Start of main content

Main developments introduced by the new Royal Decree 736/2019 on the legal regime of payment services and payment institutions

| Publications | Corporate Law and M&A

Regarding the Royal Decree 736/2019 of 20th December

In order to move forward the transposition of PSD 2[1], Royal Decree 736/2019 of 20 December 2019 on the legal regime of payment services and payment institutions (hereinafter, the "RD") was published in the BOE on 24 December 2019. This Decree develops the provisions contained in Royal Decree Law 19/2018 of 23 November on payment services and other urgent measures in financial matters (hereinafter, the "RDL").

The new Royal Decree entered into force on 25 December 2010, except for two specific provisions that we will comment on below. The previous Royal Decree 712/2010 of 28 May 2010 on the legal regime of payment services and payment institutions was repealed. 

Below are the main developments included in the aforementioned Royal Decree:

Entity approval procedure

- In order to establish more streamlined procedures and avoid unnecessary delays in the context of the authorisation procedure, the competence for the authorisation of payment institutions/e-money institutions is attributed to the Banco de España instead of the Ministry of Economy and Finance.

- Notwithstanding the above, in order to keep the Secretary General of the Treasury and International Finance of the Ministry of Economy duly informed, the Bank of Spain shall send the following information regarding the file at the end of each quarter: (i) identity of the applicant; (ii) date of the application for authorisation; (iii) programme of activities that the entity intends to carry out; (iv) degree of financial innovation based on technology that the proposed business model entails with respect to market practices.

- In addition, for greater ease, the Bank of Spain will publish in the coming months on its website a guide providing information on the procedures, requirements and criteria applied in the authorization and registration procedures.

- In line with the EBA Guidelines (GL/2017/09), in addition to the documentation/information already required by the previous regulations, the application for authorisation must include:

(a) Description of the procedure established for the monitoring, handling and follow-up of security incidents and user complaints, including an incident reporting mechanism

(b) description of the procedure in place to record, control, track and restrict access to sensitive payment data.

(c) a description of the mechanisms to ensure business continuity, in particular a clear delineation of important operational functions, effective contingency plans and a procedure to test and periodically review the adequacy and efficiency of such plans

(d) description of the principles and definitions applied for the collection of statistical data on performance, operations and fraud.

(e) A security policy which includes a detailed risk assessment for its payment services and a description of the security control and risk mitigation measures in place to adequately protect payment service users, including fraud and illegal use of sensitive and personal data.

(f) A description of the payment institution's methods of corporate governance and internal control mechanisms, demonstrating that such methods are proportionate, appropriate, robust and adequate. For the first time in a national standard, explicit reference is made to the requirement for payment institutions to have specific governance arrangements.

Authorization regime / initiation of new players

- The authorisation/registration procedure applicable to providers of payment initiation services and providers of account information services, respectively, is further developed as the latter are exempted from certain requirements.

- The name of account information service providers is also reserved under the acronym "EPSIC".

Development of the regime of exceptions applicable to certain entities 

- The registration regime and conditions for entities exempt from authorisation are developed in line with the provisions of Article 14 of the RDL.

Without prejudice to their exemption from the application of the corresponding regulations, these institutions will be obliged to (i) establish their administration in Spain; (ii) not be able to benefit from the Community passport (either under the freedom to provide services and/or the freedom of establishment); (iii) notify the Bank of Spain of any change in their situation and (iv) send the total value of the payment transactions carried out during the previous calendar year to the said body.

New category for registration in the Bank of Spain 

A new category of Registry is created at the Bank of Spain depending on the type of service provided:

a) Authorised Spanish payment institutions, their branches in other Member States and their agents in Spain and in other Member States (including payment initiation service providers.

b) Entities providing account information services, their branches in other Member States and their agents in Spain and in other Member States

(c) Natural or legal persons exempted from authorisation.

A link to the European Banking Authority's Register will also be included to consult the branches or agents in Spain of payment institutions authorised in another EU Member State.

Pre-authorization in case of structural changes

- In line with what has been applied at the headquarters of credit institutions and investment services companies (ISCs), a system of prior authorisation by the Bank of Spain is established, not only in the event of a merger, but also in the event of any other structural modification involving a payment institution / electronic money institution (including the global or partial transfer of assets and liabilities), as well as any agreement having similar economic or legal effects.

For these purposes, the standard defines partial assignment of assets and liabilities as the transfer en bloc of one or more parts of the institution's assets and liabilities, each of which forms an economic unit, to one or more newly created or existing companies, when the operation does not qualify as a spin-off or a global assignment of assets and liabilities in accordance with the Law on Structural Changes in Commercial Companies.

