Associate Domantas Gudonis
The President of the Republic of Lithuania has signed the amended Law on Payments, the Law on Payment Institutions and the new Law on Electronic Money and Electronic Money Institutions (Amended Laws) which will come into force on 1 August 2018. Part of the provisions of the amended Law on Payments will take effect from 2019. The Amended Laws are supposed to transpose changes introduced by the Second Payment Services Directive (PSD 2) into Lithuanian law.
The PSD 2 has replaced the hitherto effective PSD 1 (on the basis of which the currently valid Law on Payments and the Law on Payment Institutions have been implemented) and has been adopted by the European Commission mainly to increase security of the payments market and safety of the payment service users, to promote competition on the payments market and to adapt the legislation to the changed habits and needs of the payment service users.
The amended and restated Law on Payments will regulate two services (which are not new in practice but have not been regulated until now), namely (i) payment initiation services (PIS) and (ii) account information services (AIS). Each payment initiation service provider (PISP) will be able to initiate a payment order from an account at another payment service provider on behalf of the customer, while the account information services provider (AISP) will be able to provide information about the customer’s payment account (or multiple accounts) opened in another credit institution (or several institutions).
The new regulation will allow the customers to use third party providers (FinTech) to access their bank account information and to manage their finances, having at the same time their money/information safely kept on their bank account.
Therefore, the new Law on Payments is supposed to set authorisation requirements for the payment service providers who intend to seek a licence to provide PIS or AIS. It is important to note, however, that lower authorisation criteria will be applicable to PISPs and AISPs seeking to provide only such kind of services when compared to any other payment service providers though on the other hand, they will be allowed to provide only payment initiation or account information services without the possibility of providing any other payment services (a limited licence). Each payment service provider intending to provide only AIS will be required to have its authorized capital of at least EUR 50 000.
Open Banking appears to be one of the most debated topics in the banking and finance market today because it creates possibilities for the so-called “third party providers” (categorised as PISPs and AISPs) to receive access to data of the payment service user’s payment account(s) maintained by the account servicing payment service provider (ASPSP) subject to such user’s explicit consent (XS2A Rule). ASPSPs (i.e. banks) will be required to provide access to their clients’ data to third party providers even in the absence of contractual relationship between the bank handling the client's accounts and PISP or AISP.
Communication between these payment service providers will be implemented via an application programming interface (API). Security requirements for API implementation are set out in the Regulatory Technical Standards of the European Banking Authority (EBA). ASPSP will be obligated to open their APIs to third party providers (FinTech) before 14 September 2019.
Third party providers will be able to offer new value added services in the payments market on the basis of the banks infrastructure. It is expected that Open Banking will encourage competition in the payments market, especially as regards prevalence of the biggest Scandinavian banks on the Lithuanian market.
Information and payment operations performance requirements will be applicable not only in the Member States for payments made in their currencies but also for payments in non-EU currencies and payments where only one of the payment service providers is located in the EU while the other is located outside the EU (“one-leg transactions”).
In addition to the above, the new Law on Payments will clarify the following exemptions:
According to the new Law on Payments, payment institutions (PIs) and electronic money institutions (EMIs) will have the right to apply to a credit institution for opening a payment account and to make use of direct payment system participant services. The aforementioned services will be provided relying on the principles of objectivity, non-discrimination and proportionality. In the event of the credit institution’s refusal to open a payment account for PI or EMI, the credit institution will notify the Bank of Lithuania to that effect.
The new Law on Payments stipulates that when a payment service user (i) accesses his/her/its payment account online, or (ii) initiates an electronic payment transaction, or (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuse, that action needs to be subject to strong customer authentication (SCA), sometimes also referred to as “two-factor authentication”. SCA means that two of the following factors should be present to authenticate the user: something only the user knows (e.g. a password or a PIN) and/or something only the user has (e.g. a card reader, secure key generator or mobile phone) and/or something only the user is (e.g. fingerprint, face or other biometric recognition).
When initiating a remote payment transaction, SCA procedure will have to ensure the dynamic linking of the payment transaction with the amount of the transaction and the payee. Payment service providers rendering remote services will be required to implement technical solutions and have appropriate security measures that will help to protect the confidentiality and integrity of personalized security data, identify unusual payment transactions and manage incidental and fraudulent transactions. In order to ensure these measures, the European Commission has published regulatory technical standards and implementing technical standards under PSD2 that respectively set for the requirements to be transposed to national legislation for payment service providers who will be required to apply them.
The amended Law on Payments introduces some of the exemptions to the principle of SCA. These exemptions are based on the following criteria: (a) the level of risk involved in the service provided; (b) the amount, the recurrence of the transaction, or both; (c) the payment channel used for the execution of the transaction.
Payments service providers will be required to apply SCA from 14 September 2019.
The new Law on Payments provides that “In the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider”.
In addition, the new Law on Payments provides that “Where the incident has or may have an impact on the ﬁnancial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident”.
The essential conditions for licensing remains the same. However, PIs and EMIs will be required to submit additional documents to the Bank of Lithuania in order to obtain a license. Payment institutions seeking a license will have to prepare a description of their security policy, business continuity arrangements, procedures for monitoring of security incidents and security related complaints of clients, procedures for filling, monitoring, tracking of sensitive payment data and restriction of access thereto, etc.
As mentioned above, lower capital requirements for PISPs and AISPs will be applicable in order to obtain such license though on the other hand, the aforementioned service providers will be obligated to have professional civil liability insurance coverage or any other equivalent security for their liability (e.g. a guarantee).
To reduce uncertainty for PIs and EMIs, a transitional period for licensing under the Amended Laws will be introduced.
In order to reduce the burden of legal regulation, payment institutions and electronic money institutions will no longer be obligated to set up a supervisory council or a board. According to the Amended Laws, only the manager position will remain mandatory, while the supervisory council and the board will become optional.
The Amended Laws will introduce new monetary sanctions. A monetary fine of up to EUR 50 000 will be imposed on individuals, while a fine of up to 10 % of total annual revenue might be imposed on legal entities.
Apart from that, the Amended Laws introduce the right of the Bank of Lithuania to impose a fine of up to EUR 100 000 on a legal entity when it is impossible/difficult to determine the total annual revenue of such legal entity or when the total annual revenue of the legal entity is less than EUR 1 000 000. The purpose of such supervisory authority’s right is to prevent wrongful or unlawful activities by legal entities where their financial statements have not been prepared or the legal entity has just recently been incorporated and has not received any income or where fictitious revenues have been indicated.
The Bank of Lithuania has also been given the right to suspend rights of shareholders of PIs/EMIs on a temporary basis in case of non-compliance by them with the applicable legal requirements.
Associate Domantas Gudonis