by the third party or
parties to whom the data are disclosed, except where the processing is unwarranted in any
particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data
subject (para 6, Sched 2, DPA),
and similar rights relating to the processing of sensitive personal data.
Strong Customer Authentication:
2. Regulation 100(1) of the draft PSRs requires PSPs to apply "strong customer authentication" where
(among other things) "a payment service user... directly or through an account information service
provider (a) accesses its payment account online; [or] (b) initiates an electronic payment transaction…."
(which presumably could not be done via an AISP).
3. This beg the question, in particular, as to how each type of payment transaction is initiated, and there
is considerable uncertainty and scope of differing interpretations here, as discussed in answer to
4. While distinctions concerning how payments are initiated and by whom might seem to matter less in
the context of security measures to be adopted by PSPs - since everyone is interested in reducing
financial crime - it is absolutely critical in the context of software and services that contribute in any
Article 6(1) and 9(2), in particular.
way to payments being "initiated" and whether the suppliers or users of such software and services
must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment
instruments. The same can be said for technical service providers in the context of account information
services. In both cases, this will in turn affect the scope of the technical service providers’ exclusion,
also discussed in answer to Question 19.
Question 18. Do you agree with the information and payment functionality that will be available to AISPs
This is not possible to assess, due to the government’s overly broad interpretation of the nature and scope
of these activities. Please see the answers to Question 19.
Question 19. Do you agree with the government’s interpretation of the definition of AIS and PIS?
Sadly, no, as the government’s interpretation of the definition of these activities is overly broad. That may
be consistent with a policy intent to increase the range of firms who can access bank payment systems, but
it will impose a disproportionately high regulatory burden and related legal and compliance costs on firms
whose regular occupation or business is not that of carrying on such activities, except perhaps as minor
ancillary steps in the context of other types of business. To treat the proposed wide variety of firms as
within the scope of PSD2 in a way that makes them ineligible for the technical service providers’ exclusion,
would have far reaching consequences for smaller firms, in particular, and for innovation and competition
generally in many industries - not to mention overwhelming the FCA’s scarce resources.
The Technical Service Providers’ Exemption
1. Under the current PSD, the ‘technical service provider exclusion’ applies to firms that provide various
technical services which support the provision of payment services, so long as they do not enter into
possession of any funds to be transferred. But under PSD2 that exclusion will not apply where such a
firm also provides a payment initiation service (“PIS”) or account information service (“AIS”).
“services provided by technical service providers, which support the provision of payment services,
without them entering at any time into possession of the funds to be transferred, including
processing and storage of data, trust and privacy protection services, data and entity
authentication, information technology (IT) and communication network provision, provision and
maintenance of terminals and devices used for payment services, with the exclusion of payment
initiation services and account information services.”13
2. It is clear from the words “which support the provision of payment services” that (a) by implication,
the scope of PSD2 is only intended to cover firms whose regular occupation or business is the provision
of any type of payment service (including a PIS or AIS); and (b) the exclusion is available to other firms
who provide the specified technical services to the first set of firms, but do not themselves handle
funds or have as their own regular occupation or business the provision of an AIS or PIS.
Paragraph 2(j) of Part 2 of Schedule 1 of the proposed regulations
Payment Initiation Service
3. The decision to regulate "payment initiation services" is said to have resulted from the popularity of
services that enable you to pay for online purchases by making a bank transfer (see recital 27 and the
Commission's FAQs 18, 21). Accordingly, it appears that the German authorities are interpreting the
scope of this service to apply only to the online initiation of bank transfers and they claim to have only
one payment initiation service provider (“PISP”) – presumably SOFORT GmbH. Yet the UK government
has adopted a broad definition of "payment initiation service"; and wishes to insist that users will have
the right to use payment initiation services in connection with “all online payment accounts, including
current accounts, credit card accounts, savings and e-money accounts” (paras 6.22, 6.23 and 6.27 of
the consultation paper) without being clear as to how a PIS might manifest itself in the context of those
other types of account.
4. On its face, the definition of "payment initiation service" in article 3 of PSD2 appears to cover any
“a service to initiate a payment order at the request of the payment service user with respect to a
payment account held at another payment service provider.”
