EUROPEAN COMMISSION

Brussels, 28.6.2023

COM(2023) 366 final

2023/0209(COD)

Proposal for a

DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC

(Text with EEA relevance)

{SEC(2023) 256 final} - {SWD(2023) 231 final} - {SWD(2023) 232 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

The second Payment Services Directive (PSD2 1 ) provides a legal framework for all retail payments in the EU, both Euro and other currencies, domestic and cross-border. The first Payment Services Directive (PSD1 2 ), adopted in 2007, established a harmonised legal framework for the creation of an integrated EU payments market. Building on PSD1, PSD2 addressed barriers to new types of payment services and improved the level of consumer protection and security. Most of the rules in PSD2 have been applicable since January 2018, but some rules, such as those on Strong Customer Authentication (SCA) have only applied since September 2019. 

PSD2 contains both rules on the provision of payment services by payment service providers (PSPs) and rules on the licensing and supervision of one specific category of PSP, namely payment institutions (PIs). Other categories of PSP include notably credit institutions, which are regulated under EU banking legislation 3 , and electronic money institutions (EMIs), which are regulated under the Electronic Money Directive 4 .

The Commission’s 2020 Communication on a Retail Payments Strategy (RPS) for the EU 5 laid down the Commission’s priorities regarding the retail payments sector for the term of office of the current College of Commissioners (2019-2024). It was accompanied by a Digital Finance Strategy, which set out priorities for the digital agenda in the finance sector other than payments. The RPS announced that “at the end of 2021, the Commission will launch a comprehensive review of the application and impact of PSD2”. This review was duly undertaken, essentially in 2022, and led to a decision by the Commission to propose legislative amendments to PSD2, in order to improve its functioning. These amendments are set out in two proposals, the present proposal for a Directive on payment services and electronic money services, focussing on licensing and supervision of payment institutions (and amending certain other Directives) and a proposal for a Regulation on payment services in the EU.

The proposed revision of PSD2 features in the Commission Work Programme for 2023, along with a planned legislative initiative on a framework for financial data access, extending financial data access and use beyond payment accounts to more financial services.

•Consistency with existing policy provisions in the policy area

Existing policy provisions of relevance to this initiative include other legislation in the area of retail payments, other financial services legislation also covering payment services providers and Union legislation of horizontal application that impacts the retail payments sector. Care has been taken in the preparation of this proposal to ensuring coherence with those provisions.

Other legislation in the field of retail payments, apart from those mentioned above, includes the Single Euro Payments Area (SEPA) Regulation of 2012, which harmonises the technical requirements for credit transfers and direct debits in euro 6 . On 26 October 2022, the Commission proposed an amendment to the SEPA Regulation, to accelerate and facilitate the use of instant payments in euro in the EU 7 . The Regulation on cross-border payments equalises pricing of domestic and cross-border transfers in euro 8 . The Regulation on Interchange Fees lays down maximum levels for such fees 9 . 

Other relevant financial services legislation includes the Settlement Finality Directive (SFD) 10 , to which a targeted change is made in this proposal, the Markets in Crypto-Assets Regulation (MiCA) 11 , the Digital Operational Resilience Act concerning cyber-security (DORA) 12 and the Anti-Money Laundering (AML) Directive, for which a package of proposed amendments is currently under discussion by the co-legislators.

•Consistency with other EU policies

The Commission is submitting a proposal for an EU legal framework on financial data access, which is presented in conjunction with the two proposals to amend PSD2; that proposal covers access to financial data other than payment account data, which remains covered by payments legislation.

More general EU legislation of relevance includes the General Data Protection Regulation 15 .

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Subsidiarity (for non-exclusive competence)

The freedom to provide services and freedom of establishment are widely used by payment service providers. In order to ensure harmonious conditions and a level playing field within the internal market for retail payment services, EU-level legislation is required. This logic underlies the first and second Payment Services Directive and continues to apply to this proposal.

•Proportionality

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

•Stakeholder consultations

To ensure that the Commission’s proposal takes account of the views of all interested stakeholders, the consultation strategy for this initiative comprised:

·an open public consultation, open from 10 May 2022 to 2 August 2022 19 ;

·a targeted (but nevertheless public and open) consultation, with more detailed questions than the public consultation, open from 10 May 2022 to 5 July 2022 20 ;

·a call for evidence, open from 10 May 2022 to 02 August 2022 21 ;

·a targeted consultation on the SFD, open from 12 February 2021 to 7 May 2021;

·consultation of stakeholders in a Commission expert group, the Payment Systems Market Expert Group;

·ad hoc contacts with various stakeholders, either on their initiative or that of the Commission;

·consultation of Member States’ experts in the Commission Expert Group on Banking Payments and Insurance.

The outcome of these consultations is summarised in Annex 2 to the impact assessment accompanying this proposal.

•Collection and use of expertise

–evidence supplied through the various consultations listed above and on an ad hoc basis by stakeholders.

–evidence provided by the European Banking Authority in its Advice 22 .

–a study carried out by a contractor, Valdani Vicari & Associati Consulting, delivered in September 2022, “A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2). 23 .

–data obtained from private sector operators.

•Impact assessment

This proposal (and the proposal for a Regulation on payment services in the internal market) is accompanied by an impact assessment, which was examined by the Regulatory Scrutiny Board (RSB) on 1 March 2023. The RSB issued a positive opinion with reservations on 3 March 2023 (the reservations were dealt with in the final version). The impact assessment found that there are four key problems in the EU payment market, despite the achievements of PSD2:

–consumers are at risk of fraud and lack confidence in payments;

–the open banking sector functions imperfectly;

–supervisors in EU Member States have inconsistent powers and obligations;

–there is an unlevel playing field between banks and non-bank PSPs.

The consequences of these problems include the following:

–users (consumers merchants and SMEs) continue to be exposed to fraud risk and have limited choice of payment services, with prices higher than they need to be;

–open banking providers face obstacles to offering basic OB services and find it harder to innovate;

–PSPs experience uncertainty about their obligations, and non-bank PSPs are at a competitive disadvantage vis-à-vis banks;

–there are economic inefficiencies and higher costs of commercial operations, with negative impact on EU competitiveness;

–the internal market for payments is fragmented, with “forum shopping” occurring.

There are four specific objectives of the initiative, corresponding to the identified problems:

1. Strengthen user protection and confidence in payments;

2. Improve the competitiveness of open banking services;

3. Improve enforcement and implementation in Member States;

4. Improve (direct or indirect) access to payment systems and bank accounts for non- bank PSPs.

The impact assessment presents a package of preferred options, aiming to achieve the specific objectives (the list below covers both measures contained in this Directive and in the accompanying Regulation):

–For specific objective 1, improvements to the application of SCA, a legal basis for exchange of information on fraud and an obligation to educate customers about fraud, extension of IBAN verification to all credit transfers, and on conditional reversal of liability for authorised push payment fraud; an obligation on PSPs to improve accessibility of SCA for users with disabilities, older people and other people facing challenges regarding the use of SCA; measures to improve the availability of cash; improvements to user rights and information.

–For specific objective 2, a requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface; “permissions dashboards” to allow users to manage their granted open banking access permissions; more detailed specifications of minimum requirements for OB data interfaces;

–For specific objective 3, replacing the greater part of PSD2 with a directly applicable Regulation; strengthening of provisions on penalties; clarifications of elements which are ambiguous; integrating the licensing regimes for PIs and EMIs.

–For specific objective 4, strengthening of PI/EMI rights to a bank account; granting the possibility of direct participation of PIs and EMIs to all payment systems, including those designated by Member States pursuant to the SFD, with additional clarifications on admission and risk assessment procedures.

● Regulatory fitness and simplification

● Fundamental rights

● Application of the ‘one in, one out’ principle

The present initiative does not involve new administrative costs for businesses or consumers, as the initiative will not lead to any increased oversight or supervision of PSPs, or to specific new reporting obligations not already contained in PSD2. There are also no regulatory fees and charges arising from the initiative. The Commission therefore considers that this initiative does not generate administrative costs which require offsetting under the "one in one out" principle (although it is relevant for “one in one out” in that it creates implementation costs). It may be noted that the bringing together of the legislative regime for EMIs and that for PIs will reduce administrative costs, for example, removing the requirement to obtain a new license in certain circumstances.

● Climate and sustainability

No negative implications of the initiative for climate of this initiative have been identified. The initiative will contribute to target 8.2 of the UN Sustainability Development Goals: “to achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors”.

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Detailed explanation of the specific provisions of the proposal

This proposal for a Directive on licensing and supervision of payment institutions is largely based on Title II of PSD2, regarding “Payment Service Providers”, which only applies to payment institutions. It updates and clarifies the provisions relating to PIs, and integrates former EMIs as a sub-category of PIs (and consequently repeals the second Electronic Money Directive, 2009/110/EC). Furthermore, it includes provisions concerning cash withdrawal services provided by retailers (without a purchase) or independent ATM deployers and amends the Settlement Finality Directive (Directive 98/26/EC).

●Subject matter scope and definitions

The proposal concerns access to the activity of providing payment services and electronic money services by payment institutions (not by credit institutions). A number of key definitions are clarified and aligned with the proposal for a Regulation accompanying this proposal

●Licensing and supervision of payment service providers

The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application, but made fully consistent for institutions providing payment services and electronic money services. Amongst other changes, it is acknowledged that payment initiation service providers and account information service providers may hold initial capital instead of a professional indemnity insurance, considering that the requirement to hold a professional indemnity insurance at the licensing stage may be difficult to fulfil, taking into account previous experience. Requirements for initial capital are updated for inflation since the adoption of PSD2 (except for Payment Initiation Service Providers as this is considered not appropriate given the relatively short time they have been in operation). The possible methods for calculation of own funds are not changed, either for payment institutions covered by PSD2 or for former electronic money institutions; it is provided that one of the three possible methods of calculation of own funds should be considered the default option in order to enhance the level playing field – but exceptions are allowed for particular business models.

Safeguarding rules for payment institutions are unchanged except that the possibility of safeguarding in an account of a central bank (at the discretion of the latter) is introduced in order to extend the options for PSPs in this regard and that payment institutions must endeavour to avoid concentration risk in safeguarded funds; EBA regulatory technical standards on risk management of safeguarded funds are to be adopted in this respect. For payment institutions providing electronic money services, the safeguarding rules are fully aligned with those applying to payment institutions only providing payment services. More detailed provisions on internal governance of payment institutions, including EBA guidelines, are introduced.

Provisions regarding agents, branches and outsourcing are unchanged from PSD2, but a new definition of distributors of electronic money and related provisions, closely aligned with those applicable to agents, are added.

Provisions on cross-border provision of services by PIs, and the supervision of such services are broadly unchanged. With respect to the exercise of the right of establishment and freedom to provide services where PIs use agents, distributors and branches, specific provisions are laid down for cases where three Member States are involved (the Member State of establishment of the PIs, that of the agent, and a third Member State to which the agent provides services on a cross-border basis), thereby enhancing clarity.

Member States and the European Banking Authority shall continue to maintain a register of authorised payment institutions and in addition develop a list of machine-readable payment initiation services providers and account information service providers.

As in PSD2 and the Electronic Money Directive, competent authorities, with adequate powers, must be designated by Member States for licensing and supervision. Provisions for cooperation between national competent authorities are laid down, clarifying the rules in this regard, and adding the possibility for NCAs to request assistance of the EBA in solving possible disagreements between other NCAs.

As in PSD2, PIs which only carry out account information services are subjected to a requirement of registration not authorisation. The proposal specifies the documentation that must accompany the registration application. Account information service providers remain supervised by competent authorities. The optional exemptions from certain provisions which Member States may grant to small payment institutions are unchanged.

●Provisions concerning cash withdrawals

Operators of retail stores are exempted from the requirement for a payment institution license when they offer cash withdrawal services without a purchase on their premises (on a voluntary basis), if the amount of cash distributed does not exceed EUR 50, in line with the need to avoid unfair competition with ATM deployers.

Distributors of cash via ATMs who do not service payment accounts (the so-called “independent ATM deployers”) are exempted from the licensing requirements of payment institutions, and subjected only to a registration requirement. The registration must be accompanied by certain documentation.

●Transitional provisions

Transitional measures are appropriate regarding existing activities under PSD2 given the creation of a new legal licensing regime. For example, existing licenses for PIs and EMIs are prolonged in validity (“grandfathered”) until 30 months after entry into force (one year after the transposition deadline and the beginning of application) on condition that application for a license under this Directive is made at the latest 24 months after entry into force.

●Repeals and amendments to other legislation

The second Electronic Money Directive (Directive 2009/110/EC) is repealed, with effect from the date of application of this Directive.

The second Payment Services Directive (Directive 2015/2366/EC) is repealed as of the same date. A correlation table of articles with respect to the corresponding articles of PSD2 and EMD2 is annexed, for purposes of legal continuity.

An amendment is made to the SFD (Directive 98/26/EC) to add PIs to the list of institutions which have the possibility to participate directly in payment systems designated by a Member State pursuant to that Directive (but not to designated securities settlement systems). An amendment is also made to the definition of indirect participation in SFD, to revert the definition to the text which existed before 2019, when Directive (EU) 2019/879 25 changed this definition.

Article 47 provides for an amendment of Directive (EU) 2020/1828 to bring into its scope Regulation (EU) 20../…. on financial data access. This amendment will allow representative actions to be brought against infringements of the said Regulation.

●Other provisions

There is an empowerment to the Commission to update amounts of own funds to take account of inflation by Delegated Act. The directive is a full harmonisation directive. It will enter into force 20 days after publication in the Official Journal. The deadline for Member States to transpose this Directive and the date of application of the transposing measures is 18 months after entry into force (except for amendments to the SFD, in which case it is 6 months). A review report will have to be presented 5 years after the entry into force of the Directive, focusing in particular on the appropriateness of the Directive’s scope, on its possible extension to payment systems and technical services, and on the impact of the safeguarding of payment institutions funds of the rules proposed by the Commission on 18 April 2023 26  which, when adopted, would amend Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes.

2023/0209 (COD)

Proposal for a

DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 53 and 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee 27 ,

Having regard to the opinion of the Committee of the Regions 28 ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)Since the adoption of Directive (EU) 2015/2366 of the European Parliament and of the Council 29 , the retail payment services market underwent significant changes largely related to the increasing use of cards and other digital means of payment, the decreasing use of cash and the growing presence of new players and services, including digital wallets and contactless payments. The Covid-19 pandemic and the transformations it brought to consumption and payment practices has increased the importance of having secure and efficient digital payments.

(2)The Communication from the Commission on a Retail Payments Strategy for the EU 30 announced the launch of a comprehensive review of the application and impact of Directive (EU) 2015/2366 “which should include an overall assessment of whether it is still fit for purpose, taking into account market developments”.

(3)Directive (EU) 2015/2366 aimed at addressing barriers to new types of payment services and improving the level of consumer protection and security. The evaluation of the impact and application of Directive (EU) 2015/2366 by the Commission found that Directive (EU) 2015/2366 has been largely successful with regard to many of its objectives, but also identified certain areas where the objectives of the Directive have not been fully achieved. In particular, the evaluation identified problems regarding divergent implementation and enforcement of Directive (EU) 2015/2366, which have directly impacted competition between payment service providers, by leading to effectively different regulatory conditions in Member States because of different interpretation of the rules, encouraging regulatory arbitrage.

(4)There should be no room for ‘forum shopping’ where payment services providers would choose, as home country, those Member States where the application of Union rules on payment services is more advantageous for them and provide cross-border services in other Member States which apply stricter interpretation of the rules or apply more active enforcement policies to payment service providers established there. That practice distorts competition. The Union rules on payment services should be harmonised by incorporating rules governing the conduct of payment services in a Regulation and separating them from the rules on authorisation and supervision of payment institutions, which should be governed by this Directive (PSD3), and not continue to be governed by the Directive currently in force (PSD2).

