25 Amendments of Paul TANG related to 2023/0210(COD)
Amendment 91
Proposal for a regulation
Recital 10
(10) To further improve access to cash, which is a priority of the Commission, merchants should be allowed to offer, in physical shops, cash provision services even in the absence of a purchase by a customer, without having to obtain a payment service provider authorisation or being an agent of a payment institution. Those cash provision services should, however, be subject to the obligation to disclose fees charged to the customer, if any. These services should be provided by retailers on a voluntary basis and should depend on the availability of cash at the retailer.
Amendment 102
Proposal for a regulation
Recital 40
(40) To maintain a high level of consumer protection, consumers should have the right to receive information on services' conditions and prices free of charge before being bound by any payment service contract. To enable consumers to compare the services and conditions offered by payment service providers and, in the case of a dispute, to verify their contractual rights and obligations, consumers should be able to request that information and the framework contract on paper, free of charge and at any time during the contractual relationship.
Amendment 113
Proposal for a regulation
Recital 66
(66) The review of Directive (EU) 2015/2366 has revealed that account information and payment initiation service providers are still exposed to many unjustified obstacles, despite the level of harmonisation achieved and of the prohibition on such obstacles imposed by Article 32(3) of Commission Delegated Regulation (EU) 2018/389 [47]. Those obstacles still significantly hamper the full potential of open banking in the Union. Those obstacles are regularly reported by account information and payment initiation service providers to supervisors, regulators and the Commission. They were analysed by the EBA in its June 2020 Opinion entitled “Opinion of the European Banking Authority on obstacles under Article 32(3) of the RTS on SCA and CSC”. Despite clarifications efforts made there is still a lot of uncertainty, in the market and with supervisors, as to what constitutes a ‘prohibited obstacle’ to regulated open banking services. It is therefore indispensable to provide a clear and non-exhaustive list of such prohibited open banking obstacles, relying in particular on the work carried out by the EBA.
__________________
[47] Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (OJ L 69, 13.3.2018, p. 23).
Amendment 120
Proposal for a regulation
Recital 79
(79) Consumers should be adequately protected in the context of certain fraudulent payment transactions that they have authorised without knowing these transactions were fraudulent. The number of ‘social engineering’ cases where consumers are misled into authorising a payment transaction to a fraudster has significantly increased in recent years. ‘Spoofing’ cases where fraudsters pretend to be employees of a customer's payment service provider and misuse the payment service provider's name, e-mail address or telephone number to gain the customers’ trust and trick them into carrying-out some actions, are unfortunately becoming more widespread in the Union. Those new types of ‘spoofing’ or 'impersonation' fraud are blurring the difference that existed in Directive (EU) 2015/2366 between authorised and unauthorised transactions. Means through which the permission may be assumed to be granted are also becoming more complex to identify, as fraudsters can take control of the whole permission and authentication process including of the strong customer authentication completion. The conditions under which the customer authorised a transaction by giving his or her permission to it should be taken into due consideration, including by courts, to qualify a transaction as being authorised or unauthorised. A transaction may indeed have been authorised in circumstances where such authorisation was granted on the basis of manipulation, affecting the integrity of the permission. It is therefore no longer possible, as was the case in Directive (EU) 2015/2366, to limit refunds to unauthorised transactions only. It would however be disproportionate and financially very costly to payment services providers to open every fraudulent transaction, authorised or unauthorised, to a systematic refund right. It might also cause moral hazard and a reduction in the customer’s vigilance.
Amendment 131
Proposal for a regulation
Recital 98
(98) As acknowledged in the Communication from the Commission on a Retail Payments Strategy for the EU, the good functioning of EU payments markets is of substantial public interest. Therefore, when it is necessary in the context of this Regulation for the provision of payment services and for the compliance with this Regulation, payment service providers and payment system operators should be able to process special categories of personal data as defined in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725. Where special categories of personal data are processed, payment service providers and payment system operators should implement appropriate technical and organisational measures to safeguard the fundamental rights and freedoms of natural persons. Those measures should include technical limitations on the re-use of data and the use of state-of-the-art security and privacy-preserving measures, including pseudonymisation, or encryption to ensure compliance with the principles of purpose limitation, data minimisation and storage limitation, as laid down in Regulation (EU) 2016/679. The payment service providers and payment system operators should also implement specific organisation measures, including training on processing such data, limiting access to special categories of data and recording such access.
