Malta Payment Services Directive 2: this article provides an overview of the key changes introduced by PSD 2 and their likely impact on Malta.
While Malta’s emergence as a financial services domicile of repute has been very well documented, most press attention has focused on the rapid growth of the jurisdiction as a domicile for funds and more recently fund managers. Less well documented has been the jurisdiction’s contemporaneous and highly encouraging growth as a European hub for financial services technology (FinTech) companies. The FinTech umbrella is a broad one and encompasses a variety of market players that are deploying disruptive new technologies in order to compete with established market players such as retail banks and insurance companies. Malta now plays host to a growing number of market players in this rapidly evolving industry which includes peer-to-peer lenders, crowdfunders, virtual currency operators and online securities intermediaries. However, the FinTech sector that has established itself most prominently in the jurisdiction is the payment services sector, which comprises businesses such as payment account providers, card acquirers and other businesses that seek in one way or another to make the payment process faster, cheaper and better.
In this context it is useful to look at the incoming second Payment Services Directive (“PSD 2” or the “Directive”) and to assess the impact that it is likely to have on this young but burgeoning part of the Maltese financial services ecosystem.
Malta Payment Services Directive 2: Background and context
PSD 2 succeeds PSD 1, which was intended to enhance efficiency, competition and innovation in the European payments sector by introducing a harmonized rulebook governing primarily electronic means of payments. PSD 1 is widely regarded as having achieved an important measure of success and PSD 2 is intended in some sense to ‘finish the job’. In its foreword to PSD 2 (first proposed by the Commission in 2013) the Commission recognizes that while there had been significant and rapid innovation in the sector a certain level of fragmentation remained, admitting that ‘the latest developments in these markets have also highlighted certain gaps in the current legal framework’. PSD 2 seeks to plug these gaps.
Following a period of negotiation, a final compromise text was agreed as a result of trilogue on the 5th of May 2015, following which the draft compromise text was released on the 2nd of June 2015. A European Parliament plenary vote is expected to take place in October 2015.
Some of the key changes introduced by PSD 2 are addressed below. This publication assumes that the approved text will be substantially identical to the text agreed in trilogue.
Malta Payment Services Directive 2: Overview and Summary of Key Changes
Wider Scope
PSD 2 is wider in scope than PSD 1. First of all it creates two new regulated payment services, namely ‘payment initiation services’ and ‘account information services’ (see below). PSD 2 also changes the definition of ‘payment transaction’ from:
an act, initiated by the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee
to
means an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee;
This extends its application to payment transactions initiated on the payer's behalf.
Much of PSD 2 Title III (transparency & information requirements) and PSD 2 Title IV (rights & obligations) will also apply to:
- Transactions in any currency, if both the payer's PSP and the payee's PSP, or the sole PSP, are located in the Union; and
- Payment transactions where only one of the PSPs is in the EU, in respect of those parts of the payments transaction which are carried out in the EU (these arrangements are sometimes referred to as "one leg out" transactions).
This again significantly expands the scope of the Directive.
Payment Initiation Services
Article 58 of PSD 2 will require the EU Member States to ensure that payers have the right to use a payment initiation service provider (PISP) to obtain payment initiation services.
Article 58 reinforces this rule by requiring account servicing PSPs to:
- securely communicate with payment initiation service providers in accordance with Article 87a, paragraph 1(d);
- immediately after the receipt of the payment order from a payment initiation service provider provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
- treat payment orders transmitted through the services of a payment initiation service provider without any discrimination for other than objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer himself.
One potential challenge worth noting here is the reference to ‘objective reasons’ in Article 58(2)(c), a term which is not defined.
Account Information Services
Article 59 of PSD 2 requires the EU Member States to make sure that payment service users have the right to use payment account information services.
In this context, PSD 2 requires the account information service provider:
- to provide services only based on the payment service user's explicit consent;
- to ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised credentials, accessible to other parties and that, when they are transmitted by the account information service provider, this is done through safe and efficient channels;
- to identify itself, for each communication session, towards the account servicing PSP of the payment service user and to securely communicate with the account servicing PSP and the payment service user, in accordance with Article 87a, paragraph 1(d);
- to access only the information from designated payment accounts and associated payment transactions;
- not to request sensitive payment data linked to the payment accounts;
- not to use, access and store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.