(5)Even though the issuance of electronic money is regulated under Directive 2009/110/EC of the European Parliament and of the Council, 31  the use of electronic money to fund payment transactions is to a very large extent regulated by Directive (EU) 2015/2366. Consequently, the legal framework applicable to electronic money institutions and payment institutions, in particular with regard to the conduct of business rules, is already substantially aligned. Over the years competent authorities in charge of authorisation and supervision of payment institutions and electronic money institutions have experienced practical difficulties in clearly delineating the two regimes and in distinguishing electronic money products and services from payment and electronic money services offered by payment institutions. This has led to concerns about regulatory arbitrage and an uneven level playing field, as well as issues related to the circumvention of the requirements of Directive 2009/110/EC where payment institutions issuing electronic money take advantage of the similarities between payment services and electronic money services and apply for authorisation as a payment institution. It is therefore appropriate that the authorisation and supervision regime applicable to electronic money institutions is further aligned with the regime applicable to payment institutions. However, the licensing requirements, in particular initial capital and own funds, and some key basic concepts governing the electronic money business, including the issuance of electronic money, electronic money distribution and redeemability, are distinct from the services provided by payment institutions. It is therefore appropriate to preserve these specificities when combining the provisions of Directive (EU) 2015/2366 and Directive 2009/110/EC. 

(6)As evidenced in the review conducted by the Commission and given the evolution of the respective markets, businesses and risks attached to the activities, it is necessary to update the prudential regime for payment institutions, including those issuing electronic money and providing electronic money services, by requiring a single licence for providers of payment services and electronic money services not taking deposits. Given that Regulation (EU) 2023/1114 of the European Parliament and of the Council 32  lays down in its Article 48(2) that that issuers of electronic money shall be deemed to be electronic money, the licensing regime for payment institutions, as they will replace the electronic money institutions, should also apply to issuers of electronic money tokens. The prudential regime applicable to payment institutions should be based on an authorisation, subject to a set of strict and comprehensive conditions, for legal persons offering payment services when not taking deposits. The prudential regime applicable to payment institutions should ensure that the same conditions apply Union-wide to the activity of providing payment services.

(7)It is appropriate to dissociate the service of enabling cash to be withdrawn from a payment account from the activity of servicing a payment account, as the providers of cash withdrawal services may not service payment accounts. The services of issuing payment instruments and of acquiring payment transactions, which were listed together in point 5 of the Annex to Directive (EU) 2015/2366 as if one could not be offered without the other, should be presented as two different payment services. Listing issuing and acquiring services separately should, together with distinct definitions of each service, clarify that the issuing and acquiring services may be offered separately by payment service providers.

(8)Taking into account the rapid evolution of the retail payments market, and the constant new offering of payment services and payment solutions, it is appropriate to adapt some of the definitions under Directive (EU) 2015/2366, such as the definition of payment account, funds and payment instrument, to the realities of the market to ensure that Union legislation remains fit for purpose and technology neutral.

(9)Given the diverging views identified by the Commission in it its review of the implementation of Directive (EU) 2015/2366 and highlighted by the European Banking Authority (EBA) in its opinion of 23 June 2022 on the review of Directive (EU) 2015/2366, it is necessary to clarify the definition of a payment accounts. The  determining criterion for the categorisation of an account as payment account lies in the ability to perform daily payment transactions from such an account. The possibility of making payment transactions to a third party from an account or of benefiting from such transactions carried out by a third party is a defining feature of the concept of payment account. A payment account should therefore be defined as an account that is used for sending and receiving funds to and from third parties. Any account that possesses those characteristics should be considered a payment account and should be accessed for the provision of payment initiation and account information services. Situations where another intermediary account is needed to execute payment transactions from or to third parties should not fall under the definition of a payment account. Savings accounts are not used for sending and receiving funds to or from a third party, excluding them therefore from the definition of a payment account.

(10)Given the emergence of new types of payment instruments and the uncertainties prevailing in the market as to their legal qualification, the definition of a ‘payment instrument’ should be further specified as to what constitutes or does not constitute a payment instrument, bearing in mind the principle of technology neutrality.

(11)Despite the fact that Near-Field Communication (NFC) enables the initiation of a payment transaction, considering it as a fully-fledged ‘payment instrument’ would pose some challenges, including for the application of strong customer authentication for contactless payments at the point of sale and of the payment service provider’s liability regime. NFC should therefore rather be considered as a functionality of a payment instrument and not as a payment instrument as such.

(12)The definition of ‘payment instrument’ under Directive (EU) 2015/2366 made reference to a ‘personalised device’. Since there are pre-paid cards where the name of the holder of the instrument is not printed on the card, this could leave those cards outside the scope of the definition of a payment instrument. The definition of ‘payment instrument’ should, therefore, be amended to refer to ‘individualised’ devices, instead of ‘personalised’ ones, specifying that pre-paid cards where the name of the holder of the instrument is not printed on the card are payment instruments.

(13)So-called digital ‘pass-through wallets’, involving the tokenisation of an existing payment instrument, including a payment card, are to be considered as technical services, and should thus be excluded from the definition of payment instrument as a token cannot be regarded as being itself a payment instrument but, rather, a payment application within the meaning of Article 2, point (21) of Regulation (EU) 2015/75 of the European Parliament and of the Council 33 . However, some other categories of digital wallets, namely pre-paid electronic wallets such as ‘staged-wallets’ where users can store money for future online transaction, are to be considered a payment instrument and their issuance as a payment service.

(14)Money remittance is a payment service that is usually based on cash provided by a payer to a payment service provider without any payment accounts being created in the name of the payer or the payee which remits the corresponding amount, to a payee or to another payment service provider acting on behalf of the payee. In some Member States, supermarkets, merchants and other retailers provide to the public a service enabling them to pay utilities and other regular household bills. Those bill-paying services should therefore be treated as money remittance.

(15)The definition of funds should cover all forms of central bank money issued for retail use, including banknotes and coins, and any possible future central bank digital currency, electronic money and commercial bank money. Central bank money issued for use between the central bank and commercial banks, i.e. for wholesale use, should not be covered.

(16)Regulation (EU) 2023/1114 of 31 May 2023 lays down that electronic money tokens shall be deemed to be electronic money. Electronic money tokens should therefore be included, as electronic money, in the definition of funds. 

(17)The evaluation of the implementation of Directive (EU) 2015/2366 did not identify a clear need to substantially change the conditions for granting and maintaining authorisation as payment institutions or electronic money institutions prescribed under, respectively, Directives 2007/64/EC of the European Parliament and of the Council 34  and Directive 2015/2366/EU, on the one hand, and Directive 2009/110/EC on the other hand. Such conditions continue to include prudential requirements proportionate to the operational and financial risks faced by payment institutions, including institutions issuing electronic money and providing electronic money services in the course of their business. It is appropriate to add to the documentation required in support of an application for authorisation as a payment institution a winding-up plan for the eventuality of failure, proportionate to the business model of the future payment institution; that winding-up plan should be appropriate to support an orderly wind-up of activities under applicable national law, including continuity or recovery of any critical activities performed by outsourced service providers, agents or distributors. To avoid that authorisation is granted for services that are not effectively provided by a payment institution, it is necessary to specify that a payment institution should not be obliged to obtain an authorisation for payment services that it does not intend to provide.

(18)The EBA Peer Review on authorisation under Directive (EU) 2015/2366 published in January 2023 35  concluded that deficiencies in the authorisation process have led to a situation where applicants are subject to different supervisory expectations as regards the requirements for authorisation as a payment institution or electronic money institution across the Union, and that sometimes the process of granting an authorisation may take an exceedingly long time. To ensure a level playing field and a harmonised process for the granting of an authorisation to undertakings applying for a payment institution license, it is appropriate to impose to competent authorities a time limit of 3 months for the authorisation process to be concluded, after the receipt of all the information required for the decision.

(19)To ensure more consistency in the application process for payment institutions, it is appropriate to mandate the EBA to develop draft regulatory technical standards on authorisation, including on the information to be provided to the competent authorities in the application for the authorisation of payment institutions, a common assessment methodology for granting authorisation or for registration, what can be considered as a comparable guarantee to professional indemnity insurance and the criteria to be used to stipulate the minimum monetary amount of professional indemnity insurance or a comparable guarantee. The EBA should thereby take into account the experience acquired in the application of its Guidelines on the information to be provided by applicant payment service providers to national competent authorities for authorisation or registration, and of its Guidelines on the application of the criteria used to specify the minimum monetary amount of the professional indemnity insurance or other comparable guarantee. 

(20)The prudential framework applicable to payment institutions should continue to rest on the premise that those institutions are prohibited from accepting deposits from payment service users and are only permitted to use funds received from payment service users for rendering payment services. Consequently, it is appropriate that prudential requirements applicable to payment institutions reflect the fact that payment institutions engage in more specialised and limited activities than credit institutions, thus generating risks that are narrower and easier to monitor and control than those that arise across the broader spectrum of activities of credit institutions.

(21)Competent authorities should pay particular attention in considering applications for authorisation as a payment institution to the governance plan submitted as part of that application. Payment institutions should address the potentially detrimental effect of poorly designed governance arrangements on the sound management of risk by applying a sound risk culture at all levels. Competent authorities should monitor the adequacy of internal governance arrangements. It is appropriate for the EBA to adopt guidelines on internal governance arrangements, taking into account the variation of sizes and business models among payment institutions and respecting the principle of proportionality.

(22)Whilst the authorisation requirements set out specific rules on information and communication technology (ICT) security controls and mitigation elements for obtaining an authorisation to provide payment services, those requirements should be aligned with the requirements under Regulation (EU) 2022/2554 of the European Parliament and of the Council 36 .

(23)Payment initiation service providers and account information service providers, when providing those services, do not hold client funds. Accordingly, it would be disproportionate to impose own funds requirements on those market players. Nevertheless, it is important to ensure that payment initiation service providers and account information service providers be able to meet their liabilities in relation to their activities. In order to ensure a proper coverage of the risks associated with payment initiation or account information services, it is appropriate to require payment institutions offering these services to hold either a professional indemnity insurance or a comparable guarantee, and to further specify what risks need to be covered, in light of the provisions on liability included in Regulation XXX [PSR]. Taking into account the difficulties experienced by the providers of account information services and payment initiation services to contract a professional indemnity insurance covering the risks related to their activity, it is appropriate to provide for the possibility for these institutions to choose to hold initial capital of EUR 50 000 as an alternative to the professional indemnity insurance, at the licensing or registration stage only. That flexibility for account information and payment initiation service providers at the licensing or registration stage should be without prejudice to the requirement for those providers to subscribe to a professional indemnity insurance without undue delay after their license or registration has been obtained.

(24)To address the risks of acquisition of a qualified holding of a payment institution within the meaning of Regulation (EU) No 575/2013 of the European Parliament and of the Council 37 , it is appropriate to require notification of the acquisition to the relevant competent authority.

(25)To cater for the risks posed by their activities, payment institutions need to hold enough initial capital combined with own funds. Taking into account the possibility for payment institutions to engage in the wide range of activities covered by this Directive it is appropriate to adjust the level of the initial capital attached to individual services to the nature and the risks attached to these services.

(26)Taking into account that the initial requirements applicable to payment institutions have not been adapted since the adoption of Directive 2007/64/EC, it is appropriate to adjust these requirements to inflation. However, taking into account that the capital requirements applicable to payment institutions that provide only payment initiation services have only been implemented since the entry into force of Directive (EU) 2015/2366, and that no evidence was found with regard to the inadequacy of those requirements, those requirements should not be modified.

(27)The large variety of business models in the retail payments industry justifies the possibility to apply distinct methods for the calculation of own funds, which cannot however fall below the level of the relevant initial capital.

(28)This Directive pursues the same approach as Directive (EU) 2015/2366, which allowed for several methods to be used for the purpose of calculating the combined own funds requirements with a certain degree of supervisory discretion to ensure that the same risks are treated the same way for all payment service providers. The use of the payment institution’s payment volume of the previous year to compute its own funds requirements is the most adequate and the most applied own fund calculation method for most business models. For those reasons, and to improve consistency and ensure a level playing field, it is appropriate to require national competent authorities to prescribe the use of that method. It should however be possible for national competent authorities to deviate from that principle and to require payment institutions to apply other methods for business models that result in low volume but high value transactions. To ensure legal certainty and maximum clarity with regard to such business models, it is appropriate to mandate the EBA to develop draft regulatory technical standards.

(29)Notwithstanding the objective of aligning the prudential requirements of payment institutions providing payment services and electronic money services, it is appropriate to take account of the specificity of the business of issuing electronic money and carrying out electronic money business, and to allow payment institutions issuing electronic money and providing electronic money services to apply a more appropriate method to compute their own funds requirements.

(30)Where the same payment institution executes a payment transaction for both the payer and the payee and a credit line is provided to the payer, it is appropriate to safeguard the funds in favour of the payee once they represent the payee’s claim towards the payment institution.

(31)Considering the difficulties experienced by payment institutions in opening and maintaining payment accounts with credit institutions, it is necessary to provide for an additional option for the safeguarding of users’ funds, namely the possibility to hold those funds at a central bank. That possibility should however be without prejudice to the possibility for a central bank to not offer that option, based on its organic law. Taking into account the need to protect users’ funds and to avoid that such funds are used for other purposes than to provide payment services or electronic money services, it is appropriate to require that payment service user funds are kept separate from the payment institution’s own funds. To ensure a level playing field between payment institutions providing payment services and payment institutions issuing electronic money and providing electronic money services, it is appropriate to align as much as possible the regimes applicable to the safeguarding of users’ funds, whilst preserving the specificities of electronic money. Concentration risk is a significant risk faced by payment institutions, in particular where funds are safeguarded in a single credit institution. It is therefore important to ensure that payment institutions avoid concentration risk to the extent possible. For that reason, the EBA should be instructed to develop regulatory technical standards on risk avoidance in the safeguarding of customer funds.

(32)It should be possible for payment institutions to engage in other activities, beyond those covered by this Directive, including the provision of operational and closely related ancillary service and the operation of payment systems or other business activities regulated by applicable Union law and national law.

(33)Considering the higher risks of deposit-taking activity, it is appropriate to prohibit payment institutions offering payment services from accepting deposits from users, and to require them to only use funds received from users for providing payment services. Funds received from payment service users by payment institutions offering electronic money services should constitute neither a deposit nor other repayable funds received from the public within the meaning of Article 9 of Directive 2013/36/EC of the European Parliament and of the Council. 38

(34)To limit the risks of payment accounts being used for other purposes than for the execution of payment transactions, it is appropriate to specify that when engaging in the provision of one or more of the payment services or electronic money services, payment institutions should always hold payment accounts used exclusively for payment transactions.

(35)Payment institutions should be allowed to grant credit, but this activity should be subjected to some strict conditions. It is therefore appropriate to regulate the granting of credit by payment institutions in the form of credit lines and the issuance of credit cards, insofar as those services facilitate payment services and if credit is granted for a period not exceeding 12 months, including on a revolving basis. It is appropriate to allow payment institutions to grant short-term credit with regard to their cross-border activities, on the condition that it is refinanced using mainly the payment institution’s own funds, as well as other funds from the capital markets, and not the funds held on behalf of clients for payment services. That possibility should however be without prejudice to Directive 2008/48/EC of the European Parliament and of the Council 39  or other relevant Union law or national measures regarding conditions for granting credit to consumers. Given their principally lending nature, ‘Buy Now Pay Later’ services should not constitute a payment service. Those services are covered by the new Directive on consumer credits replacing Directive 2008/48/EC.

(36)To ensure that evidence on the compliance with the obligations laid down in this Directive is duly preserved for a reasonable amount of time, it is appropriate to require payment institutions to keep all appropriate records for at least five years. Personal data should not be kept longer than necessary for ensuring that purpose and, where an authorisation has been withdrawn, data should not be kept longer than five years after that withdrawal.