Note also, that a "payment instrument" is defined as "a personalised device(s) and/or set of procedures
agreed between the payment service user and the payment service provider and used in order to
initiate a payment order (see next section).
5. Yet there is no definition of “initiate a payment order” in PSD2 and different payment methods
comprise different processes, actors and events. So it becomes a factual matter as to what constitutes
the relevant activity. In this regard, it seems logical to consider:
a. which type of payment method or instrument is being used;
b. which of potentially several payment orders is involved;
c. which payment account each order relates to;
d. which payment service user is making the request to initiate the relevant payment order;
e. which element of which service actually initiates that payment order;
f. whether the payment initiation feature is a service offered by way of business in its own right;
g. who offers that service; and
h. to whom.
As the European Banking Authority (“EBA”) has pointed out, even within the payment initiation
process, however, there may be technical service providers who support the process but are not
responsible for the "payment initiation service" that initiates the relevant payment order.14
6. Different PSPs might also structure the same type of payment method differently (and there may be
scope for differing interpretations of the relevant facts). The use of payment cards provides a good
example, as discussed further below, given the difference between four party and three party schemes;
different payment accounts involved depending on whether the card is a debit card or credit card; and
different payment transactions involved with different payer/payees, none of which might actually
involve a card payment at all. E-money accounts also come in different varieties, with some e-money
issuers only offering customers the ability to pay using prepaid debit cards, while others allow
customers to only pay using their e-wallets, and some offer both methods; and various different
payment methods may be used in purchasing and redeeming the e-money. It is unusual for a “savings
account” to have any payments capability, as opposed to an interest-bearing current account, for
example. By way of illustration, here is a suggested analysis of where a PIS might feature in connection
payments involving a four party card scheme:
a. While PSD appeared to ignore how card schemes actually work15
, PSD2 concedes (at recital 68)
that there are (at least) three steps related to a credit card ‘payment’ – (i) pre-authorisation
(to check the validity of the card and sufficient funds/credit available); (ii) an initial payment
transaction, where the issuer pays the acquirer (which only occurs in four-party card schemes,
and involves a complex netting process involving a scheme operator); and (iii) a later payment
transaction between the cardholder's bank account and the issuer, to reimburse the issuer).
There is a third payment transaction, of course, where the acquirer pays the merchant. But the
fact this is not mentioned in the recital underscores why it is misleading to refer to the
cardholder as the 'payer' in relation to the merchant and the merchant as the cardholder’s
intended 'payee', since the cardholder clearly intends to pay his card issuer, rather than the
b. Accordingly the cardholder could not have initiated any of the actual payment orders that
relate to the two or three payment transactions that are involved in the use of a payment card.
Recital 68 sidesteps this critical issue by stating that the "use of a card or card-based
instrument... triggers" the whole payment flow, and article 65(2)(b) refers to a scenario where:
The EBA’s regulatory technical standard for security of online payments refers to "payment integrators" as firms
who "provide the payee (i.e. the e -merchant) with a standardised interface to payment initiation services provided
by PSPs": https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-
Which the FSA and FCA tried to accommodate in Annex 5 of the Approach document. The card scheme process
was described by the Court of Appeal in Lancore Services v Barclays Bank plc  1 All ER 763 (per Rimer LJ); and
paragraphs 2.9 and 2.10, Part II of the Joint Money Laundering Steering Group guidance
"the payer has initiated the card-based payment transaction for the amount in question
using a card based payment instrument issued by the payment service provider".
"Payer" is defined to mean either "a natural or legal person who holds a payment account and
allows a payment order from that payment account, or, where there is no payment account, a
natural or legal person who gives a payment order.” But "allowing" and “giving” are not the
same as "initiating" and factually the cardholder is only a party to the second payment
transaction mentioned in recital 68.
c. Accordingly, in these circumstances, payment initiation would seem to have occurred as
i. As to the first payment transaction (between issuer and acquirer in a four-party card
scheme), the relevant payment order is likely initiated by the issuer, as payer,
requesting a bank transfer to the card scheme operator as payee; and then by the
scheme operator as payer by initiating a bank transfer to the acquirer or the acquirer’s
ii. As to the second transaction, between cardholder and issuer, it would depend on
whether the payment is made by a bank transfer (initiated by means of payment order
from the cardholder as payer via his bank to the issuer’s account) or a direct debit
(initiated by means of a payment order from the issuer as payee under the direct debit
iii. As to the third transaction, between acquirer and merchant, by the acquirer initiating
a bank transfer by payment order to its bank (or from its own system, if the acquirer is
a bank in its own right),
although it is possible that in each case the initiation of the payment order is carried out
using a feature provided by a third party (“payment initiation service provider”).
