Stellungnahme zur geplanten Payment Service Regulation

On September 11, 2023, the German Travel Association (DRV) and the Association for Online Travel Distribution (VIR) will submit a statement to the Federal Ministry of Finance regarding the proposed Payment Services Regulation, which is intended to succeed PSD2.

This refers to a previous email dated August 9, 2023, in which a statement on the European Commission’s draft Payment Services Regulation (PSR) was announced.

We have thoroughly reviewed this draft over the past few weeks and, at the end of last week, had our first opportunity to discuss it with our members in our joint DRV-VIR working group on the Payment Services Regulation. Based on this, the DRV and the VIR have prepared the following joint statement:

Both the DRV and the VIR expressly welcome the initiative to further strengthen consumer protection in the area of payments, as the associated efforts to combat fraud ultimately benefit payees and, consequently, our member companies. We also expressly welcome the approach of enacting a regulation rather than a directive, as this ensures uniform implementation across the EU and also reduces distortions of competition resulting from differing national implementation rules and timelines—provided that supervisory authorities monitor and enforce the required implementation. Nevertheless, the mandatory implementation of the directive without the possibility of adapting it to national specificities poses particular challenges for the German tourism industry, especially travel agencies and tour operators—regardless of the respective booking channels such as brick-and-mortar travel agencies, telephone, or online. This is compounded by the fact that harmonized EU law does not yet exist in numerous economic sectors, meaning that an EU-wide Payment Services Regulation consequently encounters differing national legislation in trade and production. This is particularly relevant for the German tourism industry, specifically for the activities of travel agents based on commercial agency law pursuant to Sections 84 et seq. of the German Commercial Code (HGB), where travel agents—unlike in other sectors—regularly act not for a single principal but for a multitude of principals and customers. Hybrid forms regarding the legal classification of certain legal transactions—such as the combination of travel agency services performed as a commercial agent with activities as a principal when collecting service fees for the same trip and the same customer—are certainly an exception in European tourism.

Since the proposed Payment Services Regulation no longer allows for national adaptations, the DRV and VIR strongly emphasize that the national specificities that remain in effect must nevertheless be covered by the future PSR. In our view, it is therefore essential to ensure that the necessary clarifications and additions are incorporated into the regulation during the ongoing adoption process. The DRV had already submitted a statement on the future design of PSD2 to the European Commission’s Retail Financial Services unit (FISMA.B.3), Mr. Nuno Epifanio (Policy Officer – Retail Financial Services), at the end of March. Upon reviewing the current draft of the planned directive, the DRV and VIR have now determined that the specific characteristics of the German tourism industry, as outlined in particular in the DRV document, have only been partially taken into account, meaning that significant challenges are to be expected during implementation. We also note that the EBA RTS to be developed following the adoption of the regulation do not provide a sufficient basis for subsequently addressing certain fundamental aspects of the planned regulation with regard to their practical feasibility in the German travel industry.

In consultation with travel agents and tour operators—who are members of the DRV and VIR and account for 90 percent of the international travel market—we therefore submit the following comments on the draft Payment Services Directive currently under consideration:

1. We expressly welcome the fact that the PSR explicitly defines numerous terms that are relevant to the future application of the provisions. Unfortunately, despite repeated input from the German financial and tourism sectors, the central term remains undefined: electronic transaction or electronic payment. This is, however, the decisive criterion for the application of certain regulations, in particular Strong Customer Authentication (SCA). Thus, it remains unclear whether, for example, data entered into an online form provided via email on a PC to grant a SEPA Core Mandate and subsequently returned via email will be considered an electronic transaction within the meaning of the PSR in the future or not.

2. With regard to the status of commercial agents, this draft explicitly refers to the Commercial Agents Directive 86/653/EEC. However, Article 1(2) of that Directive defines the status as follows: “A commercial agent within the meaning of this Directive is a person who, as an independent trader, is permanently entrusted with the task of arranging the sale or purchase of goods for another person (hereinafter referred to as the principal) or of concluding such transactions in the name and on behalf of the principal.” In the tourism sector, however, it is not goods but predominantly services that are brokered. Although the PSR also mentions the brokerage of services in connection with commercial agents in a later definition, we are concerned that the strict reference to 86/653/EEC will result in precisely these services not being covered by the PSR. Other provisions of German commercial law enshrined in the HGB are also not fully compatible with this Directive. We strongly urge that harmonization take place here so that commercial agents under applicable German law are also considered commercial agents within the meaning of the PSR.

3. The PSR always assumes that commercial agents act on behalf of a single principal. In the tourism industry, however, legal transactions are commonplace in which services from multiple principals (in this case: tour operators and service providers) are booked for a single trip, such as transportation, accommodation, or transfers. It is important to us that these legal transactions continue to be regarded as commercial agency relationships, also in accordance with the PSR.