(37)To ensure that an undertaking does not provide payment services or electronic money services without being authorised, it is appropriate to require all undertakings intending to provide payment services or electronic money services to apply for an authorisation, except where this Directive provides for registration instead of authorisation. Furthermore, in order to ensure the stability and integrity of the financial system and payment systems and to protect consumers, such undertakings must be established in a Member State and effectively supervised. This requirement should also cover payment institutions issuing electronic money, given the significant new prudential risks associated with the possibility for electronic money institutions to also issue electronic money tokens. The establishment of a legal person in the EU should be required for electronic money issuers to enable effective supervision of those entities, and to align with Regulation 2023/1114/EU. Electronic money tokens are a form of crypto-asset which can scale up significantly in size and pose risks affecting financial stability, monetary sovereignty and monetary policy.

(38)To avoid abuses of the right of establishment and to avoid cases where a payment institution establishes itself in a Member State without planning to perform any activity in that Member State, it is appropriate to require that a payment institution requesting authorisation in a Member State provides at least part of its payment services business in that Member State. The obligation for an institution to carry out a part of its business in its home country, which was already imposed by Directive (EU) 2015/2366, has been interpreted very differently, with some home countries imposing that most of the business be carried out in their country. A ‘part’ should mean less than the majority of the institution’s business in order to preserve the “effet utile” of the payment institution’s freedom to provide cross-border services.

(39)A payment institution may engage in other activities than the provision of payment services or electronic money services. To ensure a proper supervision of the payment institution, it is appropriate to allow national competent authorities, where necessary, to require the establishment of a separate entity for the provision of payments services or electronic money services. Such a decision by the competent authority should take account of the potential negative impact that an event affecting the other business activities could have on the payment institution’s financial soundness, or the potential negative impact arising from a situation where the payment institution would not be able to provide separate reporting on own funds in relation to its payment and electronic money activities and its other activities. 

(40)To ensure a proper ongoing supervision of payment institutions and the availability of accurate and up-to-date information, it is appropriate to require payment institutions to inform national competent authorities of any change in their business affecting the accuracy of the information provided with regard to authorisation, including with regard to additional agents or entities to which activities are outsourced. Competent authorities should, in the event of doubt, verify that the information received is correct.

(41)To ensure a consistent authorisation regime of payment institutions throughout the Union, it is appropriate to lay out harmonised conditions under which national competent authorities may withdraw an authorisation issued to a payment institution.

(42)To enhance transparency of the operations of payment institutions that are authorised by, or registered with, competent authorities of the home Member State, including their agents, distributors and branches, and to ensure a high level of consumer protection in the Union, it is necessary to ensure easy public access to the list of the undertakings providing payment services, with their related brands, which should be included in a public national register.

(43)To ensure that information on authorised or registered payment institutions or entities entitled under national law to provide payment or electronic money services is available throughout the Union in a central register, the EBA should operate such a register in which it should publish a list of the names of the undertakings authorised or registered to provide payment services or electronic money services. Where that entails the processing of personal data, the publication at Union level of information on natural persons acting as agents or distributors is necessary to guarantee that only authorised agents and distributors operate in the internal market and is therefore in the interest of the adequate functioning of the internal market for payment services. Member States should ensure that the data that they provide on the undertakings concerned, including their agents, distributors and branches, is accurate and up-to-date, and transmitted to the EBA without undue delay and if possible in an automated way. The EBA should therefore develop draft regulatory technical standards to specify the methods and arrangements for the transmission of such information. Those draft regulatory technical standards should ensure a high level of granularity and consistency of the information. When developing those draft regulatory technical standards, the EBA should take into consideration the experience in applying Commission Delegated Regulation (EU) 2019/411. 40  To enhance transparency, it is appropriate that the information transmitted contains the brands of all payment and electronic money services provided. Publication of personal data should occur in compliance with the rules on data protection in force. Where personal data are published, appropriate data protection safeguards that prevent further unintended dissemination of the information online should be implemented.

(44)To enhance transparency and awareness of the services provided by payment initiation and account information service providers, it is appropriate that the EBA maintains a machine-readable list containing basic information on such undertakings and services provided by them. The information contained in this list should allow for the payment initiation and account information service providers to be identified unequivocally.

(45)To expand the reach of their services, payment institutions may need to use entities providing payment services on their behalf, including agents or, in the case of electronic money services, distributors. Payment institutions may also exercise their right of establishment in a host Member State, different from the home Member State, through branches. In such cases, it is appropriate that the payment institution communicates to the national competent authority all the relevant information related to agents, distributors and branches and informs national competent authorities of any changes without undue delay. To ensure transparency vis-à-vis end users, it is also appropriate that agents, distributors or branches acting on behalf of a payment institution inform payment service users of that fact.

(46)In conducting their business, payment institutions may need to outsource operational functions of part of their activity. To ensure that this is not done to the detriment of the continuing compliance of a payment institution with the requirements of its authorisation, or other applicable requirements under this Directive, it is appropriate to require a payment institution to inform without undue delay national competent authorities when it intends to outsource operational functions, and about any change regarding the use of entities to which activities are outsourced.

(47)To ensure a proper mitigation of the risks that the outsourcing of operational functions may generate, it is appropriate to require that payment institutions take reasonable steps to ensure that such outsourcing does not violate the requirements of this Directive. Payment institutions should remain fully liable for any acts of their employees, or any agent, distributor or outsourced entity.

(48)To ensure the effective enforcement of the provisions of national law adopted pursuant to this Directive, Member States should designate competent authorities in charge of the authorisation and supervision of payment institutions. Member States should ensure that competent authorities are granted the necessary powers and resources, including staff, to properly carry out their functions.

(49)To enable competent authorities to properly supervise payment institutions, it is appropriate to grant those authorities investigatory and supervisory powers and the possibility to impose administrative penalties and measures necessary to perform their tasks. For the same reason, it is appropriate to grant competent authorities the power to request information, conduct on-site inspections and issue recommendations, guidelines and binding administrative decisions. Member States should lay down national provisions with respect to the suspension or withdrawal of the authorisation of a payment institution. Member States should empower their competent authorities to impose administrative sanctions and measures aimed specifically at ending infringements of provisions concerning the supervision or pursuit of the payment service business.

(50)Due to the broad range of possible business models in the payments industry, it is appropriate to allow for a certain degree of supervisory discretion to ensure that the same risks are treated in the same way.

(51)When supervising compliance by payment institutions with their obligations, competent authorities should exercise their supervisory powers respecting fundamental rights, including the right to privacy. Without prejudice to the control of an independent authority (national data protection authority) and in accordance with the Charter of Fundamental Rights of the European Union, Member States should have in place adequate and effective safeguards where there is a risk that the exercise of those powers could lead to abuse or arbitrariness amounting to serious interference with such rights including, where appropriate, through the prior authorisation of the judicial authority of the Member State concerned.

(52)To ensure the protection of individual and business rights, Member States should ensure that all persons who work or who have worked for competent authorities are subjected to the obligation of professional secrecy.

(53)The activity of payment institutions may span across borders and be relevant for different competent authorities as well as the EBA, the European Central Bank (‘ECB’) and national central banks in their capacity as monetary and oversight authorities. It is therefore appropriate to provide for their effective cooperation and exchange of information. Information sharing arrangements should fully comply with the data protection rules laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council 41 and in Regulation (EU) 2018/1725 of the European Parliament and of the Council. 42

(54)Where disagreements occur in the context of the cross-border cooperation between competent authorities, those competent authorities should be able to request assistance from the EBA, which should take a decision without undue delay. The EBA should also be able to assist competent authorities in reaching an agreement on its own initiative.

(55)A payment institution that exercises the right of establishment or freedom to provide services should provide the competent authority of the home Member State with any relevant information with regard to its business and notify that competent authority about which Member State(s) the payment institution intends to operate in, whether it intends to use branches, agents or distributors and whether it intends to use outsourcing. 

(56)To facilitate cooperation between competent authorities and an effective supervision of payment institutions, in the context of the use of the right of establishment or freedom to provide services, it is appropriate that competent authorities in the home Member State communicate information to the host Member State. In situations of so-called “triangular passporting” where a payment institution authorised in a country “A” uses an intermediary, such as an agent, distributor or branch, located in a country “B” for offering payment services in another country “C”, the host Member State should be considered to be the one where the services are offered to end-users. Taking into account challenges in cross-border cooperation between competent authorities, it is appropriate that the EBA develops draft regulatory technical standards on cooperation and information exchange, taking into consideration the experience gained in applying Commission Delegated Regulation (EU) 2017/2055. 43

(57)Member States should be able to require payment institutions operating on their territory, whose head office is situated in another Member State, to report to them periodically on their activities in their territory for information or statistical purposes. Where those payment institutions operate pursuant to the right of establishment, the competent authorities of the host Member State(s) should be able to require that information also to be used for monitoring compliance with Regulation XXX [PSR]. The same should apply where there is no establishment in the host Member State(s), and the payment institution is providing services in the host Member State(s) on the basis of the free provision of services. To facilitate the supervision of networks of agents, distributors or branches by competent authorities, it is appropriate that Member States where agents, distributors or branches operate are able to require the parent payment institution to appoint a central contact point in their territory. The EBA should develop regulatory standards setting out the criteria to determine when the appointment of a central contact point is appropriate and what its functions should be. While doing so, the EBA should take into account the experience gained in the application of Commission Delegated Regulations (EU) 2021/1722 44 and 2020/1423 45 . The requirement to appoint a central contact point should be proportionate to achieving the aim of adequate communication and information reporting on compliance with the relevant provisions in Regulation XXX [PSR] in the host Member State.

(58)In emergency situations, where immediate action is necessary to address a serious threat to the collective interests of payment service users in the host Member State, including large scale fraud, it should be possible for the competent authorities of the host Member State to take precautionary measures in parallel with the cross-border cooperation between competent authorities of the host and the home Member States and pending measures by the competent authority of the home Member State. Those measures should be appropriate, proportionate to the aim, non-discriminatory and temporary in nature. Any measures should be properly justified. The competent authorities of the home Member State of the relevant payment institution and other authorities concerned, including the Commission and the EBA, should be informed in advance or, where not possible in view of the emergency situation, without undue delay.

(59)It is important to ensure that all entities providing payment services be brought within the scope of certain minimum legal and regulatory requirements. Thus, it is desirable to require the registration of the identity and whereabouts of all persons providing payment services, including of entities which are unable to meet the full range of conditions for authorisation as payment institutions, including some small payment institutions. Such an approach is in line with the rationale of Recommendation 14 of the Financial Action Task Force, which provides for a mechanism whereby payment service providers which are unable to meet all of the conditions set out in that Recommendation may nevertheless be treated as payment institutions. For those purposes, even where entities are exempt from all or part of the conditions for authorisation, Member States should enter them in the register of payment institutions. However, it is essential to make the possibility of an exemption from authorisation subject to strict requirements relating to the value of payment transactions. Entities benefiting from an exemption from authorisation should not enjoy the right of establishment or freedom to provide services and should not indirectly exercise those rights while being a participant in a payment system.

(60)To ensure transparency with regard to possible exemptions for small payment institutions, it is appropriate to require Member States to communicate such decisions to the Commission.

(61)In view of the specific nature of the activity performed and the risks connected to the provision of account information services, it is appropriate to provide for a specific prudential regime for account information service providers, without a need for a fully-fledged authorisation regime but with a lighter registration requirement, accompanied by documents and information to assist the competent authority with carrying out supervision. Account information service providers should be allowed to provide services on a cross-border basis, benefiting from the ‘passporting’ rules.

(62)To further improve access to cash, which is a priority of the Commission, retailers should be allowed to offer, in physical shops, cash provision services even in the absence of a purchase by a customer, without having to obtain a payment service provider authorisation, registration or being an agent of a payment institution. Those cash provision services should, however, be subject to the obligation to disclose fees charged to the customer, if any. These services should be provided by retailers on a voluntary basis and should depend on the availability of cash by the retailer. To prevent unfair competition between ATM deployers not servicing payment accounts and retailers offering cash withdrawals without a purchase, and to ensure that shops do not rapidly run out of cash, it is appropriate to impose a cap of EUR 50 per transaction.

(63)Directives 2007/64/EC and 2015/2366/EU conditionally excluded from their scope payment services offered by certain deployers of automated teller machines (ATMs). That exclusion has stimulated the growth of ATM services in many Member States, in particular in less populated areas, supplementing bank ATMs. However, this exclusion has proven difficult to apply due to its ambiguity with regard to the entities covered by it. To address this issue, it is appropriate to make explicit that previously excluded ATM deployers are those which do not service payment accounts. Taking into account the limited risks involved in the activity of such ATM deployers, it is appropriate, instead of excluding them totally from the scope, to subject them to a specific prudential regime adapted to those risks, requiring only a registration regime.

(64)Service providers seeking to benefit from an exclusion from the scope of Directive (EU) 2015/2366 often did not consult their authorities on whether their activities are covered by, or excluded from, that Directive, but often relied on their own assessments. That has led to a divergent application of certain exclusions across Member States. It also appears that some exclusions may have been used by payment service providers to redesign business models so that the payment activities offered would fall outside the scope of that Directive. That may result in increased risks for payment service users and divergent conditions for payment service providers in the internal market. Service providers should therefore be obliged to notify relevant activities to competent authorities so that the competent authorities can assess whether the requirements set out in the relevant provisions are fulfilled and to ensure a homogenous interpretation of the rules throughout the internal market. In particular, for all exclusions based on the respect of a threshold, a notification procedure should be provided to ensure compliance with the specific requirements. Moreover, it is important to include a requirement for potential payment service providers to notify competent authorities of the activities that they provide in the framework of a limited network on the basis of the criteria set out in Regulation XXX [PSR] where the value of payment transactions exceeds a certain threshold. Competent authorities should assess whether the activities so notified can be considered to be activities provided in the framework of a limited network, to ascertain whether they should remain excluded from the scope.

(65)The power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of updating any of the amounts to take account of inflation. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(66)To ensure a consistent application of the applicable requirements, the Commission should be able to rely on the expertise and support of the EBA, which should be given the task of preparing guidelines and draft regulatory technical standards. The Commission should be empowered to adopt those draft regulatory technical standards. Those specific tasks are fully in line with the role and responsibilities of the EBA as provided in Regulation (EU) No 1093/2010 of the European Parliament and of the Council 46 .

(67)Since the further integration of an internal market in payment services, cannot be sufficiently achieved by the Member States alone because it requires the harmonisation of different rules currently existing in the legal systems of the various Member States which would be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(68)This Directive does not include licensing requirements for payment systems, payment schemes or payment arrangements, taking into account the need to avoid any duplication with the Eurosystem’s oversight framework over retail payment systems, including over Systemically Important Payment Systems and other systems, as well as the Eurosystem’s new ‘PISA’ Framework, and oversight by national central banks. This Directive also does not cover, in its scope, the provision of technical services including processing or the operation of digital wallets. However, considering the pace of innovation in the payments sector and the possible emergence of new risks, it is necessary that in its future review of this Directive the Commission gives particular consideration to those developments and assesses whether the scope of the Directive should be extended to cover new services and entities.

(69)In the interest of legal certainty, it is appropriate to make transitional arrangements allowing undertakings who have commenced the activities of payment institutions in accordance with the national law transposing Directive (EU) 2015/2366 before the entry into force of this Directive to continue those activities within the Member State concerned for a specified period.

(70)In the interest of legal certainty, transitional arrangements should be made to ensure that electronic money institutions which have taken up their activities in accordance with the national laws transposing Directive 2009/110/EC are able to continue those activities within the Member State concerned for a specified period. That period should be longer for electronic money institutions that have benefited from the waiver provided for in Article 9 of Directive 2009/110/EC.

(71)Payment institutions are not included in the list of entities which fall under the definition of “institutions” in Article 2, point (b) of Directive 98/26/EC of the European Parliament and of the Council 47 . Consequently, payment institutions are effectively prevented from participating in payment systems designated by Member States pursuant to that Directive. That lack of access to certain key payment systems can impede payment institutions in providing a full range of payment services to their clients effectively and competitively. It is therefore justified to include payment institutions under the definition of ‘institutions’ in that Directive, but only for the purpose of payment systems, and not for securities settlement systems. Payment institutions should meet the requirements and respect the rules of payment systems to be allowed to participate in those systems. Regulation XXX [PSR] lays down requirements on operators of payment systems regarding the admission of new applicants for participation, including as regards an assessment of relevant risks. Given the importance of restoring as soon as possible the level playing field between banks and ‘non-banks’ and considering the impact that the current situation causes to competition in payment markets, it is necessary to grant Member States a shorter transposition and application deadline for this new provision in Directive 98/26/EC than for the other provisions of the present Directive. It is therefore appropriate to require Member States to transpose that new provision into their national law within 6 months of the entry into force of this Directive, rather than the 18 months that applies for the other provisions of this Directive.  

