On 28th June 2023, the European Commission introduced a draft proposal encompassing a comprehensive Payment Services package. This package includes the third Payment Services Directive (PSD3) and a fresh Payment Services Regulation (PSR), intended to replace the current PSD2 and Electronic Money Directive.

What is PSD3, the EU’s 3rd Payment Services Directive?

PSD3, the upcoming legislation, is designed to regulate electronic payments and the banking ecosystem in the European Union’s single market. PSD3 introduces revised rules to enhance consumer protection and foster competition in electronic payments.

What is PSR?

The PSR will encompass regulations pertaining to all Payment Service Provider (PSP) activities, integrating certain provisions from the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS on SCA & CSC), as well as guidelines and opinions from the European Banking Authority.

What is PSD2? Why is it being reviewed?

PSD2, the second Payment Services Directive, was adopted in 2015 to establish a comprehensive set of rules governing retail payments within the European Union (EU), encompassing both euro and non-euro transactions, as well as domestic and cross-border payments. Its predecessor, PSD1, introduced in 2007, aimed to create a unified legal framework for an integrated EU payments market. The revision of PSD2 became necessary to address barriers to emerging payment services, enhance consumer protection, and bolster security measures. The main objectives of PSD2 were as follows:

  1. Promote fair competition: PSD2 aimed to create a level playing field between traditional financial institutions and new providers of card, internet and mobile payments. This fostered innovation and competition within the payments industry.
  2. Enhance efficiency and choice: The directive sought to increase the efficiency, transparency, and variety of payment instruments available to consumers and merchants, facilitating easier and more convenient payment options.
  3. Enable cross-border payments: PSD2 aimed to facilitate the seamless provision of card, internet, and mobile payment services across EU borders. This eliminated barriers and promoted the harmonisation of payment services within the Union.
  4. Foster innovation: PSD2 aimed to support the expansion of innovative payment services, enabling them to reach a wider market. This encouraged the development of new and more convenient payment solutions.
  5. Ensure consumer protection: The directive aimed to provide high protection for payment service users across all EU Member States. It sought to enhance consumer rights, improve transparency, and strengthen security measures to safeguard against fraudulent activities.

The review of PSD2 was necessary to address the evolving payments landscape, emerging technological advancements, and new challenges in the digital realm. By adapting and refining the regulatory framework, the revision aimed to improve the efficiency, security, and accessibility of payment services within the EU.

Evaluation of the PSD2

The evaluation of PSD2 revealed a mixed outcome in achieving its objectives.

The introduction of Strong Customer Authentication (SCA) as a fraud prevention measure has proven highly effective in reducing fraudulent activities. This represents a clear positive impact of PSD2.
Furthermore, PSD2 has successfully enhanced the efficiency, transparency, and choice of payment instruments for consumers by accommodating the emergence of new payment methods. However, the evaluation identified an uneven playing field among payment service providers, largely due to the limited access of non-bank Payment Service Providers (PSPs) to crucial payment finalisation systems.

The introduction of open banking, allowing for the secure sharing of financial data between banks and third-party service providers, was a significant innovation by PSD2. However, its adoption has been met with varying levels of success. Challenges persist in data access for account information service providers (consolidating consumer bank account information) and payment initiation service providers (establishing payment links between payers and online merchants). Additionally, while there has been progress in the cross-border provision of payment services, many payment systems, especially debit card systems, remain predominantly national in scope.

The key changes of the revision of PSD2 to implement PSD3 and new PSR

The revision of PSD2 to implement PSD3 and PSR proposes several key changes that aim to enhance the EU payments framework. The proposed changes are designed to improve the functioning of EU payment markets through the following measures:

  1. Strengthening measures to combat payment fraud.
  2. Granting non-bank payment service providers (PSPs) access to all EU payment systems, subject to appropriate safeguards, and ensuring their right to hold a bank account.
  3. Enhancing the operation of open banking, particularly concerning the performance of data interfaces. This includes removing barriers to open banking services and empowering consumers to have better control over their data access permissions.
  4. Fortifying the enforcement powers of national competent authorities and facilitating the implementation of rules that clarify various elements.
  5. Further improving consumer information and rights.
  6. Enhancing the availability of cash.
  7. New initial capital, own funds and licensing requirements for payment and e-money institutions.
  8. Consolidating the legal frameworks applicable to electronic money and payment services.

