CEE Legal Matters

Category: Austria

  • Cerha Hempel Helps SES Obtain Regulatory Clearance for Europark Expansion

    Cerha Hempel has advised SES on obtaining regulatory clearance for expanding the Europark shopping center in Salzburg.

    SES is part of the SPAR Austria Group.

    According to Cerha Hempel, with 130 shopping partners, Europark is the largest private employer location in the greater Salzburg area, is located next to SPAR’s corporate headquarters, and is the flagship of its Central European shopping center division SES.

    The Cerha Hempel team included Partners Stefan Huber and Hans Kristoferitsch and Lawyer Claudia Hanslik-Schneider.

  • Schima Mayer Starlinger Advises on Wien Energie, Rhein Energie, Siemens Energy, and Verbund’s Hydrogen Mix Project

    Schima Mayer Starlinger is advising Wien Energie on its joint project with Rhein Energie, Siemens Energy, and Verbund to mix hydrogen into the natural gas powering the steam turbine system of Vienna’s Donaustadt power plant.

    According to the firm, this is a “global premiere for sustainable environmental protection and carbon dioxide reduction.” Testing will be conducted until mid-September to determine the optimal mixture. If successful, the plant will be certified for continuous operation, Schima Mayer Starlinger reported. “With just a 15% volume blend of green hydrogen, the Donaustadt power plant, which generates electricity for approximately 850,000 households, could save around 33,000 tons of carbon dioxide annually.”

    Back in March, Schima Mayer Starlinger also reportedly advised Wien Energie on establishing a geothermal energy joint venture with OMV in the Greater Vienna area (as reported by CEE Legal Matters on March 17, 2023).

    The Schima Mayer Starlinger team is led by Founding Partner Christian Mayer.

    The firm did not respond to our inquiry on the matter.

  • Wolf Theiss Advises Convera on Acquisition of Parts of Western Union Business

    Wolf Theiss has advised Convera on the acquisition of parts of the Austrian business of Western Union.

    Western Union is active in the European Union through its subsidiary Western Union International Bank. According to Wolf Theiss, WUIB sold (parts of) its payment services and derivatives business to Convera Europe Financial S.A. and Convera Europe Financial S.A., two newly established Luxembourg legal entities which obtained respective authorizations by the CSSF and established branches in several EU countries, including Austria.

    The Wolf Theiss team included Partners Claus Schneider, Christian Mikosch, and Matthias Unterrieder, Counsels Christine Siegl, Karin Spindler-Simader, and Paulina Pomorski and Senior Associate Christopher Juenger.

    Wolf Theiss could not provide additional information on the deal.

  • The transposition of the Collective Redress Directive in Austria: What to Expect

    By 25 June 2023, the transitional provisions of the Collective Redress Directive should have been applicable throughout the EU. Austria – like several other EU Member States – did not meet this deadline. The following article deals with potential transposition options, for the Collective Redress Directive, by the Austrian legislator.

    1. Collective redress in Europe and the Collective Redress Directive

    To date, collective redress has been regulated differently among EU member states (“Member States“). Austrian law also provides for various instruments of collective redress (collective action Austrian-style, representative action pursuant to Sec 29 of the Consumer Protection Act, Sec 14 of the Unfair Competition Act). For this reason, a uniform and efficient enforcement of collective consumer interests is hardly possible throughout the EU.

    Directive (EU) 2020/1828 on “representative actions for the protection of the collective interests of consumers” (“Collective Redress Directive“), which is part of the so-called “New Deal for Consumers“, now aims to harmonise collective redress at the European level (and to a certain extent on a national level), whereby it should be emphasised that the Collective Redress Directive does not provide for full harmonisation.

    The centrepiece, and a major innovation, of the Collective Redress Directive are the “redress measures” (Art 3, para 10). This is a genuine collective action for performance in the form of “compensation, repair, replacement, price reduction, contract termination or reimbursement of the price paid“, whereby consumers shall directly benefit from the remedies provided by said redress measure without the need to bring a separate action (Art 9, para 6).