(72)The specification that participants may act as a central counterparty, a settlement agent or a clearing house or carry out part or all of these tasks should be reinserted in Directive 98/26/EC to ensure a similar understanding in the Member States. It should also be reinserted that, where justified due to systemic risk, Member States should be allowed to consider an indirect participant as a participant of the system and apply the provisions of Directive 98/26/EC to such an indirect participant. However, to ensure that this does not limit the responsibility of the participant through which the indirect participant passes transfer orders to the system, this should be made clear in that Directive to ensure legal certainty.

(73)Consumers should be entitled to enforce their rights in relation to the obligations imposed on data users or data holders under Regulation (EU) 20../…. [FIDA] of the European Parliament and of the Council 48 through representative actions in accordance with Directive (EU) 2020/1828 of the European Parliament and of the Council 49 . For that purpose, this Directive should provide that Directive (EU) 2020/1828 is applicable to the representative actions brought against infringements by data users or data holders of provisions of Regulation (EU) 20../…. [FIDA] that harm or can harm the collective interests of consumers. The Annex to that Directive should therefore be amended accordingly. It is for the Member States to ensure that that amendment is reflected in their transposition measures adopted in accordance with Directive (EU) 2020/1828.

(74)In keeping with the principles of better regulation, this Directive should be reviewed for its effectiveness and efficiency in achieving its objectives, as laid out in the accompanying impact assessment. The review should take place a sufficient time after the entry into force, to base the review on appropriate evidence. Five years is considered to be an appropriate period. While the review should consider the entire Directive, certain topics should be singled out for particular attention, namely the scope and the safeguarding of payment institutions funds which may be affected by  the rules proposed by the Commission on 18 April 2023 50  which, when adopted, would amend Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes. Regarding the scope of this Directive, however, it is appropriate for a review to take place earlier, three years after its entry into force, given the importance attached to this subject in Regulation (EU) 2022/2554. That review of scope should consider both the possible extension of the list of covered payment services to include services such as those performed by payment systems and payment schemes, and the possible inclusion in the scope of some technical services currently excluded. 

(75)Given the number of changes that need to be made to Directive (EU) 2015/2366 and Directive 2009/110/EC, it is appropriate to repeal both Directives and replace them by this Directive.

(76)Any personal data processing in the context of this Directive must comply with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Therefore, the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 are responsible for the supervision of processing of personal data carried out in the context of this Directive. When transposing this Directive, the Member States should ensure that the national legislation include appropriate data protection safeguards for processing of personal data.

(77)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on [XX XX 2023],

HAVE ADOPTED THIS DIRECTIVE:

TITLE I

SUBJECT MATTER, SCOPE AND DEFINITIONS

Article 1

Subject matter and scope

1.This Directive lays down rules concerning:

(a)access to the activity of providing payment services and electronic money services, within the Union, by payment institutions;

(b)supervisory powers and tools for the supervision of payment institutions.

2.Member States may exempt the institutions referred to in Article 2 (5), points (4) to (23), of Directive 2013/36/EU from the application of all or part of the provisions of this Directive.

3.Unless specified otherwise, any reference to payment services shall be understood in this Directive as meaning payment and electronic money services.

4.Unless specified otherwise, any reference to payment service providers shall be understood in this Directive as meaning payment service providers and electronic money service providers. 

Article 2

Definitions

For the purposes of this Directive, the following definitions apply:

(1)‘home Member State’ means either of the following:

(a)the Member State in which the payment service provider has its registered office; or

(b)if the payment service provider has, under its national law, no registered office, the Member State in which the payment service provider has its head office;

(2)‘host Member State’ means the Member State other than the home Member State in which a payment service provider has an agent, a distributor, or a branch or provides payment services;

(3)‘payment service’ means any business activity set out in Annex I;

(4)‘payment institution’ means a legal person that has been granted authorisation in accordance with Article 13 to provide payment services or electronic money services throughout the Union;

(5)‘payment transaction’ means an act of placing, transferring or withdrawing funds, based on a payment order placed by the payer, or on his behalf, or by the payee, or on his behalf, irrespective of any underlying obligations between the payer and the payee;

(6)‘execution of a payment transaction’ means the process starting once the initiation of a payment transaction is completed and ending once the funds placed, withdrawn, or transferred are available to the payee;

(7)‘payment system’ means a funds transfer system with formal and standardised arrangements and common rules for the processing, clearing or settlement of payment transactions;

(8)‘payment system operator’ means the legal entity legally responsible for operating a payment system;

(9)‘payer’ means a natural or legal person who holds a payment account and places a payment order from that payment account, or, where there is no payment account, a natural or legal person who places a payment order;

(10)‘payee’ means a natural or legal person who is the intended recipient of funds which are the subject of a payment transaction;

(11)‘payment service user’ means a natural or legal person making use of a payment service or of an electronic money service in the capacity of payer, payee, or both;

(12)‘payment service provider’ means a body referred to in Article 2(1) of Regulation XXX [PSR] or a natural or legal person benefiting from an exemption pursuant to Articles 34, 36 and 38 of this Directive;

(13)‘payment account’ means an account held by a payment service provider in the name of one or more payment service users which is used for the execution of one or more payment transactions and allows for sending and receiving funds to and from third parties;

(14)‘payment order’ means an instruction by a payer or payee to its payment service provider requesting the execution of a payment transaction;

(15)‘payment instrument’ means an individualised device or devices and/or set of procedures agreed between the payment service user and the payment service provider which enables the initiation of a payment transaction;

(16)‘account servicing payment service provider’ means a payment service provider providing and maintaining a payment account for a payer;

(17)‘payment initiation service’ means a service to place a payment order at the request of the payer or of the payee with respect to a payment account held at another payment service provider;

(18)‘account information service’ means an online service of collecting, either directly or through a technical service provider, and consolidating information held on one or more payment accounts of a payment service user with one or several account servicing payment service providers;

(19)‘payment initiation service provider’ means a payment service provider providing payment initiation services;

(20)‘account information service provider’ means a payment service provider providing account information services;

(21)‘consumer’ means a natural person who, in payment service contracts covered by this Directive, is acting for purposes other than his or her trade, business or profession;

(22)‘money remittance’ means a payment service where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee, for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, or where such funds are received on behalf of and made available to the payee;

(23)‘funds’ means central bank money issued for retail use, scriptural money and electronic money;

(24)‘technical service provider’ means a provider of services which, although not being payment services, are necessary to support the provision of payment services, without the provider of technical services entering at any time into possession of the funds to be transferred; 

(25)‘sensitive payment data’ means data which can be used to carry out fraud, including personalised security credentials;

(26)‘business day’ means a day on which the payment service provider of the payer or of the payee involved in the execution of a payment transaction is open for business as required for the execution of a payment transaction;

(27)‘Information and technology (ICT) services’ means ICT Services as defined in Article 3, point 21, of Regulation (EU) 2022/2554;

(28)‘agent’ means a natural or legal person who acts on behalf of a payment institution in providing payment services;

(29)‘branch’ means a place of business other than the head office which is a part of a payment institution, which has no legal personality and which carries out directly some or all of the transactions inherent in the business of a payment institution; all of the places of business set up in the same Member State by a payment institution with a head office in another Member State shall be regarded as a single branch;

(30)‘group’ means a group of undertakings that are linked to each other by a relationship as referred to in Article 22(1), points (2) or (7) of Directive 2013/34/EU of the European Parliament and of the Council 51 , or undertakings as referred to in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No 241/2014 52 , which are linked to each other by a relationship as referred to in Article 10(1) or Article 113(6), first subparagraph, or 113(7), first subparagraph of Regulation (EU) No  575/2013;

(31)‘acquiring of payment transactions’ means a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee;

(32)‘issuing of payment instruments’ means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;

(33)‘own funds’ means funds as defined in Article 4(1), point 118, of Regulation (EU) No 575/2013 where at least 75 % of the Tier 1 capital is in the form of Common Equity Tier 1 capital as referred to in Article 50 of that Regulation and Tier 2 capital is equal to or less than one third of Tier 1 capital;

(34)‘electronic money’ means electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions and which is accepted by other natural or legal persons than the issuer;

(35)‘average outstanding electronic money’ means the average total amount of financial liabilities related to electronic money in issue at the end of each calendar day over the preceding six calendar months, calculated on the first calendar day of each calendar month and applied for that calendar month;

(36)‘distributor’ means a natural or legal person that distributes or redeems electronic money on behalf of a payment institution;

(37)‘electronic money services’ means the issuance of electronic money, the maintenance of payment accounts storing electronic money units, and the transfer of electronic money units;

(38)‘ATM deployer’ means operators of automated teller machines who do not service payment accounts.

(39)‘payment institution providing electronic money services’ means a payment institution which provides the services of issuance of electronic money, maintenance of payment accounts storing electronic money units, and transfer of electronic money units, whether or not it also provides any of the services referred to in Annex I.

TITLE II

PAYMENT INSTITUTIONS

CHAPTER I

Licensing and supervision

S e c t i o n 1

G e n e r a l r u l e s

Article 3

Applications for authorisation

1.Member States shall require undertakings other than the undertakings referred to in Article 2(1), points (a), (b), (d), and (e), of Regulation XXX [PSR], and other than natural or legal persons benefiting from an exemption pursuant to Articles 34, 36, 37 and 38 of this Directive, that intend to provide any of the payment services referred to in Annex I, or electronic money services, to obtain authorisation from the competent authorities of the home Member Sate for the provision of those services.

2.The authorisation referred to in the first subparagraph shall only be required for those payment services that the applicant payment institutions actually intend to provide.

3.Member States shall ensure that undertakings that apply for an authorisation as referred to in paragraph 1 provide the competent authorities of the home Member State with an application for authorisation, together with the following:

(a)a programme of operations setting out in particular the type of payment services envisaged;

(b)a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c)evidence that the applicant holds initial capital as provided for in Article 5;

(d)for the undertakings applying to provide services as referred to in Annex I, points (1) to (5), and electronic money services, a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 9; 

(e)a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, and a description of the applicant’s arrangements for the use of ICT services as referred to in Articles 6 and 7 of Regulation (EU) 2022/2554, which demonstrates that those governance arrangements, internal control mechanisms and arrangements for the use of ICT services are proportionate, appropriate, sound and adequate;

(f)a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations of the payment institution laid down in Chapter III of Regulation (EU) 2022/ 2554;

(g)a description of the process in place to file, monitor, track and restrict access to sensitive payment data;

(h)a description of business continuity arrangements including a clear identification of the critical operations, a description of the ICT business continuity plans and ICT response and recovery plans, and a description of the procedure to regularly test and review the adequacy and efficiency of such ICT business continuity and ICT response and recovery plans, as required by Article 11(6) of Regulation (EU) 2022/2554;

(i)a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;

(j)a security policy document, including:

(i) a detailed risk assessment in relation to the applicant’s payment and electronic money services;

(ii) a description of security control and mitigation measures to adequately protect payment service users against the risks identified, including fraud and the illegal use of sensitive and personal data;

(iii) for applicant institutions wishing to enter information sharing arrangements with other payment service providers for the exchange of payment fraud related data as referred to in Article 83(5) of Regulation XXX [PSR], the conclusions of the data protection impact assessment referred to in Article 83(5) of Regulation XXX [PSR] and pursuant to Article 35 of Regulation (EU) 2016/679 and, where applicable, the outcome of the prior consultation of the competent supervisory authority pursuant to Article 36 of that Regulation;

(k)for applicant institutions that are subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council 53 and Regulation (EU) 2015/847 of the European Parliament and of the Council 54 , a description of the internal control mechanisms which the applicant has established to comply with that Directive and Regulation;

(l)a description of the applicant’s structural organisation, including, where applicable, a description of:

(i) the intended use of agents, distributors or branches;

(ii) the off-site and on-site checks that the applicant undertakes to perform on those agents, distributors or branches at least annually;

(iii) a description of outsourcing arrangements;

(iv) the applicant’s participation in a national or international payment system;

(m)the identity of the persons that hold in the applicant, directly or indirectly, qualifying holdings within the meaning of Article 4(1), point (36), of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability to ensure the sound and prudent management of the applicant;

(n)the identity of directors and other persons responsible for the management of the applicant payment institution and, where relevant:

(i) the identity of the persons responsible for the management of the payment services activities of the payment institution;

(ii) evidence that the persons responsible for the management of the payment services activities of the payment institution are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the applicant;

(o)where applicable, the identity of the statutory auditors and audit firms as defined in Article 2, points 2 and 3, of Directive 2006/43/EC of the European Parliament and of the Council 55 ;

(p)the applicant’s legal status and articles of association;

(q)the address of the applicant’s registered office;

(r)an overview of EU jurisdictions where the applicant is submitting or is planning to submit an application for authorisation to operate as a payment institution.

(s)a winding-up plan in case of failure, which is adapted to the envisaged size and business model of the applicant.

For the purposes of the first subparagraph, points (d), (e), (f) and (l), Member States shall ensure that the applicant provides a description of its audit arrangements and of the organisational arrangements it has set up to protect the interests of its users and to ensure continuity and reliability in the performance of payment or electronic money services.

The security control and mitigation measures referred to in the first subparagraph, point (j), shall indicate how the applicant will ensure a high level of digital operational resilience as required by Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources its operations.

4.Member States shall require undertakings that apply for authorisation to provide payment services as referred to in Annex I, point (6), as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that:

(a)they can cover their liabilities as specified in Articles 56, 57, 59, 76, and 78 of Regulation XXX [PSR];

(b)they cover the value of any excess, threshold or deductible from the insurance cover or comparable guarantee;

(c)they monitor the coverage of the insurance or comparable guarantee on an ongoing basis.

5.The EBA shall develop draft regulatory technical standards specifying:

(a)the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in paragraph 3, points (a), (b), (c), (e) and (g) to (k) and (r); 

(b)a common assessment methodology for granting authorisation as a payment institution, or registration as an account information service provider or ATM deployer, under this Directive;

(c)what is a comparable guarantee, as referred in paragraph 4, first subparagraph, which should be interchangeable with a professional indemnity insurance;

(d)the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee as referred in paragraph 4.

6.When developing those draft regulatory technical standards referred to in paragraph 5, the EBA shall take account of the following:

(a)the risk profile of the undertaking;

(b)whether the undertaking provides other payment services as referred to in Annex I or is engaged in other businesses;

(c)the size of the activity of the undertaking;

(d)the specific characteristics of comparable guarantees, as referred in paragraph 4, and the criteria for their implementation.

The EBA shall submit those draft regulatory technical standards referred to in paragraph 5 to the Commission by [ OP please insert the date= 1 year after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.

Article 4

Control of the shareholding

1.Any natural or legal person who has taken a decision to acquire or to further increase, directly or indirectly, a qualifying holding within the meaning of Article 4(1), point (36), of Regulation (EU) No 575/2013 in a payment institution, as a result of which the proportion of the capital or of the voting rights held would reach or exceed 20 %, 30 % or 50 %, or so that the payment institution would become its subsidiary, shall inform the competent authorities of that payment institution in writing of their intention in advance. The same applies to any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding, or to reduce its qualifying holding so that the proportion of the capital or of the voting rights held would fall below 20 %, 30 % or 50 %, or so that the payment institution would cease to be its subsidiary.

2.The proposed acquirer of a qualifying holding in the payment institution shall inform the competent authority about the size of the intended holding and relevant necessary information as referred to in Article 23(4) of Directive 2013/36/EU.

