Instant Payments Regulation

Written By

scott mcinnes Module
Scott McInnes

Partner
Belgium

I am a partner in the Brussels office of Bird & Bird where, as an expert in payments regulation and competition law, I work closely with our Finance & Financial Regulation group, our EU & Competition law team, as well as our Public Affairs team.

julien sad Module
Julien Sad

Senior Associate
Belgium

I am a senior associate in our Finance & Financial Regulation group and a member of the firm's international payments team.

nassos kalliris Module
Nassos Kalliris

Associate
UK

I am an associate in the Finance & Financial Regulation group in London and a member of the firm's international payments team, specialising in financial services regulation.

Background

On 3 March 2024, the EU co-legislators adopted Regulation (EU) 2024/886 on instant credit transfers in euro, often called the ‘Instant Payments Regulation’ (IPR). 

The IPR was published in the Official Journal of the European Union on 19 March 2024 and entered into force twenty 20 days thereafter (i.e. on 8 April 2024) - the text is available here

Of course, it doesn’t mean that payment service providers (PSPs) will have to comply with all IPR rules right away, but instead the IPR goes together with a number of key implementation deadlines.   

The IPR intends to make instant payments fully available in euro to consumers and businesses across the EU by amending various existing EU payments regulations:

  1. Regulation EU 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro (SEPA Regulation). The IPR introduces new requirements for instant credit transfers, verification of payee, and sanctions screening. This is the main piece of the IPR – the consolidated version of the SEPA Regulation is available here.
  2. Regulation EU 2021/1230 on cross-border payments (CBPR2 – see our clients alerts on CBPR2 here and here). The IPR clarifies the principle of equality of charges in the context of instant credit transfers.
  3. Directive EU 2015/2366 on payment services in the internal market (PSD2). The IPR introduces changes to PSD2 safeguarding requirements and rules on access to payment systems. The consolidated version of PSD2 is available here.
  4. Directive 98/26/EC on settlement finality in payment and securities settlement systems (SFD). The IPR gives rights to payment institution (PIs) and electronic money institutions (EMIs) to access SFD designated payment systems. The consolidated version of SFD is available here.

The IPR has been characterised by many as an ambitious step towards revolutionising the future of payments in Europe. We provide below our initial thoughts on some key features of the IPR, and how it is expected to modernise the European payments landscape in the months and years to come. 

Instant credit transfers 

The IRP introduces a new Article 5a in the SEPA Regulation which lays down uniform rules on instant credit transfers in euro, for both national and cross-border payment transactions. 

Essentially, those PSPs that offer to their payment service users (PSUs) a payment service of sending and receiving credit transfers must also offer to their PSUs a payment service of sending and receiving instant credit transfers. The idea behind this new obligation is to increase the uptake of instant payments in the EU (which currently is only supported by a minority of PSPs).

An ‘instant credit transfer’ is defined as “a credit transfer which is executed immediately [i.e. in less than 10 seconds], 24 hours a day and on any calendar day” (Art. 2(1a) of IPR). For that reason, PSPs offering instant credit transfers must ensure that all payment accounts they maintain for their PSUs are reachable at any moment (i.e. 24/7/365).

However, PSPs located outside the Eurozone may obtain a temporary derogation from their national regulator according to which they don’t have to offer the service of sending instant credit transfers in euro beyond a limit per transaction, from non-euro denominated payment accounts, during the time when those PSPs neither send nor receive non-instant credit transfer transactions in euro with respect to such payment accounts. This “per transaction limit” is defined by the relevant national regulator and based on an assessment of the PSP’s access to euro liquidity, but in any event this limit cannot be lower than EUR 25,000. It is worth noting that such permission is only valid for a year, but can be extended further to national regulator’s re-assessment.

Any charges levied by a PSP on PSUs in respect of sending and receiving instant credit transfers cannot be higher than the charges levied by that PSP in respect of sending and receiving other credit transfers of corresponding type.

Given the nature of instant payments, the IPR provides for specific requirements that diverge from PSD2 (see. e.g. Art. 78 PSD2 on receipt of payment orders, Art. 87 PSD2 on value date and availability of funds, or Art. 89 PSD2 on liability), as well as additional requirements in the SEPA Regulation (see new Art.  5a(4)-(5) which sets out requirements that apply in addition to those for non-instant credit transfers).

Implementation deadlines:

Category of PSPs  Type of service  Date 
Eurozone-based PSPs other than EMIs and PIs Receiving instant credit transfers 9 January 2025
Sending instant credit transfers 9 October 2025
Eurozone-based EMIs and PIs Receiving and sending instant credit transfers 9 April 2027
Non-eurozone-based PSPs other than EMIs and PIs Receiving instant credit transfers
9 January 2027
Sending instant credit transfers 9 July 20271
Non-eurozone-based EMIs and PIs Receiving instant credit transfers
9 April 2027
Sending instant credit transfers 9 July 2027

 

Verification of payee 

The IPR mandates a “service ensuring verification” of the payee for all credit transfers (i.e. instant credit transfers and also non-instant credit transfers). We call this service ‘verification of payee’ (VoP). 

In a nutshell, payer’s PSPs are required to offer VoP in relation to the payee to whom the payer intends to send a credit transfer -i.e. a service for matching the IBAN with the name of the payee/ intended recipient of the funds (it could be the name/ surname for a natural person, or the commercial/ legal name for a legal entity). It works on a basis of different levels of VoP matches (e.g. no match, almost match) that are notified to the payer, so that the payer can decide whether or not to authorise the payment. 

