On June 28, 2023, the European Commission presented a set of proposals aimed at modernizing the current Payment Services Directive (PSD2), which will become PSD3, and the broader financial sector through digital transformation. On the same day, the Commission also published proposals for a new Payment Service Regulation (PSR).
Both sets of proposals prioritize trust, security, and the interests of consumers, aiming to strengthen consumer protection and foster competition within electronic payments, enabling consumers to securely share their data and access a wider selection of improved and more affordable financial products and services.
What is PSD3?
PSD3 is the proposed revision of PSD2, focusing on authorization and supervision requirements of Payment Institutions (PIs) and Electronic Money Institutions (EMIs).
PSD3 is set to include EMIs as a sub-category of PIs. Consequently, it will encompass and eventually replace the current Electronic Money Directive (Directive 2009/110/EC).
The main focus of PSD3 will involve tackling these topics:
- Authorization for providing payment services, which may involve licensing or registration processes.
- Supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs) to ensure compliance and proper functioning.
- Addressing the provision of cash withdrawal services by retailers without purchase and independent ATM deployers.
Learn more: What is PCI compliance?
What is PSR?
The second legislative act of the European Commission's proposal focuses on introducing the Payment Services Regulation (PSR), which will encompass all regulations related to payment service provider (PSP) activities.
PSR will also integrate certain provisions from the Regulatory Technical Standards for Strong Customer Authentication (SCA) and common and secure open standards of Communication (RTS on SCA & CSC), along with requirements derived from guidelines and opinions issued by the European Banking Authority.
Why is PSD2 changing to PSD3 & PSR?
PSD2 was introduced to transform the payment market within the European Union (EU) by enhancing user protection, fostering innovation, and establishing fair competition among PSPs. The Commission acknowledges the achievements of PSD2 in certain areas. One notable success is the implementation of Strong Customer Authentication (SCA), and its impact on combating fraud.
However, the Commission also recognizes the challenges faced by PSD2 in achieving a level playing field for all PSPs. Non-bank PSPs often lack direct access to key payment systems, leading to an imbalance between bank and non-bank PSPs, which negatively impacts fair competition and innovation within the payment market. PSD3 aims to address this by amending the Settlement Finality Directive, adding payment institutions to the list of firms able to participate directly in payment systems. This change does not extend access to securities settlement systems.
Issues also persisted with open banking concerning data access interfaces for these service providers. Then when you consider how EU supervisors have inconsistent powers under PSD2 that cause a fragmented payment market, it’s clear why PSD2 is changing to PSD3.
Objectives of PSD3 and PSR
PSD3 and PSR will focus on the following four objectives, all designed to address gaps identified by the Commission in today’s payments landscape:
1. Strengthen user protection and confidence in payments
The verification process for credit transfers, especially instant payments in euros, will now include an extended IBAN/name-matching verification. PSPs will be allowed to share fraud-related information to enhance transaction monitoring.
PSPs will be obliged to provide education on payment fraud awareness for their customers and staff, while refund rights will be extended for victims of IBAN/name verification failure or "spoofing" fraud.
Strong customer authentication (SCA) will be improved by diversifying SCA methods and not relying solely on a single technology, device, or mechanism like smartphones. For Account Information Service Providers (AISPs), banks will apply SCA only for the first access to payment account data, with AISPs responsible for subsequent data accesses unless there are fraud suspicions.
PSPs are required to inform users about estimated charges for currency conversion when conducting credit transfers and money remittances from the EU to third countries. Then, clear information on payment account statements must be provided to unambiguously identify the payee.
The Commission has also committed to clarifying the relationship between payments and the General Data Protection Regulation (GDPR), allowing PSPs to process necessary special categories of personal data for providing payment services in line with GDPR guidelines.
2. Improve the competitiveness of open banking services
The latest regulations require dedicated data access interfaces to be free from hindrances. Existing obstacles, such as additional checks on permissions granted to Payment Initiation Service Providers (PISPs) or AISPs, and restricting payment initiation only to specific beneficiaries, are no longer allowed.
Banks are no longer required to maintain a permanent "fall-back" interface. Instead, both banks and PSPs must create a dashboard for open banking consumers, which will give users a clear overview of their granted data access rights, including recipients, and provide a withdrawal function for added control.
To ensure uninterrupted open banking services, PSPs can seek approval from the national authority to use an effective alternative interface, like the one used for bank customers, in case the dedicated interface experiences downtime and the bank cannot offer immediate alternatives.
3. Improve the enforcement and implementation in Member States
By moving the ongoing obligations of PSPs into a regulation, PSR will ensure that these provisions are directly and uniformly applicable across all EU member states.
As part of this integration, the Electronic Money Directive (EMD) will merge with PSD3 and the PSR, resulting in the discontinuation of the EMD. This means e-money institutions will no longer exist, and Payment Institutions will be eligible to offer e-money services after obtaining authorization.
By making these changes, the Commission is seeking to avoid regulatory arbitrage between the different member states.
Today, due to differing interpretations of PSD2 across member states, a PSP could choose a ‘home country’ where its application is more advantageous and then passport into other member states with a stricter interpretation of the rules.
The new PSR laws will seek to level the playing field through new uniform review and enforcement mechanisms. For example, there are going to be RTS promulgated on the ways that countries assess whether an applicant’s license application is granted or not.
4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs
The proposal suggests stricter criteria for banks to provide bank account services to non-bank PSPs. Banks must clearly explain and justify any refusals, considering specific circumstances, especially if there are compelling reasons to suspect illegal activities by the Payment Institution.
Payment Institutions might have the option to hold users' funds at a central bank, adding an extra layer of protection. Meanwhile, non-bank PSPs could be allowed direct participation in payment systems, potentially enhancing efficiency and accessibility in the industry.
Differences between PSD3 and PSR
PSD3 will remain an EU Directive, containing rules governing the authorization of payment institutions. As a Directive, it requires transposition into the national laws of individual EU Member States.
PSR is an EU Regulation that will apply directly across all EU Member States, requiring no further implementation in national laws.
PSR focuses on:
- Ensuring transparency of conditions and information requirements for payment services
- Establishing rights and obligations related to the provision and use of payment services, including provisions on open banking.
The PSR's advantage for payment service providers lies in the creation of a unified legal framework for operations throughout the EEA, minimizing uncertainty and disparities between the national legislations of Member States.
When will PSD3 & PSR come into effect?
After passing the legislation, each EU/EEA country will be provided with a deadline to transpose it into their national law. As a result, the implementation of PSD3 isn’t anticipated before 2026, or potentially even later.
As a Regulation, the PSR will be directly applicable within 18 months from its publication, without the need for transposition by Member States at national level. This is to ensure full harmonization and a smoother implementation. Currently, the adoption of the PSR is estimated in 2024/2025, and its application in 2026/2027.
Read more: UK regulator reviews interchange fees
Stay up-to-date with the latest developments with Checkout.com
It’s vital that merchants stay informed about important developments regarding PSD3 and PSR to prepare for any changes in compliance requirements, payment procedures, and consumer rights.
Being up-to-date will help you implement necessary adjustments in your operations and ensure you adhere to the latest regulations, ultimately fostering trust and confidence among your consumers.
At Checkout.com, we’ll always endeavor to keep you up-to-date by sharing information on future developments regarding PSD3 & PSR.
The contents of this blog post do not constitute legal advice and are provided for general information purposes only.