Flash News - The transposition of Payment Services Directive (PSD2) into Luxembourg law


In brief

The Luxembourg law of 20 July 2018

  • transposes Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC - Payment Services Directive (PSD2).
  • modifies the Luxembourg law of 10 November 2009 in relation to payment services.

The law was published in the Mémorial A No. 612 on 25 July 2018 and will enter into force on 29 July 2018.

The full law is available in the Journal officiel du Grand-Duché.

Further information concerning the PSD2 can be found on the website of the European Commission.


In detail

The main changes introduced by the Luxembourg Law of 20 July 2018 in comparison to the law of 10 November 2009 are the obligations for the Payment Service Provider (PSP) to make customer data available in a secure manner, and to grant Third Party Providers (TPPs) access to their customers’ accounts.

PSPs are defined as:

  • Credit institutions
  • Electronic money institutions
  • Post office giro institutions
  • Payment institutions
  • The ECB and national central banks
  • Member States and regional/local authorities when not acting as public authorities

The law authorises two new TPPs:

  • Payment Initiation Service Providers (PISP), which can initiate transactions on the customer’s behalf, and
  • Account Information Service Providers (AISP), which can collect and consolidate the customer’s account information.

The emergence of new entrants increases the level of competition within the payment sector while creating new business opportunities for PSPs.

In addition, the law strengthens the PSPs’ obligations in the areas of fee transparency, information to be provided to customers, and claims resolution. In terms of scope, these new requirements now also apply to all transactions towards PSPs that are located outside the EU, in both an EU currency and a non-EU currency.

The law also introduces new security requirements that must be met by the PSP, such as:

  • Strong Customer Authentication (SCA), an authentication procedure based on the use of two or more elements categorized as:
    • Knowledge (something only the user knows),
    • Possession (something only the user possesses) and
    • Inherence (something the user is).
  • and Common and Secure open standards of Communication (CSC) urging PSPs to adapt to
    • TPPs identification and management,
    • Test and sandboxing environments,
    • Architectural and application monitoring and
    • Evolution of fraud detection systems.

What is next?

The European Banking Authority (EBA), as an independent EU Authority, is mandated, in the area of payments and electronic money, to ensure that payments across the EU are secure, easy and efficient.

The regulatory output (or ‘Level 2’ and ‘Level 3’ measures) with respect to the implementation of the PSD2 comprises six Regulatory Technical Standards (RTS) and seven sets of Guidelines. The RTS will be directly applicable (without any transposition or adoption) whereas the Guidelines will need to be adopted in full or in part to be applicable to Luxembourg banks and other PSPs.

You can consult the full list of Technical Standards and Guidelines in the table shown below:

PSD2 regulatory framework (status as of July 2018)

Under the PSD2 transposition, EBA shall produce a set of documents aimed at providing more details/technical requirements with respect to the changes introduced by the Directive.

The most disruptive RTS is the one on SCA and CSC, which will be applicable on 14 September 2019. However, from 14 March 2019, PSPs will need to make the technical specifications of their Application Programming Interfaces (API) available to TPPs, and provide them with a testing facility to carry out trials of the software and applications TPPs will use to offer services to their users.

Further information concerning technical standards, guidelines and recommendations is available on the website of the EBA.

Contact us

Emmanuelle Henniaux

Regulatory & Compliance Advisory Services Partner, PwC Luxembourg

Tel: +352 49 48 48 2111

Patrice Witz

Luxembourg Digital Leader, PwC Luxembourg

Tel: +352 49 48 48 3533

Jörg Ackermann

Partner, PwC Luxembourg

Tel: +352 49 48 48 4131

Florian Bewig

Director, PwC Luxembourg

Tel: +352 49 49 48 4169

Thomas Thiel

Director, PwC Luxembourg

Tel: +352 49 48 48 4452

Isabelle Melcion-Richard

Director, PwC Luxembourg

Tel: +352 49 48 48 2469