Over recent years we have witnessed a continuous increase in cashless and online payments, dynamic development of technologies in the financial sector and new entrants in the market. In this regard, initiatives have been taken at both European and national level aiming to improve the legal framework in the area of payment services with a focus on payment security, ensuring a level playing field for market participants and improving customers’ awareness.
Common and Secure Open Standards of Communication
In accordance with the provisions of Chapter 5 of Commission Delegated Regulation (EU) 2018/389, account servicing payment service providers that offer to a payer a payment account that is accessible online must have in place at least one interface which enables the providers of the two new payment services to identify themselves towards the account servicing payment service provider, as well as to communicate with it securely and in a secure environment.
In order to fulfil this obligation, Delegated Regulation (EU) 2018/389 provides two options: by enabling the providers of the new types of services to communicate with the account servicing payment service providers through the interfaces, intended for payment services users (e.g. internet banking of the respective bank) or by establishing a dedicated interface (so-called application programming interface – API). Where an account servicing payment service provider chooses to use a dedicated interface allowing access (API), it should provide a fallback mechanism that will allow the providers of the new types of services to use the customer interface of the relevant account servicing payment service provider in case of problems with the dedicated interface.
The Regulation provides the possibility for the competent authorities responsible for implementing Directive (EU) 2015/2366, such as the Bulgarian National Bank (BNB), to exempt an account servicing payment service provider from the obligation to set up and run such a fallback mechanism on its dedicated interface (API) if the conditions of the Regulation, relating to availability and service level, publication of data, performance of stress-tests, design and testing facility of the interface, its wide usage, as well as problem resolution, are complied with.
In the interest of clarity regarding interpretation of the conditions for exemption, the European Banking Authority (EBA) has adopted Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33 (6) of Commission Delegated Regulation (EU) 2018/389, which the BNB will follow.
According to the requirements of Commission Delegated Regulation (EU) 2018/389, in deciding to grant a particular account servicing payment service provider an exemption from the obligation to set up a contingency mechanism, the respective competent authority (e.g. BNB) shall consult EBA in order to ensure that the conditions are consistently applied. Due to the expected significant number of applications for exemption from the contingency mechanism, a simplified procedure for consulting EBA is envisaged until the end of 2019.
The Bulgarian National Bank has established a procedure for prompt handling and examination of applications for exemption. This will enable the account servicing payment service providers which comply with the requirements of the Regulation to be exempted from the obligation prior to the entry into force of the requirement for providing a fallback mechanism on 14 September, 2019.
Strong Customer Authentication
According to the provisions of Commission Delegated Regulation (EU) 2018/389, by 14 September, 2019 the payment service providers in the country must fully implement the requirements for strong customer authentication in respect of all electronic payment transactions. The focus is on the use of at least two independent authentication elements from different categories. Each of the two elements should belong to one of the categories of knowledge (e.g. static password), possession (an OTP sent by SMS or generated by a token device) or inherence (e.g. fingerprint scanning). Commission Delegated Regulation (EU) 2018/389 exhaustively stipulates the cases in which payment service providers are allowed not to apply strong customer authentication.
Where a payment service provider wishes to benefit from any of the exemptions, it will have to notify BNB in advance, indicating the particular payment service to be exempted. In addition, in cases pursuant to Article 17 of Regulation (EU) 2018/389 regarding corporate payment processes and protocols, a payment service provider will have to submit to the BNB an audit report performed by auditors with expertise in IT security and payments. The audit report should certify that those processes or payment protocols guarantee at least equivalent levels of security to those provided for strong customer authentication as per Article 100 of the Law on Payment Services and Payment Systems. The provider must notify the BNB of any change in the application of exemptions from strong customer authentication. In addition to these requirements, payment service providers applying the exemptions should perform the monitoring, as stated in Article 21 of Commission Delegated Regulation (EU) 2018/389, and make the results available to BNB upon request.
Charges on Cross-border Payments in Euro and Currency Conversion Charges
Regulation (EU) 2019/518 introduces the requirement for payment service providers in non-euro area Member States to levy equal charges for cross-border payments in euro and for corresponding national payments of the same value in the national currency of the respective Member State. Such a legal requirement has existed so far only with respect to equal charges for national and cross-border payments in euro. The requirement for equal charges will become mandatory for payment service providers as of 15 December, 2019.
In addition to the requirement for equal charges, the new Regulation envisages requirements with respect to currency conversion charges related to card payments and electronic credit transfers which are expected to increase transparency and to ensure comparability in cases where a payment service user is faced with a choice between currency conversion alternatives. According to the requirements concerning currency conversion charges related to card payments, payment service providers and the parties providing currency conversion services at an automated teller machine (ATM) or at the point of sale shall provide information prior to the initiation of the payment transaction for the total currency conversion charges expressed as a percentage mark-up over the latest available euro foreign exchange reference rates issued by the European Central Bank. In addition, the payer must also be provided, prior to the initiation of the payment transaction, with information about the amount to be paid to the payee in both the currency used by the payee and in the currency of the payer’s account. With regard to the requirements for currency conversion charges related to electronic credit transfers, payment service providers will be obliged to inform the payer prior to the initiation of the payment transaction about the expected currency conversion charges applied to the credit transfer, the expected amount of the credit transfer in the currency of the payer’s account, as well as about the expected amount which will be transferred to the payee in the currency used by the payee. Payment service providers will have to apply these requirements as of 19 April 2020.
With regard to Regulation (EU) 2019/518, Regulation (EU) 2018/389 and the Corrigendum of Directive (EU) 2015/2366, amendments to the Law on Payment Services and Payment Systems have been prepared which are due to be adopted by the end of 2019.