7. Clearly, it is critical that all stakeholders are clear as to the facts in each case before concluding whether
a payment initiation service is being offered.
Issuing Payment Instruments
8. Allied to “payment initiation services” is the process of issuing the instruments used to initiate payment
orders. PSD2 defines a "payment instrument" as "a personalised device(s) and/or set of procedures
agreed between the payment service user and the payment service provider and used in order to
initiate a payment order.” The activity of “issuing of payment instruments” is defined as “a payment
service by a payment service provider contracting to provide a payer with a payment instrument to
initiate and process the payer’s payment transactions.” The term “co-badged” is defined as “in relation
to a payment instrument, refers to an instrument on which is included two or more payment brands,
or two or more payment applications of the same payment brand.” The availability of “co-badged card-
based payment instruments” triggers the need to provide certain information under the Merchant
Interchange Fee Regulations.
9. Of course, a typical online merchant 'checkout' page or process usually displays a list of at least several
ways a customer may pay for selected items, whether that is by way of two or more payment brands
or applications of the same brand. To some extent the page is personalised by reference to the specific
buyer and the selected item(s). These pages may be hosted by a regulated PSP, an exempt 'technical
service provider' or 'gateway', and sometimes by the merchant itself. At some level the PSP(s) acting
as acquirers and those whose payment methods are available on the checkout might be taken to have
implicitly agreed with both the merchant and other payment service users that certain payment
instruments can be used where certain logos are displayed by following the relevant procedures; and
perhaps payment initiation will occur via a service available on the checkout, with some degree of data
processing involved. Yet the typical merchant is not itself in the business of issuing payment
instruments or providing other payment services, and guidance should make it clear that the merchant
is only in scope of PSD2 as a “payee” (or “payer” in the case of refunds, compensation payments etc.)
or a “payment service user”, rather than as the issuer of payment instrument.
10. Similarly, a merchant’s checkout page or process should not be interpreted as a payment initiation
service, nor is that typically the regular occupation or business of a merchant.
11. It is conceivable, perhaps, that a merchant might otherwise act as a technical service provider in
transmitting its own payments data to an acquirer rather than relying on a ‘gateway’ service provider.
But if that is to be suggested, then it should be made clear in guidance that the fact the merchant
ultimately receives funds does not prevent the merchant relying on the technical service providers’
exclusion, since by the time the funds are received they are simply funds owed to it in satisfaction of a
debt owed by the acquirer, and not “funds to be transferred”.
12. There is now little time for retailers and their service providers to decide whether checkout pages or
processes are caught and, if so, whether to outsource the hosting of the checkout process to a duly
authorised firm or its agent, restructure the checkout process or the entity/ies that hosts or operates
it, or become authorised or the agent of an authorised firm. Any guidance on the topic, however,
would need to address the following:
• which type of payment transaction or method is involved in the relevant scenario, and who is the
relevant PSP, payer and payment service user?
• is the checkout process/page a "personalised device"; or "personalised set of procedures agreed
between" the customer and the merchant acting as a payment service provider?
• if so, is the checkout process/page used "in order to initiate a payment order" or “to initiate [and
process] the relevant payment transaction(s)”?
• finally, how much processing would a merchant have to do to fall within the meaning of "initiate
and process the payer's payment transactions"? In other words:
o when does that processing begin and end;
o what steps/participants are involved;
o what is the nature and degree of the processing (e.g. does it send transaction data to a
payment gateway, acquirer or other type of payment service provider or somehow directly
result in the debit of a payment account?);
o is the merchant acting merely as a payee or payment service user?
