On 17 October 2019 the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) announced that it would not object if German-domiciled payment service providers (“PSPs”) execute card payments on the internet without strong customer authentication (“SCA”) – as required by the EU Payment Services Directive (EU) 2015/2366 (“PSD2”) and the SCA Regulatory Technical Standards, Delegated Regulation (EU) 2018/389 (“SCA RTS”) – until 31 December 2020.
BaFin’s announcement gives PSPs time to implement the measures required to fulfil the SCA requirements, but it raises questions about the consequences of non-compliance and about what objections National Competent Authorities (“NCAs”) might raise in the future. We assess the position under German law.
The negative consequences under PSD2 and SCA RTS where SCA is not applied
PSD2 contains detailed provisions on liability for unauthorised transactions where SCA has not been applied, but leaves the specification of administrative penalties – as is usually the case in Directives – to the Member States.
PSD2 requires PSPs to apply SCA (Art. 97). If SCA is not applied, the payer bears the loss from an unauthorised transaction only if the payer has acted fraudulently (Art. 74). Instead, PSD2 allocates the risk of such transactions, in the first instance, to the payer’s PSP, which has to offer SCA measures; the risk then shifts to the payee’s PSP, or even to the payee itself, if they do not accept the SCA measures provided by the payer’s PSP (Art. 74). Germany has transposed these requirements into national law.
European Directives usually leave Member States a degree of discretion over which specific penalties they apply in order to ensure the application and enforcement of the national rules transposing the directive. This also applies to PSD2: the Directive requires Member States to lay down rules on penalties applicable to infringements of the national law transposing PSD2 and to take all necessary measures to ensure that they are implemented (Art. 103). Such penalties must be effective, proportionate and dissuasive (Art. 103). However, PSD2 itself does not specify such penalties. Likewise, the SCA RTS do not provide for any penalties where PSPs do not apply SCA.
Penalties against PSPs domiciled in Germany
So, what penalties – or other adverse administrative consequences – might BaFin apply to PSPs that do not apply SCA? Under German law, the penalties are mainly set out in the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, “ZAG”) for PSPs without a full banking licence and in the Banking Act (Kreditwesengesetz, “KWG”) for PSPs that hold a full banking licence.
If a PSP does not apply SCA, this constitutes a breach of § 54 ZAG, which applies to PSPs with or without a full banking licence. However, neither the ZAG nor the KWG provides for a specific penalty fee where a PSP does not apply SCA. This is surprising, as the SCA requirement for payment transactions is a key element of PSD2.
This does not mean that PSPs may refrain from applying SCA. PSPs must have appropriate corporate governance measures, control mechanisms and procedures in place to ensure that they fulfil their obligations (§ 27 (1) ZAG, § 25a (1) KWG). BaFin might take the view that a PSP that does not apply SCA does not have appropriate procedures in place to ensure that it fulfils its obligations, and is therefore in breach of § 27 (1) ZAG or § 25a (1) KWG respectively. If BaFin finds that a PSP does not apply SCA and assesses that it therefore lacks appropriate measures to comply with the applicable provisions, it may issue an administrative order requiring the PSP to apply SCA in the future. In the event of such a finding, however, BaFin is unlikely to impose a penalty fee on the PSP immediately; it would rather order the PSP to change its SCA measures.
BaFin’s administrative orders generally have immediate effect (§ 9 ZAG, § 49 KWG). German law allows BaFin to impose a penalty fee on a PSP that breaches an effective administrative order. BaFin could therefore issue an administrative order requiring a PSP to apply SCA. If the PSP subsequently fails to apply SCA and to comply with that order, BaFin can impose a penalty fee on the PSP. For a PSP without a full banking licence, the penalty fee can be up to EUR 100,000 (§ 64 (3) No. 5 ZAG); for a PSP with a full banking licence, the penalty can be up to EUR 5,000,000 (§ 56 (2) No. 3f KWG).
At this stage, it is unclear whether BaFin will take this approach, as the rules on appropriate business organisation in the ZAG and KWG do not specifically refer to the SCA rules. However, if BaFin intends to impose penalty fees on PSPs, it is likely to base them on a lack of appropriate business organisational measures. BaFin can also revoke the licence of a PSP that does not have a full banking licence, as having appropriate organisational systems and processes in place is one of the requirements for obtaining and keeping the licence to provide payment services. If BaFin finds that a PSP does not have such measures in place, it may consider revoking the licence. However, this is likely to be a last-resort (ultima ratio) decision of BaFin.
If a PSP holds a full banking licence, it does not need to apply for an additional licence for payment services (and BaFin consequently cannot revoke such a separate licence). However, BaFin might likewise consider such a PSP not to have appropriate business organisational measures in place if it does not apply SCA, and could, as ultima ratio, revoke the PSP’s banking licence.