Few initiatives have been more eagerly awaited than the Commission's proposal on the revised PSD2 regime. It has been seven years since PSD2 was adopted and the payment services market has evolved considerably since then. This evolution has revealed multiple shortcomings in the legal framework.
However, anyone expecting a "revolution" from PSD3 will be disappointed. Instead of radical innovations, the proposal is more a “fine-tuning” or “modernisation” of the current payment services regime. As the Commission’s Executive Vice-President Valdis Dombrovskis and Financial Services Commissioner Mairead McGuinness put it at a press conference, “this is more an evolution than a revolution. […] We are strengthening protection against payments fraud”.
With the new package, the EU is seeking to ensure that the payment sector is capable of adapting to ongoing digital transformation and addressing the risks and opportunities it presents – in particular for consumers.
But let’s take one step at a time – looking at why PSD2 needs to be updated, the key elements of the proposals and what the next steps are.
1. Why is PSD2 changing?
PSD2 entered into force in 2015 and was required to be implemented across EU member states by January 2018. PSD2 set out an updated framework for payments in the EU and was intended to harmonise the rules for payment service providers (PSP), create an integrated EU payments market and introduce rules on open banking.
However, over time, certain deficiencies in the current legal framework have come to light. In particular, consumers have been increasingly exposed to risks of fraud (resulting in reduced confidence), and an unlevel playing field between banks and non-bank PSP continues to exist.
These issues, among others, were identified by the European Commission and the European Banking Authority (EBA) (see our blog post) as part of the PSD2 review, which commenced in the summer of 2022.
Following the review, the EU Commission has now proposed two distinct legislative acts: a new directive on payment services and electronic money services (PSD3) and a new regulation on payment services (PSR), which aim to:
- strengthen user protection and confidence in payments;
- improve the competitiveness of open banking services;
- improve enforcement and implementation in EU Member States; and
- improve (direct or indirect) access to payment systems and bank accounts for non-bank PSP.
The proposals are part of a broader Digital Finance package, which includes a related proposal on Financial Data Access (FIDA) and on a Digital Euro.
2. What are the basic differences between PSD3 and PSR?
PSD3 is proposed as a directive and focusses on rules relating to licensing and supervision of payment institutions. Those rules, as for all directives, will need to be implemented by Member States, so there may be divergence in approach between Member States’ implementation.
The accompanying PSR includes, among other things, rules relating to (i) transparency requirements, (ii) rights and obligations relating to the provision and use of payment services including open banking, (iii) authorisation of payment transactions and (iv) operational and security risks. Most of the rules which are currently set out in PSD2 will be moved to PSR, meaning that those rules will become directly applicable in all EU Member States and – with certain exceptions – do not have to be transposed into national law. This will give Member States very limited discretion regarding implementation.
3. PSD3 and PSR – what do you need to know?
The key elements of the proposals are as follows:
a) Merging the legal frameworks applicable to electronic money and to payment services
With PSD3, the European Commission proposes repealing the Electronic Money Directive 2009/110/EC (EMD) and integrating it into the payment services package, resulting in harmonised rules for payment institutions and e-money institutions going forward (e.g. regarding licensing requirements which, apart from the harmonisation, remain largely unchanged). Although simplification was not part of the purpose of the payment services review, opportunities for simplification were sought, and repealing the EMD was one of the main examples of such simplification.
b) Supervision of payment institutions
Initial capital requirements are proposed to be higher in the future to reflect increased inflation and it is proposed that payment initiation service providers (PISP) and account information service providers (AISP) may hold initial capital instead of professional indemnity insurance.
Safeguarding rules would also remain unchanged with the exception that payment institutions may also hold client funds on an account with a central bank (at the discretion of the relevant central bank).
Specific provisions regarding the cooperation of the competent authorities are proposed to provide clarity for cross-border scenarios where three EU Member States are involved – i.e., the Member State of establishment of the payment institution, that of the agent, and the Member State into which the agent provides services on a cross-border basis (“triangular passporting”).