4. The status of broker, which is also common in Germany, is not explicitly mentioned in the PSR. However, this status is also relevant in the tourism sector, for example in insurance brokerage or in connection with flight services provided by scheduled airlines. We advocate treating the status of broker on an equal footing with that of commercial agent and distinguishing both from the status of merchant.

5. While the present draft stipulates that the transmission of payment data by a commercial agent to the payee (principal) is not subject to SCA, the draft lacks clarification regarding the extent to which a commercial agent is responsible to payers and payees for the correct transmission of the data. In the tourism industry, for example, cancellation policies—such as those of airlines—often result in costs incurred immediately upon booking a service. Is a commercial agent liable in such cases if the payment data they transmit is incorrect and, as a result, the payee cannot execute a PSR-compliant payment?

6. In general, there is a lack of clear guidance on the extent to which a commercial agent is liable to the payee for payments that cannot be processed based on the payment data transmitted by the commercial agent. For example, what happens if a commercial agent transmits credit card data, but the card has already expired by the time the payee initiates the payment? It is important to note here that tour operators and service providers often split payments for trips into down payments and final payments, meaning that by the time the final payment is initiated, the credit card used for the down payment may no longer be valid. The same applies in cases where a debit or credit card is technically valid, but the necessary funds (e.g., the credit limit) to cover the payment amount are not available at the time the payment is triggered by the payee.

7. Although the PSR explicitly addresses past conflicts between data protection and PSD2 and provides solutions, it generally fails to take into account the legal provisions based on the Package Travel Directive (PTD), which has been implemented in Germany in travel contract law pursuant to Sections 651a et seq. of the German Civil Code (BGB). A key criterion for classifying a trip as travel agency services or a package tour is payment processing. Here, the procedures currently described in the PSR—particularly with regard to a single payment transaction for different services provided by various tour operators and service providers for a single trip—lead to a change in the legal classification of an agency service, i.e., the travel agent would thereby assume the status of a tour operator. This has significant liability and legal consequences. In our view, it is essential that the PSR and PTD be harmonized in this regard so that changes in legal status—particularly for travel agents—cannot occur solely due to the execution of payments without the agent’s active consent.

8. With regard to travel bookings made by commercial agents, there are no provisions specifying whether, and to what extent, the intermediary has a duty to cooperate in the payment processing. Since the initiation of payment by the payee—such as a tour operator—may be subject to SCA requirements in certain areas (for example, when granting a mandate for MIT or SEPA), the current draft lacks provisions addressing the following points:

• Is the merchant required to provide the payee with contact information for the payer that the payee can use to initiate strong customer authentication (SCA) for an electronic transaction (e.g., an email address)? If not: how is a payee supposed to initiate a payment covered by the Payment Services Regulation (PSR) if they do not have the customer’s contact information and cannot involve the customer in an SCA process?
• Can a merchant require a sales representative to obtain the customer’s consent for Strong Customer Authentication (SCA) as part of the payment data capture process when authenticating a payment method? If so, does this apply to all booking channels—i.e., in-person, by phone, and online?
• Is the financial sector required to provide payment processing tools that support and execute the processes for electronic payments—which may be split between the sales representative and the payee depending on the answers to a. and b.—and carry them out?

9. Regarding the provision required by the PSR “for people with disabilities, older adults, people with low digital literacy, and individuals who do not have access to digital systems at the time of initiating a payment,” the objective is not yet entirely clear to us: in our understanding, if people do not have access to digital systems, they cannot initiate electronic payments and are therefore already outside the scope of the PSR. If the statement regarding access is not intended to refer to people with disabilities, older adults, and those with low digital literacy, clear criteria must be established urgently to classify potential payers; otherwise, on the one hand, differing implementations within the EU are likely, and on the other hand, it remains unclear how payment initiators or payees are to demonstrate to the financial sector that the conditions described here apply.

10. The DRV and VIR expressly welcome the fact that data may be forwarded to the financial sector for the purpose of fraud prevention—even if this would not in itself be provided for or possible under the GDPR. In our view, however, there is a lack of clear criteria and explanations regarding the conditions under which the financial sector should have access to which information (both ex post and ex ante to the payment transaction). Furthermore, it is not specified whether this data is to be read and forwarded during the collection of payment data (for example, by the merchant) or during the processing of the transmitted data by the payee.

11. The PSR lacks guidance on how the defined exceptions to the PSR must be identified within payment processes. This applies, on the one hand, to exceptions based on the legal status of commercial agents and, on the other hand, to exceptions based on the payment channel, such as Moto in particular.

12. In our view, the rule that hold amounts for potential risks (e.g., refueling rental cars or hotel minibars) must not be released until after 8 weeks is impractical, as this would dramatically limit the available credit card limit, particularly for frequent travelers. A provision should be established here stipulating that such blocks must be released no later than the day after the planned end of the trip. This would also address the issue that certain travel products (e.g., long-stay packages for seniors or extended cruises) sometimes exceed a travel duration of 8 weeks.