PSD 2 requires the account servicing PSP to:
- securely communicate with the AISP, in accordance with Article 87a, paragraph 1(d); and
- treat data requests transmitted through the services of an AISP without any discrimination for other than objective reasons.
Note, however, that "an account servicing PSP may deny access to the payment account for an AISP or a PISP for objectively justified and duly evidenced reasons related to unauthorised or fraudulent access to the payment account". In such cases the account servicing PSP must inform the payer of the denial and the reasons for it. The account servicing PSP must allow access to the payment account once the reasons for denying access no longer exist. Again the term ‘objective reasons’ is undefined.
Customer Authentication
Under article 87 of PSD 2, the EU Member States will be obliged to ensure that PSPs apply ‘strong customer authentication’ when the payer:
- Accesses his payment account on-line
- Initiates an electronic remote payment transaction
- Carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses
Strong customer authentication is defined as follows:
- "an authentication based on the prompt use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)…that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data"
Member States must also ensure that PSPs:
- Meet specific security requirements to "protect the confidentiality and integrity of payment service users' personalised security credentials"; and
- (Where a payer initiates an electronic remote payment transaction) adopt "strong customer authentication that shall include elements dynamically linking the transaction to a specific amount and a specific payee".
The European Banking Authority is expected to develop draft regulatory technical standards within 12 months of the entry into force of the Directive, addressing the following matters:
- the requirements of the strong customer authentication procedure;
- the exemptions to the application of strong customer authentication;
- the requirements that technical security measures have to comply with to protect the confidentiality and the integrity of the payment service users' personalised security credentials; and
- common and secure requirements for communication for the purpose of authentication, notification and information, as well as for implementation of security measures between the various stakeholders
Lost or stolen payment instruments, unauthorised payment transactions and liability issues
Articles 61 to 66 of PSD 2 establish the obligations of payment service users and PSPs in relation to payment instruments. Users of payment instruments are required to use the payment instrument in accordance with its terms, which must be objective, non-discriminatory and proportionate. Users are also required to notify the PSP on becoming aware of loss, theft or misappropriation of the payment instrument or of its unauthorised use. A PSP issuing a payment instrument is required to ensure that appropriate means are available at all times to enable the payment service user to make such a notification, to enable the payer to make such notification free of charge and to charge, if at all, only replacement costs directly attributed to the payment instrument.
PSD 2 will continue to require the PSP to provide rectification to the payment service user if the payment service user "notifies the PSP without undue delay on becoming aware of any unauthorised or incorrectly executed payment transactions giving rise to a claim". However, it will also require that the credit value date for the payer's payment account be no later than the debit date and that where a transaction is initiated through a PISP the account servicing PSP must refund immediately the amount of the unauthorised payment transaction before seeking compensation from the PISP if appropriate.
The payer may be obliged to pay up to a maximum of €50 (reduced from €150 under PSD 1) for losses relating to any unauthorised payment transactions resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.
Internal Dispute Resolution
PSD 2 introduces stricter requirements with respect to internal dispute resolution systems. More specifically, PSD 2 requires PSPs to:
- Put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users which shall be applied in every Member State where the PSP offers the payment services.
- Make every possible effort to reply to the payment service users' complaints addressing all points raised at the latest within 15 business days of receipt of the complaint (except in exceptional circumstances)
Impact of PSD 2 on Malta
It is clear that there is a certain tension in PSD 2. On the one hand, the Directive is intended to promote innovation and competition in the sector; on the other hand, the stiffening of various rules may introduce a certain level of friction in the payment experience that runs counter to the efforts being made towards streamlined and cost-effective solutions. That said, it is likely that the industry will benefit from further harmonization. Focusing on Malta, the increased regulatory cohesion is certainly a positive development; its various attractions as a hub for international business and proven track record in the financial services sector place it in an ideal position for new entrants to the payment services market looking for a platform for conducting business throughout an increasingly accessible and streamlined Europe.
Copyright © 2025 Chetcuti Cauchi. This document is for informational purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking any action based on the contents of this document. Chetcuti Cauchi disclaims any liability for actions taken based on the information provided. Reproduction of reasonable portions of the content is permitted for non-commercial purposes, provided proper attribution is given and the content is not altered or presented in a false light.









