The Luxembourg Law of 20 July 2018 implementing the revised Payment Services Directive (EU) 2015/2366 (“PSD2 ”) and amending the Law of 10 November 2009 on payment services (“LPS”), which had implemented the first Payment Services Directive (“PSD1”), entered into force on 29 July 2018.

The main changes introduced to bring the LPS in line with PSD2 can be summarised as follows.

The scope of application of the LPS is modified in different ways, including, in particular:

  • Regulation of two new types of third-party providers ("TPPs") as payment service providers: (i) account information service providers ("AISPs"), which collect and consolidate information on the different bank accounts of a consumer in a single place, and (ii) payment initiation service providers ("PISPs"), which facilitate internet payments by initiating a payment from the user account to the merchant account on the customer’s demand.
  • Revision of certain existing exemptions: limitation of the telecom exemption mainly to micro-payments for digital services, limitation in scope of the limited networks exemption and notification when the activities of limited networks reach a certain value, and limitation of the commercial agents’ exemption to those acting for either the payer or the payee (not both).
  • Geographical scope: extension of certain obligations to transactions with third countries when only one of the payment service providers is located within the EU (so–called "one-leg transactions") and application of the PSD2 framework to intra-EU/EEA payments that are made in a currency other than the euro or another Member State's currency.

Further, banks must grant TPPs access to online payment accounts through an access interface, subject to customer consent. The security of payment transactions is enhanced, however, through the requirement for payment service providers to apply strong customer authentication (“SCA”) for electronic payment transactions. To that end, the Commission adopted Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (“RTS”) setting out, in particular, how SCA is to be applied as well as obligations relating to access interfaces. The RTS apply from 14 September 2019.

Other than through enhanced security measures, customer protection is increased through various features: reduced liability (50 euros) for unauthorised payments, improved refund rights, the responsibility of banks managing the account for initiation of unauthorised payments through a PISP, and increased incident reporting obligations on payment service providers as well as the notification of customers in case of major incidents.

Finally, transitional provisions allow AISPs and PISPs already active under the PSD1 regime to continue their activities without authorisation until 14 September 2019, the application date of the abovementioned RTS.