In the previous article I presented a wide range of institutions that make up the Polish Fintech Ecosystem, an ecosystem that seems to be challenging for new entrants. That short analysis showed that many public authorities are involved in licensing, supervising and monitoring payment service providers, including banks. Today I will present how the legal framework for payment services is shaped in Poland and what challenges new players may face when entering the fintech market. To better understand the banking sector and its uniqueness I suggest reading this article (available only in Polish) – mandatory if you want to compete with incumbents! In the next article I will elaborate a bit on the licensing process and the administrative procedure that has to be followed during it.
The legal framework for payment services consists of the following categories of documents that are applicable to institutions:
- National law – acts (ustawy) and implementing acts (rozporządzenia);
- European Union law – directives, regulations and soft law, i.a. opinions and guidelines of European Banking Authority;
- Recommendations, guidelines, statements and communications by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego – KNF).
In addition, many institutions (mainly banks) follow the guidelines of the Polish Bank Association; however, such documents are not legally binding and are sometimes not in line with the approach of the KNF. The central bank (Narodowy Bank Polski) may also – through the Council for Payment System – issue best practices in the area of payments (such as the recently published best practices for prepaid cards).
Payment Services Act and implementing acts
The Payment Services Act of 19 August 2011 (as amended – only a Polish version is available) is the main legal regulation for payment services in Poland. In principle, it reflects the provisions of the Payment Services Directive 2 (PSD2), with some minor exceptions or additions and purely domestic provisions (such as procedural aspects). According to the Act, a company may – under certain conditions – provide payment services such as execution of direct debits or payment cards, issuance of payment instruments, provision of payment initiation services or account information services (as enabled by the PSD2).
According to the Act there are a few types of payment service providers, i.a. National Payment Institution, E-money Institution, Banks, Payment Service Bureau and other ‘similar’ institutions.
The Act also envisages a specific type of payment service provider – the small payment institution – which has a limited capacity (e.g. it cannot provide the AIS service); however, its establishment does not require a full licensing process but a simple registration (with certain – narrowed – conditions attached) and requires significantly lower capital. In addition, the Act allows registration as an Account Information Service Provider (only that service may then be provided to clients), which is especially attractive for ‘pure’ data aggregators.
The Act is accompanied by several implementing acts, e.g. on supervisory fees or capital requirements and more specific requirements. The Polish legal system has several implementing acts that refer to the Payment Services Act.
How about PSD2?
While the Payment Services Act – in principle – implements the PSD2 provisions, other specific requirements for Third Party Providers – TPP – and banks, including the use of Application Programming Interfaces and Strong Customer Authentication, are indicated in the relevant legislation, in particular Regulation 2018/389. The KNF is also following EBA guidelines, including EBA guidelines on authorization of payment institutions (information about the compliance or non-compliance may be found in the KNF official journal) (read this interesting report by EBA to better understand the whole framework).
It may also be advisable to take a look at the eIDAS certificate issuers in Poland, as TPPs are obliged to use such certificates in ‘communication’ with banks. One of the most remarkable providers in this area is KIR (Krajowa Izba Rozliczeniowa), which provides eIDAS-compliant certificates.
Recommendations and communications
The KNF is not only a licensing body but also an important authority that supervises all the activities (at some point AML too) performed by payment service providers. Therefore, every institution has to follow its guidelines and communications, even though such documents are not legally binding. The KNF is trying to keep pace with developments on the financial market and to address all issues that may ‘interrupt’ the day-to-day business of the institutions.
In 2015 the KNF issued a SecurePay recommendation that was way ahead of the regulatory developments within the European Union – addressing i.a. Strong Customer Authentication and secure e-payments (eCommerce). In 2017 the KNF published a communication about the use of cloud computing by financial institutions; however, because the EBA developed new guidelines on outsourcing (read a summary in English here), the KNF’s approach may change in the upcoming months.
Following the communications and recommendations of the KNF may significantly reduce the risk of non-compliance with certain regulations. All documents are published on the Regulator’s webpage.
AML and personal data processing
Anti-money laundering and personal data processing do not fall directly within the payment services legal framework; however, without compliance with the AML Act and the Personal Data Protection Act a payment institution will not be able to act in line with the expectations of the relevant public authorities. This is, however, out of the scope of this article as it is a comprehensive topic.
The KNF has its own register of payment institutions. In Poland we have 39 National Payment Institutions, 30 Small Payment Institutions, 1 E-money Institution and a few hundred banks (including cooperative and commercial banks + branches of credit institutions).
It has to be mentioned that banks have their own legal framework for banking activities, which is complemented by the Payment Services Act. Therefore, the process for granting a banking license is not similar to that applicable to payment institutions (it is more complex); however, many legal requirements are also applicable to banks. I will elaborate a little more in the next article, in which I will present information about the licensing process for payment service providers.
Ah, one more thing. Do not forget that even as a regulated entity you have to comply with certain legal obligations such as those indicated in the Companies Act and/or Act on Entrepreneurship and tax obligations.