Implementation of PSD2 Directive in Poland
The new Act of 10 May 2018 amending the act on payment services and some other acts, which entered into force on 20 June 2018, implements the provisions of EU Directive No. 2015/2366 of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC, 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (also known as the PSD2 Directive). The Directive aims to create a legal framework under which payment services can be provided not only by traditional banks but also by third parties, the so-called TPPs (Third Party Payment Service Providers).
New types of payment services
First of all, the Directive regulates the provision of two new types of payment services by market entities: 1) Payment Initiation Service and 2) Account Information Service, which allow TPPs to independently exercise rights that were previously reserved for banks. By also applying additional requirements to TPPs, although not as strict as those imposed on banks, the Directive provides better protection for customers and, at the same time, increases trust in entities from the FinTech market.
Requirements regarding the activity of Third Party Payment Service Providers
Following the EU Directive, the Polish Act introduces, among others, the following requirements for the activity of TPPs:
1) strong customer authentication, i.e. at least two-stage transaction confirmation (e.g. by logging into the payment system and confirming the payment via an SMS code). If a transaction is made in violation of this principle, the provider will be obliged to return to the payer the amount of the non-executed or improperly executed payment transaction. The burden of proving that the payment transaction has been duly authenticated lies with the provider of the transaction initiation service,
2) an obligation to respond to users' complaints within 15 business days of their receipt. In particularly complex cases, this period may be extended to 35 working days. Compliance with this obligation will be supervised by the Polish Financial Supervision Authority (KNF),
3) risk mitigation measures and control mechanisms adopted by the payment service provider to manage operational risk and the risk of security breaches in the provision of payment services. To meet these requirements, providers are required to maintain an effective incident management procedure and to perform ongoing assessment and updating of the procedures for managing operational risk and security breach risk, as well as of the risk mitigation measures and controls.
Accordingly, each year, by 31 January of the following year (and for the first time by 31 January 2019 for 2018), the provider is obliged to provide the KNF or other competent supervisory authority with annual information on the assessment and update of the above procedures and of the means and mechanisms of control. The provider must also provide information on any serious operational incident or security incident, and must do so immediately.