These proposed changes aim to foster a more secure and efficient payment ecosystem within the European Union.

PSD3 proposal: Fraud and liability

The key changes in the revision of PSD2 to implement PSD3 and the new PSR that concern payment fraud are set out below.

The Issue:

The existing PSD2 framework is not equipped to address new types of fraud that have emerged, such as “spoofing” or impersonation fraud.

In these cases, the fraudster manipulates the customer’s consent for a transaction by using deceptive techniques, such as imitating the bank’s telephone number or email address, blurring the line between authorised and unauthorised transactions.

Current prevention mechanisms like Strong Customer Authentication (SCA) have proven insufficient in preventing such frauds.

The proposal:

  1. Extending IBAN/name matching verification services to all credit transfers, including regular and instant ones, benefiting all consumers.
  2. Providing a legal framework for payment service providers (PSPs) to share fraud-related information among themselves through dedicated IT platforms while ensuring compliance with GDPR.
  3. Strengthening transaction monitoring capabilities.
  4. Requiring PSPs to conduct educational initiatives to raise awareness of payment fraud among customers and staff.
  5. Expanding consumer refund rights in specific situations.
  6. Improving Strong Customer Authentication.

When are victims of fraud entitled to a refund?

Firstly, consumers who suffer damages due to the failure of the IBAN/name verification service to detect a mismatch between the payee’s name and IBAN will be eligible for a refund. Secondly, consumers who fall prey to a “spoofing” fraud, where a fraudster impersonates a bank employee and deceives the consumer into carrying out actions that result in financial losses, will also have refund rights.

The new IBAN/name verification service

Under the new regulations, the payee’s payment service provider (PSP) must verify the match between the payer’s provided unique identifier (IBAN) and the payee’s name upon request from the payer’s PSP. If a discrepancy is identified, the payer’s PSP must inform the payer of the mismatch before finalising the payment order.

Improvement of Strong Customer Authentication

The proposal aims to introduce the following changes:

  1. Provide clear guidelines on the circumstances under which certain types of transactions may be exempt from the requirement to apply Strong Customer Authentication (SCA).
  2. For remote payments, the specific amount and the payee must be explicitly linked to the transaction, which is to be authenticated by the payer.
  3. Streamline and simplify the application of SCA specifically for payment account information services.
  4. Enhance the effectiveness of digital passthrough wallets for payments, where a virtual payment card is stored, by mandating that SCA must be performed during the enrolment stage of a payment instrument under the responsibility of PSPs.
  5. Require payment service providers to ensure that all users have access to and can utilise methods for performing SCA.

PSD3/PSR proposal: Consumer rights and information

New information requirements for payment service providers

The proposal:

  1. Increased transparency for credit transfers and money remittances from the EU to third countries: PSPs must inform users about the estimated charges for currency conversion.
  2. Enhanced transparency for payment account statements: PSD2 does not specify whether a payee’s legal or commercial name (such as a merchant) should be used on payment account statements. The Commission proposes measures to ensure clearer and more informative payment account statements.
  3. Improved transparency for ATM charges: To enhance transparency regarding ATM charges, PSPs will be required to provide users with information about all applicable charges imposed by other ATM operators within the same Member State.

Consumers’ protection when funds are blocked on a payment card

The issue:

Typically, when a payment card is used for transactions such as those at petrol stations, hotels, or car rentals, an initial estimated amount is blocked on the card by the payer’s payment service provider (PSP). These blocked funds can pose financial challenges as they remain unavailable for spending until released.

The proposal:

To tackle this concern, the Commission proposes changes to expedite the release of unused blocked funds. Additionally, it advocates for the blocked amount to be proportionate to the expected final amount, ensuring a fair and reasonable approach to fund blocking.

Improvements in the availability of cash

The issue:

Retailers can provide cash to customers as part of a purchase (cashback) without requiring a license or supervision as a payment service provider (PSP). However, distributing cash through ATMs typically requires a license, creating challenges in applying certain exclusions under PSD2 for specific ATM operators.