Amendment 133
Proposal for a regulation
Recital 100
(100) Fraudsters often target the most vulnerable individuals of our society. The timely detection of fraudulent payment transactions is essential, and transaction monitoring plays an important role in that detection. It is therefore appropriate to require payment service providers to have in place transaction monitoring mechanisms, reflecting the crucial contribution of those mechanisms to fraud prevention, going beyond the protection offered by strong customer authentication, in respect of payment transactions, including transactions involving payment initiation services.
Amendment 138
Proposal for a regulation
Recital 108
(108) SCA should not be circumvented notably by any unjustified reliance on SCA exemptions. Clear definitions of Merchant Initiated Transactions (MITs) and of Mail Orders or Telephone Orders (MOTOs) should be introduced by the EBA since these notions, which may be relied upon to justify non-application of SCA, are diversely understood and applied and are subject to abusive reliance. Regarding MITs, strong customer authentication should be applied at the set-up of the initial mandate, without the need to apply SCA for subsequent merchant-initiated payment transactions. Regarding MOTOs, only the initiation of payment transactions - not their execution - should be non-digital for a transaction to be considered as a MOTO and, therefore, not be covered by the obligation to apply SCA. However, payment transactions based on paper-based payment orders, mail orders or telephone orders placed by the payer should still entail security requirements and checks by the payment service provider of the payer allowing authentication of the payment transaction. SCA should also not be circumvented by practices including resorting to an acquirer established outside of the Union to escape the SCA requirements.
Amendment 144
Proposal for a regulation
Recital 120
(120) Where technical service providers or operators of payment schemes provide services to payees or to the payment service providers of payees or of payers, they should support the application of strong customer authentication within the remit of their role in the initiation or execution of payment transactions. Given the role that they play in ensuring that key security requirements concerning retail payments are properly implemented, including by providing appropriate IT solutions, technical service providers and operators of payment schemes should be held liable for the financial damages caused to payees or to the payment service providers of the payees or of the payers in case they fail to enable the application of strong customer authentication.
Amendment 148
Proposal for a regulation
Recital 141
(141) The Annex to Regulation (EU) 2017/2394 of the European Parliament and of the Council [57] should be amended to include a reference to this Regulation to facilitate cross-border cooperation on the enforcement of this Regulation.
__________________
[57] Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1–26).
Amendment 151
Proposal for a regulation
Article 2 – paragraph 2 – point j – point i
(i) instruments allowing the holder to acquire goods or services only in the physical or virtual premises of the issuer or within a single limited network of service providers under direct commercial agreement with a professional issuer;
Amendment 176
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘payer’ means a natural or legal person who holds a payment account and places a payment order from that payment account, or, where there is no payment account, a natural or legal person who places a payment order;
Amendment 182
Proposal for a regulation
Article 3 – paragraph 1 – point 35
(35) ‘strong customer authentication’ means an authentication which is based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses), inherence (something the user is) and behaviour (the way user behaves) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
Amendment 187
Proposal for a regulation
Article 3 – paragraph 1 – point 46
(46) ‘group’ means a group of undertakings that are linked to each other by a relationship as referred to in Article 22(1), points (2) or (7) of Directive 2013/34/EU of the European Parliament and of the Council [63] or undertakings as referred to in Articles 4, 5, 6 and 7 of Commission Delegated Regulation (EU) No 241/2014 [64], which are linked to each other by a relationship as referred to in Article 10(1) or Article 113(6), first subparagraph, or 113(7), first subparagraph of Regulation (EU) No 575/2013;
__________________
[63] Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19).
[64] Commission Delegated Regulation (EU) No 241/2014 of 7 January 2014 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for Own Funds requirements for institutions (OJ L 74, 14.3.2014, p. 8).
