The law transposing PSD 2 is finally here. What is specific for Romania?

On November 13, 2019, Law no. 209/2019, the law that transposes PSD 2,* was published in the Official Gazette of Romania. This legislation which comes after the commencement of an EC late transposition procedure, has been much anticipated by local Fintechs, and will become effective on December 13, 2019. From that date, Romanian third party providers (TPPs) will be able to register with the National Bank of Romania and payment service providers have 60 days to ensure conformity of their on-going contracts with titles III and IV of the new law (which refer to transparency requirements, rights and obligations in relation to payment services).

Secondary legislation (National Bank of Romania regulation) required for the full application of PSD 2 was also published and is effective as of 19 December 2019.

Law no. 209/2019 mainly reflects the provisions of PSD 2 and creates an environment for open payment services in Romania. We highlight briefly below the key changes to the existing national payments framework as well as some Romania-specific provisions.

1. Scope and exemptions; Impact on value cards

As opposed to prior legislation, and in line with PSD 2, Law no. 209/2019 extends its scope to cover the so-called one-leg transactions – i.e., payment transactions in all currencies where only one of the payment service providers is located within a member state, for those parts of the transaction which are conducted in a member state.

On the same note, the scope of the exemptions has been reduced. For example, the commercial agent exemption will apply to commercial agents when their involvement is on behalf of only the payer or only of the payee, and not when acting in the interests of both parties as was previously possible.

Also, the limited network exemption was worded in a more precise manner making it more difficult to use loose language as a loophole to escape the law’s payment service obligations. As to Romania specific provisions, additional conditions were added that may impact retailer-issued value cards. On the bright side, the law includes some explicit examples of exempted products such as store cards, fuel cards, membership cards, public transport cards, parking ticketing and meal vouchers.

Importantly, even in cases when the limited network exception applies, if at any time the total value of payment transactions in the preceding 12 months exceeds one million EUR, the National Bank of Romania must be consulted as to whether the exception will continue to apply.

2. New players on the payment services market

As regards the activities of TPPs, Law no. 209/2019 transposes PSD 2 without significant deviations. Three types of regulated TPPs are introduced:

• PISP – a payment service provider that initiates a payment order at the request of a payment service user with respect to a payment account held at another payment service provider. In practical terms, PISPs can simplify transactions by cutting out as many intermediaries as possible in the payment authorization process and are an alternative to traditional debit or credit cards. For example, in e-commerce transactions a PISP would directly initiate a bank transfer from the account of the payer to the account of the merchant.
• AISP – a payment service provider that provides consolidated information about one or more payment accounts held by a payment service user with either another payment service provider or with more than one payment service provider. In other words, AISPs are information aggregators that provide consolidated information about one or more accounts held by their users with one or more different banks.
• CBPII – a payment service provider issuing card-based payment instruments. The functionality of a CBPII is to issue card-based payment instruments in order to execute payment transactions from an account held by the payment service user to a bank (which is not managed by that CBPII).

3. The distribution of liability when PISPs process transactions

In line with PSD 2, in the case of non-executed or defective transactions initiated by a PISP, Law no. 209/2019 provides that the bank has the responsibility to make refunds to the payment service user. The bank then can seek compensation from the PISP if damages are attributable to it.

Law no. 209/2019 does not offer any supplementary guidance in terms of liability or dispute resolution between TPPs and banks. This could prove problematic in practice as, in the almost unavoidable scenario of litigation, the Romanian courts will have limited knowledge on the technical aspects that converge with the rules of liability. To help mitigate these risks and uncertainties, TPPs and banks could enter into detailed liability regimes among themselves. The question of establishment and allocation of liability will remain a key concern as market practice is established over time.

4. Strong Customer Authentication

In line with PSD 2, and with the aim of providing better payment transaction security, Law no. 209/2019 requires strong customer authentication (SCA) which entails using two or more of the following elements categorized as:

• knowledge (something only the user knows), such as a password, PIN, knowledge-based challenge question, passphrase or memorized swiping path.
• possession (something only the user possesses), such as a possession of devices evidenced by a one-time password (OTP) generated by, or received on, a device (hardware or software token generator, SMS OTP) or cards evidenced by a card reader;
• inherence (something the user is), such as fingerprint scanning, voice recognition, retina and iris scanning and even keystroke dynamics or the angle at which the device is held.

5. Difficulties implementing strong customer authentication in e-commerce transactions

The European Banking Authority (EBA), which supervises SCA at the EU level, has recognized the technical difficulties in implementing SCA solutions for e-commerce card-based payment transactions and allowed payment service providers to prepare migration plans that have to be implemented by 31 December 2020. Nevertheless, the EBA stressed that during this period, payment service providers will remain liable for unauthorized transactions when SCA has not been properly applied.

In line with EBA’s indications, the National Bank of Romania is expected to collaborate with the relevant stakeholders in order to supervise and achieve implementation of the migrations plans by the proposed deadline.