    2. Status quo of transposition

    The Collective Redress Directive entered into force on 24 December 2020 and should have been transposed into national law by 25 December 2022. This deadline has been met by only a few member states. By 25 June 2023, the national transitional provisions of the Collective Redress Directive should have entered into force in every Member State and thus be applicable to those subject to the Directive. Some Member States – such as Austria – did not meet this deadline either.

    Therefore, the transposition process has progressed differently throughout the EU. To date, 16 Member States have enacted a law transposing the Collective Redress Directive. In other Member States, such as Germany, there is only a governmental draft available. A ministerial draft is still pending in Austria.

    3. Possible transposition of the Collective Redress Directive in Austria

    3.1 Who is included?

    The Collective Redress Directive applies exclusively to B2C relationships (Art 2, para. 1). A consumer within the meaning of the Directive is “any natural person who acts for purposes which are outside that person’s trade, business, craft or profession” (Art 3, para. 1, recital 14). Notwithstanding this limitation, based on the Collective Redress Directive, Member States are still entitled to apply provisions of the Collective Redress Directive to areas that do not fall within its scope (recital 18).

    The fact that businesses often also find themselves in consumer-like situations was taken up in the German draft for the transposition of the Collective Redress Directive. According to this draft, small businesses, namely those that employ less than 50 people and whose annual turnover/balance sheet does not exceed 10 million euros, are also to be considered consumers (Sec 1, para. 2 Consumer Rights Enforcement Act “VDuG” (Verbraucherrechtedurchsetzungsgesetz)). In literature, however, this extended transposition is partly criticised; particularly because it gives rise to divergences from the definition of consumer in substantive law. For example, the assumption that small businesses are considered consumers under the VDuG does not change the fact that entrepreneurs are not otherwise subject to the special provisions of consumer law.

    In Austria, group proceedings were already to be introduced within the framework of the Civil Procedure Reform 2007 (“Ministerial Draft 2007“). Although the efforts failed, the Ministerial Draft 2007 provides an indicator for a possible transposition of the Collective Redress Directive. Plaintiffs of the group claim within the meaning of the Ministerial Draft 2007 were “all persons asserting claims in class proceedings” (Sec 629 70/ME 23.GP), whereby the draft referred to B2C relationships (cf. no 1). Against this background, whether Austria will also pursue an extended transposition within the meaning of the German draft, or whether the applicability of the redress measure will be limited to consumer claims only is questionable.

    3.2 Opt-in or opt-out?

    The Directive leaves it up to Member States to provide for an opt-in or opt-out model (or a combination thereof [recital 43]). With opt-in, consumers must actively join the proceedings. Opt-out (cf. American class action) includes all affected parties who do not actively opt out of the proceedings.

    The German draft provides for an opt-in model, according to which consumers can participate in the redress or model declaratory action (Musterfeststellungsklage) until two months after expiry of the first deadline (Sec 46, para. 1, Sec 44 no 7 VDuG). The 2007 Ministerial Draft also provided for an opt-in mechanism (Sec 624 70/ME 23.GP). Furthermore, the Austrian-style collective action provides for an opt-in model. This involves damaged parties assigning their claims to a vehicle for collection; thus, the damaged parties must actively participate in the collective action. It is quite clear that the Austrian legislator will also follow this model when transposing the Collective Redress Directive.

    3.3 How big is the collective interest of consumers?

    A representative action within the meaning of the Directive is an action to protect the “collective interests of consumers” (Art 3, para. 5). It is left to each Member State to decide how many consumers constitute such a collective interest (recital 12).

    The German draft provides in Sec 4, para. 1 VDuG that at least 50 consumers must be affected. In contrast, only 10 consumers need be affected in Poland and only two in Luxembourg. With regard to the Ministerial Draft from 2007, at least three persons were required to appear in a representative action and a total of at least 50 claims had to be asserted. The group action announced in the government programme for the 24th legislative period provided for a minimum number of 100 plaintiffs. It can be assumed that for the Austrian legislator the collective interest will be at least in the double-digit range.

