Today, 18 February 2019, the Bulletin of Acts and Decrees announced that the Implementation Act for the revised Payment Services Directive (PSD2) and the implementation decree will enter into force in the Netherlands on 19 February 2019. This means that from 19 February it will be possible to submit the prescribed applications for licences, registrations and notifications to De Nederlandsche Bank (DNB).
So be aware: the licensing requirement for innovative payment services will be upon us in the very near future! Make sure you get a licence for your payment services as soon as possible (such as account information and payment initiation services). Otherwise you will miss out on some interesting opportunities in the payment market. So contact a PSD2 specialist at Dirkzwager to help you with the DNB licence application procedure.
Why has the Netherlands taken so long to implement the directive?
Concerns about privacy during the previous year postponed the implementation of PSD2 in the Netherlands.
On 14 June, Finance Minister Wopke Hoekstra notified the House of Representatives that the implementation of the PSD2 would be further delayed. The reason for the delay given by the minister was that, among other things, it is necessary to have better privacy safeguards under the directive.
The discussion revolved around the transposition of Article 94(2) of the revised directive. This article relates to data protection with regard to payment services. On the transposition of the directive, the Dutch legislator must allow the payment system and service providers to process personal data if it is necessary for preventing, investigating and detecting payment fraud. Payment service providers may only obtain access to the personal data required for the offering of their payment services, and process and store this data, with the express permission of the payment service user.
The Dutch transposition of this article is based on the Dutch Financial Supervision Act [Wet op het financieel toezicht], meaning (briefly) that DNB is charged with supervising the processing of personal data under PSD2. In a response to the minister on 20 December 2017, the Dutch Data Protection Authority (‘DPA’) indicated that this is contrary to the division of powers under the General Data Protection Regulation (GDPR). On the basis of the GDPR, the DPA is the appointed supervisory authority.
The DPA thus argued for a consistent application of the rules on data protection in the context of payment services. According to the DPA, in view of European harmonisation, the supervision should be allocated to them.
On 19 June 2018, the DNB and DPA agreed on how supervision should be regulated in Dutch law. The privacy supervision for PSD2 will be fully vested in the DPA. The original bill stipulated that the DNB would take responsibility for some aspects of the supervision.
Other PSD2 debates
The privacy issue was not the only discussion that took place. For instance, the following ‘issues’ also occurred:
- In the relationship between PSD2 and the GDPR, how is the sharing of payment details of third parties (who have not given explicit permission) dealt with? Read more on this from page 16 et seq. of Samenspraak (April 2018).
- When obtaining payment details, must payment services use protected environments or can they use ‘screen scraping’? On this issue, the European supervisory body stated that screen scraping is not permitted. Read more on this in the FD.