*The Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

Article by Reff & Associates - member of Deloitte Legal.

Key provisions of the National Bank of Romania Regulation 4/2019 on payment institutions and account information service providers

For the impact of PSD2 on online shopping, please click here (available in Romanian only)

Legea care transpune PSD 2 este ?n sfar?it aici. Ce este specific pentru Romania?

?n data de 13 noiembrie 2019, Legea nr. 209/2019 care transpune PSD 2* a fost publicat? ?n Monitorul Oficial al Romaniei. Aceast? reglementare, care vine dup? ce Comisia European? a ?nceput o procedur? de infringement pentru transpunere ?ntarziat?, a fost ?ndelung a?teptat? de fintech-urile locale ?i va intra ?n vigoare ?n data de 13 decembrie 2019. ?ncepand cu aceast? dat? prestatorii de servicii ter?i romani (TPP) vor putea ?ncepe procesul de ?nregistrare la Banca Na?ional? a Romaniei ?i prestatorii de servicii de plat? vor avea 60 de zile pentru a asigura conformitatea contractelor aflate ?n derulare cu dispozi?iile titlurilor III ?i IV din noua lege (care vizeaz? cerin?e de transparen??, drepturi ?i obliga?ii legate de serviciile de plat?).

Legisla?ia secundar? necesar? pentru aplicarea ?n totalitate a PSD 2 a fost de asemenea aprobat? de Banca Na?ional? a Romaniei, si produce efecte de la data de 19 decembrie 2019.

Legea nr. 209/2019 reflect? ?n principal prevederile din PSD 2 ?i creeaz? ?n Romania un mediu de servicii de plat? deschise. Prezent?m mai jos pe scurt principalele modific?ri aduse de Legea nr. 209/2019 cadrului na?ional de pl??i existent, dar ?i o serie de reglement?ri specifice Romaniei.

1. Domeniul de aplicare ?i excep?iile. Impactul asupra cardurilor de valoare emise de comercian?i

Spre deosebire de legisla?ia anterioar? ?i ?n linie cu PSD 2, Legea nr. 209/2019, ??i extinde domeniul de aplicare pentru a include ?i tranzac?iile ?one-leg” – i.e. opera?iunile de plat? ?n toate monedele ?n situa?ia ?n care doar unul dintre prestatorii de servicii de plat? este situat ?ntr-un stat membru, ?n ceea ce prive?te p?r?ile din opera?iunea de plat? care sunt efectuate ?ntr-un stat membru.

?n aceea?i linie, domeniul de aplicare al excep?iilor a fost redus. De exemplu, excep?ia agentului comercial se va aplica acelor agen?i comerciali implica?i ?ntr-o tranzac?ie care ac?ioneaz? doar pe seama pl?titorului sau doar pe seama beneficiarului pl??ii ?i nu ?n interesul ambelor p?r?i a?a cum era posibil anterior.

?n plus, excep?ia re?elei limitate a fost formulat? de o manier? mai precis? astfel ?ncat s? descurajeze ?ncerc?rile de a profita de un limbaj imprecis ?i astfel s? se eludeze obliga?iile impuse de legisla?ia serviciilor de plat?. Legiuitorul roman a mers mai departe ?n ceea ce prive?te excep?ia re?elei limitate ?i a prev?zut condi?ii suplimentare care ar putea avea impact asupra cardurilor de valoare emise de vanz?tori. Din fericire, legea include o serie de exemple de produse exceptate, cum ar fi cardurile emise de un comerciant, cardurile de combustibil, cardurile de membru, cardurile pentru transportul public, tichetele de parcare sau tichetele de mas?.

Este important de men?ionat c? ?i ?n acele cazuri ?n care excep?ia re?elei limitate se aplic?, dac? valoarea total? a opera?iunilor de plat? ?n ultimele 12 luni a dep??it un milion de euro, opinia B?ncii Na?ionale a Romaniei trebuie solicitat? cu privire la aplicarea ?n continuare a excep?iei.

2. Noi juc?tori pe pia?a serviciilor de plat?

?n ceea ce prive?te activitatea TPP-urilor, Legea nr. 209/2019 respect? liniile directoare ale PSD 2 cu minime diferen?e. Trei tipuri de TPP-uri sunt reglementate:

• PISP - prestator de servicii de plat? care ini?iaz? a unui ordin de plat? la cererea utilizatorului serviciilor de plat? cu privire la un cont de pl??i de?inut la un alt prestator de servicii de plat?. 

Din punct de vedere practic, PISP-urile pot simplifica tranzac?iile prin eliminarea cat mai multor intermediari ?n procesul de autorizare a pl??ilor ?i astfel s? devin? o alternativ? pentru tradi?ionalele carduri de debit sau de credit. De exemplu, ?n cazul tranzac?iilor de tip comer? electronic, un PISP poate ini?ia direct un transfer bancar din contul pl?titorului ?n cel al comerciantului.