    3.4 Who may sue?

    Collective actions may only be brought by qualified entities, to be designated by the Member States (Art 4). It is up to each Member State to determine the requirements to be met by said bodies.

    According to the German draft, qualified consumer associations that are registered in the list pursuant to Sec 4 of the Injunctions Act, and that do not obtain more than 5 per cent of their financial resources through donations from companies, are entitled to file an action (Sec 2, para. 1 VDuG). Accordingly, the purpose of the statutes must be the protection of consumer interests, the association must have at least 75 individual persons or at least three associations active in the same field of activity among its members, it must have been registered in the register of associations for at least one year, it must have been performing the tasks set out in the statutes for the same length of time and it must not act in a commercial manner.

    A group representative as defined in the Ministerial Draft from 2007 could be any individual person or legal entity entitled to act on its own. It can be assumed that the Austrian legislator will refrain from such a broad right of action. The Austrian legislator already provides for certain restrictions on representative actions under Sec 29 of the Consumer Protection Act, Sec 14 of the Unfair Competition Act (e.g. Association for Consumer Information, Austrian Chamber of Commerce, Chamber of Labour) and it can therefore be assumed that it will also impose certain “barriers” related to eligibility with regard to the Collective Redress Directive. Not every self-proclaimed consumer protection organisation will be eligible to file a lawsuit.

    3.5 Which infringements are covered?

    The Collective Redress Directive only covers actions relating to infringements of consumer protection provisions under EU law contained in Annex I. However, Annex I is not an exhaustive list. In the future, whether these 66 legal acts (e.g. data protection, energy, financial services, travel, tourism, telecommunications) should be supplemented by others will be constantly examined at EU level.

    The taxative list has been criticised in literature as experience has shown that consumer rights violations often also violate national legal provisions (especially tort and contract law) and this can open up corresponding gaps in legal protection. In order to avoid this, member states (e.g. Germany) will (have to) extend the scope of application to all civil disputes in B2C relationships.

    3.6 How is jurisdiction determined?

    As the Collective Redress Directive does not contain any special provisions regarding the international jurisdiction of the courts of Member States (Art 2, para. 3), the provisions of the Brussels Ia Regulation apply in case of cross-border situations. This will inevitably cause problems, but discussion of said problems goes beyond the scope of this client alert.

    It is nevertheless questionable whether the Austrian legislator will go their own way in the sense of the Ministerial Draft from 2007, or leave it as a reference to the jurisdiction rules of the Brussels Ia Regulation (e.g. Germany). In the past, it was provided that if the defendant had no general place of jurisdiction in Austria, or if several courts had jurisdiction, the competent court of first instance in the first district of Vienna would have exclusive jurisdiction (Sec 621 70/ME 23.GP).

    4. The way forward

    Although Austria has missed the deadline for the transposition of the Directive on representative actions, it can nevertheless be assumed that transposition will take place in the near future. The Collective Redress Directive grants Member States considerable room for manoeuvre. It remains to be seen what the specific transposition by the Austrian legislator will look like. One thing is clear, however: The Collective Redress Directive would provide the basis for a far-reaching reform of the system of collective redress in Austria. Ultimately, the question is how willing the Austrian legislator is to enact reform.

    By Stephan Kugler, Counsel, and Sophie Vana, Associate, Wolf Theiss

  • The Foreign Subsidies Regulation: Application of the regime as at 12 July 2023

    The Regulation (EU) 2022/2560 on Foreign Subsidies Distorting the Internal Market (FSR) formally entered into force on 12 January 2023, but the regime did not apply until 12 July 2023. On the same day, the respective Implementing Regulation (EU) 2023/1441 was published in the Official Journal.

    The FSR empowers the European Commission to investigate financial contributions granted by non-EU public authorities to companies active in the EU. The FSR tackles both concentrations and public procurement procedures and entails considerable notifications obligations. The Commission can impose measures to redress distortive effects, fines and other payments, and ultimately block concentrations or exclude bidders.