Cross-border activity

- Provision of payment services in EU member countries: it partly develops what was already established in the previous Royal Decree, referring now to the communication regime already included in the Delegated Regulation (EU) 2017/2055 of the Commission, of 23 June 2017, which completes Directive (EU) 2015/2366 of the European Parliament and of the Council as regards technical regulatory standards for cooperation and information exchange between competent authorities in relation to the exercise of the right of establishment and the freedom to provide services of payment institutions (Text with EEA relevance.)

- Provision of services in third (non-EU) countries: greater clarity is provided for the prior authorisation procedure for the provision of payment services either under the freedom to provide services or through a branch in a third (non-EU) country.

With regard to this last point and without prejudice to the fact that it was already required in the past Royal Decree, it will be interesting to understand the applicability of this provision in practice, insofar as many of the payment institutions currently registered with the Bank of Spain provide, in many cases, services to other users domiciled outside the EU.

- Creation or acquisition of holdings in institutions analogous to payment institutions in a non-EU state: the procedure for authorisation by the Bank of Spain is reduced from three (3) to two (2) months in the event of the creation of an institution analogous to a payment institution in a non-EU state or the acquisition of a significant holding or direct or indirect control of an institution analogous to a payment institution.

Agent Regime

- With regard to the system of prior notification/registration introduced by the RDL (Article 23.1), the need to justify the procedures and bodies of internal control and communication that the payment institution will use in its relations with agents, both to prevent and deter money laundering and the financing of terrorism, and to ensure compliance with the applicable sectoral regulations, as well as the procedures they have adopted to select and train their agents, is reinforced.

- On the other hand, the prohibition already contained in the former RD regarding the ability of agents to use sub-agents is excluded, and agents are also allowed to use their bank accounts to accept deposits, directly from customers, of funds from services ordered by them.

Outsourcing of functions

- As one of the main novelties introduced by the RD, it reinforces and develops all the obligations regarding the outsourcing of functions, in particular:

a) The term outsourcing shall include both the delegation of the performance of operational functions by a third party, and the successive delegations that the latter may make, where appropriate.

b) The concept of "significant operational function" is extended, affecting not only substantially the capacity of the institution to comply permanently with the conditions deriving from its authorisation, or its other obligations under the RDL, but also the financial results, the soundness or continuity of its payment services, and the confidentiality of the information it handles.

(c) The "important operational function" includes all those IT systems linked to the provision of payment services.

(d) The content for the prior application for authorisation for the delegation of important functions is extended by presenting (i) a contract setting out the obligations and responsibilities of the parties; and (ii) a self-assessment of the potential impact of any risks incurred in the context of outsourcing.

e) In relation to the contract to be signed with the service provider, it must include a clause providing for direct and unrestricted access by the institution and the Bank of Spain to the institution's information held by third parties, as well as the possibility of verifying, on the latter's own premises, the suitability of the systems, tools or applications used in the provision of outsourced functions. In the event that the third party is based abroad, a clause must be included specifying the jurisdiction of the country to which the contract is subject, so that the entity is aware of the potential legal risks it may incur in the event of a conflict.

Guarantee requirements and equity requirements

  • With regard to the guarantee requirements recognised by the standard, it is clarified that those payment institutions that opt for the procedure set out in Article 21(1)(a) of the RDL (safeguard account), the funds deposited in the separate account may exceed the funds received from the payment service users or received through another payment service provider for the execution of payment transactions, only when this circumstance, as well as the amount of the excess, has been communicated to the Bank of Spain at least one month in advance and the payment institution has, at all times, sufficient equity to continue to meet its capital and equity requirements, once this amount has been deducted.
  • This Royal Decree includes, by means of an Annex, the three methods that the Directive allows to be used to determine its own funds, the application of which must be chosen by the institutions themselves. This choice is a novelty with respect to the previous regulation, where the method of calculation was given to the institutions.
  • Furthermore, every three years, in the month of January, the payment institution shall inform the Bank of Spain which of the three methods set out in the Annex it will apply to calculate the own funds for the following three years. However, the Banco de España, on the basis of the evaluation of the risk management processes, the loss risk databases and the internal control mechanisms of the payment institution, may exceptionally and with reason limit the application of any of the three methods set out in the Annex.