VoP must be offered by the payer’s PSP regardless of the payment initiation channel (e.g. online banking, mobile banking app, ATM) used by the payer to place a payment order directly with that PSP. In other words, VoP is not mandatory on the payer’s account servicing payment service provider (ASPSP)  when the PSU places a payment order through a payment initiation service provider (PISP) . In that scenario, however, there is a requirement on the PISP to “ensure that the information concerning the payee is correct" (Art. 5c(2) SEPA Regulation). This seems in line with the “VoP” mechanism in the proposed payment services regulation (PSR) – see Article 50(7) which states “The matching service ... shall not be required where the payer did not input himself the unique identifier and the name of the payee” (that’s arguably the scenario where the PSU initiates a payment through its PISP).

PSUs can opt-out from VoP service, but only (1) if they don’t qualify as consumers and (2) in relation to multiple payment orders submitted as  a package (which makes that opt-out rather limited compared to the one initially proposed by the EC). 

PSPs’ compliance with VoP is crucial in terms of potential liability for non-execution, defective or late execution of payment transactions:

  • Today under PSD2, if a payment order is executed in accordance with the IBAN, the payment order is deemed to have been executed correctly with regard to the payee, and if the IBAN provided by the payer was incorrect the payer’s PSP cannot be held liable (Art. 88 PSD2).
  • This principle remains the same, but only as long as the payer’s PSP has fulfilled its legal obligations in relation to VoP. In other words, if a payer provided the PSP with an incorrect IBAN, and the payer’s PSP e.g. failed to inform the payer that there was no match, but nonetheless executed the payment, the payer’s PSP will be held liable (of course, there may be inter-PSPs liabilities in that context, but the payer must anyway be refunded by the payer’s PSP).

Implementation deadlines:

 PSPs, incl. EMIs and PIs Dates 
 Eurozone-based PSPs  9 October 2025
 Non-eurozone-based PSPs  9 July 2027

 

Sanctions screening

EU sanctions laws directly apply to all parties conducting business in the EU, including when providing services on a pure cross-border basis (i.e. without physical presence). Those requirements essentially take the form of a prohibition on doing business with anyone appearing on a sanctions list. On that basis, PSPs active in the EU are required to conduct a form of sanctions screening when doing business with other parties, and particularly when executing payment transactions (e.g. sanctions screening the payer, but sometimes also the payee). These sanctions screening obligations are separate from any (potential) customer due diligence (CDD) obligations that would arise under national anti-money laundering regulations. 

The IRP introduces specific sanctions screening obligations in the SEPA Regulation by requiring PSPs offering instant credit transfers to verify whether any of their PSUs are persons or entities subject to “targeted financial restrictive measures” (which is defined as “an asset freeze imposed on a person, body or entity or a prohibition on making funds or economic resources available to a person, body or entity, or for its benefit, either directly or indirectly, pursuant to restrictive measures adopted in accordance with Article 215 TFEU”).

Admittedly, performing sanctions screening when executing an instant credit transfer (i.e. in less than 10 seconds) may prove to be rather challenging. Accordingly, PSPs must sanctions screening their PSU periodically (i.e. immediately after the entry into force of any new targeted financial restrictive measures, and immediately after the entry into force of any amendments to such targeted financial restrictive measures), and at least on a daily basis

All PSPs, including EMIs and PIs, must comply with their new sanctions screening obligations by 9 January 2025.

Changes to provisions on access to SFD-designated payment systems and safeguarding

EMIs and PIs must be able to offer euro denominated instant credit transfers that are efficient and competitive, and therefore must be able to gain direct access to SFD-designated payment systems. Currently, EMIs and PIs can only access those systems through participating credit institutions, which doesn’t allow a proper level playing field. As a result:

  1. Until now Article 35 PSD2 on access to payment systems didn’t apply to SFD-designated payment systems. Article 35 PSD2 is being amended so that SFD-designated payment systems will be subject to Article 35 PSD2.
  2. A new Article 35a is inserted in PSD2, which sets out specific conditions for EMIs and PIs requesting participation in SFD-designated payment systems. Those conditions are meant to safeguard the stability and integrity of those payment systems.
  3. Article 2 SFD is amended so that EMIs and PIs will now qualify as “institutions” and therefore as (direct) “participant” to an SFD-designated payment system (see Art. 2(b) and 2(f) of the revised SFD).

In addition, Article 10 PSD2 is amended in that EMIs and PIs can now safeguard PSUs’ funds directly in an account maintained by a central bank (although, at the discretion of that central bank), as an alternative to safeguarding funds with credit institutions. 

EU Member States must transpose into national laws and apply the above requirements by 9 April 2025.   

1. However, until 9 June 2028, those PSPs that are located in a Member State whose currency is not the euro will not be obliged to offer PSUs the payment service of sending instant credit transfers in euro from payment accounts denominated in the national currency of that Member State, during the time when those PSPs neither send nor receive non-instant credit transfer transactions in euro with respect to such accounts.

 

Latest insights

More Insights
Curiosity line teal background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More
Bank card propped up against laptop

Germany: BaFin updates AML guidance

Dec 19 2024

Read More