    Scope

    The purpose of the FSR, as stipulated in its first Article, is to contribute to the proper functioning of the internal market by establishing a harmonised framework to address distortions caused, directly or indirectly, by foreign subsidies, with a view to ensuring a level playing field. The FSR aims to close a regulatory gap for non-EU subsidies, which are currently not subject to the same strict rules as subsidies granted by EU Member States under the EU State aid regime. However, please note that the various notification requirements imposed by the FSR are triggered not by foreign subsidies but rather by foreign financial contributions, which have a much broader scope than foreign subsidies. Financial contributions are widely defined to include any transfer of financial resources form a non-EU public authority, including even the payment for goods or services on market terms. The FSR introduces three new tools for addressing financial contributions.

    The new tools

    • A notification-based concentrations tool enabling the Commission to investigate and potentially block or unwind mergers, acquisitions or joint ventures involving financial contributions granted by non-EU governments, where the acquired company, one of the merging parties or the joint venture generates an EU turnover of at least €500 million, and where the transaction involves foreign financial contributions of more than €50 million in the three years preceding the signing of the relevant transaction agreements.
    • A notification-based public procurement tool that empowers the Commission to investigate and potentially require the exclusion of a bidder in public procurement procedures for high-value public contracts involving financial contributions by non-EU governments, where the estimated contract value is at least €250 million and the bid involves a foreign financial contribution of at least €4 million per third country over the last three years, prior to notification.
    • A general ex-officio tool allowing the Commission to open investigations into any suspected foreign subsidies that may distort the EU internal market, and to investigate all other market situations where the Commission can start a review on its own initiative.

    Procedure

    As to the notification-based concentrations and procurement tools, the parties will have to notify financial contributions received from non-EU public authorities prior to concluding a concentration or a public procurement procedure above the relevant thresholds. With respect to smaller concentrations and public procurement procedures, the Commission is entitled to request ad-hoc notifications if it suspects the existence of distortive subsidies. Pending the investigation or review conducted by the Commission, the concentration in question cannot be completed and the investigated bidder cannot be awarded the contract. If the Commission establishes that a foreign subsidy is distortive, it will balance the negative effects of the subsidy, in terms of the distortion, with its positive effects to determine appropriate redressive measures or to accept commitments. As to the redressive measures and commitments, the FSR includes several structural or non-structural remedies, such as the divestment of certain assets or providing access to infrastructure. As mentioned, in the case of notified transactions, the Commission can also prohibit the concentration or the award of the public procurement contract to the bidder.

    The general investigation tool allows the Commission to start investigations on its own initiative. This will regularly cover other types of market situations, such as greenfield investments.

    Fines and periodic penalty payments

    An investigation under the notification-based concentrations tool may ultimately prompt the Commission to block or unwind mergers, acquisitions or joint ventures involving financial contributions granted by non-EU governments. An investigation under the notification-based public procurement tool may ultimately trigger the exclusion of a bidder. However, during the investigation, the Commission already wields considerable sanctioning powers for non-compliance. For example, failing to submit a mandatory notification of a concentration, or of participation in a public procurement procedure, or implementing the transaction or the contract prior to receiving clearance from the Commission, may result in fines of up to 10% of the aggregate turnover of the undertaking concerned in the preceding financial year. The Commission may also decide to impose periodic penalty payments of up to 5% of the average daily aggregate turnover of the undertaking concerned in the preceding financial year for each day of non-compliance.

    Implementing Regulation

    When the FSR entered into force on 12 January 2023, it stipulated and allowed the drafting of an Implementing Regulation. Commission Implementing Regulation (EU) 2023/1441 of 10 July 2023 on detailed arrangements for the conduct of proceedings by the Commission, pursuant to Regulation (EU) 2022/2560 of the European Parliament and of the Council on foreign subsidies, related to the distorting of the internal market, was published in the Official Journal of the European Union on 12 July 2023. The Implementing Regulation provided for the notification forms for notifying concentrations and public procurement procedures, as well as the form for the declaration that has to be made in the event that no reportable financial contribution was granted to the companies involved in a procurement procedure exceeding the estimated contract value of €250 million. Moreover, the Implementing Regulation contains several procedural provisions.