13. The inclusion of guarantee blocks in the PSR is generally welcome; however, the current provisions apply only when the service provider (e.g., a hotel) is in direct contact with the customer. This excludes the issue of no-shows—that is, all cases in which the customer fails to show up despite having booked the service (and has not canceled in advance). In this scenario, payees have neither the option to implement a guarantee block in advance as described in the draft, nor are guarantee blocks or substitute payments defined as exceptions to the SCA requirement in this case.

14. As part of the data transfers to the financial sector, information regarding the payer’s location is also to be transmitted. According to the DRV and VIR, this does not take into account modern systems such as VPNs, through which either the payer themselves or others involved in the process of transmitting payment data can use modern software solutions to virtually specify locations other than their actual location. There are no regulations here regarding who is liable to what extent for the accuracy of the transmitted data.

15. In our view, there is a lack of a binding requirement obligating the financial sector to provide merchants, brokers, and commercial agents with technical solutions that they can integrate into their existing systems (e.g., as a plugin). The DRV and VIR are deeply concerned that the financial sector will not offer its own solutions—particularly for commercial agents and brokers—that provide practical support for the process. The result would thus be either the impossibility of certain financial transactions in travel distribution or significant additional costs for the tourism industry, which would then have to develop such solutions at its own expense to interface with the financial sector’s existing APIs. In our view, however, it is unacceptable that the adaptation and implementation costs for enforcing applicable regulations for the financial sector should be borne by the financial sector’s customers, who are directly and indirectly affected.

16. The PSR does not specify the extent to which companies receiving data (via online forms, call centers, or manual entry at staffed sales counters) are required to verify transactions that are not covered by the PSR.

17. The future processes described in the PSR almost without exception require that companies collecting payment data work with exactly one or a very small number of payment service providers. However, the status of commercial agents in the tourism industry and the prevalence of direct collection (meaning that the end customer pays not to their booking agent, e.g., the travel agency, but directly to the tour operator or service provider) result in each payee selecting their own payment service provider. For booking agents, this results in the following at the counter, over the phone, and online: a) there is no information available regarding which payee actually works with which payment service provider, and b) how to ensure that payment data captured online or during assisted sales is forwarded to the service provider selected by the payee. For the German tourism industry, it is essential that all payment processes and the transmission of associated information function independently of the payee’s respective payment service provider.

18. Article 58 refers to technical service providers and their liability. From the perspective of the tourism industry, it would be very important for the federal government to ensure that providers of tourism booking and reservation systems (such as GDSs like Amadeus) as well as internal systems for customer and booking management (midoffice systems) are not considered technical service providers within the meaning of the PSR. We expressly point out that, particularly in the case of booking systems, but also other industry systems, providers are frequently used whose headquarters are located outside the EU and who are therefore not obligated to implement the PSR. This can lead to significant challenges, as the large GDSs in particular hold a dominant position in travel bookings, making clarity regarding potential liability indispensable.

19. We believe there is still a significant need for clarification regarding the comparison between a unique identifier and the payee announced in the PSR. In particular, it is unclear on what information this comparison is to be based and what the permissible margin of deviation is. In the tourism sector, this also affects us in the context of refunds to customers, as the traveler becomes the payee in such cases. Furthermore, the tourism sector has the unique characteristic—in both private and business travel—that the person making the booking, the traveler, and the payer are not always the same individuals. Furthermore, the current draft does not clearly specify when and by whom this verification must be performed. This is relevant for the tourism industry in that verification at the time of recording and transmitting payment information can only be ensured using new systems and tools to be provided by the financial sector. However, this would ultimately result in commercial agents being reintegrated, at least partially, into the payment processing workflow.

20. The PSR defines the consequences regarding liability in the event of a “failure to use an SCA.” In our view, however, this term is not sufficiently defined. We assume that exceptions to the SCA or PSR that are explicitly listed do not fall under this term, but rather only transactions for which an SCA should have been performed but was not, for reasons other than those described.

21. We welcome the equal treatment of MIT and SEPA. However, the PSR in the current draft does not specify whether MIT and/or SEPA can be issued by the customer exclusively for exactly one payment transaction, exactly one trip involving one or more payment transactions, or for exactly one customer with one or more trips and payment transactions within a defined payment period or until revoked by the customer. Processes in the tourism industry would be greatly simplified if MIT and SEPA were valid for the customer/payer at least per trip, and ideally (as an option to be selected by the customer) alternatively also until revoked for all trips booked with the same payee.

Based on our experience with PSD2, we expect that further questions will arise during the drafting of the EBA RTS and its subsequent implementation by the financial sector.

To ensure the competitiveness of the German tourism industry and to avoid additional bureaucratic burdens resulting from new processes and documentation requirements for companies involved in payment processing—not to mention more complex and less cost-effective processes—we would greatly appreciate it if the Federal Government would advocate for the German tourism industry as part of the ongoing legislative process in Brussels and seek clarifications or additions in line with the challenges outlined in this statement.

The statement is available for download here as a PDF.