Certain provisions which provide for an exemption from the licensing requirement such as the commercial agent exception or the exemption for cash distributions via ATMs are further clarified.
c) Open banking
PSD2 introduced the open banking legal framework enabling the use of technical interfaces to retrieve payment transaction data and to initiate payment orders at account servicing payment service providers (ASPSP) via third parties, provided that the customer has initiated the payment transactions. The main objective of opening up payment services to third parties was to enable and regulate innovative business models, as well as requiring ASPSP to grant access to appropriately-regulated third parties. The main provisions concerning open banking were not stipulated in the PSD2 itself, but in the Commission’s Delegated Regulation (EU) 2018/389 on strong customer authentication and secure communication under PSD2 (RTS on SCA). Certain provisions within the RTS on SCA are proposed to be incorporated in PSD3 with certain modifications.
As proposed, ASPSP would be obliged to provide at least one dedicated interface for open banking data access. ASPSP would not be obliged to permanently maintain an additional “fallback” interface. ASPSP may apply to the national competent authorities for an exception from the general obligation to have in place a dedicated interface, and instead use alternative interfaces or no interface at all for secure data exchange.
Additional and broader requirements on dedicated interfaces are proposed as regards performance and functionalities.
To enable payment services users (PSU) to manage their open banking permissions in a convenient way, ASPSP are required to offer them a “dashboard” that is integrated in the user interface, allowing the PSU to withdraw data access from any given open banking provider.
d) Strong customer authentication (SCA)
One of the key drivers was to combat and mitigate payment fraud by strengthening, among other things, the SCA rules. Specifically on SCA, PSP should be required to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology or device. The proposals will further clarify in which circumstances certain types of transactions, such as merchant-initiated transactions or mail orders or telephone orders, may be exempt from the obligation to apply SCA, while also introducing safeguards to ensure that payers nevertheless remain protected from fraud. Also, the PSR aims to simplify the application of SCA in respect of AISP. Other changes focus on strengthening the use of digital passthrough wallets (where a virtual payment card is stored on the wallet) for payments.
e) Authorisation of payment transactions and liability regime
The proposed PSR also sets out new liability provisions. Most notably, a PSP should be held liable where a consumer has been manipulated into authorising a payment transaction by a third party who, using lies or deception, pretends to be an employee of the consumer’s PSP, on condition that the consumer has reported the fraud without any delay.
The rules on the authorisation of payment transactions are further detailed and aligned with the Instant Payments proposal (see our blog post).
f) Access to payment accounts and payment systems
Payment system operators would be required to publish their rules and procedures for admission to that payment system as well as the criteria and methodology they use for the risk assessment of applicants. The requirement for payment system operators to have rules and procedures relating to access which are objective, non-discriminatory, transparent, and proportionate would be extended to payment systems designated by a Member State pursuant to the Settlement Finality Directive (98/26/EC).
Currently, there are no harmonised rules on whether payment institutions (including e-money institutions) can have direct access to payment systems designated by Member States under the Settlement Finality Directive – the proposal seeks to address this lack of harmonised rules.
Similarly, the rules concerning the opening and closing of payment accounts by payment institutions, their agents or distributors with a credit institution will be strengthened.
g) Enforcement
The proposal also sets out expanded sanction powers of the national competent authorities including comprehensive investigation rights, the right to impose periodic penalty payments on PSP and members of their management body and a requirement to publish decisions on sanctions and administrative measures (“naming and shaming”).
It is also proposed that the EBA will be granted product intervention powers in the field of payment services, enabling the EBA to prohibit or restrict a certain type or a specific feature of a payment service (similar to those powers under the Markets in Financial Instruments Regulation).
4. What’s next?
The proposals will now follow the EU legislative process and will be discussed in parallel by the European Parliament and the Council.
While we understand that MEPs and the Spanish Presidency of the Council plan to commence work after the summer break, the forthcoming European Parliament elections in June 2024 will impact on how much progress can be made during this legislative mandate. In September, we should gain further clarity on how ambitious the institutions are and which elements of this Digital Finance package will be prioritised.
According to the current proposals, PSD3 and PSR will enter into force 18 months after their adoption.