• AISP - prestator de servicii de plat? care furnizeaz? informa?ii consolidate ?n leg?tur? cu unul sau mai multe conturi de pl??i de?inute de utilizatorul serviciilor de plat? la alt prestator de servicii de plat? sau la mai mul?i prestatori de servicii de plat?. Cu alte cuvinte, AISP-urile sunt agregatori de informa?ie care furnizeaz? date consolidate cu privire la unu sau mai multe conturi de?inute de utilizatori la una sau mai multe b?nci diferite.
• CBPII - prestator de servicii de plat? care emite instrumente de plat? bazate pe card. Scopul CBPII-urilor este s? emit? instrumente de plat? pe baz? de card pentru a executa opera?iuni de plat? dintr-un cont de?inut de utilizatorul serviciilor de plat? la o banc? (cont care nu este administrat de CBPII).

3. ?mp?r?irea r?spunderii atunci cand PISP-urile proceseaz? tranzac?ii

Urmand registrul impus de PSD 2, Legea nr. 209/2019 prevede c? ?n cazul opera?iunilor de plat? ini?iate de un PISP care sunt neexecutate sau incorect executate, banca este cea care desp?gube?te utilizatorul serviciilor de plat?. Ulterior, banca poate fi compensat? de c?tre PISP ?n cazul ?n care acesta este responsabil de prejudiciu.

Legea nr. 209/2019 nu ofer? clarific?ri suplimentare cu privire la r?spundere sau solu?ionarea disputelor ?ntre TPP-uri ?i b?nci. Acest lucru ar putea pune probleme ?n practic? din moment ce, ?n cazul aproape de neevitat al unui litigiu, instan?ele romane vor avea o experien?? redus? ?n ceea ce prive?te ?ntrep?trunderea aspectelor tehnice cu cele de r?spundere. Pentru a minimiza aceste riscuri ?i incertitudini, TPP-urile ?i b?ncile pot recurge la ?n?elegeri contractuale ?n care s? detalieze regimul r?spunderii. Cu toate acestea, subiectul stabilirii ?i ?mp?r?irii r?spunderii va r?mane de actualitate pe m?sur? ce practica pie?ei se va cristaliza.

4. Autentificarea strict? a clien?ilor

?n concordan?? cu PSD 2 ?i cu scopul de a asigura o mai bun? securitate a opera?iunilor de plat?, Legea nr. 209/2019 introduce autentificarea strict? a clien?ilor (SCA) care presupune utilizarea a dou? sau mai multe elemente care sunt incluse ?n categoria:

• cuno?tin?elor (ceva ce doar utilizatorul cunoa?te) cum ar fi parol?, PIN, ?ntreb?ri bazate pe cuno?tin?e, fraze de acces sau modele de swiping path.
• posesiei (ceva ce doar utilizatorul posed?) cum ar fi dispozitive eviden?iate de o parol? de unic? folosin?? (OTP) generat? de sau primit? pe un dispozitiv (generator token de tip hardware sau software, SMS OTP) sau carduri eviden?iate de un cititor de carduri;
• ineren?ei (ceva ce utilizatorul este) cum ar fi scanarea amprentei, recunoa?tere vocal?, scanarea retinei sau a irisului ?i chiar dinamica tast?rii sau unghiul ?n care dispozitivul este ?inut.

5. Dificult??i ?n implementarea autentific?rii stricte a clien?ilor ?n comer?ul electronic 

Autoritatea Bancar? European? (EBA), autoritatea care supervizeaz? implementarea SCA la nivelul Uniunii Europene, a recunoscut dificult??ile tehnice cu privire la implementarea unei solu?ii SCA pentru tranzac?iile cu cardul din comer?ul electronic ?i le-a permis prestatorilor de servicii de plat? s? preg?teasc? planuri de migrare care ar trebui implementate pan? la 31 decembrie 2020. Cu toate acestea, EBA a dorit s? men?ioneze c? pe parcursul acestei perioade, prestatorii de servicii de plat? vor r?spunde ?n continuare pentru tranzac?iile neautorizate ?n cazul ?n care SCA nu este aplicat? ?n mod corespunz?tor.

?n baza indica?iilor EBA, este de a?teptat ca Banca Na?ional? a Romaniei s? colaboreze cu toate p?r?ile interesate pentru a superviza ?i a ob?ine implementarea planurilor de migrare pan? la termenul propus.

*Directiva 2015/2366 a Parlamentului European ?i a Consiliului privind serviciile de plat? ?n cadrul pie?ei interne, de modificare a Directivelor 2002/65/CE, 2009/110/CE ?i 2013/36/UE ?i a Regulamentului (UE) nr. 1093/2010, ?i de abrogare a Directivei 2007/64/CE

Articol pregatit de Reff & Associates - member of Deloitte Legal.

Prevederi cheie ale Regulamentului BNR nr. 4/2019 privind institu?iile de plat? ?i furnizorii specializa?i ?n servicii de informare cu privire la conturi,

Pentru impactul PSD2 asupra comertului online gasiti informatii aici.