3.Member States shall require that where the influence exercised by a proposed acquirer, as referred to in paragraph 1, is likely to operate to the detriment of the prudent and sound management of the payment institution, the competent authorities shall express their opposition or take other appropriate measures to bring that situation to an end. Such measures may include injunctions, penalties against directors or the persons responsible for the management of the payment institution in question, or the suspension of the exercise of the voting rights attached to the shares held by the shareholders or members of this payment institution.

Similar measures shall apply to natural or legal persons who fail to comply with the obligation to provide prior information, as laid down in paragraph 2.

4.Where a holding as referred to in paragraph 1 is acquired despite the opposition of the competent authorities, Member States shall, regardless of any other penalty to be adopted, provide for the exercise of the corresponding voting rights to be suspended, the nullity of votes cast or the possibility of annulling those votes.

Article 5

Initial capital

Member States shall require payment institutions to hold, at the time of authorisation, initial capital, comprised of one or more of the items referred to in Article 26, points (1)(a) to (e), of Regulation (EU) No 575/2013 as follows:

(a)where the payment institution provides only the payment service referred to in Annex I, point (5), its capital shall at no time be less than EUR 25 000;

(b)where the payment institution provides the payment service referred to in Annex I, point (6), its capital shall at no time be less than EUR 50 000;

(c)where the payment institution provides any of the payment services referred to in Annex I, points (1) to (4), its capital shall at no time be less than EUR 150 000;

(d)where the payment institution provides electronic money services, its capital shall at no time be less than EUR 400 000.

Article 6

Own funds

1.Member States shall require that the payment institution’s own funds does not fall below the amount of initial capital referred to in Article 5, or the amount of own funds either calculated in accordance with Article 7 for payment institutions that do not offer electronic money services, or calculated in accordance with Article 8 for payment institutions that offer electronic money services, whichever is the highest.

2.Member States shall take the necessary measures to prevent the multiple use of elements eligible for own funds where the payment institution belongs to the same group as another payment institution, credit institution, investment firm, asset management company or insurance undertaking. The same shall also apply where a payment institution has a hybrid character and carries out activities other than providing payment or electronic money services.

3.Where the conditions laid down in Article 7 of Regulation (EU) No 575/2013 are met, Member States or their competent authorities may choose not to apply Articles 7 or 8 of this Directive, as applicable, to payment institutions which are included in the consolidated supervision of the parent credit institution pursuant to Directive 2013/36/EU.

Article 7

Calculation of own funds for payment institutions not offering electronic money services

1.Notwithstanding the initial capital requirements set out in Article 5, Member States shall require payment institutions, other than payment institutions that either only offer payment initiation services as referred to in Annex I, point (6), or only offer account information services as referred to in Annex I, point (7), or both, and other than payment institutions offering electronic money services, to hold own funds calculated in accordance with paragraph 2 at all times.

2.Competent authorities shall require payment institutions to apply, by default, method B as laid down in point b) below. Competent authorities may however decide that, in light of their specific business model, in particular where they only execute a small number of transactions but of a high individual value, payment institutions shall rather apply method A or C. For the purposes of methods A, B and C, the preceding year is to be understood as the full 12-month period prior to the moment of calculation. 

(a)Method A

The payment institution’s own funds shall amount to at least 10 % of its fixed overheads of the preceding year. The competent authorities may adjust that requirement in the event of a material change in a payment institution’s business since the preceding year. Where a payment institution has not completed a full year’s business at the date of the calculation, payment institution’s own funds shall amount to at least 10 % of the corresponding fixed overheads as projected in its business plan, unless the competent authorities have required an adjustment to that plan.

(b)Method B

The payment institution’s own funds shall amount to at least the sum of the following elements multiplied by the scaling factor k referred to in paragraph 3, where payment volume (PV) represents one twelfth of the total amount of payment transactions executed by the payment institution in the preceding year:

(i) 4,0 % of the slice of PV up to EUR 5 million;

plus

(ii) 2,5 % of the slice of PV above EUR 5 million up to EUR 10 million;

plus

(iii) 1 % of the slice of PV above EUR 10 million up to EUR 100 million;

plus

(iv) 0,5 % of the slice of PV above EUR 100 million up to EUR 250 million;

plus

(v) 0,25 % of the slice of PV above EUR 250 million.

(c)Method C

The payment institution’s own funds shall amount to at least the relevant indicator referred to in point (i), multiplied by the multiplication factor referred to in point (ii) and by the scaling factor k referred to in paragraph 3.

(i) The relevant indicator shall be the sum of the following:

(1)interest income;

(2)interest expenses;

(3)commissions and fees received; and

(4)other operating income.

Each element shall be included in the sum with its positive or negative sign. Income from extraordinary or irregular items shall not be used in the calculation of the relevant indicator. Expenditure on the outsourcing of services rendered by third parties may reduce the relevant indicator where the expenditure is incurred from an undertaking subject to supervision under this Directive. The relevant indicator shall be calculated on the basis of the 12-monthly observation at the end of the previous financial year. The relevant indicator shall be calculated over the previous financial year.

Own funds calculated in accordance with method C shall not fall below 80 % of the average of the previous 3 financial years for the relevant indicator. When audited figures are not available, business estimates may be used.

(ii) The multiplication factor shall be:

(1)10 % of the slice of the relevant indicator up to EUR 2,5 million;

(2)8 % of the slice of the relevant indicator from EUR 2,5 million up to EUR 5 million;

(3)6 % of the slice of the relevant indicator from EUR 5 million up to EUR 25 million;

(4)3 % of the slice of the relevant indicator from EUR 25 million up to 50 million;

(5)1,5 % above EUR 50 million.

3.The scaling factor k to be used in methods B and C shall be:

(a)0,5 where the payment institution provides only the payment service as referred to in point (5) of Annex I;

(b)1 where the payment institution provides any of the payment services as referred to in any of points (1) to (4) of Annex I.

4.Member States shall require that payment institutions other than payment institutions that either only offer payment initiation services as referred to in Annex I, point 6, or only offer account information services as referred to in Annex I, point 7, or both, and other than payment institutions offering only electronic money services that also engage in the activities referred to in Article 10 ensure that the own funds held for the services listed in Annex I, points 1 to 5, are not considered as own funds held for the purpose of Article 10, paragraph 4, point (d) or other services not regulated under this Directive.

5.Competent authorities may, based on an evaluation of the risk-management processes, risk loss data base and internal control mechanisms of the payment institution, require the payment institution to hold an amount of own funds which is up to 20 % higher than the amount which would result from the application of the method chosen in accordance with paragraph 2. Competent authorities may permit the payment institution to hold an amount of own funds which is up to 20 % lower than the amount which would result from the application of the method to be applied in accordance with paragraph 2.

6.The EBA shall develop draft regulatory standards in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the criteria to determine when the payment institution’s business model is such that they only execute a small number of transactions, but of a high individual value, as referred in paragraph 2 of this Article.

The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 1 year after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.

Article 8

Calculation of own funds for payment institutions offering electronic money services

1.Notwithstanding the initial capital requirements set out in Article 5, Member States shall require payment institutions offering both payment services and electronic money services to hold, at all times, own funds calculated in accordance with Article 7 for their payment services activity.

2.Notwithstanding the initial capital requirements set out in Article 5, Member States shall require payment institutions only offering electronic money services to hold, at all times, own funds calculated in accordance with Method D as set out in point (3) below.

3.Method D: The own funds for the activity of providing electronic money services shall amount to at least 2 % of the average outstanding electronic money.

4.Member States shall require that payment institutions offering both payment services and electronic money services hold at all times own funds that are at least equal to the sum of the requirements referred to in paragraphs 1 and 2.

5.Member States shall allow payment institutions providing both payment services and electronic money services which carry out any of the activities referred to in Annex I that are not linked to the electronic money services, or any of the activities referred to in Article 10 paragraphs 1 and 4, to calculate their own funds requirements on the basis of a representative portion assumed to be used for the electronic money services, provided that such a representative portion can be reasonably estimated on the basis of historical data and to the satisfaction of the competent authorities, where the amount of outstanding electronic money is unknown in advance. Where the payment institution has not completed a sufficient period of business, its own funds requirements shall be calculated on the basis of projected outstanding electronic money evidenced by its business plan subject to any adjustment to that plan required by the competent authorities.

6.Paragraphs 4 and 5 of Article 7 shall apply mutatis mutandis to payment institutions providing electronic money services.

Article 9

Safeguarding requirements

1.Member States shall require a payment institution which provides payment services as referred to in Annex I, points (1) to (5), or electronic money services, to safeguard all funds it has received from payment service users or through another payment service provider for the execution of payment transactions, or where applicable the funds received in exchange for electronic money that has been issued, in either of the following ways:

(a)those funds shall not be commingled at any time with the funds of any natural or legal person other than the payment service users on whose behalf the funds are held;

(b)those funds shall be covered by an insurance policy or some other comparable guarantee from an insurance company or a credit institution, which does not belong to the same group as the payment institution itself, for an amount equivalent to the amount that would have been segregated in the absence of the insurance policy or other comparable guarantee, payable in the event that the payment institution is unable to meet its financial obligations.

For the purposes of the first subparagraph, point (a), where the payment institution still holds the funds and has not yet by the end of the business day following the day when the funds have been received, delivered those funds to the payee or transferred those funds to another payment service provider, the payment institution shall do either of the following:

(a)deposit those funds either in a separate account in a credit institution authorised in a Member State, or at a central bank at the discretion of that central bank;

(b)invest those funds in secure, liquid low-risk assets, as determined by the competent authorities of the home Member State;

Payment institutions shall insulate those funds in accordance with national law in the interest of the payment service users against the claims of other creditors of the payment institution, in particular in the event of insolvency.

2.Payment institutions shall avoid concentration risk to safeguarded customer funds by ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds. In particular, they shall endeavour not to safeguard all consumer funds with one credit institution.

3.Where a payment institution is required to safeguard funds under paragraph 1 and a portion of those funds is to be used for future payment transactions with the remaining amount to be used for services other than payment services, that portion of the funds to be used for future payment transactions shall also be subject to the requirements of paragraph 1. Where that portion is variable or not known in advance, Member States shall allow payment institutions to apply this paragraph on the basis of a representative portion assumed to be used for payment services, provided that such a representative portion can be reasonably estimated on the basis of historical data to the satisfaction of the competent authorities.

4.Where a payment institution provides electronic money services, funds received for the purpose of issuing electronic money need not be safeguarded until the funds are credited to the payment institution’s payment account or are otherwise made available to the payment institution in accordance with the execution time requirements laid down in Regulation XXX [PSR]. In any event, such funds shall be safeguarded by no later than the end of the business day following the day when the funds have been received, after the issuance of electronic money.

5.Where a payment institution provides electronic money services, for the purpose of application of paragraph 1, secure, low-risk assets are asset items falling into one of the categories set out in Table 1 of Article 336(1) of Regulation (EU) No 575/2013 for which the specific risk capital charge is no higher than 1,6 %, but excluding other qualifying items as defined in Article 336(4) of that Regulation.

For the purposes of paragraph 1, secure, low-risk assets are also units in an undertaking for collective investment in transferable securities (UCITS) which invests solely in assets as specified in the first subparagraph.

In exceptional circumstances and with a proper justification, the competent authorities may, based on an evaluation of security, maturity, value or other risk elements of the assets as specified in the first and second subparagraphs, determine which of those assets shall not be considered as secure, low-risk assets for the purposes of paragraph 1.

6.A payment institution shall inform the competent authorities in advance of any material change in measures taken for safeguarding of funds received for payment services provided and in case of electronic money services in exchange for electronic money issued.

7.The EBA shall develop regulatory technical standards on safeguarding requirements, laying down in particular safeguarding risk management frameworks for payment institutions to ensure protection of users’ funds, and including requirements on segregation, designation, reconciliation and calculation of safeguarding funds requirements.

The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 1 year after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

Article 10

Activities

1.In addition to the provision of payment services or electronic money services, payment institutions shall be entitled to engage in the following activities:

(a)the provision of operational and closely related ancillary services, including ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data;

(b)the operation of payment systems;

(c)business activities other than the provision of payment services or electronic money services, having regard to applicable Union and national law.

2.Payment institutions that provide one or more payment services or electronic money services, shall only hold payment accounts which are used exclusively for payment transactions.

3.Any funds received by payment institutions from payment service users to provide payment or electronic money services shall not constitute a deposit or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU.

4.Payment institutions may grant credit relating to the payment services referred to in Annex I, point 2, only where all of the following conditions have been met:

(a)the credit is ancillary to, and granted exclusively in connection with, the execution of a payment transaction;

(b)notwithstanding national rules, if any, on providing credit by issuers of credit cards, the credit granted in connection with a payment and executed in accordance with Article 13(6) and Article 30 is to be repaid within a short period, which shall in no case exceed 12 months;

(c)the credit granted does not come from the funds received or held for executing a payment transaction or from the funds which have been received from payment services users in exchange of electronic money and held in accordance with Article 9, paragraph 1;

(d)the own funds of the payment institution are at all times and to the satisfaction of the supervisory authorities appropriate in view of the overall amount of credit granted.

5.Payment institutions shall not take deposits or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU.

6.Payment institutions that provide electronic money services shall exchange any funds, including cash or scriptural money, received by that payment institution from payment service users for electronic money without delay. Such funds shall neither constitute a deposit, nor other repayable funds received from the public within the meaning of Article 9 of Directive 2013/36/EC.

7.This Directive shall be without prejudice to Directive 2008/48/EC, other relevant Union law or national measures regarding conditions for granting credit to consumers not harmonised by this Directive that comply with Union law.

Article 11

Accounting and statutory audit

1.Council Directive 86/635/EEC 56 , Directive 2013/34/EU and Regulation (EC) No  1606/2002 of the European Parliament and of the Council 57 , shall apply to payment institutions mutatis mutandis.

2.Unless exempted under Directive 2013/34/EU and, where applicable, Directive 86/635/EEC, the annual accounts and consolidated accounts of payment institutions shall be audited by statutory auditors or audit firms as defined in Article 2, points 2 and 3, of Directive 2006/43/EC.

3.For supervisory purposes, Member States shall require that payment institutions provide separate accounting information for, on the one hand, payment services or electronic money services, and, on the other hand, the activities referred to in Article 10(1), which shall be subject to an auditor’s report. That report shall be prepared, where applicable, by the statutory auditors or an audit firm.

4.The obligations laid down in Article 63 of Directive 2013/36/EU shall apply mutatis mutandis to the statutory auditors or audit firms of payment institutions in respect of payment services or electronic money services.

Article 12

Record-keeping

Member States shall require payment institutions to keep all appropriate records for the purpose of this Title for at least 5 years, without prejudice to Directive (EU) 2015/849 or other relevant Union law. When such records include personal data, the payment institution shall not keep those records for longer than necessary for the purpose of this Title. Where there is a withdrawal of the authorisation of the payment institution in accordance with Article 16, records that include personal data shall not be kept more than 5 years after the authorisation has been withdrawn.

Article 13

Granting of authorisation

1.Member States shall authorise an applicant payment institution for the payment services and electronic money services it intends to provide, provided that the applicant payment institution:

(a)is a legal person established in a Member State;

(b)has submitted to its competent authorities the information referred to in Article 3(3);

(c)has taken into account the need to ensure the sound and prudent management of the applicant payment institution, robust governance arrangements for the payment services or electronic money services it intends to provide, including:

(i) a clear organisational structure with well-defined, transparent and consistent lines of responsibility;

(ii) effective procedures to identify, manage, monitor and report the risks to which the applicant payment institution is or might be exposed;

(iii) adequate internal control mechanisms, including sound administration and accounting procedures.

(d)has the initial capital referred to in Article 5;

(e)complies with Article 3(4).

The governance arrangements and control mechanisms referred to in point (c) shall be comprehensive and proportionate to the nature, scale and complexity of the payment services or electronic money services the applicant payment institutions intend to provide.

The EBA shall adopt guidelines on the arrangements, processes and mechanisms referred to in this paragraph.

2.Competent authorities of the home Member State shall grant an authorisation if the information and evidence accompanying the application complies with all of the requirements laid down in Article 3 and if the competent authorities’ overall assessment, having scrutinised the application, is favourable. Before granting an authorisation, the competent authorities may, where relevant, consult the national central bank or other relevant public authorities.