Amendment 194
Proposal for a regulation
Article 3 – paragraph 1 – point 54
(54) ‘ATM deployer’ means operators of automated teller machines who do not hold payment accounts.
Amendment 321
Proposal for a regulation
Article 43 – paragraph 4 – introductory part
4. The account servicing payment service provider and the account information service or payment initiation service provider to which permission has been granted shall cooperate to make information available to the payment service user via the dashboard in real-time. For the purposes of paragraph 2 points (a), (b), (c) and (e):
Amendment 326
Proposal for a regulation
Article 44 – paragraph 1 – subparagraph 2 – point a
(a) preventing the use by payment initiation services providers or account information services providers of the personalised security credentials issued by account servicing payment service providers to their payment services users;
Amendment 335
Proposal for a regulation
Article 45 – paragraph 2 – subparagraph 2
Amendment 343
Proposal for a regulation
Article 49 – paragraph 7
7. At any time the payment service user may withdraw permission to execute a payment transaction or to access a payment account for the purpose of payment initiation services or account information services. The payment service user may also withdraw permission to execute a series of payment transactions, in which case any future payment transaction shall be considered to be unauthorised.
Amendment 359
Proposal for a regulation
Article 53 – paragraph 1 – point c
(c) ensure that appropriate means, including a free of charge telephone line allowing for personal human support in the language of the host Member State, are available at all times to enable the payment service user to: (i) make a notification pursuant to Article 52 point (b), or to request unblocking of the payment instrument pursuant to Article 51(4); (ii) notify a fraudulent transaction; (iii) receive feedback when the payment service user suspects a fraud; (iv) notify about problematic issues concerning conducted payments, such as errors of the payment machines during the payments.
Amendment 444
Proposal for a regulation
Article 80 – paragraph 1 – introductory part
Payment systems and payment service providers shall be allowed to process special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 when necessary for the prevention, investigation and detection of payment fraud, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, on the basis that such prevention, investigation and detection is a substantial public interest as referred to in Article 9(2), point (g), of Regulation (EU) 2016/679 and on the basis of Article 6(1), points (c) and (d) of Regulation (EU) 2016/679. Without prejudice to the above, payment service providers shall only access, retain and process personal data necessary for the provision of payment services, and only with the consent of the payment service user. Payment systems and payment service providers shall be allowed to process special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 to the extent necessary for the provision of payment services and for compliance with obligations under this Regulation, in the public interest of the well-functioning of the internal market for payment services, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including the following:
Amendment 500
Proposal for a regulation
Article 85 – paragraph 1 a (new)
1 a. Payers should not experience strong customer authentication more than once in a single customer journey if the trust it creates can be reused by involved parties without being detrimental to security, data protection or consumer rights.
Amendment 505
Proposal for a regulation
Article 85 – paragraph 7
7. Payment transactions for which payment orders are placed by the payer with modalities other than the use of electronic platforms or devices, such as paper-based payment orders, mail orders or telephone orders, shall not be subject to strong customer authentication, irrespective of whether or not the execution of the transaction is performed electronically, provided that security requirements and checks are carried out by the payment service provider of the payer allowing another form than strong customer authentication for authentication of the payment transaction. The possible forms of authentication in such cases shall be described by the national competent authority.
Amendment 515
Proposal for a regulation
Article 85 – paragraph 12
12. The two or more elements referred to in Article 3, point (35), on which strong customer authentication shall be based do not necessarily need to belong to different categories, except when they are based on the inherence category. Always the independence of the elements shall be fully preserved.
Amendment 520
Proposal for a regulation
Article 86 – paragraph 1
1. Article 85(8) and (9) shall also apply where payments are initiated through a payment initiation service provider. Article 85(10) shall also apply where payments are initiated through a payment initiation service provider and when the information is requested through an account information service provider.
Amendment 554
Proposal for a regulation
Article 105 – paragraph 1
The Commission is empowered to adopt delegated acts in accordance with Article 106 to amend this Regulation by updating the amounts referred to in Article 60(1).