Challenges Faced by PSD2 and the Need for PSD3
On 28 June 2023, the European Commission presented a series of proposals comprising the Payment Services Directive 3 (PSD3)1 and the Payment Services Regulation (PSR). These new rules are the successors of the Payment Services Directive 2 (PSD2)2, which was introduced to transform the European Union payment market by enhancing user protection, fostering innovation and creating a fair environment for payment service providers (PSPs).
While PSD2 has brought notable improvements, it has faced particular challenges that have required updating the regulatory framework to adapt to the rapidly changing payment landscape.
Significant progress was made under PSD2. In particular, strong customer authentication (SCA) was introduced, which could be interpreted as a crucial step in the fight against fraud. In addition, PSD2 improved the efficiency, transparency and choice of payment instruments for users, offering them enhanced options and greater control over their payments.
However, PSD2 also faced difficulties in creating a level playing field for all PSPs. Non-bank PSPs often needed direct access to major payment systems, which created an imbalance between bank and non-bank PSPs. This imbalance hindered fair competition and innovation in the payment market.
Open Banking also faced challenges related to data access interfaces for service providers, and cross-border payment services expanded while payment systems remained centred in individual Member States. This led to differences in regulation and forum shopping3 between service providers, which further required regulatory changes.
PSD3’s main changes
Despite the excitement around the European Commission’s initial announcements about the need to reform European payment services legislation, PSD3 does not bring radical changes: it introduces enhancements that are unlikely to require significant infrastructure changes but will improve security and service levels.
As digital innovation reshapes financial services, PSD3 becomes a critical step to strengthen customer protection and create a level playing field for non-bank payment service providers.
- Stricter requirements for strong customer authentication (SCA)
One of the key changes in PSD3 is more comprehensive requirements for strong customer authentication (SCA), which will add a layer of security to payment transactions. Additional proposed preventative measures include:
  - Requiring PSPs to verify that the payee’s name and unique identifier match before initiating credit transfers;
  - Providing a legal basis for PSPs to share fraud-related information;
  - Improving transaction monitoring;
  - Improving consumer rights;
  - Introducing an obligation for PSPs to inform their employees and customers about the risks and consequences of payment fraud.
- Increase consumer protection and trust in payments
Additional attention is being paid to combating fraud, including complex cases such as “spoofing”4. The use of IBANs and enhanced transaction monitoring are new security measures intended to increase protection.
Open Banking, introduced by PSD2, will also change under PSD3. New standards and more efficient data exchange mechanisms will be introduced to improve the concept further. In addition, consumer rights will be enhanced through more transparent communication and the provision of information on payment fees and delayed funds. Separately, the stricter obligation on banks to provide bank account services to non-bank PSPs should be emphasised. With appropriate safeguards, this component of PSD3 gives non-bank PSPs the right to have a bank account. This indicates a “levelling of the playing field” between banks and payment institutions.
- New opportunities for customers
PSD3 aims to increase the availability of cash by providing new methods, such as cashback without compulsory purchases in shops and incentivising an increase in the number of ATMs. New rules for managing temporarily held funds will ensure that unused funds are quickly returned to the customer.
Thus, PSD3 represents not only a change in legislation but also a strategic improvement of the payments system aimed at ensuring security, transparency and protection of the interests of all financial market participants in the EU. Nevertheless, in our view, the PSD3 innovations should not be considered “revolutionary” but rather “evolutionary” changes, representing a significant step towards a world of open finance.
What should we prepare for?
The potential effects of PSD3 on financial institutions, payment service providers, consumers, regulators and others falling within the scope of the Directive could be as follows:
- Increased competition in the financial market
PSD3 emphasises the importance of providing PSPs with direct and indirect access to all EU payment systems, including bank accounts and digital banking schemes, and states that credit institutions will be obliged to provide PSPs with access to bank accounts in the future. The Directive thus essentially takes the position that full integration of PSPs into banking is required, giving them unrestricted access to financial instruments within the European Union.
- Changes in the banking landscape
Banks contemplating expansion in Europe or beyond are advised to explore the implementation of Open Banking. The possibility of easier access to payment systems may incentivise a bank looking to expand its global footprint to position itself as an electronic money institution (EMI) rather than obtain a full banking licence.
- Improving the level of security of payment transactions
More burdensome payment security requirements will require payment service providers to implement advanced technologies for strong authentication, improve payer data verification systems, actively engage in fraud information sharing, implement more effective transaction monitoring mechanisms, and adapt to new regulations that expand consumers’ refund rights.
Implementation of PSD3 in the Legislation of the EU Member States
The implementation of PSD3 in the Member States of the European Union will follow a structured timetable similar to previous directives. The European Commission will publish the final text of PSD3, specifying its provisions and requirements. EU member states will have a set period to transpose the Directive into national legislation.
The timeframes for transposition may vary but usually range from one to two years after the publication of the final text.
During this period, each Member State must adapt its existing laws and regulations to align them with the provisions of PSD3, ensuring uniformity and consistency across the EU.
Transposing PSD3 into national law is a pivotal step to ensure its effective implementation. It involves the relevant public authorities of each Member State taking the necessary legislative measures to give effect to the requirements of PSD3 in their national jurisdictions. This process may require the amendment of existing laws or the adoption of new legislation to comply fully with the Directive’s provisions.
Entry into Force
The final implementation schedule for PSD3 and PSR has yet to be determined. Final versions should be available by the end of 2024. Typically, Member States are given a transition period of 18 months, which implies that PSD3 and PSR could enter into force around 2026.
In conclusion, all persons subject to the scope of the new rules require a clear strategy, risk assessment, and diligent execution to successfully manage the potential consequences of the entry into force of the rules under PSD3 and PSR.
It is critical for financial institutions to remain informed of all changes affecting them and to clearly define the overall strategy and interim steps to achieve compliance with such changes.
COREDO’s team of experts can advise you on any of the above points and their potential impact on your business and help you better navigate the new regulatory landscape.
By Dmitry Vyalkov, LLM, lawyer at COREDO.
————-
1 Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC
2 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance)
3 “forum shopping” refers to the practice of selecting the more “appropriate” court that will view a lawsuit most favourably.
4 “Spoofing” is an impersonation fraud that blurs the distinction between unauthorised and authorised transactions because the consent given by the customer to authorise the transaction is subject to manipulative techniques by the fraudster, who, for example, uses the bank’s phone number or email address.