PSD3 & PSR: get ready for regulatory changes in the payment services landscape
On 28 June 2023, the European Commission proposed a new set of rules to further modernise payment services and open financial services data. In part, this package revises the Second Payment Services Directive (PSD2) and introduces a new Payment Services Regulation (PSR). According to the Commission, a revision of PSD2 was necessary as the payment services market has changed rapidly in recent years.
We explain how these measures will further level the playing field between banks and fintech companies, and the actions that payment institutions will have to take with respect to their current authorisations. We do not expect implementation to take place before 2026.
Background
After the introduction of PSD2 (which entered into force in the Netherlands in February 2019), the payment services market changed significantly. The change was due to the increased use of cards and other digital means of payment, and the growing presence of new players and services. The Covid-19 pandemic accelerated this transformation and demonstrated the importance of having a secure and efficient digital payment infrastructure. As part of its 2020 Retail Payments and Digital Finance Strategies, the Commission announced that it would review PSD2 in 2021. The purpose of this review was to assess if PSD2 was still fit for purpose, taking into account market developments.
The overall evaluation of PSD2 – which included advice from the European Banking Authority (EBA) as well as a public consultation and a report from an independent consultant – identified several issues, such as uneven implementation of rules that could lead to the encouragement of regulatory arbitrage. Another finding was that while one of PSD2's main objectives is to ensure a level playing field between incumbent and new providers of card, internet and mobile payments, there is still an unlevel playing field between these two types of providers. For example, account information services providers (AISPs) and payment initiation services providers (PISPs) are still experiencing obstacles in obtaining data access from banks. This hinders the development of "open banking", the process by which AISPs and PISPs provide "value added services" if users request these in relation to their banking or payment account or the relevant data on those accounts.
Given the outcome of the evaluation, which was concluded in 2022, the Commission submitted a proposal for the revision of PSD2 (PSD3) and introduced a Payment Services Regulation (PSR). In addition, the E-Money Directive will be integrated in the new Directive, as a result of which payment services and electronic money will become subject to one single PSD regime. The total revision aims to offer consumers a greater choice of payment services providers in the EU market. Below, we describe how: (i) PSD3 further levels the playing field between banks and non-banks, (ii) PSD3 and the PSR facilitate open banking, and (iii) the additional rules for authorisation that current e-money and payment institutions should be aware of.
Measures to further level the playing field between banks and non-banks
During the PSD2 review, the Commission noted that consumers were still not fully able to make use of the potential benefits that new payment institutions and innovative payment services could provide, due to, for example, the difficulties payment institutions have in opening and maintaining payment accounts with banks. To strengthen the position of payment institutions towards banks, the Commission proposes four new measures. First, payment institutions will get the opportunity to hold funds at the central bank to safeguard users' funds. Second, payment institutions will be incorporated into the Settlement Finality Directive, which will allow them to become a participant in these systems. Third, the PSR states that credit institutions can only refuse to open or can only close a payment account for payment institutions, their agents or distributors, or applicants for a license application in exceptional cases where there are serious grounds to refuse access. Such grounds should include serious grounds for suspicion of illegal activities and anti-money laundering. Last, payment system operators must provide direct access for payment institutions to all payment systems and can only inhibit access where this is necessary to safeguard specific risk (such as operational, credit or business risk). Payment system operators will therefore be required to have in place objective, non-discriminatory, transparent and proportionate rules on access to a payment system by authorised or registered payment service providers.
The measures referred to above will drastically reform the payment market; currently, only banks have access to the payment settlement structure, forcing licensed payment institutions to fully rely on banking partners to process their payments. We believe that these measures will further contribute towards creating a level playing field between banks and non-banks, leading to more competition and innovation.
Data sharing
The Commission also established that current restraints in the exchange of data between participants in the payment chain hamper further innovation and improvement of customer experience. This is also referred to as "open finance". Notably, the Commission aims to realise a framework for responsible data sharing, by taking measures such as requiring that account servicing payment service providers (ASPSPs) offer users a permission dashboard to easily manage and withdraw permissions for access to their data.
For banks and payment institutions, too, data sharing should become less cumbersome. On the one hand, banks, which often act as ASPSPs, will be required to offer the permission dashboard to users as well as access to the customer data interface for other PSPs with the aim of promoting open banking. On the other hand, the current requirements become more relaxed, as banks will no longer need to maintain an additional back-up interface for possible disruptions, allowing them to save costs. Payment institutions will benefit from fewer permitted obstacles to data sharing and increased access to data interfaces as a result of the proposed revision.
Safeguards will be put in place to avoid potential clashes with provisions of the GDPR, including clear scoping of the type of data to which the new legislation would apply. For example, data on life, sickness and health insurance will be excluded to avoid undesirable consequences, such as differentiation (for example, in insurance premiums) or even exclusion from a certain product or service. The same applies to data related to creditworthiness assessments. Additionally, data sharing between banks and PSPs will be facilitated for the purpose of combatting payment fraud (see below).
A stricter regime for authorisation
PSD3 will also impose new legal licensing requirements on e-money and payment institutions. For example, these institutions will be required to add a winding-up plan to their licence package that addresses the eventuality of failure (to the extent not already required as part of the application process in the relevant Member State). Also, payment institutions will be subject to increased initial capital requirements and different own funds calculation methods. This means that some payment institutions may be forced to increase their regulatory capital. Last, a best-efforts obligation for payment institutions is introduced to avoid concentration risk by "ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds. In particular, they shall endeavour not to safeguard all consumer funds with one credit institution". This requirement could also increase the operational costs for payment institutions.
Current e-money institutions and payment institutions will have to submit a new licence application to the national competent authority two years after the PSD3 enters into force, at the latest. In the meantime, existing licences (including passported activities) will remain valid until 30 months after entry into force (with the condition that the new licence application is submitted before the two-year deadline).
Other measures
Further amendments are envisaged to address emerging types of fraud, such as social-engineering fraud, which involves the manipulation of the payment account holder (for example, sending a text message pretending to be someone's friend or relative in order to achieve a money transfer to an illegitimate recipient). Part of the proposal is to make IBAN/name verification even more widely available to all users in the EU (free of charge) as a means to reduce impersonation fraud. For instant payments, this requirement has already been proposed in an amendment to the SEPA Regulation, currently still under discussion. The current proposal aims to introduce the requirement for all credit transfers in the EU (including in different currencies). Another notable part of the proposal is that consumers that fall victim to fraud will be able to claim a refund from their bank or PSP under particular circumstances and provided certain conditions are met (that is, there should not be gross negligence on the side of the fraud victim and the fraud should be notified to the bank or PSP without undue delay, in addition to filing a police report).
Furthermore, amendments are proposed to facilitate the use of Strong Customer Authentication (SCA), introduced by PSD2, by further clarifying the scope of SCA application (for example, with respect to the virtual payment cards stored in a mobile wallet) as well as by ensuring accessibility for all users to different methods of SCA.
Finally, the proposal also includes the better availability of cash as one of its spearheads. This will be achieved by allowing retail stores to provide a "cashback" option without an accompanying purchase; in other words, to provide cash up to an amount of EUR 50 without a licence. The proposed text of PSD3 clarifies that no licence requirement applies to certain ATM operators, with the intention of encouraging the provision of ATM services.
Next Steps
As a next step, both the European Council and the European Parliament will review the proposal and agree on the final text. When member states should implement PSD3 and what the transition period for the PSR will be, has yet to be announced. However, implementation is not expected to take place before 2026.