Account Information Service (“AIS”)
13. The Treasury has copied the definition of this activity from PSD2:
‘account information service’ means an online service to provide consolidated information on one
or more payment accounts held by the payment service user with either another payment service
provider or with more than one payment service provider (article 4(16)) - [my emphasis] –
but has added:
"and include such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in
accordance with the payment service user’s instructions" [which do not appear in PSD2]
14. PSD2 requires that the AIS provider (“AISP”) should be granted access by the account service provider
to the same data on the payment account as the user of that account (para 6.25). Yet the government
believes that a firm will be considered an AISP even if it only "uses" some and not all of that account
information to provide "an information service" (para 6.28).
15. It seems that the concept of “uses” is overly broad, as is the concept of any “information service”, as
opposed to an “account information service”. There is also no reference to the need to consider
whether the service in question constitutes the provider’s regular occupation or business, in which
case it could be an AIS; or whether it is merely ancillary to the provider’s main activity, in which case it
should not be an AIS. This is evident from the list of services that the government believes are among
those that may constitute AISs (using italics for services that should not constitute AIS’s under the
• dashboard services that show aggregated information across a number of payment accounts;
• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness
• expenditure analysis that alerts users to consequences of particular actions, such as breaching
their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal
services, for example” (para 6.30).
16. Some other key points to consider include:
a. does it matter to whom the account information service is provided? The additional wording
seems to suggest that the 'payment service user' must be at least one recipient of the
information, but does that mean the payment service user of the payment account or the
person using the account information service? In other words, is there an AIS where the
recipient of the information is not the actual accountholder (e.g. a trustee, adviser, guardian
b. what does “online service” really mean? What elements of the end-to-end process of obtaining
and providing the account information have to be “online”?
c. little seems to turn on the word "consolidated", since the Treasury says a firm only needs to
use some of the information from the payment account to be offering an AIS, and it could be
from only one payment account. For instance, what if a service provides a simple 'yes' or 'no'
to a balance inquiry or request to say whether adequate funds are available in an account, and
that 'information' or conclusion/knowledge is not drawn from the payment account itself, but
merely based on comparing the balance with the amount in the customer's inquiry or proposed
transaction (e.g. authentication or confirmation under article 31(1)(c) of the EBA regulatory
technical standards on strong customer authentication)?
d. the payment account that the information relates to must be 'held by the payment service
user' with one or more PSPs, so presumably this would not include an online data account or
electronic statement that shows the amount of funds held for and on behalf of a client in a
trust account or other form of safeguarded or segregated account which is in the name of, say,
a law firm or an investment firm;
e. it seems impossible for the relevant data to provided in its 'original form', since data is arguably
processed in some way when merely passing from the account service provider’s system to the
AISP’s system. Applying the business test, providers of personal data stores or cloud storage
services, for example, are in the business of providing storage services for any type of data or
back-ups for later access, rather than providing a specific ‘payment account information’
f. what is meant by 'after processing'? For instance:
i. it may not be clear that a firm is providing information 'on a payment account', as
opposed to the same information from another type of data account;
ii. does this mean each data processor in a series of processors is providing an AIS to its
customer(s) or does interim processing 'break the chain' so that the next processor can
say that the information was not 'on a payment account' but came from some other
service provider's database (whether or not it was an AIS), such as a credit reference
iii. what about accounting/tax software providers who calculate your income and
expenditure by reference to payment account information but may not necessarily
display or 'provide' the underlying data? Again, applying the business test, the
inclusion of figures for bank account interest income (if any) in a tax return, for
example, should not of itself mean that an accounting firm or accounting software
provider that is preparing or filing the tax return is in the business of offering an AIS.
Acquiring of payment transactions
17. The regulated activity of "acquiring of payment transactions" is now defined to mean:
“a payment service provided by a payment service provider contracting with a payee to accept and
process payment transactions, which results in a transfer of funds to the payee;”
Yet it is not clear whether the transfer of funds needs to come from or on behalf of the payment service
provider in question, or whether the payee need only receive funds from a third party as a result of the
service provided. It is also important to note that a consumer could be a relevant “payee” in this context
e.g. if a firm were to enable them to receive a refund, withdrawal or other transfer of funds to their
payment account. It should be made clear that a PIS or the issuing of a payment instrument (or indeed
a gateway or other technical services that support a payment service) would not be construed as
acquiring, even though they each might be said to eventually result in a transfer of funds to a payee.
20 What services are currently provided that you think may be brought into scope of the PSDII by the
broad reading of the definition of AIS and PIS?
Please see the answers to Question 19.