On 28 June 2023, the European Commission published draft legislation for financial services in the EU including the Third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR) that will replace the PSD2 and the Electronic Money Directive.
The European Electronic Payment Landscape
What is PSD2?
PSD2, the Second Payment Services Directive adopted in 2015, is the EU legislative framework for all retail electronic payment in € and non-€, domestic and cross-border. It contains both rules on the provision of payment services by Payment Services Providers (PSPs) and rules on the licensing and supervision of one specific category of PSP, namely Payment Institutions (PIs). The objective of this set of rules was to increase the level of consumer protection, the security of transactions, the licensing and the supervision of payment service providers
Why PSD2 has been reviewed?
Given (i) all the market developments since 2015 – the retail payment services market underwent significant changes resulting in the emergence of newer frauds and newer players/PSPs; (ii) innovations that reshaped the electronic payments landscape – decreasing use of cash, new payment practices, digital wallets, QR codes…; (iii) the importance of having an effective and efficient retail payment system for the smooth running of the economy highlighted in the Commission’s Retail Payment Strategy of 2020; and (iv) the confirmation in the 2022 State of the Union letter of intent that data access in financial services is among the key new initiatives for 2023; the Commission was required to evaluate and review PSD2.
PSD2 Evaluation’s findings
PSD2 has had varying degrees of success in achieving its objectives.
- Better fraud prevention by the introduction of the Strong Customer Authentication (SCA);
- Increase of the efficiency, transparency and choice of payment instrument for consumers.
Key problems identified:
- Consumers are at risk of fraud and there is a lack of confidence in payments;
- The open banking sector functions imperfectly;
- Supervisors in the EU Member States have inconsistent powers and obligations;
- There is an unlevel playing field between banks and non-bank PSPs.
Introduction of a new legislation: PSD3 and PSR
Following this evaluation done in 2022, the Commission proposed amendments to PSD2 and the Electronic Money Directive and published draft proposals composed of 2 legislative acts:
- a Directive on payment services and electronic money services in the Internal Market (PSD3)
- a Regulation on a framework for Financial Data Access – Payment Services Regulation (PSR)
Scope of application of PSD3 and PSR
PSD3 focuses on (i) authorisation to provide payment services and electronic money services, (ii) supervisory requirement for Payment Institutions – Electronic Money Institutions category will be replaced, (iii) Account information Services Providers (AISPs) and cash withdrawal services.
PSR will address all rules concerning PSPs activities, and rights and obligations of all categories of PSPs and payment services users.
Objectives of PSD3 and PSR
Introducing PSD3 and PSR, the EU regulators’ purpose is to improve the functioning of the EU payment market with a focus on four key objectives:
Objective 1: Strengthening user protection and confidence in payments
- Fraud and liability improvements
- Extend IBAN/name matching verification services to all credit transfer, regular and instant credit.
- Strengthen transaction monitoring by introducing a legal basis to facilitate the multilateral sharing of fraud data information (fraudulent credit transfer, manipulation techniques, unique identifiers IBAN).
- Extend refund rights of consumers in case of failure of IBAN/name verification or for consumers that are victims of “spoofing” fraud (the fraudster contacts the consumer pretending to be an employee of the consumer’s bank) – subject to conditions.
- Oblige the PSPs to enhance awareness among their users and employees concerning emerging new forms of payment fraud and trends.
- Improve Strong Customer Authentication (SCA).
- Customer rights and information improvements
- Obligation to inform the customer on estimated charges for currency conversion for credit transfers and money remittances from the EU to third countries.
- Obligation to provide information on the payment account statement that enable the customer to clearly identify the payee.
- Obligation to inform the customer on all applicable charges made by other ATM operators.
- Strengthening the protection of the customer’s data in accordance with GDPR by limiting the data which can be access to the minimum necessary for delivering the payment service.
Objective 2: Improving competitiveness of the open banking services
- Obligation for the data holder to offer a dedicated data access/exchange interface. Prohibited obstacles to data access has been listed and must be removed.
- Removal of the permanent fall-back interface obligation for banks.
- To ensure the continuity of their business, PSPs can request the National authorities to be allowed to use an effective alternative interface in case the dedicated interface is down.
- Financial data access permission dashboards: obligation for data holders/banks/credit institutions to build permission dashboards that allow customers to monitor and manage, in real time, permissions granted to data users/PSPs to access their financial data, with a withdrawal functions.
- Cash withdrawal offering services without authorisation: for independent ATM deployers and a retail store (without a purchase but limited to EUR 50).
Objective 3: Improving the enforcement and implementation in Member States
- Shifting elements of PSD2 into the new PSR, a Regulation that apply directly and consistently across the EU, without need of transposition into national law, limiting room for interpretation.
- Merging the level framework applicable to electronic money and payment services: one single piece of legislation for a higher degree of harmonisation, simplification and consistent application.
- Defining administrative sanctions and measures that the authorities can take when encountering infringements to the rules.
Objective 4: Improving direct and indirect access to payment systems and bank accounts for non-bank PSPs
- Improvement in the access to payment systems and payment accounts: additional requirement to grant PSPs non-discriminatory access to payment systems and accounts held by credit institutions. In case of access refusal, the credit institution must explain and justify the refusal.
- Option for PSPs to substitute the requested professional indemnity insurance by an initial capital of EUR 50.000
- Safeguarding: options is offered for the PSPs to safeguard user’s funds in an account at a Central Bank
PSD3 and PSR Timeline
- In terms of timeline, the proposals will first be reviewed by the European Parliament and Council. While PSR will become applicable 18-24 months after its publication in Official Journal of the EU; PSD3, as an EU directive, will need to be transposed into national laws – State Member are usually granted 18 months for transposition. Therefore, PSR/PSD3 will likely start to be applicable by 2026. However, given the European election that will take place in June 2024, timeline can be postponed to a further date.
- Payment Institutions and Electronic Money Institutions are granted a 24-month period (after PSD3/PSR enter into force) to re-submit a request for authorisation under the new legislation.
Further information on PSR Financial Data Access Framework (FIDA framework)
Why a financial data access framework?
Actual situation: problem in the current data flow process in the financial sector
Why is access to data limited?
What are the objectives of the FIDA framework?
The objective of the PSR is to establish a financial data access framework for a responsible access to individual and business customer data across a wide range of financial services (“open finance”) that is also in line with the General Data Protection Regulation (GDPR). This is to make possible for consumers and firms to benefit from financial products and services that are tailors to their needs.
Future situation: Customer data flows after the implementation of financial data access framework
What would be the benefits of FIDA implementation?
For the customers:
- More transparency and control over their data sharing relationships
- Increased trust and confidence in data sharing
- More innovative and cheaper financial services to choose from
For the data users:
- Increased access to key customer data sets would boost innovation
- Enabling new services and revenue streams for data users
What is the Data concerned?
The data in the scope of the proposal is customer data that is typically collected, stored and processed by financial institutions as part of their normal interaction with customers:
- “transmitted data”: data transmitted by the customers themselves
- “transaction data”: data arising from the customer’s interactions with their financial service providers
PSD3/PSR brings new challenges for Banks PSPs and non-banks PSPs and will require development and cooperation between financial sector players. These regulatory updates should have a positive impact in terms of consumer protection, security of transactions, fair competition and open market enabling the consumer to realise gains from better financial products and services.
In its press release document, the Commission indicated that the amendments to PSD2 are an evolution of the EU payments framework, “not a revolution”. The EU regulators’ aspiration is a unified approach and a greater harmonisation in electronic payments.