3.A payment institution which, under the national law of its home Member State, is required to have a registered office, shall have its head office in the same Member State as its registered office and shall carry out a part of its payment service or electronic money business there. The competent authorities of the Member State where the payment institution is to have its registered office shall however not require the payment institution to carry out the majority of its business in the country where it will have its registered office.

4.Competent authorities may, as a condition for authorisation, require that the applicant payment institution establishes a separate entity for the provision of the payment services referred to in Annex I, points 1 to 6, where the applicant payment institution is engaged in other business activities that may impair, or is likely to impair, either the financial soundness of the applicant payment institution or the ability of the competent authorities to monitor the applicant payment institution’s compliance with this Directive.

5.Competent authorities shall refuse to authorise an applicant payment institution in any of the following cases:

(a)where, taking into account the need to ensure the sound and prudent management of the payment institution, those competent authorities are not satisfied as to the suitability of the shareholders or members that have qualified holdings;

(b)where there are close links as defined in Article 4(1), point (38), of Regulation (EU) No 575/2013 between the payment institution and natural or legal persons that do prevent the effective exercise of the supervisory functions of the competent authorities;

(c)where the laws, regulations, or administrative provisions of a third country governing one or more natural or legal persons with which the payment institution has close links as defined in Article 4(1), point (38), of Regulation (EU) No 575/2013, or difficulties involved in the enforcement of those laws, regulations or administrative provisions, prevent the effective exercise of the supervisory functions of the competent authorities.

6.An authorisation shall be valid in all Member States and shall allow the payment institution concerned to provide the payment or electronic money services that are covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

Article 14

Communication of the decision to authorise or refuse authorisation

Within 3 months of receipt of an application for authorisation as referred to in Article 3, or, where such application is incomplete, of all of the information referred to in Article 3(3), the competent authorities shall inform the applicant whether the authorisation is granted or refused. The competent authority shall give reasons where it refuses an authorisation.

Article 15

Maintenance of the authorisation as a payment institution

Member States shall require payment institutions to inform their competent authority of any change in the information and evidence provided in accordance with Article 3 which may affect the accuracy of that information or evidence.

Article 16

Withdrawal of the authorisation as a payment institution

1.Competent authorities of the home Member State may withdraw an authorisation issued to a payment institution only where:

(a)the payment institution has not made use of its authorisation within 12 months after it has obtained that authorisation, or has not provided any of the services for which it has been authorised for more than six successive months;

(b)the payment institution has explicitly renounced that authorisation;

(c)the payment institution no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect;

(d)the payment institution has obtained the authorisation based on false statements or any other irregular means;

(e)the payment institution has breached its obligations in terms of money laundering or terrorist financing prevention under Directive (EU) 2015/849;

(f)the continued provision of the payment services or electronic money services by the payment institution would threaten the stability of, or the trust in, the payment system;

(g)the payment institution falls within one of the cases where national law provides for such withdrawal.

2.The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly.

3.The competent authority shall make public the withdrawal of an authorisation, including in the registers or lists referred to in Articles 17 and 18.

Article 17

Register of payment institutions in the home Member State

1.Member States shall operate and maintain a public electronic register of payment institutions, including entities registered in accordance with Articles 34, 36, 38, and of their agents or distributors. Member States shall ensure this register contains all of the following information:

(a)payment institutions authorised in accordance with Article 13 and their agents and their agents or distributors, if any;

(b)natural and legal persons registered in accordance with Articles 34(2), 36(1) or 38(1) and their agents or distributors, if any;

(c)the institutions referred to in Article 1(2) that are entitled under national law to provide payment or electronic money services.

Branches of payment institutions shall be entered in the register of the home Member State if those branches provide services in a Member State other than their home Member State.

2.The public register referred to in paragraph 1 shall:

(a)identify the payment and electronic money services and the respective brands for which the payment institution has been authorised, or for which the natural or legal person has been registered;

(b)include the agents or distributors, as applicable, through which the payment institution provides payment or electronic money services, except electronic money issuance, and specify the services these agents or distributors carry out on behalf of the payment institution;

(c)include the other Member States where the payment institution is active and indicate the date when these passported activities started.

3.Member States shall ensure that payment institutions are listed in the register referred to in paragraph 1 separately from natural and legal persons registered in accordance with Articles 34, 36 or 38, and that that register is publicly available for consultation, accessible online, and updated without delay.

4.Competent authorities shall enter in the public register dates of authorisation or registration, any withdrawal of authorisation, suspension of authorisation, and any withdrawal of a registration pursuant to Articles 34, 36 or 38.

5.Competent authorities shall notify the EBA without any undue delay of the reasons for the withdrawal of the authorisation or registration, suspension of authorisation or registration, or of any exemptions pursuant to Article 34, 36 or 38.

Article 18

EBA register

1.The EBA shall operate and maintain an electronic central register of payment institutions, including entities registered in accordance with Articles 34, 36 and 38, and their agents or distributors, and branches where applicable. That electronic central register shall contain the information as notified by the competent authorities in accordance with paragraph 3. The EBA shall be responsible for the accurate presentation of that information.

2.The EBA shall make the electronic central register publicly available on its website, and shall allow for easy access to and easy search for the information listed, free of charge.

3.Competent authorities shall provide the EBA with the information entered in their national public registers in accordance with Article 17 at the latest within one business day after they entered that information in the national public registers.

4.Competent authorities shall be responsible for the accuracy of the information contained in their national registers and provided to the EBA, and for keeping that information up to date. Companies listed in the Register shall be given means to correct any inaccuracies concerning themselves.

5.The EBA shall develop draft regulatory technical standards on the operation and maintenance of the electronic central register referred to in paragraph 1 and on access to the information contained therein to ensure that only the competent authority concerned or the EBA may modify the information contained in the register. 

The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 18 months after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.

6.The EBA shall develop draft implementing technical standards on the details and structure of the information to be notified pursuant to paragraph 1, including the data standards and formats for the information, as set out in Commission Implementing Regulation (EU) 2019/410 58 .

The EBA shall submit those draft implementing technical standards to the Commission by [ OP please insert the date= 18 months after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.

7.The EBA shall develop, operate and maintain a central, machine-readable list of the payment service providers offering the payment services listed in Annex I, points 6 and 7, based on the most recent information contained in the EBA register referred to in paragraph 1 and on the EBA Credit Institution Register created pursuant to Article 8(2), point (j) of Regulation (EU) No 1093/2010. That list shall contain the name and identifier of those payment services providers and their authorisation status.

Section 2

Use of agents, distributors, branches and outsourcing

Article 19

Use of agents

1.Payment institutions that intend to provide payment services through agents shall communicate to the competent authorities in their home Member State all of the following information:

(a)the name and address of the agent;

(b)an up-to-date description of the internal control mechanisms that the agent will use to comply with Directive (EU) 2015/849;

(c)the identity of directors and the other persons responsible for the management of the agent and, where the agent is not a payment service provider, evidence that those persons are fit and proper for their tasks;

(d)the payment services provided by the payment institution for which the agent is mandated;

(e)where applicable, the unique identification code or number of the agent.

2.Member States shall ensure that the competent authorities of the home Member State communicate to the payment institution within 2 months of receipt of the information referred to in paragraph 1 whether the agent has been entered in the register referred to in Article 17. Upon entry in the register, the agent may commence providing payment services.

3.Before listing the agent in the register referred to in Article 17, the competent authorities shall, where they consider that the information referred to in paragraph 1 is incorrect, take further action to verify the information.

4.Where, after having verified the information referred to in paragraph 1, the competent authorities are not satisfied that that information is correct, they shall refuse to list the agent in the register referred to in Article 17 and shall inform the payment institution thereof without undue delay.

5.Member States shall ensure that payment institutions that wish to provide payment services in another Member State by engaging an agent, or that intend to provide payment services in a Member State other than its home Member State via an agent located in a third Member State, follow the procedures set out in Article 30. 

6.Member States shall ensure that payment institutions inform their payment service users of the fact that an agent is acting on their behalf.

7.Member States shall ensure that payment institutions communicate to the competent authorities of their home Member State any change regarding the use of agents, including about additional agents, without undue delay and in accordance with the procedure provided for in paragraphs 2, 3 and 4.

Article 20

Distributors of electronic money services

1.Member States shall allow payment institutions that provide electronic money services to distribute and redeem electronic money through distributors.

2.Member States shall ensure that payment institutions that intend to provide electronic money services through a distributor apply the requirements laid down in Article 19 mutatis mutandis.

3.Where the payment institution intends to distribute electronic money services in another Member State by engaging a distributor, Articles 30 to 33, with exception of Article 31(4) and (5) of this Directive, including the delegated acts adopted in accordance with Article 30(5) of this Directive, shall apply mutatis mutandis to such payment institution.

Article 21

Branches

1.Member States shall require from payment institutions that intend to provide payment services in another Member State by establishing a branch, or that intends to provide payment services in a Member State other than their home Member State via a branch located in a third Member State, follow the procedures set out in Article 30.

2.Member States shall ensure that payment institutions require the branches that act on their behalf to inform payment service users of this fact.

Article 22

Entities to which activities are outsourced

1.Member States shall ensure that payment institutions that intend to outsource operational functions of payment or electronic money services inform the competent authorities of their home Member State thereof.

Member States shall ensure that payment institutions do not outsource important operational functions, including ICT systems, in such way that the quality of the payment institution’s internal control and the ability of the competent authorities to monitor and retrace the payment institution’s compliance with all of the obligations laid down in this Directive is materially impaired.

An operational function shall be important where a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its authorisation, its other obligations under this Directive, its financial performance, or the soundness or the continuity of its payment or electronic money services.

Member States shall ensure that when payment institutions outsource important operational functions, they shall meet all of the following conditions:

(a)the outsourcing does not result in the delegation by senior management of its responsibility;

(b)the relationship and obligations of the payment institution towards its payment service users under this Directive is not altered;

(c)the conditions with which the payment institution is to comply to be authorised and remain so is not undermined;

(d)none of the other conditions subject to which the payment institution’s authorisation was granted is removed or modified.

2.Member States shall ensure that payment institutions communicate without undue delay to the competent authorities of their home Member State any change regarding the use of entities to which activities are outsourced.

Article 23

Liability

1.Member States shall ensure that payment institutions that rely on third parties for the performance of operational functions take reasonable steps to ensure that the requirements of this Directive are complied with.

2.Member States shall require that payment institutions remain fully liable for any acts of their employees, or any agent, distributor, branch or entity to which activities are outsourced.

S e c t i o n 3

Competent authorities and supervision

Article 24

Designation of competent authorities

1.Member States shall designate as the competent authorities responsible for the authorisation and prudential supervision of payment institutions which are to carry out the duties provided for under this Title either public authorities, or bodies recognised by national law or by public authorities expressly empowered for that purpose by national law, including national central banks. Member States shall not designate payment institutions, credit institutions, or post office giro institutions as competent authorities.

The competent authorities shall be independent from economic bodies and avoid conflicts of interest.

Member States shall provide the Commission with the name and the contact details of the competent authority designated in accordance with the first subparagraph.

2.Member States shall ensure that the competent authorities designated under paragraph 1 possess all powers necessary for the performance of their duties.

Member States shall ensure that competent authorities have the necessary resources, notably in terms of dedicated staff, to exercise their tasks.

3.Member States that have appointed more than one competent authority for matters covered by this Title, or that have appointed as competent authorities competent authorities that are responsible for the supervision of credit institutions, shall ensure that those authorities cooperate closely to discharge their respective duties effectively.

4.The tasks of the competent authorities designated under paragraph 1 shall be the responsibility of the competent authorities of the home Member State.

5.Paragraph 1 shall not imply that the competent authorities are required to supervise business activities of the payment institutions other than the provision of payment services and the activities referred to in Article 10(1), point (a).

Article 25

Supervision

1.Member States shall ensure that the controls exercised by the competent authorities for checking continued compliance with this Title are proportionate, adequate and responsive to the risks to which payment institutions are exposed.

To check compliance with this Title, the competent authorities shall, in particular, be entitled to take the following steps:

(a)require the payment institution to provide any information needed to monitor compliance specifying the purpose of the request, as appropriate, and the time limit by which the information is to be provided;

(b)carry out on-site inspections at the business premises of the payment institution, of any agent, distributor or branch providing payment services or electronic money services under the responsibility of the payment institution, or at the business premises of any entity to which activities are outsourced;

(c)issue recommendations, guidelines and, if applicable, binding administrative provisions;

(d)to suspend or to withdraw an authorisation pursuant to Article 16.

2.Without prejudice to Article 16 and any national provisions of criminal law, Member States shall provide that their competent authorities may impose penalties or measures aimed specifically at ending observed infringements, and removing the causes of such infringements, upon payment institutions or those who effectively control the business of payment institutions which breach the provisions transposing this Directive.

3.Notwithstanding the requirements of Article 5, Article 6(1) and (2), Article 7, and Article 8, Member States shall ensure that the competent authorities can take the steps referred to in paragraph 1 of this Article to ensure sufficient capital for payment institutions, in particular where activities other than payment services or electronic money services impair or are likely to impair the financial soundness of the latter.

Article 26

Professional secrecy

1.Without prejudice to cases covered by national criminal law, Member States shall ensure that all persons who work or who have worked for the competent authorities, and any experts acting on behalf of the competent authorities, are bound by the obligation of professional secrecy.

2.The information exchanged in accordance with Article 28 shall be subject to the obligation of professional secrecy by both the sharing and recipient authority to ensure the protection of individual and business rights.

3.Member States may apply this Article taking into account, mutatis mutandis, Articles 53 to 61 of Directive 2013/36/EU.

Article 27

Right to apply to the courts

1.Member States shall ensure that decisions taken by the competent authorities in respect of a payment institution pursuant to the laws, regulations and administrative provisions adopted in accordance with this Directive may be contested before the courts.

2.Paragraph 1 shall apply also in respect of a failure to act.

Article 28

Cooperation and exchange of information

1.The competent authorities of the different Member States shall cooperate with each other and, where appropriate, with the ECB and the national central banks of the Member States, the EBA and other relevant competent authorities designated under Union or national law applicable to payment service providers.

2.Member States shall allow for the exchange of information between their competent authorities and:

(a)the competent authorities of other Member States responsible for the authorisation of applicant payment institutions and the supervision of payment institutions;

(b)the ECB and the national central banks of Member States, in their capacity as monetary and oversight authorities, and, where appropriate, other public authorities responsible for overseeing payment and settlement systems;

(c)other relevant authorities designated under this Directive, and other Union law applicable to payment service providers, including Directive (EU) 2015/849;

(d)the EBA, in its capacity of contributing to the effective and consistent functioning of supervising mechanisms as referred to in Article 1(5), point (a), of Regulation (EU) No 1093/2010.

Article 29

Settlement of disagreements between competent authorities of different Member States

1.A competent authority of a Member State that considers that, in a particular matter, cross-border cooperation with competent authorities of another Member State as referred to in Articles 28, 30, 31, 32 or 33 does not comply with the conditions set out in those provisions may refer the matter to the EBA and request its assistance in accordance with Article 19 of Regulation (EU) No 1093/2010.

2.Where the EBA has been requested to assist pursuant to paragraph 1, it shall take a decision under Article 19(3) of Regulation (EU) No 1093/2010 without undue delay. The EBA may also assist the competent authorities in reaching an agreement on its own initiative in accordance with Article 19(1), second subparagraph, of that Regulation. In either case, the competent authorities involved shall defer their decisions pending resolution under Article 19 of that Regulation.

