PSD 2 Guidelines and implementing texts

On 14 March 2019, the CSSF issued two circulars relating to aspects of  PSD2¹  addressed in two sets of guidelines of the European Banking Authority (“EBA”), with which the CSSF commits to comply and which are annexed to these circulars:

• Circular 19/712 relates to guidelines EBA/GL/2018/05, which provide details on statistical data on fraud related to different means of payment that payment service providers have to report to their competent authorities as well as on the aggregated data that competent authorities have to share with the EBA and the European Central Bank as provided by Article 105-2 (3) of the Law of 10 November 2009 on payment services, as amended (“Law”). It will be applicable as of 1 January 2020.
• Circular 19/713 encompasses EBA guidelines EBA/GL/2017/17 on the security measures for operational and security risks of payment services as set out in Article 105-1 (2) of the Law. It became applicable with immediate effect. These guidelines provide details with regard to (i) the annual auditing requirements as regards the security measures taken, and (ii) the annual reporting requirements regarding the assessment of major operational and security risks.

In addition, on 15 March 2019, two regulations of the European Commission were published relating to the practical implementation of the PSD2 requirement imposing on EBA to develop, operate and maintain an electronic central register containing information on payment service providers in the EU Member States:

• Commission Implementing Regulation (EU) 2019/410 lays down implementing technical standards with regard to the details and structure of the information to be notified by competent authorities to EBA; and
• Commission Delegated Regulation (EU) 2019/411  sets out technical requirements on the development, operation and maintenance of the electronic central register and on access to the information contained therein.

These regulations entered into force on 4 April 2019.