1. What's changed?
On 30 July 2018, a new transposition law was published in the Belgian State Gazette: the law of 19 July 2018 amending and implementing certain provisions relating to payment services in several books of the Belgian economic law code.
The law entered into force on 9 August 2018 and implements the conduct of business rules of PSD II1. PSD II is a European Union directive creating a harmonized framework for payment services, repealing the original PSD2. The reform was deemed necessary by the European legislator in light of recent technological changes and the emergence of new types of payment services and payment service providers. PSD II introduces significant changes for payment service providers and payment service users.
The transposition law mainly amends Book VII of Belgium's economic law code, which deals with payment services and credit services. By amending the code of economic law, the private law aspects or PSD II's conduct of business rules have now been implemented as well. The prudential provisions, which regulate the public law aspects of PSD II, such as licensing requirements, were implemented earlier this year in a separate law of 11 March 20183.
2. What does it mean?
Broader scope of application
The scope of application of the conduct of business rules has been significantly broadened, both territorially and materially.
Previously, the conduct of business rules only applied to payment transactions executed in an EEA currency. In addition, the payment service providers of both the payer and the payee needed to be located in the EEA ("both legs in"). From now on, payment transactions carried out in the EEA in a non-EEA currency and transactions whereby only one payment service provider is located in the EEA ("one leg in") will be in scope as well, apart from a few rules that will not apply to such transactions.
For example, a payment made from Belgium to the Netherlands in American dollars will be regulated under the new rules, which would not have been the case previously. Moreover, if there is an unauthorized card transaction in the United States, the payment card of a Belgian cardholder will need to be blocked in accordance with the relevant Belgian rules.
Two new payment services are brought in scope as well: payment initiation services and account information services, both commonly referred to as "third-party payment services" or "TPPs". Payment initiation services allow a connection to be established between the merchant's website and the customer's internet banking platform. These services provide comfort to a payee that a payment has been initiated, and provide an incentive to the payee to release the goods or to deliver the service without undue delay. Account information services provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers, which can be accessed via online interfaces. The payment service user thus has an overview of their financial situation at any given moment, for example through an application on their mobile phone.
Importantly, the introduction of these new services requires account servicing payment service providers to grant TPPs (limited) access to the customer's payment or bank accounts. The customer must explicitly consent to such access, however.
Strong customer authentication
Payment service providers will have to apply strong customer authentication when a customer accesses its payment accounts online, initiates an electronic payment or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse.
Strong customer authentication is an authentication based on the use of two or more of the following elements:
- knowledge: something only the user knows, such as a PIN code
- possession: something only the user possesses, such as a payment card or card reader
- inherence: something the user is, such as a fingerprint or facial recognition
These elements are to be used to identify and confirm the user's consent for a transaction. When a payment service provider does not require strong client authentication of a payer, the payer will not be accountable for financial losses in case of an unauthorized transaction, except in the case of fraud.
Strong customer authentication may not be required for certain low-risk payments, such as contactless payments at the point of sale, payments at a highway toll booth or payments between a customer's own bank accounts held at the same bank.
The legal requirements in relation to strong customer authentication will only have to be applied as of 14 September 2019, as they are subject to further implementation through so-called regulatory technical standards of the European Banking Authority.
Prohibition on surcharge
Merchants are prohibited to charge the payer for any costs related to the use of a payment instrument, regardless of the type of payment instrument. This includes debit card transactions with, for example, Bancontact, Maestro or V-Pay, and credit card transactions with, for example, Mastercard, Visa, American Express or Diners Club. Accordingly, it will no longer be possible to pass on the costs of debit card and credit card transactions to the consumer for both in-store and online purchases.
Liability for unauthorized transactions
Under the new rules, the payment service user will only be liable for unauthorized payment transactions resulting from the use of a lost or stolen payment instrument for a maximum amount of EUR 50, compared to EUR 150 under the old rules. No losses shall be borne by the payment service user as of the moment they reported the loss or theft of their payment instrument. However, the payer will bear all losses in the case of fraud or if they acted intentionally or with gross negligence.
The payment service provider will also have to bear the losses in the case of the user's gross negligence where the payment service provider did not require strong customer authentication when executing the contested payment transaction.
When an unauthorized payment transaction takes places through a TPP, the payer shall also be able to obtain financial rectification from their account servicing payment service provider. This is to avoid the payer falling prey to different professional payment service providers trying to shift responsibility to one another.
Belgium did not make use of the Member State option to treat micro-enterprises the same way as consumers, meaning that the corporate opt-out possibility for certain business of conduct rules can be used for micro-enterprises as well. Belgium did not make use of this option under PSD either.
The blocking of payment instruments will need to be provided free of charge and needs to be accessible 24/7. This means that the telephone number that the cardholder can call to block their card cannot be more costly than a regular phone call. This service is currently provided by Card Stop in Belgium.
The digital or telecom exemption, which already existed under PSD, has been slightly amended so that payments made through telecom operators for the purchase of digital services such as music and digital newspapers are exempted from scope when they fall below the threshold of EUR 50 per transaction and EUR 300 per billing month.
The information obligations under PSD II have largely remained unchanged. The main change in this regard is that payment initiation service providers and payment account information providers are now also subject to these obligations.
Under the new rules, the payment service provider will have to keep a register of all payment transactions for a period of 10 years, while this used to be only five years. This is to ensure consistency with Belgian anti-money laundering rules, which prescribe a document retention period of 10 years.
Payment service providers must respond to clients' complaints within 15 working days under the new rules, while this used to be 30 working days.
New rules have also been introduced with respect to the practice of "pre-authorization", whereby funds on a payer's payment account are temporarily blocked. This is used, for example, in gas stations or hotels as a means of security. From now on, funds may only be blocked if the payer consents to the exact amount of the funds to be blocked. The funds must be released without undue delay after receipt of the information about the exact amount of the payment transaction and at the latest immediately after receipt of the payment order.
The new rules entered into force on 9 August 2018, but payment service providers have been granted a four months period as of the entry into force in order to adapt their contractual documentation to the new rules.
3. Want to read more?
For more information on the changes introduced in Belgium with respect to the implementation of PSD II's conduct of business rules, you may wish to consult the text of the law directly by clicking here or the text of the preparatory works to the law by clicking here.
1 Directive 2015/2366 of the European Parliament and the Council of 25 November 2015 on payment services on the internal market ("PSD II").
2 Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market ("PSD I").
3 The law of 11 March 2018 on the legal status and supervision of payment institutions and electronic money institutions, the access to the undertaking of payment service provider and to the activity of issuing electronic money, and the access to payment systems.
This was first published in Lexology.com.