PSD3 & PSR: advancing the payments market in Europe

Written By Nicoletta Kouvara

The second Payment Services Directive (EU) 2015/2366 (PSD2) transformed the EU regulatory framework governing payment services, building upon the foundation laid by the initial Payment Services Directive (EU) 2007/64/EC (PSD1). Since its adoption, the payment market has undergone significant changes, from the introduction of new innovative payment solutions to the emergence of more sophisticated types of fraud. In July 2023, in an aim to keep up with such developments, the EU Commission put forward proposals for a Payment Services Directive 3 COM/2023/366 (PSD3) and a Payment Services Regulation COM/2023/367 (PSR) which will replace the PSD2. 

The five key objectives of the PSD3 and the PSR are to:

1.      Reduce payment fraud

In response to the escalating risk of payment fraud, PSD3 and PSR aim to improve customer confidence and trust. To achieve this, the primary focus lies in facilitating the secure exchange of fraud-related information among payment service providers in line with data protection laws. Additionally, this legislative package will improve strong customer authentication, promote consumer awareness, extend refund rights applicable to consumers who fall victims to fraud and extend IBAN/account name matching verification to encompass all credit transfers.

2.      Strengthen consumer rights

In its efforts to ensure robust consumer protection, the EU Commission is proposing that more transparent practices are implemented, especially when it comes to credit transfers and money remittances from the EU to third countries, in relation to the estimated charges applicable for currency conversion, as well as, the estimated time for funds to be received by the payee’s payment service provider. These measures will provide more clarity regarding the identification of the payee in payment account statements and ATM charges.

3.      Improve Open Banking

To remove remaining obstacles and improve the functioning of open banking (i.e. the secure sharing of financial data between banks and payment service providers upon the payment service user’s request), the EU Commission is proposing that payment account providers be required to set-up a dashboard allowing consumers to manage data access permissions granted to open banking providers and allow them to withdraw such permissions at any given time. Additionally, the proposals include measures to ensure the business continuity of open banking providers by allowing them, for a limited time, to utilise alternative interfaces when their own interface is down, thus eliminating data access disruption.

4.      Level the playing field between banks and non-bank payment service providers

Non-bank payment service providers such as payment institutions (PIs) and e-money institutions (EMIs) are usually at a disadvantage when competing with banking institutions in providing payment services. This is because banking institutions often make it difficult for non-bank payment service providers to open and maintain bank accounts with them, which are necessary to secure a payment services licence. To tackle this, the EU Commission is introducing certain requirements that will enable smooth access to bank accounts for PIs, EMIs and other non-bank payment service providers. For instance, justifications provided by banks to such non-bank payment service providers for the refusal of access to a bank account will have to be more substantive, e.g. they must indicate serious grounds of suspicion of illegal activities.

5.      Strengthen harmonisation and enforcement

As the EU Commission noted in its proposals, the internal market for payments is fragmented, resulting in ‘forum shopping’ which distorts competition in the market. This occurs when payment service providers, in their effort to offer cross-border services throughout the EU, select a Member State that adopts more favourable payment service rules as their ‘home countries’. To address this, the EU Commission seeks to move certain provisions from the PSD2, being an EU directive, to the PSR, which is an EU regulation. This will provide a harmonised legal framework across all Member States, since an EU regulation is directly applicable and imposes the same rules on all Member States, compared to an EU directive which needs to be transposed into national law by each Member State and may allow some Member States to ‘opt out’ from certain provisions and impose softer rules than others.

Therefore, to harmonise payment services rules and enhance enforcement, the EU Commission proposed that PSD2 be divided into two different instruments, namely:

  • the PSD3 which will merge and replace the PSD2 which regulates PIs and the existing second e-money directive (EU) 2009/110/EC (the “EMD2”) which regulates EMIs; and

  •  the PSR.

What will PSD3 cover?

The PSD2 contains rules for the authorisation and supervision of PIs and the EMD2 regulates the authorisation and supervision of EMIs. Given the similarities in the rules found in these two EU directives, the introduction of a single directive regulating the authorisation and supervision of both types of institutions will simplify processes and remove certain ambiguities.

The proposed PSD3 will cover the authorisation process for PIs, which will now also include EMIs. As a result, PIs under PSD3 may be granted authorisation to offer e-money services in addition to the other payment services. Since licensing and authorisation of payment service providers falls within the competence of the national authorities of each EU Member State, a single all-encompassing EU directive in this case is the most suitable instrument.

The PSD3 will also bring clarity to areas that remained somewhat ambiguous under PSD2 by bringing in clearer and more detailed rules on authorisation and supervision. This includes, providing clearer rules on certain practical issues that PIs and EMIs faced under current legal framework. For example, PIs and account information service providers (AISPs) will be given the option to hold €50,000 initial capital instead of professional indemnity insurance and PIs’ initial capital requirements will be adjusted to reflect inflation. The ‘own funds’ calculations methods under the PSD2 remain but under PSD3 method B which is calculating transaction volumes will be the default method. Certain PIs will be permitted to use alternative ‘own funds’ calculations. Under safeguarding rules, we see a notable addition of the ability to secure funds in an account held at a Central Bank.

What will PSR cover?

The PSR, being the very first directly applicable EU regulation in the payment services regulatory industry, will cover the conduct of the payment services activity previously contained in the PSD2, and introduce certain amendments to such rules.

These will include, among other, the transparency and information requirements, the rights and obligations of the parties involved in a payment transaction, transaction risk analysis (TRA), strong customer authentication (SCA) and clear guidelines on exemptions from the application of the SCA, authorisation of payment transactions, contractual requirements that PIs need to comply with and operational and security risks that must be taken into account.

How are existing PIs and EMIs affected?

PIs and EMIs currently licensed under the PSD2 or EMD2 framework will benefit from a grandfathering clause which will allow them to continue their operations using their existing licences for a period of 30 months following the PSD3 entering into force.

During this interim period and no longer than 24 months after the PSD3 will enter into force, such institutions will need to apply for a licence and provide the necessary information to their respective National Competent Authorities (NCAs) in order to demonstrate their conformity with the updated authorisation criteria. NCAs may automatically authorise existing institutions if there is already sufficient evidence to demonstrate their compliance with the new requirements.

Timing

As the proposals for the PSD3 and PSR will now be subject to review by the EU Council and the EU Parliament, which is anticipated to come to an end by the end of 2024 and considering that Member States are usually granted an 18-month transition period, the initial indication is that the PSD3 and the PSR are expected to become applicable in 2026.

More information

If you would like to discuss the impact of the upcoming PSD3 and PSR on your business and prepare for the changes to ensure timely compliance, please contact Aptus Legal by clicking here or send an email to info@aptuslegal.com.

Nicoletta Kouvara
Previous

Network and Information Security: a dive into the new EU NIS 2 Directive

Next

E-Evidence Regulation: Facilitating Cross-Border Access to Electronic Evidence