
Legal obligations arising from having a payment gateway

General obligations and specific obligations. How to carry out the registration in the General Register of Payment Institutions. Scope of the security obligation and the complaints resolution procedure.

The legal obligations in Spain arising from having a payment gateway are set out in Law 16/2022 of 28 April on Payment Services (LSP). This law regulates payment services, which are the services provided by a payment service provider to carry out payment transactions.

The legal obligations arising from having a payment gateway can be classified into two groups:

1.- General obligations:

These obligations apply to all payment service providers, regardless of the type of payment service they offer. These obligations include:

a) Registration in the General Register of Payment Institutions:

All payment service providers must register in the Banco de España’s General Register of Payment Institutions.

  • Application for registration: The application for registration must be submitted to the Banco de España, through its electronic office. The application must be signed by the company’s legal representative.
  • Documentation to be submitted: The application must be accompanied by the following documentation:
    • Application form for registration: The application form is available on the Banco de España’s website.
    • Document accrediting the applicant’s personality: The accrediting document may be a certificate of registration in the Commercial Register, a certificate from the Tax Agency or a certificate from the Social Security.
    • Supporting documentation of the company’s incorporation: Supporting documentation can be a certificate of registration in the Commercial Register or a certificate from the Tax Office.
    • Supporting documentation of the company’s address: Supporting documentation can be a copy of the lease contract or a copy of the water, electricity or gas supply bill.
    • Supporting documentation for the representation of the company: Supporting documentation can be a power of attorney or a certificate from the Commercial Register.
  • Verification of documentation: Banco de España will verify the documentation submitted. If the documentation is correct, Banco de España will proceed to register the company in the General Register of Payment Institutions.
  • Registration in the General Register of Payment Institutions: Once the documentation has been verified, the Banco de España will register the company in the General Register of Payment Institutions. The registration will be published in the Official State Gazette.

The deadline for registration of a payment gateway in the General Register of Payment Institutions is one month from the submission of the application.

b) Issuance of a payment services contract:

The payment service provider must issue a payment service contract that regulates the conditions for the provision of the service. We will shortly publish a separate, dedicated entry on this point.

c) Information obligation:

The payment service provider must provide clear and transparent information to users about the payment services it offers.

2.- Specific obligations:

These obligations apply to payment service providers offering specific payment services. These obligations include:

a) Security obligation:

Payment service providers, payment gateways among them, should adopt appropriate security measures to protect user data and payment transactions. These measures should include at least the following:

  • Data encryption:

User data and payment transactions should be encrypted to prevent interception by third parties. Encryption should use robust and up-to-date encryption algorithms.

  • Access control:

Access to user data and payment transactions should be restricted to authorised users. Access control should use strong authentication measures, such as two-factor authentication. This requirement is reinforced in the Draft PSD3 Directive.

  • Transaction monitoring:

Payment transactions should be monitored to detect possible fraud. Monitoring should include the detection of unusual or suspicious transactions.

In addition to these measures, payment service providers should take other specific measures to protect user data and payment transactions, depending on the nature of the data and transactions they process. For example, payment service providers processing sensitive data, such as credit card data, should adopt additional security measures, such as data tokenisation.

Payment service providers should regularly assess the effectiveness of the security measures they have adopted. In case they detect any vulnerabilities, they should take the necessary measures to remedy them.

b) Obligation to settle complaints:

Payment service providers, payment gateways among them, should establish a complaints resolution procedure to deal with user complaints. This procedure should be simple and accessible to users, and should ensure that their complaints are resolved fairly and promptly.

The LSP does not establish a specific complaints resolution procedure, but leaves payment service providers free to establish the procedure they consider most appropriate. However, it sets out a number of requirements that all complaint resolution procedures must meet, including the following:

    • Transparency: The procedure should be transparent and easy for users to understand.
    • Accessibility: The procedure must be accessible to all users, regardless of their place of residence or financial situation.
    • Impartiality: The procedure must be impartial and must ensure that complaints are resolved in a fair and objective manner.
    • Time: The procedure must be sufficiently quick for users to receive a response to their complaints within a reasonable period of time.

Within these requirements, payment service providers may establish different types of complaint resolution procedures. The most common complaint resolution procedures in Spain are as follows:

    • Internal procedure: In this procedure, the complaint is settled by the payment service provider itself. This procedure is the simplest and quickest, but may be less impartial than other procedures.
    • External procedure: In this procedure, the complaint is resolved by an independent third party, such as a dispute resolution body or mediator. This procedure is more impartial than the internal procedure, but can be slower and more costly.
    • Mixed procedure: In this procedure, the complaint is settled in two stages. In the first phase, the complaint is resolved by the payment service provider. If the user disagrees with the resolution, he/she can lodge an appeal to an independent third party.

The payment service provider should inform users of its complaint resolution procedure in a clear and transparent manner. This information should include at least the following details:

    • How to file a complaint: The procedure should indicate how users can file a complaint.
    • Time limit for lodging a complaint: The procedure should indicate the deadline for submitting a complaint.
    • How the complaint will be resolved: The procedure should indicate how the complaint will be resolved.
    • Means of challenge: The procedure should indicate the means of challenge that users have at their disposal if they disagree with the resolution of the complaint.

Companies with a payment gateway must comply with these legal obligations to avoid administrative sanctions.