The proposal:

To enhance access to cash, the proposal enables retailers to offer cash provision services even without a customer making a purchase. This means retailers can provide customers cash independently without needing a license or acting as agents of a Payment Institution.

Moreover, the proposal explicitly allows certain ATM operators to operate ATMs without a license.

The interaction between payments and General Data Protection Regulation

The proposal:

  1. Limiting Access to Customer Data: payment service providers can only access and process personal data necessary for providing the specific payment services agreed upon with their customers.
  2. Enhanced Data Protection in Open Banking: limiting the data accessed by Third-Party providers – only the minimum necessary data. Additionally, banks must provide users with a “dashboard” to visualise and manage permissions granted to third-party providers.
  3. Processing Personal Data in Payment Transactions: payment service providers may need to process the personal data of the parties involved in payment transactions. This includes personal data categorised as “special categories of data” under GDPR.

PSD3/PSR proposal: Improvements to Open Banking

Changes in the functioning of open banking

Data access interfaces: The proposal introduces significant requirements for data access interfaces, including a list of prohibited barriers to data access. Banks will no longer have to maintain two permanent data access interfaces unless exemptions are applicable. However, open banking providers will have access to contingency data access options in specific and temporary situations.

Consumer Dashboard for Data Access Rights: Banks and other payment account providers must provide consumers with a “dashboard” that gives them a clear view of the data access rights they have granted and to whom.

Protection of the business continuity of open banking providers

Alternative Interface in Case of Outage: If a bank’s open banking interface experiences an outage, potentially disrupting data access for account information and payment initiation service providers (AISPs and PISPs), and the bank cannot promptly provide an effective alternative solution, providers have the option to request their national authority’s permission to use another interface, such as the one used for the bank’s customers. The providers can use this alternative interface until their dedicated interface is restored to functioning.

Penalties and Damages: The national authority can set a deadline for using the alternative interface, and banks may face penalties if they fail to comply. Open banking providers also retain the right to claim damages from the bank for any loss of business caused by the outage.

PSD3/PSR proposal: Competition and level playing field

The issue:

Payment institutions (PIs) and e-money institutions (EMIs) face challenges in obtaining a license as they are required to have an account with a commercial bank. Additionally, accessing key payment infrastructures necessary for executing and settling payments can be difficult for them. Commercial banks often refuse to open accounts or close existing ones due to concerns about anti-money laundering controls.

The proposal:

Banks will be obligated to provide clear explanations for refusals and account closures, considering the specific circumstances of the payment institution (PI). Justifications for refusal must be based on serious suspicions of illegal activities conducted by or through the PI, or on the PI’s business model or risk profile posing significant risks to the credit institution. If a bank decides not to open an account, or to close one, the PI can appeal to a national authority. Besides commercial banks, central banks can offer account services to non-bank PSPs.

The initiative also introduces strengthened regulations for including payment institutions as participants in payment systems. Payment system operators must conduct thorough risk assessments during the admission process.

PSD3/PSR proposal: Simplification

Merging of e-money and payment institutions regimes

The issue:

There have been challenges for supervisory authorities in effectively differentiating between e-money businesses and the services provided by payment institutions. This is due to the distinct licensing requirements and key concepts that govern the e-money industry, such as e-money issuance, distribution, and redeemability. These aspects differ significantly from the services offered by payment institutions, creating practical difficulties in delineation between the two regulatory frameworks.

The proposal:

To address the practical challenges supervisory authorities face in distinguishing between e-money institutions and payment services, a proposed change involves merging the two regulatory regimes into a single piece of legislation. This merger aims to harmonise and simplify the legal requirements for payment and former e-money institutions, ensuring greater consistency and ease of application.

Changes to enhance enforcement of the rules

The issue:

The regulations applicable to Payment Service Providers (PSPs) contain unclear or ambiguous points, including the definition of terms such as “funds,” “payment account,” and “payment instrument.”
There is also a lack of rules for the smooth functioning of open banking and a lack of guidelines for competent authorities on how they must enforce the rules.