Article 30

Application to exercise the right of establishment and freedom to provide services

1.Member States shall ensure that any payment institution wishing to provide payment or electronic money services for the first time in a Member State other than its home Member State, including via an establishment in a third Member State, in the exercise of the right of establishment or the freedom to provide services, shall communicates the following information to the competent authorities in its home Member State:

(a)the name, the address and, where applicable, the authorisation number of the payment institution;

(b)the Member State(s) in which the payment institution intends to operate and planned date of commencement of operations in this Member State;

(c)the payment or electronic money service(s) that the payment institution intends to provide;

(d)where the payment institution intends to make use of an agent or distributor, the information referred to in Articles 19(1) and 20(2);

(e)where the payment institution intends to make use of a branch:

(i)the information referred to in Article 3(3), points (b) and (e), with regard to the payment or electronic money service business in the host Member State;

(ii)a description of the organisational structure of the branch;

(iii)the identity of those responsible for the management of the branch.

Member States shall ensure that payment institutions that intend to outsource operational functions of the payment or electronic money services to other entities in the host Member State, inform the competent authorities of their home Member State thereof.

2.Within 1 month of receipt of all of the information referred to in paragraph 1, the competent authorities of the home Member State shall send that information to the competent authorities of the host Member State. Where the services are provided via a third Member State, the Member State to be notified shall be the one where the services are provided to payment service users.

Within 1 month of receipt of the information from the competent authorities of the home Member State, the competent authorities of the host Member State shall assess that information and provide the competent authorities of the home Member State with relevant information about the intended provision of payment or electronic money services by the relevant payment institution in the exercise of the freedom of establishment or the freedom to provide services. The competent authorities of the host Member State shall inform the competent authorities of the home Member State of any grounds for concern in connection with the intended engagement of an agent, distributor or establishment of a branch with regard to money laundering or terrorist financing within the meaning of Directive (EU) 2015/849. Before doing so, the competent authority of the host Member State shall liaise with the relevant competent authorities as referred to in Article 7(2) of Directive (EU) 2015/849 to establish whether such grounds exist.

Competent authorities of the home Member State that do not agree with the assessment of the competent authorities of the host Member State shall provide the competent authorities of the host Member State with the reasons for their disagreement.

Where the assessment of the competent authorities of the home Member State, in light of the information received from the competent authorities of the host Member State is not favourable, the competent authority of the home Member State shall refuse to register the agent, branch or distributor, or shall withdraw the registration if already made.

3.Within 3 months of receipt of the information referred to in paragraph 1, the competent authorities of the home Member State shall communicate their decision to the competent authorities of the host Member State and to the payment institution.

Upon entry in the register referred to in Article 17, the agent, distributor or branch may commence its activities in the relevant host Member State.

Member States shall ensure that the payment institution notifies to the competent authorities of the home Member State the start date of the activities conducted on the payment institution’s behalf through the agent, distributor or branch in the host Member State concerned. The competent authorities of the home Member State shall inform the competent authorities of the host Member State thereof.

4.Member States shall ensure that the payment institution communicates to the competent authorities of the home Member State any relevant change regarding the information communicated in accordance with paragraph 1 without undue delay, including additional agents, distributors, branches or entities to which activities are outsourced in the host Member States in which the payment institution operates. The procedure provided for under paragraphs 2 and 3 shall apply.

5.The EBA shall develop draft regulatory technical standards specifying the framework for cooperation, and for the exchange of information, between competent authorities of the home and of the host Member State in accordance with this Article. Those draft regulatory technical standards shall specify the method, means and details of cooperation in the notification of payment institutions operating on a cross-border basis and, in particular, the scope and treatment of information to be submitted, including common terminology and standard notification templates to ensure a consistent and efficient notification process.

The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 18 months after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.

Article 31

Supervision of payment institutions exercising the right of establishment and freedom to provide services

1.When carrying out the controls and take the necessary steps provided for in this Title in respect of the agent, distributor or branch of a payment institution located in the territory of another Member State, the competent authorities of the home Member State shall cooperate with the competent authorities of the host Member State, including by informing the competent authorities of the host Member State of where they intend to carry out an on-site inspection in the territory of that host Member State.

The competent authorities of the home Member State may delegate to the competent authorities of the host Member State the task of carrying out on-site inspections of the payment institution concerned.

2.The competent authorities of the host Member States may require that payment institutions having agents, distributors or branches within their territories report to them periodically about the activities carried out in their territories.

Such reports shall be required for information or statistical purposes and, as far as the agents, distributors or branches provide payment services or electronic money services, to monitor compliance with Titles II and III of Regulation XXX [PSR]. Such agents, distributors or branches shall be subject to professional secrecy requirements that are at least equivalent to those referred to in Article 26.

The competent authorities of the host Member State may request ad hoc information from payment institutions where those authorities have evidence of non-compliance with this Title or with Titles II and III of Regulation XXX [PSR].

3.The competent authorities of the home and host Member States shall provide each other with all essential or relevant information, in particular in the case of infringements or suspected infringements by an agent, a distributor or a branch, and where such infringements occurred in the context of the exercise of the freedom to provide services. Competent authorities shall communicate, upon request, all relevant information and, on their own initiative, all essential information, including on the compliance of the payment institution with the conditions laid down in Article 13(3).

4.Member States may require payment institutions operating on their territory through agents, the head office of which is situated in another Member State, to appoint a central contact point in their territory to ensure adequate communication and information reporting in compliance with Titles II and III of Regulation XXX [PSR], and to facilitate supervision by competent authorities of home Member State and host Member States, including by providing competent authorities with documents and information on request.

5.The EBA shall develop draft regulatory technical standards to specify the criteria to be applied when determining, in accordance with the principle of proportionality, the circumstances under which the appointment of a central contact point referred to in paragraph 4 is appropriate, and the functions of those contact points.

Those draft regulatory technical standards shall, in particular, take account of:

(a)the total volume and value of transactions carried out by the payment institution in host Member States;

(b)the type of payment services provided;

(c)the total number of agents established in the host Member State.

The EBA shall submit those draft regulatory technical standards to the Commission by [ OP please insert the date= 18 months after the date of entry into force of this Directive].

Power is delegated to the Commission to adopt the regulatory technical standards in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.

Article 32

Measures in case of non-compliance, including precautionary measures

1.Where a competent authority of a host Member State considers that a payment institution having agents, distributors or branches in its territory does not comply with this Title or with Titles II and III of Regulation XXX [PSR], that competent authority shall inform the competent authority of the home Member State thereof without undue delay.

The competent authority of the home Member State, after having evaluated the information received pursuant to the first subparagraph, shall, without undue delay, take all appropriate measures to ensure that the payment institution concerned puts an end to its failure of compliance. The competent authority of the home Member State shall communicate those measures to the competent authority of the host Member State and to the competent authorities of any other Member State concerned without delay.

2.In emergency situations, where immediate action is necessary to address a serious threat to the collective interests of the payment service users in the host Member State, the competent authorities of the host Member State may, in parallel to the cross-border cooperation between competent authorities and pending measures by the competent authorities of the home Member State as set out in Article 31, take precautionary measures.

3.Any precautionary measures as referred to in paragraph 2 shall be appropriate and proportionate to their purpose to protect against a serious threat to the collective interests of the payment service users in the host Member State. Those measures shall not result in a preference for payment service users of the payment institution in the host Member State over payment service users of the payment institution in other Member States.

Precautionary measures shall be temporary and shall be terminated when the serious threats identified have been addressed, including with the assistance of or in cooperation with the home Member State’s competent authorities or with the EBA as provided for in Article 29(1).

4.Where compatible with the emergency situation, the competent authorities of the host Member State shall inform the competent authorities of the home Member State and those of any other Member State concerned, the Commission and the EBA of the precautionary measures taken under paragraph 2 and of their justification in advance and in any case without undue delay.

Article 33

Reasons and communication

1.Any measure taken by the competent authorities pursuant to Article 25, 30, 31 or 32 involving penalties or restrictions on the exercise of the freedom to provide services or the freedom of establishment shall be properly justified and communicated to the payment institution concerned.

2.Articles 30, 29 and 32 shall be without prejudice to the obligation of competent authorities under Directive (EU) 2015/849 and Regulation (EU) 2015/847, in particular under Article 47(1) of Directive (EU) 2015/849 and Article 22(1) of Regulation (EU) 2015/847, to supervise or monitor the compliance with the requirements laid down in those instruments.

CHAPTER II

Exemptions and notifications

Article 34

Optional exemptions

1.Member States may exempt, or allow their competent authorities to exempt, natural or legal persons providing payment services as referred to in Annex I, points 1 to 5, or providing electronic money services from the application of all or part of the procedures and conditions set out in Chapter I, Sections 1, 2 and 3, with the exception of Articles 17, 18, 24, 26, 27 and 28, where:

(a)in the case of payment services, the monthly average of the preceding 12 months’ total value of payment transactions executed by the person concerned, including any agent for which the person concerned assumes full responsibility, does not exceed a limit set by the Member State but that, in any event, amounts to no more than EUR 3 million; or

(b)in the case of electronic money services, the total business activities generate an average amount of outstanding electronic money that does not exceed a limit set by the Member State but that, in any event, does not exceed EUR 5 million; and

(c)in the case of payment services and electronic money services, none of the natural persons responsible for the management or operation of the business has been convicted of offences relating to money laundering or terrorist financing or other financial crimes.

For the purposes of the subparagraph, point (a), the assessment of whether the limit has been exceeded shall be based on the projected total amount of payment transactions in its business plan, unless the competent authorities have required an adjustment to that plan.

Where a payment institution providing electronic money services also offers any payment service or any of the activities referred to in Article 10, and the amount of outstanding electronic money is unknown in advance, the competent authorities shall allow that payment institution to apply the first subparagraph point (b), on the basis of a representative portion assumed to be used for the electronic money services, provided that such a representative portion can be reasonably estimated on the basis of historical data and to the satisfaction of the competent authorities. Where a payment institution has not completed a sufficiently long period of business, that requirement shall be assessed on the basis of projected outstanding electronic money evidenced by its business plan subject to any adjustment to that plan required by the competent authorities.

Member States may also provide for the granting of the optional exemptions to be subject to an additional requirement of a maximum storage amount on the payment instrument or payment account of the consumer where the electronic money is stored.

A natural or legal person benefitting from an exemption under paragraph 1, first subparagraph, point (b), may provide payment services not related to electronic money services only in accordance with paragraph 1, first subparagraph, point (a).

2.Member States shall require any natural or legal person exempted from the application of the procedures and conditions referred to in paragraph 1 to register with the competent authority of the home Member State. Member States shall determine the documentation which shall accompany such request for registration, from the elements listed in Article 3(3) points (a) to (s).

3.Member States shall require any natural or legal person registered in accordance with paragraph 2 to have its head office or place of residence in the Member State in which it actually carries out its business.

4.The persons exempted from the application of the procedures and conditions referred to in paragraph 1 shall be treated as payment institutions. Article 13(6) and Articles 30, 31 and 32 shall not apply to those persons.

5.Member States may provide that any natural or legal person registered in accordance with paragraph 2 may engage only in certain activities listed in Article 10.

6.The persons exempted from the application of the procedures and conditions referred to in paragraph 1 shall notify the competent authorities of any change in their situation which is relevant to the conditions specified in that paragraph, and at least annually, on the date specified by the competent authorities, report on the following:

(a)the average of the preceding 12 months’ total value of payment transactions where they provide payment services;

(b)the average outstanding electronic money where they provide electronic money services.

7.Member States shall take the necessary steps to ensure that where the conditions set out in paragraphs 1, 3 or 5 of this Article are no longer met, the persons concerned shall seek authorisation within 30 calendar days in accordance with Article 13. Member States shall ensure that their competent authorities are sufficiently empowered to verify continued compliance with this Article.

8.Paragraphs 1 to 6 of this Article shall be without prejudice to Directive (EU) 2015/849 or of national laws on anti-money laundering or terrorist financing.

Article 35

Notification and information

A Member State that decides to grant an exemption as referred to in Article 34 shall inform the Commission of all of the following:

(a)its decision to grant such an exemption;

(b)any subsequent change to this exemption;

(c)the number of natural and legal persons concerned;

(d)on an annual basis, the total value of payment transactions executed as of 31 December of each calendar year, as referred to in Article 34(1), point (a), and of the total amount of outstanding electronic money issued, as referred to in Article 34(1), point (b). 

Article 36

Account information service providers

1.Natural or legal persons providing only the payment service referred to in Annex I, point (7), shall not be subject to authorisation but shall register with the competent authority of the home Member State before taking up activity.

2.Such registration request shall be accompanied by the information and documentation referred to in Article 3(3), points (a), (b), (e) to (h), (j), (l), (n), (p) and (q).

For the purposes of the documentation referred to in Article 3(3), points (e), (f) and (l), the natural or legal person registering shall provide a description of its audit arrangements and of the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of the payment service as referred to in Annex I, point (7).

3.The security control and mitigation measures referred to in Article 3(3), point (j), shall indicate how the natural or legal person registering will ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the natural or legal person registering or the undertakings to which it outsources the whole or part of its operations.

4.Member States shall require persons as referred to in paragraph 1, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee, and that they ensure that:

(a)they can cover their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information service;

(b)they can cover the value of any excess, threshold or deductible from the insurance or comparable guarantee;

(c)they monitor the coverage of the insurance or comparable guarantee on an ongoing basis.

5.Sections 1 and 2 of Chapter I shall not apply to the persons providing the services referred to in paragraph 1 of this Article. Section 3 of Chapter I shall apply to the persons providing the services referred to in paragraph 1 of this Article, with the exception of Article 25(3).

As an alternative to holding a professional indemnity insurance as required in paragraphs 3 and 4, the undertakings as referred to in paragraph 1 shall hold an initial capital of EUR 50 000, which can be replaced by a professional indemnity insurance after those undertakings have commenced their activity as a payment institution, without undue delay.

6.The persons referred to in paragraph 1 of this Article shall be treated as payment institutions.

Article 37

Services where cash is provided in retail stores without a purchase

1.Member States shall exempt from the application of this Directive natural or legal persons providing cash in retail stores independently of any purchase provided the following conditions are met:

(a)the service is offered at its premises by a natural or legal person selling goods or services as a regular occupation;

(b)the amount of cash provided does not exceed EUR 50 per withdrawal.

2.This Article shall be without prejudice to Directive (EU) 2015/849 or any other relevant Union or national anti-money-laundering/terrorist financing laws.

Article 38

Services enabling cash withdrawals offered by ATM deployers not servicing payment accounts

1.Natural or legal persons providing cash withdrawal services as referred to Annex I, point 1, and who do not service payment accounts and do not provide other payment services referred to in Annex I, shall not be subject to authorisation but shall register with a competent authority of the home Member State before taking up activity.

2.The registration referred to in paragraph 1 shall be accompanied by the information and documentation referred to in Article 3(3), points (a), (b), (e) to (h), (j), (l), (n), (p) and (q).

For the purposes of the documentation referred to in Article 3(3), points (e) (f) and (l), the natural or legal person registering shall provide a description of its audit arrangements and of the organisational arrangements it has set up to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of the payment service as referred to in point (1) of Annex I.

The security control and mitigation measures referred to in Article 3(3), point (j), shall indicate how the natural or legal person registering will ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the natural or legal person registering or the undertakings to which it outsources the whole or part of its operations.

3.Sections 1 and 2 of Chapter 1 shall not apply to the persons providing the services referred to in paragraph 1 of this Article. Section 3 of Chapter 1 shall apply to the persons providing the services referred to in paragraph 1 of this Article, with the exception of Article 25(3).

4.The persons providing the services referred to in paragraph 1 of this Article shall be treated as payment institutions.

Article 39

Duty of notification

1.Member States shall require service providers that carry out either of the activities referred to in Article 2(1), points (j), (i) and (ii), of Regulation XXX [PSR] or carrying out both activities, for which the total value of payment transactions executed over the preceding 12 months exceeds EUR 1 million, to inform the competent authorities about the services offered, specifying under which exclusion as referred to Article 2(1), points (j), (i) and (ii), of Regulation XXX [PSR] the activity is considered to be carried out.

On the basis of that notification, the competent authority shall take a duly motivated decision on the basis of criteria referred to in Article 2(1), point (j), of Regulation XXX [PSR] where the activity does not qualify as a limited network, and inform the service provider thereof.