    Timeline

    The full application of the FSR will be implemented in steps which should grant addressees a certain period of time to prepare. While the FSR formally entered into force on 12 January 2023, the regime did not apply until 12 July 2023. From that date forward, the Commission is empowered to launch ex officio investigations. The mandatory notification requirements under the concentrations and public procurement tools will subsequently enter into force on 12 October 2023. Certain inspections, in which officials authorised or appointed by the Member State in whose territory the inspection is to be conducted, shall assist the Commission and the enforcement of said inspections shall be applicable as of 12 January 2024.

    By Manfred Essletzbichler, Partner, and Philipp J. Marboe, Counsel, Wolf Theiss

  • DLA Piper Advises on S Immo EUR 75 Million Green Bond Issuance

    DLA Piper has advised Erste Group Bank on S Immo’s EUR 75 million green bond issuance under its EUR 300 million issuance program. Cerha Hempel reportedly advised S Immo.

    The new green bond has a maturity of five years and an interest rate of 5.5% per annum.

    Erste Group Bank was the sole arranger, dealer, and bookrunner.

    S Immo is a real estate investment company based in Vienna. The real estate portfolio of S Immo consists mainly of offices, but also of commercial properties, hotels, and residential properties.

    The DLA Piper team included Partner Christian Temmel and Counsel Christian Knauder.

    Editor’s Note: After this article was published, Cerha Hempel confirmed its involvement to CEE Legal Matters. The firm’s team included Partner Volker Glas and Senior Counsel Christian Aichinger.

  • Third Time’s the Charm? EU-US Data Privacy Framework Revamped and Reloaded

    On 10 July 2023, the European Commission adopted an adequacy decision for a lawful data transfer from the EU to the USA for the third time. This means that personal data may again be lawfully transferred to the US. This will facilitate the use of US service providers for EU companies.

    Background

    The recent adequacy decision is based on the EU-US Data Privacy Framework (“DPF”) that US president Joe Biden and EU Commission president von der Leyen agreed upon back in March 2022. It acknowledges the satisfactory safeguarding of personal data transferred from EU entities to US companies that are parties to the principles of this new EU-US Data Privacy Framework.

    This marks the third attempt after the DPF’s predecessors – the 2000 Safe Harbour and the 2016 Privacy Shield – were ruled invalid by the European Court of Justice. This decision could potentially end a years-long journey that began back in 2000 with the Commissions’ “Safe Harbour” decision. 

    Improvements

    According to the Commission, the recent adequacy decision addresses the main points raised by the ECJ in its Schrems II decision to guarantee appropriate protection of EU inhabitants’ personal data in the US. Mainly, the adequacy decision follows an Executive Order of the President of the United States that introduced new binding safeguards to ensure that data can be accessed by US intelligence agencies only to the extent necessary and proportionate and to establish an independent and impartial redress mechanism to handle and resolve complaints from EU inhabitants concerning the collection of their data for national security purposes.

    The key principles of the new EU-US Data Privacy Framework include:

    • Free and safe data flow: The “adequacy decision” principle allows personal data to flow freely and safely between the EU and participating US companies.
    • New binding safeguards: These safeguards limit access to data by US intelligence authorities to what is necessary and proportionate for national security. This principle is in line with President
    • Biden’s Executive Order in October 2022, and internal procedures of US intelligence agencies have been adjusted to meet these principles as of 3 July 2023.
    • Two-tier redress system: A new redress system, including the establishment of a Data Protection Review Court, will investigate and resolve complaints about data access by US intelligence agencies.
    • The court, an administrative body under the executive, maintains a level of independence due to its judges appointed by the US General Attorney.
    • Self-certification by companies: Companies processing data transferred from the EU must self-certify their adherence to these standards through the US Department of Commerce. The department also monitors ongoing compliance, and the US Federal Trade Commission is tasked with enforcement if these companies fail to uphold their obligations.
    • Regular reviews: The European Commission will undertake regular reviews of the Framework, with the first occurring one year after its adoption. These reviews will assess relevant developments in the US and the effectiveness of the legal framework in practice and will take place at least every four years.

