Changes are being proposed to European payments law that will affect service providers who send payments data from retailers to financial institutions. This post explains how they may be affected, and what they may be able to do about it.
Most retailers rely an external service provider to send their payments data to a financial institution for processing. Sometimes the financial institution itself handles the data transfer as part of its acquiring service. But often a third party agrees to do that on the retailer's behalf, particularly for online payments. The financial institutions call such service providers "third party gateways" because the institution typically has no contract with them and it's up to the retailer to ensure the data gets to the financial institution. From a regulatory standpoint, the gateway provider doesn't handle any funds, so they are currently also exempt from payments regulation as 'technical service providers'.
But under proposals for a new Payment Services Directive (PSD2), such service providers will only be exempt if they contract with financial institutions (e.g. merchant acquirers), rather than retailers or other payment service users. That may help the financial institutions control the quality of the data that flows their way, but it does undermine the ability for large retailers to control transaction processing.
In addition, “acquiring of payment transactions” will be regulated where the service provider contracts with the retailer to accept and process payment transactions, and this 'results' in a transfer of funds to the retailer. Not only is this aimed at certain merchant acquirers and bill payment operators who believe they are outside the scope of the current PSD, but it could also catch third party gateways, since it appears that the service provider does not have to be the one actually transferring the funds.
It is also possible that the activities of technical service providers may fall within the scope of other regulated activities, particularly 'payment initiation services', 'account information' services, or perhaps even 'issuing payment instruments' (see my longer article for the SCL).
However, technical service providers may find that it isn't commercially feasible to remain exempt. In that case, the options are to either get authorised as an e-money institution or payment institution (or perhaps a registered as a small EMI or PI), or operate as an agent of someone who else or is.
Whether or not they are exempt, however, anyone providing technical services will need to be familiar with the proposed new security requirements, and the related standards that will eventually be issued by the European Banking Authority (see my longer article for the SCL).