The European Commission's (EC's) payment services directive (PSD2) has been passing through the review and legislative process since it was first proposed in July 2013. The directive is expected to be approved by the European Parliament in September 2015 and EU countries will then have to implement it into national legislation by the end of 2017.

However, some key aspects of the directive are still causing some discussion in the market. In a blog published on its website yesterday, the European Payments Council (EPC) has clarified its position with regards to two of the key aspects of the agreed PSD2 proposal:

• the unconditional refund right for direct debits and
• the authentication of the bank customer.

Unconditional refund right for direct debits

While the PSD2 should be aligned with the goals of Sepa, the EC believes that the PSD2 could undermine consumer rights for direct debit refunds, as set out by the SEPA Direct Debit (SDD) Core Rulebook.

The SDD grants consumers a ‘no–questions-asked’ refund right during the eight weeks following the debiting of a consumer’s account. However, in article 67(1) of the proposal for PSD2, there is a clause that says that the consumer has a right to a refund “Except where the payee has already fulfilled the contractual obligations and the services have already been received or the goods have already been consumed...”

The EPC has now amended the text to ensure that consumers making SDD payments can continue to rely on the ‘no-questions-asked’ refund right which is vital for the operation of the SDD Core Scheme.

Authentication

Another key question in PSD2 centres on the authentication of the bank customer. Under Article 87 of PSD2, EU member states will be obliged to ensure that payment service providers (PSPs) apply strong customer authentication when the payer accesses their online account, makes a payment or carries out any other action that may expose them to payment fraud.

However, certain ambiguities remain, for example regarding the sharing of the personalised security credentials of the payment service user. The EPC strongly advises against allowing third-party PSPs to use customer's personal security credentials to get access to a customer’s account, and reiterates that personalised security credentials should not be shared with third parties.

For more details about these two issues, read the EPC blog here.