    Effects of the recent decision

    To qualify for a data transfer based on the adequacy decision, US companies must self-certify under the DPF and declare compliance with the DPF, including by updating their privacy policies. The DPF will be governed by the US Department of Commerce (“DoC”), which will process the certification applications. US entities that have already certified compliance with the (then applicable) Privacy Shield principles and still have an active certification may begin relying immediately on the DPF. The DoC also monitors whether these companies continue to meet the certification requirements. A website dedicated to the DPF, which also provides for the possibility to self-certify, has already been launched.

    Following the recent adequacy decision, the transfer of personal data from the EU to the US is deemed lawful. This means that the use of service providers based in the US is, in principle, possible again. However, the European entity (controller) must ensure that certain conditions are met before the transfer. In particular, the European controller is obliged to ensure that the data processing, which also includes the transfer, fulfils the following criteria:

    • based on a lawful legal basis pursuant to Art 6 or 9 GDPR;
    • the main principles of the GDPR under Art 5 are met;
    • data protection by design and default is implemented pursuant to Art 25 GDPR;
    • a data processor agreement pursuant to Art 28 GDPR is concluded with the service provider;
    • the security of processing pursuant to Art 32 GDPR is ensured;
    • all relevant documentation and assessments are conducted and held available for a possible inspection by the Authority;
    • the data receiving US service provider is certified under the DPF.

    US-based companies will have to implement internal and external policies and processes if they want to self-certify under the DPF and rely on the adequacy decision for a lawful data transfer. Their privacy policies in particular must be amended to incorporate the new DPF principles and potential existing certifications under the old Privacy Shield must be updated or recertified and the necessary fees paid.

    DPF: here to stay?

    The European Data Protection Board (EDPB) acknowledged that the new agreement shows “significant improvements” over its predecessors. However, it noted that the GDPR still falls short in some areas of protection. The European Parliament opposed the new agreement, pointing out that it allows a certain level of mass data collection and does not provide adequate data protection safeguards for Europeans (however, not binding on the EC). At the same time, the NGO NOYB announced its intention to challenge the decision again, criticising it as “essentially a repeat of the Privacy Shield”.

    It therefore seems crucial to maintain an alternative for engaging US providers, as a third potential annulment of the adequacy decision by the European Commission could abruptly disrupt enterprise-wide data processing (again). As this process continues, we will keep you updated on further steps to ensure the safe and unimpeded flow of data between the EU and the US. In the meantime, please do not hesitate to contact us if you require assistance in preparing the necessary aspects for an immediate, compliant data transfer.

    By Veronika Wolfbauer, Counsel, and Florian Terharen, Associate, Schoenherr

  • Schoenherr Advises Tello Holding on Acquisition of VA Intertrading

    Schoenherr has advised Tello Holding on the acquisition of a majority stake in VA Intertrading Aktiengesellschaft by taking over Kairos Industrie Holding from Hanno Baestlein. DSC Doralt Seist Csoklich reportedly advised the seller.

    Tello Holding had previously acquired 14.99% of the shares in VAIT. According to Schoenherr, “the former VA-Tech CFO Hanno Baestlein has sold 100% of his shares in Kairos Industrie Holding to Tello Holding, which is owned by Swiss Attorney-at-Law and investor Wolfram Kuoni. Kairos Industrie Holding holds 37.34% of the shares in VAIT, which is a world-renowned trading company in food and feed, steel products, pharmaceutical products, and agricultural machinery.”

    According to the firm, “the origin of VA Intertrading lies in the Voestalpine and the steel trade industry. Over the course of more than 40 years, its range has been extended to include many other goods and services, making the company Austria’s long-running leading commodities trading company. The company employs about 770 people in 31 locations worldwide and has an average annual turnover of about EUR 800 million.”

