Royal Decree 19/2018, on payment services and other urgent measures for the financial sector, was published on 24 November. This implements, among others*, EU Directive 2015/2366 on payment services, known as PSD2 (Payment Service Providers).

The regulation, the draft of which we discussed in Progreso 14, adapts existing regulations to new technology, providing greater security and reliability for consumers of new payment services.

Payment services

Defined as business activity that enables cash to be paid and withdrawn from a payment account together with all the transactions that may be needed to manage it, fund transfers, execution of payment transactions when the funds are covered by a line of credit and money orders. A new feature of the law is the widening of the scope of regulation to include two new payment services that drive innovation:

• Payment initiation services: These allow a payment order to be initiated on the service user's request, in the case of an account that is open with another payment service provider. In other words, these services allow the payment initiation service provider to give the beneficiary of the payment order the certainty that the payment order has been activated.
• Account information services: these enable payment service users to have a complete and instant view of their financial situation, providing them with online aggregate information about the payment accounts of which they are the title owners.

User protection

The law increases protection of payment service users' rights, enables transactions to be carried out more securely and provides access to a growing offering of innovative services, to which end:

• It cuts to fifteen working days the maximum response time acceptable for resolving complaints made by payment service users.
• It raises the service levels required of payment service providers: in the case of fraudulent payments the user's liability threshold is EUR 50, except in cases of negligence.
• It cuts from EUR 150 to EUR 50 the upper threshold of the payer's liability for losses resulting from unauthorized payment transactions deriving from the use of a lost or stolen payment instrument.
• It makes the identification process of clients for online access more rigorous.
• It submits the activities regulated under this law to Spanish and EU legislation on data protection, data processing and transfer.
• It contains a set of penalties that may be applied to payment institutions.

Transparency for the user

The law regulates the arrangements for transparency insofar as they have a bearing on the conditions and information requirements applicable to payment services, respecting in turn the principle of contract freedom when the payment service user is neither a consumer nor a micro-enterprise. The payment service provider must give the user all the information and conditions about the payment service provision free of charge and in an easily accessible format; but may set charges for further communication.

Operating and security risks

The legislation has a chapter on regulating the management of operating and security risks. So, it requires payment service providers to set a framework with control mechanisms for managing operating and security risks associated with their provision of payment services. In addition, they will have to give the Bank of Spain regular assessments of operating and security risks associated with their provision of payment services and an evaluation of whether the palliative measures are fit for purpose. They will also have to notify the Bank of Spain immediately in the case of any serious operating or security incident.

Adaptation to the Securities Market Law

This Royal Decree adapts domestic regulations to several pieces of EU legislation that improve the legal certainty of market operators and their working efficiency.  These include Regulation 596/2014 on market abuse, Regulation 2016/1011 on benchmark indexes, and Regulation 2015/2365 on the transparency of transactions to finance and reuse securities; the provisions necessary to grant the National Securities Market Commission (CNMV) the authority to supervise, inspect and impose sanctions have been added to the Securities Market Act, laying out the breaches and the penalties applicable.

It also contains a channel in the Bank of Spain for whistleblowers to report on credit institutions’ liquidity and increases the information-sharing obligations incumbent on the CNMV and the Bank of Spain to improve cooperation and coordination between the various EU authorities involved in these issues.