To be or not to be (a PIS), is that a question?
by Marcus Nasarek
in Recent
Hits: 1829

I had this kind of discussion several times: "We only send the payment order over to the bank and we don't touch credentials at all... it's like sending out an invoice and thus, we can't be seen as a payment initiation service." The question is: What exactly defines the process of "initiating" a payment? 

In the PSD2, you can find definitions of 'payment initiation service' - Art. 4 (15) - and the 'payment initiation service provider' - Art. 4 (18) - but despite the background explanations given in the recitals - which by itself make a third of the PSD's pages - there is no clear description of what exactly 'initiate' in the context of a payment means.

And I wouldn't expect that level of detail in the PSD2, though. One objective of the regulation is to be technologically neutral as recital (21) states: "The definition of payment services should be technologically neutral and should allow for the development of new types of payment services, while ensuring equivalent operating conditions for both existing and new payment service providers."

The PSD2 leaves it to the payment schemes to define the procedures and to assign actions to the roles and thus, applying the legal requirements to certain responsibilities. To understand the meaning of 'initiate', you have to look into the rulebooks. What do we know so far: a 'payment initiation service' is somehow linked to the activity of 'initiate a payment order', it has some interaction with the payment service user, it acts on a payment account and it connects to another payment service provider.  

This is definitely a bit more than just throwing an invoice into a letter-box. It also makes clear, that it heavily depends on the scheme rules: what is a payment order? how is the payment service user involved? what functionalities are related to the payment account? and finally, does the service connect to another payment service provider, and how? This indicates that the comparison with a simple invoice is misleading: An invoice - even an electronic representation - is sent directly to the payment service user and is probably some step before making it a payment order.

But still, how does an invoice become an initiated payment at the end? We definitely need some hint on procedures and here the definition in Art. 4 (14) helps: a 'payment instrument'  "means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order;". One set of procedures mentioned here is a SEPA Credit Transfers. This is usually the procedure agreed between banks and their customers to make a bank payment within SEPA. So, let's have a look into the SEPA Credit Transfer Rulebook v1.1. This rulebook defines the procedures for a payment based on credit transfer for SEPA.

In Section 3.1 the rulebook defines the actors and one of them is the Originator. In the context of PSD2 it's the Payment Service User. This guy is the "...customer who initiates directly or indirectly the credit transfer by providing the Originator Bank with an instruction. […]“. Here the definitions match: someone provides the PSP with a payment order and no matter of the direct or indirect communication with the PSP, this action is defined as payment initiation (for SEPA credit transfers) - see figure below. This can be different for other schemes, but there is a clear description of actions, roles and procedural rules in the SCT scheme rules.

What changes if someone else submits the payment order and does not touch the PSU's credentials? Well, there is no much difference. The SEPA CT definition is explicitly considering this - by mentioning 'directly or indirectly' and even refers to PSD2 - and thus, defines indirect provision of payment orders still as a payment initiation. The figure below shows what happens if a payment initiation service enters the stage.

The credentials are part of the payment authorization process and can be either (A) sent out-of-band to the customer or (B) passed through the PIS. No matter how the authorization is done, the provision of the payment order followed by execution is defined as a payment initiation and the party handing over the payment instruction is the Originator or the Payment Initiation Service Provider. It's that easy.

Against that background, I can't follow the general arguments of the UK Financial Conduct Authority. In the policy statement 17/10 "Implementation of the revised Payment Service Directive (PSD2): Approach Document and final Handbook changes." they answer the question "When might we be providing a payment initiation service?" with "...In our view, the provider of a service that transmits a payer’s card details, along with a payment order, to the payer’s payment service provider, but does not come into possession of personalised security credentials, is not carrying out a payment initiation service." Indeed, this can be true for other schemes, but not for a SEPA Credit Transfer.

One last point: Certainly, not all parties involved in some services between the customer and the bank providing technical infrastructures to transfer a payment order are by that definition a PIS - may it be the software provider of the browser, the operation system or the network stack technologies. There has to be an active role in creating the payment order or to be in the position to change it. The regulation looks on it from a risk and responsibility perspective. Thus, if the party transforms a (1) request of a payer and (2) data from a payee into (3) a payment order for a SEPA credit transfer (4) submitted to the bank and (5) in relation to the payer's account, that clearly does serve a payment initiation task.

As a disclamer: I'm not a lawyer. Over the recent years, I worked on PSD2 and SEPA payments in different positions and I wrote this article to discuss this specific point from an implementation point of view. I'm happy to see how others respond and if the debate helps to apply the right approach. The policy statement of the FCA might be misleading if applied to different schemes without looking into to procedural details.