The proposal:

To enhance the enforcement of rules, a significant portion of the payment regulations applicable to Payment Service Providers (PSPs) will be incorporated into a directly applicable regulation. This regulation will clarify previously unclear or ambiguous points. It will also establish detailed guidelines on how competent authorities should enforce these rules. The legislation will include a list of specific breaches for which corresponding sanctions must be implemented, ensuring consistent enforcement across jurisdictions.

Recognising the importance of national supervision for the effective functioning of open banking, the proposed changes include specific enforcement provisions for open banking rules. These provisions aim to facilitate smooth operations within the open banking framework by ensuring robust national oversight and adherence to regulatory requirements.

PSD3 proposal: Initial capital and own funds requirements

The initial capital requirements for payment and e-money institutions upon authorization are as follows:

  • If the payment institution offers only money remittance, it must maintain capital of at least EUR 25,000 at all times.
  • If the payment institution provides payment initiation services, it must maintain capital of at least EUR 50,000 at all times.
  • If the payment institution provides other payment services, it must maintain capital of at least EUR 150,000 at all times.
  • For payment institutions offering electronic money services, the required capital must not fall below EUR 400,000 at any time.

In addition to the existing own funds calculation methods, PSD3 foresees additional own funds calculation methods for PIs.

PSD3 proposal: A reapplication process for existing PIs and EMIs

Under the implementation of PSD3, the current Payment Institutions and Electronic Money Institutions are required to undergo a reapplication process. Within 24 months of PSD3 coming into effect, these PIs and EMIs must submit a new license application. The authorization will be granted if they can demonstrate their adherence to the new requirements. Existing licenses will remain valid for 30 months from the date of PSD3’s enforcement, provided that the aforementioned reapplication has been submitted.

PSD3/PSR proposal: Framework for Financial Data Access

The issue:

  • Some data users currently have unauthorised access to certain types of customer data through technical interfaces established by data holders. However, this unregulated and unsupervised access poses risks to customers.
  • Presently, customers lack control over their data when accessing data-driven services beyond basic payments. Due to potential risks, the absence of clear data access and usage rules undermines customer confidence in sharing their data. Without effective tools to manage data-sharing permissions, customers feel a lack of control, leading to hesitancy in sharing their data.
  • Even in cases where customers are willing to share their data, there is a lack of clear and comprehensive rules governing data-sharing practices.
  • High costs often accompany data sharing due to the lack of standardisation in the data and the technical infrastructure required for seamless sharing.

The proposal:

This initiative aims to tackle these challenges and facilitate improved access to financial data for both consumers and businesses. By doing so, it aims to unlock the potential benefits associated with enhanced financial products and services. By combining data from various sources, innovative services can be developed for customers willing to grant access to their data.

The proposed regulation establishes a comprehensive framework for responsible access to individual and business customer data across a broad spectrum of financial services, commonly called “open finance.” Adopting a customer-centric approach, the proposal prioritises the empowerment of all consumers and firms, ensuring they have effective tools to control the utilisation of their financial data.

In alignment with the General Data Protection Regulation (GDPR), the proposal includes additional measures to guarantee personal data protection. Moreover, it adheres to the general principles of business-to-business data sharing outlined in the Data Act proposal. The initiative aims to foster responsible and secure data practices by incorporating these safeguards while promoting transparency and customer trust.

The type of data included in the scope of the proposal

The proposal addresses the collection, storage, and processing of customer data by financial institutions, encompassing natural persons and business customers. This includes data provided by customers (transmitted data) and transaction data resulting from their interactions with financial service providers.

To mitigate risks associated with sensitive data, such as life, sickness, and health insurance data, as well as creditworthiness data of individuals, these types of data will be excluded from the scope of the proposal.


About Advapay

Advapay is a technology company providing the Digital Core Banking platform to empower fintech clients or digital banks to start their businesses and accelerate digital transformation. The platform delivers all essential functionalities, a front-to-back system and a set of tools to customise and bring new integrations. With Advapay, potential and existing customers can connect either to the cloud-based SaaS or on-premise software. Besides the technical infrastructure, the company provides business advisory and fintech licensing services.