Introduction

Luxembourg has finally implemented the EU Payment Services Directive (PSD 2) through the Law of 20 July 2018. As the PSD 2 is a full harmonisation directive,(1) most of Luxembourg's PSD 2 provisions are identical to the legal framework implemented across the European Union. Nonetheless, EU member states were given scope to decide on certain topics and the Grand Duchy seized the opportunity to define its own rules. The regulator has also adapted its procedures in view of the new framework.

This article explores the local implementation of PSD 2 and, in particular, the implementation of the open banking rules by local stakeholders.

Grand Duchy's implementation of PSD 2

The Law of 20 July 2018 amended the Law of 10 November 2009 on payment services (LPS) to implement, among other things, the following changes introduced by the PSD 2:

  • 'One leg' transactions – the LPS's geographic scope has been extended to include transactions where the payment service provider (PSP) is situated in Luxembourg and the other PSP is situated in a third country;(2)
  • Open banking – the LPS's material scope has been extended to cover new services and stakeholders (ie, account information services providers(3) and payment initiation service providers(4)); and
  • Strong customer authentication – strong customer authentication has been introduced as a general rule for electronic payment transactions (including access to online banking).(5)

Local deviation – right of establishment and freedom to provide services In addition to the provisions which had to be implemented, the legislature was free to deliberate on certain topics, such as the supervision of payment institutions exercising their right of establishment and freedom to provide services. Under Articles 29(2) and (4) of the PSD 2, EU member states can strengthen the obligations applicable to such institutions.

The Luxembourg legislature seized this opportunity. As such, Luxembourg's financial sector regulator (the CSSF) can require payment institutions and electronic payment institutions(6) with agents or branches in Luxembourg to report periodically on the activities which they carry out in Luxembourg.(7) Further, payment institutions and electronic payment institutions(8) which operate in Luxembourg through agents and have a head office in another EU member state will appoint a central contact point in the Grand Duchy to ensure adequate communication and information reporting.(9)

Penalties The EU legislature has left it to EU member states to determine the penalties which will apply to parties that infringe the national laws which transpose the PSD 2.(10) In Luxembourg, a distinction has been made between payment institutions and e-money institutions on the one hand and all other institutions subject to the LPS and the Law of 5 April 1993 on the financial sector, as amended (LFS), on the other. The former are subject to the penalties set out in the LPS, whereas the latter are subject to the penalties set out in the LFS.

In both cases, the CSSF has injunction and suspension powers(11) and may, among other things, impose administrative penalties. Where the administrative penalty decided on is a fine, its amount will vary according to the type of institution responsible for the infringement:

  • payment and e-money institutions are subject to administrative fines of up to €12,500; and
  • all other institutions are subject to administrative fines of up to €250,000.(12)

Further, certain breaches of the LPS – irrespective of the type of institution that commits them – are subject to criminal penalties of up to €125,000 and five years' imprisonment.(13)

Local regulator's implementation of PSD 2

As Brexit is at the forefront of everyone's mind, the Grand Duchy reaffirmed its position as a destination of choice for PSPs. In this context, the CSSF once again demonstrated its proactiveness and did not wait for the legislature to take the first steps to implement the PSD 2.

By way of Circulars 18/677(14) and 18/681,(15) the CSSF adopted two European Banking Authority (EBA) guidelines which complemented the PSD 2 in January 2018. In addition, the CSSF updated the various application forms and notification templates for PSPs and introduced an application form for account information services providers to register their sole activity.(16)

These application forms must be used in the following scenarios, for which the administrative procedure will differ:

  • If a company performs only account information services, its file will be reviewed and registered by the CSSF (it will also be registered in the EBA register).
  • If a company performs payment initiation services, it must apply for a payment institution licence. The CSSF will review the file, but the Ministry of Finance will grant the licence.(17)
  • If a company carries out both activities or a PSP wishes to carry out one of these activities, it must apply for a payment institution licence. As in the previous case, the CSSF will review the file, but the Ministry of Finance will grant the licence.(18)

Local stakeholder's implementation of open banking rules

'Open banking' means that banks must grant third-party providers access to information or operations that were previously part of the bank's monopoly and will be a major regulatory and technological challenge for many banks. Luxembourg market players are adapting to the new environment and developing solutions, including as follows:

  • Several tech companies have seized this legal opportunity to develop products and services that will help their clients to comply with the PSD 2's requirements. Four Luxembourg retail banks have also created an external dedicated interface provider which has a Europe-wide perspective.
  • Many banks will adapt to their new competition by becoming account information services providers or payment initiation service providers, which will enable them to offer clients a complete overview of their various accounts or sell financial products that were not commercialised outside the client's circle.
  • The Luxembourg's Bankers' Association, which represents the majority of financial institutions and regulated financial intermediaries in Luxembourg, has been proactive in anticipating the upcoming changes. For example, it has provided input on EBA working papers, organised events and working groups to address the issues encountered by professionals and has been supporting its members in the transition phase.(19)

What's next?

Following the implementation of the LPS, a technical framework is now being established. The European Commission has established regulatory technical standards for strong customer authentication and common and secure open standards of communication,(20) which will apply from 14 September 2019 (except the sandbox availability provisions, which will apply from 14 March 2019). Meanwhile, the EBA has provided substantial guidance on the practical implementation of the PSD 2 and the European Commission's regulatory technical standards via several guidelines and the Single Rulebook Q&A.

For further information on this topic please contact Josée Weydert, Vincent Wellens, Jad Nader or Anne Sophie Morvan at NautaDutilh Avocats Luxembourg by telephone (+352 26 12 29 1) or email ([email protected], [email protected], [email protected] or [email protected]). The NautaDutilh Avocats Luxembourg website can be accessed at www.nautadutilh.com.

Endnotes

(1) Article 107 of the PSD 2.

(2) Article 2 (1quater) of the LPS.

(3) Article 81-3 of the LPS.

(4) Article 81-2 of the LPS.

(5) Articles 1(2bis) and 105-3 of the LPS.

(6) In accordance with Article 111 of the PSD 2, which amended Article 3(1) of the EU E-Money Directive 2009/110/EC.

(7) Article 34(6bis) of the LPS.

(8) In accordance with Article 111 of the PSD 2, which amended Article 3(1) of EU E-Money Directive 2009/110/EC.

(9) Article 34(9) of the LPS.

(10) Article 103 of the PSD 2.

(11) Article 38 of the LPS and Article 59 of the LFS.

(12) Article 46 of the LPS and Article 63 of the LFS.

(13) Article 47 of the LPS.

(14) CSSF Circular 18/677 (Orientations de l'Autorité bancaire européenne sur les informations à fournir pour l'agrément d'établissements de paiement et d'établissements de monnaie électronique et pour l'enregistrement de prestataires de services d'information sur les comptes au titre de l'article 5, paragraphe 5, de la directive (UE) 2015/23661 (EBA/GL/2017/09)).

(15) CSSF Circular 18/681 (Adoption des orientations de l'Autorité bancaire européenne sur les critères à utiliser pour déterminer le montant minimal de l'assurance de responsabilité civile professionnelle ou d'une autre garantie comparable au titre de l'article 5, paragraphe 4, de la directive (UE) 2015/23661 (EBA/GL/2017/08)).

(16) Article 48-1bis of the LPS.

(17) Article 7-1 of the LPS.

(18) Article 7-1 of the LPS.

(19) Further information is available here.

(20) EU Regulation 2018/389 of 27 November 2017 supplementing the PSD 2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.