2.Member States shall require service providers that carry out an activity as referred to in Article 2(1), point (j), of Regulation XXX [PSR] to send a notification to competent authorities and provide competent authorities an annual audit opinion, testifying that the activity complies with the limits set out Article 2(1), point (j), of Regulation XXX [PSR].

3.Member States shall ensure that competent authorities shall inform the EBA of the services notified pursuant to paragraph 1, stating under which exclusion the activity is carried out.

4.The description of the activity notified under paragraphs 2 and 3 shall be made publicly available in the registers referred to in Articles 17 and 18.

TITLE III

DELEGATED ACTS AND REGULATORY TECHNICAL STANDARDS

Article 40

Delegated acts

The Commission shall be empowered to adopt delegated acts in accordance with Article 41 to update the amounts referred to in Article 5, Article 34(1), and Article 37 to take account of inflation.

Article 41

Exercise of the delegation

1.The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.The power to adopt delegated acts referred to in Article 40 shall be conferred on the Commission for an undetermined period of time from the date of entry into force of this Directive.

3.The delegation of power referred to in Article 40 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect on the day following the publication of the decision in the Official Journal of the European Union or on a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5.A delegated act adopted pursuant to Article 40 shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of 3 months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.

TITLE IV

FINAL PROVISIONS

Article 42

Full harmonisation

1.Without prejudice to Article 6(3) and Article 34, insofar as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.

2.A Member State that uses any of the options referred to in Article 6(3) or Article 34, shall inform the Commission thereof and of any subsequent changes. The Commission shall make the information public on a website or other easily accessible means.

3.Member States shall ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law transposing this Directive except where explicitly provided for therein. However, payment service providers may decide to grant more favourable terms to payment service users.

Article 43

Review clause

1.The Commission shall, by [ OP please insert the date = 5 years after entry into force of this Directive], submit to the European Parliament, the Council, the ECB and the European Economic and Social Committee, a report on the application and impact of this Directive, and in particular on:

(a)the appropriateness of the scope of this Directive, in particular regarding the possibility of extending it to certain services, including the operation of payment systems and the provision of technical services including processing or the operating of digital wallets, which are not covered in the scope;

(b)the impact of the revision of Directive 2014/49/EU on the safeguarding of customer funds by payment institutions.

Where appropriate, the Commission shall submit a legislative proposal together with its report.

2.The Commission shall, by [ OP please insert the date= three years after the date of application of the PSR] submit to the European Parliament, the Council, the ECB and the European Economic and Social Committee, a report on the scope of this Directive, with regard in particular to payment systems, payment schemes and technical service providers. Where appropriate, the Commission shall submit a legislative proposal together with that report.

Article 44

Transitional provisions

1.Member States shall allow payment institutions that have been authorised pursuant to Article 11 of Directive (EU) 2015/2366 by [OP please insert the date = 18 months after the date of entry into force of this Directive] to continue to provide and execute the payment services for which they have been authorised, without having to having to seek authorisation in accordance with Article 3 of this Directive or to comply with the other provisions laid down or referred to in Title II of this Directive until [OP please insert the date = 24 months after the date of entry into force of this Directive].

Member States shall require such payment institutions as referred to in the first subparagraph to submit to the competent authorities all information that enables those competent authorities to assess, by [OP please insert the date = 24 months after the date of entry into force of this Directive], either of the following:

(a)whether those payment institutions comply with Title II and, where not, which measures need to be taken to ensure compliance;

(b)whether the authorisation should be withdrawn.

Payment institutions as referred to in the first subparagraph which upon verification by the competent authorities comply with Title II shall be authorised as payment institutions pursuant to Article 13 of this Directive and shall be entered in the registers referred to in Articles 17 and 18. Where those payment institutions do not comply with the requirements laid down in Title II by [OP please insert the date = 24 months after the date of entry into force of this Directive], they shall be prohibited from providing payment services.

2.Member States may provide for payment institutions as referred to in paragraph 1 to be authorised automatically and be entered in the register referred to in Articles 17 if the competent authorities have evidence that those payment institutions already comply with Articles 3 and 13. The competent authorities shall inform the payment institutions concerned of such automatic authorisation before the authorisation is granted.

3.Member States shall allow natural or legal persons who benefited from an exemption pursuant to Article 32 of Directive (EU) 2015/2366 by [OP please insert the date = 18 months after the date of entry into force of this Directive], and provided payment services as referred to in Annex I to that Directive, to do any of the following:

(a)to continue to provide those services within the Member State concerned until [OP please insert the date = 24 months after the date of entry into force of this Directive];

(b)to obtain an exemption pursuant to Article 34 of this Directive or,

(c)to comply with the other provisions laid down or referred to in Title II of this Directive.

Any person as referred to in the first subparagraph who has not, by [OP please insert the date = 18 months after the date of entry into force of this Directive], been authorised or exempted under this Directive shall be prohibited from providing payment services.

4.Member States may grant natural and legal persons who benefited from an exemption pursuant to Article 32 of Directive (EU) 2015/2366 an exemption pursuant to Article 34 of this Directive and enter those persons in the registers referred to in Articles 17 and 18 of this Directive where the competent authorities have evidence that the requirements laid down in Article 34 of this Directive are complied with. The competent authorities shall inform the payment institutions concerned thereof.

Article 45

Transitional provision – electronic money institutions authorised under Directive 2009/110/EC

1.Member States shall allow electronic money institutions which were defined in Article 2, point 1, of Directive 2009/110/EC that have taken up, before [OP please insert the date = 18 months after the date of entry into force of this Directive], activities in accordance with national law transposing Directive 2009/110/EC as electronic money institutions in the Member State in which their head office is located in accordance with national law transposing Directive 2009/110/EC, to continue those activities in that Member State or in another Member State without having to seek authorisation in accordance with Article 3 of this Directive or to comply with the other provisions laid down or referred to in Title II of this Directive.

2.Member States shall require the electronic money institutions referred in paragraph 1 to submit to the competent authorities all information that those competent authorities need to assess, by [OP please insert the date = 24 months after the date of entry into force of this Directive], whether those electronic money institutions comply with this Directive. Where such assessment reveals that those electronic money institutions do not comply with those requirements, the competent authorities shall decide which measures need to be taken to ensure such compliance, or to withdraw the authorisation.

Electronic money institutions as referred to in the first subparagraph which upon verification by the competent authorities comply with Title II shall be authorised as payment institutions pursuant to Article 13 of this Directive, shall be entered in the registers referred to in Articles 17 and 18. Where those electronic money institutions do not comply with the requirements laid down in Title II by [OP please insert the date = 24 months after the date of entry into force of this Directive], they shall be prohibited from providing electronic money services.

3.Member States may allow electronic money institutions as referred to in paragraph 1 to be authorised automatically as payment institutions and entered in the register referred to in Article 17 where the competent authorities have evidence that the electronic money institutions concerned comply with this Directive. The competent authorities shall inform the electronic money institutions concerned thereof before such automatic authorisation is granted.

4.Member States shall allow legal persons that have taken up, before [OP please insert the date = 18 months after the date of entry into force of this Directive], activities in accordance with national law transposing Article 9 of Directive 2009/110/EC, to continue those activities within the Member State concerned in accordance with that Directive until [OP please insert the date = 24 months after the date of entry into force of this Directive], without being required to seek authorisation under Article 3 of this Directive or to comply with the other provisions laid down or referred to in Title II of this Directive. Electronic money institutions as referred to in paragraph 1 which, during that period, have been neither authorised nor exempted within the meaning of Article 34 of this Directive, shall be prohibited from providing electronic money services.

Article 46

Amendments to Directive 98/26/EC

Article 2 of Directive 98/26/EC is amended as follows:

(1)    point (b) is replaced by the following:

 ‘(b) ‘institution’ shall mean any of the following:

— a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council* ;

— an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council**), excluding the institutions set out in Article 2(1) thereof ,

— public authorities and publicly guaranteed undertakings,

— any undertaking whose head office is outside the Union and whose functions correspond to those of the Union credit institutions or investment firms [as defined in the first and second indent] ,

which participates in a system and which is responsible for discharging the financial obligations arising from transfer orders within that system ;

— a payment institution as defined in Article 2, point (4), of Directive XXX [PSD3], with the exception of payment institutions benefitting from an exemption pursuant to Articles 34, 36 and 38 of that Directive,

which participates in a system whose business consists of the execution of transfer orders as defined in point (i), first indent, and which is responsible for discharging the financial obligations arising from such transfer orders within that system.

If a system is supervised in accordance with national legislation and only executes transfer orders as defined in point (i), second indent, as well as payments resulting from such orders, a Member State may decide that undertakings which participate in such a system and which have responsibility for discharging the financial obligations arising from transfer orders within this system, can be considered institutions, provided that at least three participants of that system are covered by the categories referred to in the first subparagraph and that such a decision is warranted on grounds of systemic risk; ’;

(2)    point (f) is replaced by the following:

‘(f)    “participant” shall mean an institution, a central counterparty, a settlement agent, a clearing house, a payment system operator or a clearing member of a CCP authorised pursuant to Article 17 of Regulation (EU) No 648/2012.

According to the rules of the system, the same participant may act as a central counterparty, a settlement agent or a clearing house or carry out part or all of those tasks.

A Member State may, for the purposes of this Directive, consider an indirect participant to be a participant where that is justified on the grounds of systemic risk, which shall, however, not limit the responsibility of the participant through which the indirect participant passes transfer orders to the system;’.

Article 47
Amendment to Directive (EU) 2020/1828

In Annex I to Directive (EU) 2020/1828, the following point is added:

‘(68) Regulation (EU) 20../…. of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (OJ L[…], [……….], [p. ..]).’

Article 48

Repeal

Directive (EU) 2015/2366 is repealed with effect from [ OP please insert the date= 18 months after entry into force of this Directive].

Directive 2009/110/EC is repealed with effect from [ OP please insert the date= 18 months after entry into force of this Directive].

All references made to Directive (EU) 2015/2366 and to Directive 2009/110/EC in legal acts that are in force at the time this Directive enters into force shall be construed as references to this Directive or Regulation XXX [PSR] and shall be read in accordance with the correlation table in Annex III to this Directive.

Article 49

Transposition

1.Member States shall adopt and publish, by [ OP please insert the date= 18 months after entry into force of this Directive] at the latest, and within [ OP please insert the date= 6 months after entry into force of this Directive] for Article 46, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall forthwith communicate to the Commission the text of those provisions.

2.They shall apply those measures from [ OP please insert the date= 18 months after entry into force of this Directive] and from [ OP please insert the date= 6 months after entry into force of this Directive] for Article 46.

When Member States adopt those measures, they shall contain a reference to this Directive or be accompanied by such reference on the occasion of their official publication. Member States shall determine how such reference is to be made.

3.Member States shall communicate to the Commission the text of the main measures of national law which they adopt in the field covered by this Directive.

Article 50

Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 51

Addresses

This Directive is addressed to the Member States.

Done at Brussels,

(1)    Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market.

(2)    Directive (EU) 2007/64 of 13 November 2007 on payment services in the internal market.

(3)    Regulation (EU) No 575/2013 on prudential requirements for credit institutions, Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions.

(4)    Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions.

(5)    COM (2020) 592 final, of 24 September 2020.

(6)    Regulation (EU) No 260/2012 of 14 March 2012.

(7)    COM(2022) 546 final.

(8)    Regulation (EU) 2021/1230 of 14 July 2021 on cross-border payments in the Union.

(9)    Regulation (EU) 2015/751 of 29 April 2015 on interchange fees for card-based payment transactions.

(10)    Directive 98/26/EC of 19 May 1998 on settlement finality in payment and securities settlement systems.

(11)    Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets. 

(12)    Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector.

(13)        COM (2020) 591 final of 24 September 2020.

(14)        COM (2021) 32 final of 19 January 2021.

(15)    Regulation (EU) 2016/679 of 27 April 2016. See also below, under “fundamental rights”.

(16)    Directive 2009/110/EC of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of E-Money Institutions.

(17)    Such as prudential rules for banks or rules on securities markets.

(18)    SWD 2023/231 final. 

(19)     https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13331-Payment-services-review-of-EU-rules/public-consultation_en  

(20)     https://finance.ec.europa.eu/regulation-and-supervision/consultations/finance-2022-psd2-review_en  

(21)     https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13331-Payment-services-review-of-EU-rules_en  

(22)    EBA/Op/2022/06 of 23 June 2022.

(23)    Available at this link : https://data.europa.eu/doi/10.2874/996945 . Contract reference FISMA/2021/OP/0002.

(24)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

(25)    Directive (EU) 2019/879 of 20 May 2019 amending Directive 2014/59/EU as regards the loss-absorbing and recapitalisation capacity of credit institutions and investment firms and Directive 98/26/EC.

(26)    COM(2023)228 final.

(27)    OJ C , , p. .

(28)    OJ C , , p. .

(29)    Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

(30)    Communication of the Commission of 24 September 2020 to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Retail Payments Strategy for the EU COM/2020/592 final.

(31)    Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7).

(32)    Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.06.2023, p. 40).

(33)    Regulation (EU) 2015/751 of the European Parliament and of the Council of 29 April 2015 on interchange fees for card-based payment transactions (OJ L 123, 19.5.2015, p. 1).

(34)    Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ L 319, 5.12.2007, p. 1).

(35)    European Banking Authority, EBA/REP/2023/01, Peer Review Report on authorisation under PSD2.

(36)    Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).

(37)    Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

(38)    Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC.

(39)    Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).

(40)    Commission Delegated Regulation (EU) 2019/411 of 29 November 2018 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register within the field of payment services and on access to the information contained therein (OJ L 73, 15.3.2019, p. 84).

(41)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(42)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(43)    Commission Delegated Regulation (EU) 2017/2055 of 23 June 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for the cooperation and exchange of information between competent authorities relating to the exercise of the right of establishment and the freedom to provide services of payment institutions (OJ L 294, 11.11.2017, p. 1).

(44)    Commission Delegated Regulation (EU) 2021/1722 of 18 June 2021 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards specifying the framework for cooperation and the exchange of information between competent authorities of the home and the host Member States in the context of supervision of payment institutions and electronic money institutions exercising cross-border provision of payment services (OJ L 343, 28.9.2021, p. 1).

(45)    Commission Delegated Regulation (EU) 2020/1423 of 14 March 2019 on supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards on the criteria for appointing central contact points within the field of payment services and on the functions of those central contact points (OJ L 328, 9.10.2020, p. 1).

(46)    Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).

(47)    Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems (OJ L 166, 11.6.1998, p. 45).

(48)    Regulation (EU) 20../…. of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554.

(49)    Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).

(50)    COM(2023)228 final.

(51)    Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19).

(52)    Commission Delegated Regulation (EU) No 241/2014 of 7 January 2014 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for Own Funds requirements for institutions (OJ L 74, 14.3.2014, p. 8).

(53)    Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).

(54)    Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).

(55)    Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87).

(56)    Council Directive 86/635/EEC of 8 December 1986 on the annual accounts and consolidated accounts of banks and other financial institutions (OJ L 372, 31.12.1986, p. 1).

(57)    Regulation (EC) No 1606/2002 of the European Parliament and of the Council of 19 July 2002 on the application of international accounting standards (OJ L 243, 11.9.2002, p. 1).

(58)    Commission Implementing Regulation (EU) 2019/410 of 29 November 2018 laying down implementing technical standards with regard to the details and structure of the information to be notified, in the field of payment services, by competent authorities to the European Banking Authority pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council (OJ L 73, 15.3.2019, p. 20).

EUROPEAN COMMISSION

Brussels, 28.6.2023

COM(2023) 366 final

ANNEXES

to the

Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on payment services and electronic money services in the Internal Market amending Directive 98/26/EC, and repealing Directives 2015/2366/EU and 2009/110/EC

{SEC(2023) 256 final} - {SWD(2023) 231 final} - {SWD(2023) 232 final}

ANNEX I

PAYMENT SERVICES

(as referred to in point 3 of Article 2)

1.Services enabling cash to be placed on and/or withdrawn from a payment account.

2.Execution of payment transactions, including transfers of funds from and to a payment account, including where the funds are covered by a credit line with the user´s payment service provider or with another payment service provider.