Application of transparency rules in the granting of loans

  • It is clarified that the credit activity authorised for payment institutions will be subject to the transparency and customer protection provisions set out in Article 5 of Law 10/2014 of 26 June and its implementing regulations, as well as Law 16/2011 of 24 June on consumer credit agreements. It is also clarified that the payment institution may formalise the credit both at the same time as the execution of the payment order for which it is granted and subsequently.

Hybrid payment institutions

  • No major novelties are introduced beyond establishing a period of three (3) months for the resolution by the Bank of Spain when assessing the need to create a separate payment institution, if the additional services impair the financial soundness of the institution.

Limited networks

  • The RD elaborates on the existing casuistry regarding the exception contained in article 4 k) of the RDL, clarifying:

a) That the instruments that can be used to buy in establishments of affiliated merchants, will be applicable to them the regulatory regulation of the payment services.

(b) If a specific-purpose payment instrument becomes a more general-purpose instrument, it shall be considered to fall within the scope of the rules governing payment services.

In view of the above, the issuer of the payment instrument (e.g. card) shall expressly inform the payment service user of this circumstance, informing him of his rights and obligations in relation to the payment instrument and, where appropriate, propose to him to amend the contractual conditions as far as necessary to adapt them to the provisions of the contract.

(c) The exclusion shall apply to meal vouchers, restaurant cards or any other similar payment instrument given by the employer to an employee for payment in kind.

d) Payment transactions for urban mobility services, including shared use services, as well as tickets to services of a cultural nature, and other similar services (which may be determined by the Bank of Spain), shall be considered to be excluded from the application of the regulations on payment services.

Sanctioning, monitoring and cooperation with competent authorities of other Member States

  • The Royal Decree extends the sanctioning regime applicable to credit institutions to all payment service providers.

The Bank of Spain shall notify the Commercial Registry of the sanctions of suspension, separation and disqualification imposed on those who hold administrative or management positions.

  • A communication regime is established between host and host regulators in order to carry out controls and apply the necessary measures for the supervision of payment institutions authorised or registered in Spain which exercise the right of establishment or the freedom to provide services in another European Union Member State.

Obligations for reporting of conduct

  • Payment institutions must submit to the Bank of Spain, in the form and at the intervals required by the latter, which shall be at least once a year, the statements and information it considers necessary to fulfil its function of supervising the rules of conduct applicable to payment institutions. These statements and information may be of a public or confidential nature, as established by the Bank of Spain.

The provisions of this Royal Decree are supplemented by two additional provisions, a repealing provision, six final provisions and an annex.

  • - First additional provision: Directors who are going to have direct participation in the management of payment services must be registered in the Bank of Spain's Registry of Senior Officers, and a deadline must be established for their registration.
  • - Second additional provision: This develops the provisions of article 69 of the RDL in relation to the requirements to be met by the customer service and the customer ombudsman, where applicable, the procedure to be followed in the processing of complaints and claims, the procedure for administrative verification of operating regulations and the minimum content that their annual reports must have.
  • - Sole derogatory provision: it repeals Royal Decree 712/2010, of 28 May.
  • - First final provision: includes the title of competence, stating that this Royal Decree is issued under the provisions of article 149.1. 6, 11 and 13 of the Constitution, which attribute to the State the exclusive competences on commercial legislation, bases of credit management, banking and insurance, and bases and coordination of the general planning of economic activity, respectively.
  • - Second final provision: contains a profound modification of Royal Decree 778/2012 of 4 May on the legal regime of electronic money institutions, which implements Law 21/2011 of 26 July on electronic money. In view of the amendments made by Royal Decree-Law 19/2018 of 23 November to Law 21/2011 of 26 July, it is now necessary to adapt its regulations both to these changes and to the novelties introduced by this Royal Decree. This adaptation is essential given the necessary harmonisation that must exist between both regulations.
  • - The third final provision includes an amendment to Royal Decree 84/2015 of 13 February implementing Law 10/2014 of 26 June on the organisation, supervision and solvency of credit institutions. The purpose of this amendment is to include the behavioural reporting obligations for credit institutions, in the same way as Article 30 of this Royal Decree and the second final provision relating to Article 28 of Royal Decree 778/2012 of 4 May, for payment institutions and electronic money institutions, respectively.
  • - Fourth to sixth final provisions: these contain, respectively, the declaration of incorporation into European Union law, the authorisations for the holder of the Ministry of Economy and Enterprise and the Bank of Spain to implement various provisions, and the date of entry into force of the royal decree.

For more information please contact:

Miguel Prado

Patricia Serna

You can download the complete document at the following link

End of main content