    The remaining shares of VA Intertrading AG are held by employee and management shareholding companies.

    The Schoenherr team included Partner Michael Magerl and Associate Thomas Reich.

  • Wolf Theiss and DLA Piper Advise on UBM Development EUR 50 Million Green Bond Issuance

    Wolf Theiss has advised joint lead managers and bookrunners Raiffeisen Bank International and MM Warburg on the subscription and placement of UBM Development’s EUR 50 million issuance of 7% green bonds. DLA Piper advised the issuer.

    The green bonds have a maturity of four years and were placed with institutional and retail investors with a coupon of 7% per annum. The green bonds are listed on the Official Market of the Vienna Stock Exchange.

    UBM Development AG is an Austrian real estate developer of timber construction projects. Its strategic focus is on timber construction, green buildings, and smart offices in major CEE cities such as Vienna, Munich, Frankfurt, or Prague.

    According to DLA Piper, “an amount equal to the net proceeds is intended to finance and/or refinance, in whole or in part, new or existing eligible projects in accordance with UBM’s Green Finance Framework.”

    Both Wolf Theiss and DLA Piper had also advised on UBM Development’s previous bond issuances (as reported by CEE Legal Matters in November 2018June 2019, and November 2019).

    The Wolf Theiss team was led by Partner Claus Schneider and included Counsel Eva Stadler, Associate Sebastian Prakljacic, and Legal Trainee Caroline Zeitlberger.

    The DLA Piper team included Partner Christian Temmel and Counsel Christian Knauder-Sima.

  • Payment Services Directive 3 – Shaping the Path for Future Payments in the EU

    On 28 April 2023 the European Commission (“Commission”) put forth a proposal (Link) to revise Directive (EU) 2015/2366 (Payment Services Directive, “PSD2”), which was adopted on the EU level in 2015 and transposed into Austrian law by the Payment Services Act (Zahlungsdienstegesetz 2018 – ZaDiG 2018).

    The package is part of the EU’s retail payments strategy to amend and modernise the payment services framework, given market developments and innovations over the past years. The package of drafts includes:

    • an amended Payment Services Directive (“PSD3”), which mainly amends Title II of PSD2 and repeals Directive 2009/110/EC (Electronic Money Directive, “EMD”);
    • a Payment Services Regulation (“PSR”, together with PSD3 the “PSD3 Package”), which will clarify and substitute Title III and IV of PSD2.

    By proposing a directly applicable regulation (the PSR), the Commission intends to further harmonise EU payment services markets.

    Based on a report by the Commission evaluating PSD2, the proposals present amendments and improvements which aim to achieve five key objectives:

    1. combatting and mitigating payment fraud;
    2. improving consumer rights;
    3. further levelling the playing field between banks and non-banks;
    4. strengthening user protection and confidence in payments;
    5. improving competitiveness;
    6. extending the supervisory and enforcement powers of regulators.

    Timeline

    The EU Commission’s proposal presents the first step in the EU’s ordinary legislative procedure towards PSD3 being published in its final form. The proposal is now being reviewed by the co-legislators, the Council and the European Parliament, and it is currently expected that the final text of the PSD3 will be approved and published towards the end of 2024 or early 2025.

    The draft PSR stipulates that it will enter into force and begin to apply directly 18 months after its publication. At the same time, Member States will have 18 months after the publication of PSD3 to transpose it into national law. Given the projected time horizon, this will mean that the PSD3 Package will apply approximately from 2026 onwards, which gives payment service providers a similar period of time to prepare as with PSD2.

