The Luxembourg law of 20 July 2018
The law was published in the Mémorial A No. 612 as of 25 July 2018 and will enter into force on 29 July 2018.
The full law is available in the Journal officiel du Grand-Duché.
Further information concerning the PSD2 can be found on the website of the European Commission.
The main changes introduced by the Luxembourg Law of 20 July 2018 in comparison to the law of 10 November 2009 are the obligations for the Payment Service Provider (PSP) to make customer data available in a secure manner, and to grant Third Party Providers (TPPs) access to their customer’s accounts.
PSPs are defined as:
The law authorises two new TPPs:
The emergence of new entrants increases the level of competition within the payment sector while creating new business opportunities for PSPs.
In addition, the law is strengthening the PSPs’ obligations in the areas of fees transparency, information to be provided to the customers, and claims resolution. In terms of scope, these new requirements are now applicable also to all transactions towards PSPs that are located outside the EU, in both an EU currency and in a non-EU currency.
The law also introduces new security requirements that must be met by the PSP, such as:
What is next?
The European Banking Authority (EBA), as an independent EU Authority, is mandated, in the area of payments and electronic money, to ensure that payments across the EU are secure, easy and efficient.
The regulatory output (or ‘Level2’ and ‘Level 3’ measures) with respect to the implementation of the PSD2 comprises six Regulatory Technical Standards (RTS) and seven sets of Guidelines. The RTS will be directly applicable (without any transposition or adoption) whereas the Guidelines will need to be adopted in full or in part to be applicable to Luxembourg banks and other PSPs.
You can consult the full list of Technical Standards and Guidelines on the table showed below:
Under the PSD2 transposition, EBA shall produce a set of documents aimed at providing more details/technical requirements with respect to the changes introduced by the Directive.
The most disruptive RTS is the one on SCA and CSC, which will be applicable on 14 September 2019. However, from 14 March 2019, PSPs will need to make the technical specifications of their Application Programming Interfaces (API) available to TPPs, and provide them with a testing facility to carry out trials of the software and applications TPPs will use to offer services to their users.
Further information concerning technical standards, guidelines and recommendations are available on the website of the EBA.
Regulatory & Compliance Advisory Services Partner, PwC Luxembourg
Tel: +352 49 48 48 2111
Luxembourg Digital Leader, PwC Luxembourg
Tel: +352 49 48 48 3533
Partner, PwC Luxembourg
Tel: +352 49 48 48 4131
Director, PwC Luxembourg
Tel: +352 49 49 48 4169