    Key takeaways

    Open banking: The EU Commission described challenges regarding effective and efficient access by account information service providers (“AISPs”) and payment initiation service providers (“PISPs”), collectively known as third-party providers (“TPPs”), to data held by banks. Although this is controversial, the PSD3 proposal introduces extended financial information data access (FIDA), which includes the following measures:

    • Interface for TPPs: Banks must provide dedicated secure interfaces for the exchange of information to TPPs; but, they will no longer be required to continue to maintain a “fallback” interface if the primary interface fails as under PSD2.
    • Dashboard: Banks must provide consumers with an access and permissions dashboard giving an overview of data access rights granted to TPPs and enable any access granted at any time to be withdrawn. This will be particularly relevant as the proposal for a regulation on financial data (Link), which was also published on 28 June 2023, also provides for a permission dashboard for access granted to third parties.

    Consumer measures and anti-fraud protection: With new innovations, new types of fraud schemes emerged (including social engineering fraud). To tackle these new types of fraud the proposals include the following measures:

    • IBAN/name verification: All (regular and instant) credit transfers will be subject to IBAN and name matching verification services, which means payment is only completed once the check is completed and the consumer is notified. In case of a discrepancy, the consumer may, following the notification, proceed with the transfer. If, however, the payer is not notified of any discrepancy, the PSP may be liable for any resulting losses if the transfer is executed.
    • Transaction monitoring: Payment service providers (PSPs) will be required to implement additional transaction monitoring mechanisms and may share fraud-related information with other PSPs in instances where a PSP has sufficient evidence to assume that a fraudulent payment transaction has occurred.
    • Liability for spoofing: PSPs are liable in case of impersonation fraud (so-called “spoofing”) if the consumer was manipulated by a third party impersonating an employee of the PSP and this manipulation resulted in subsequent fraudulent authorised payment transactions, provided the consumer has reported such fraud to the police and notified the PSP without delay (exception: the obligations do not apply if the consumer acted fraudulently or with gross negligence). It remains to be seen whether this far-reaching liability for banks and PSPs is adequate and will be included in the final package.

    Level playing field:

    The Commission finds that PSD2 is limited in its effectiveness as non-bank PSPs lack direct access to key payment systems and bank accounts. To create a level playing field between banks and non-bank PSPs, the PSR sets forth that EU Member States may not unduly restrict access to key payment systems and thus extends the access requirements of the Settlement Finality Directive to non-bank PSPs. Furthermore, banks may only refuse to open or unilaterally close a payment institution’s payment account in certain limited situations.

    Further notable amendments:

    • Narrower exclusions of PSD3/PSR: The commercial agent and the limited network exclusion will be narrower under the PSD3 Package, which requires market participants to review whether they can still rely on either exemption.
    • Repeal of the Electronic Money Directive: The EMD will be repealed and electronic money institutions will have to get reauthorisation under the PSD3 Package as payment institutions providing electronic money services.
    • Own funds: The PSD3 Package stipulates increased own funds requirements and by default links the calculation of own funds to payment transactions volumes instead of percentage of fixed overheads expenditures for the preceding year or based on operating income.
    • Winding-up plans: As a condition of their authorisation, PSD3 requires payment institutions (including firms currently authorised as electronic money institutions) to maintain winding-up plans to describe what would happen in the event of the firm’s failure.
    • Safeguarding: Payment institutions will be required to avoid concentration risks in safeguarding customer funds, meaning all customer funds may not be held with only one credit institution.
    • Independent ATMs: Cash providers that do not service payment accounts (e.g. independent ATMs) need to register pursuant to PSD3.

    Conclusion

    As the proposals may still be subject to further discussions and the trilogue negotiations between the three EU institutions, the final texts may deviate from the current proposals. Nevertheless, the proposals already show the directions of how payment services in the EU will progress moving from PSD2 to the PSD3 Package.

    As the changes of the PSD3 Package will require electronic money institutions to seek reauthorisation within 24 months of the new PSD3 coming into force and existing payment institutions to assess whether they comply with the new prudential requirements, it is sensible to prepare (eg. drawing up winding-up plans, review internal policies in line with PSD3 / PSR and check whether the exemption still applies) well in advance to fulfil all legal requirements on time.

    By Matthias Pressler, Counsel, Maximilian Nusser, Associate, Schoenherr