Earlier, the European Commission unveiled its findings on the evaluation of the Second Payment Services Directive (PSD2), which hinted at an upcoming revision of this framework. On 28 June 2023, these revisions were formally proposed. The package contains a new Directive, which will become known as the PSD3, a Payment Services Regulation (PSR), addressing the issue of financial data access – also known as Open Banking – and the issues of transaction authorization and customer authentication, and a Regulation concerning financial data access (FIDA). In this blogpost, we provide an initial overview of the PSR.
As noted in our previous blogpost on the PSD3, the European Commission identified four main shortcomings of the PSD2 that it aims to address with the new legislative package. In order to ensure a higher degree of consistency across the EU, and in line with other EU financial law instruments, it was decided to move the operational requirements into a directly applicable regulation. The PSR therefore addresses the transparency of conditions and information requirements for payment services and e-money services, as well as the rights and obligations of payment and e-money service users, and of service providers in relation to the provision of their services.
The PSR includes a few changes to the scope exemptions found in the PSD2. The PSR no longer lists professional physical cash transport, cash-to-cash currency exchange operations, and ATM cash withdrawal services offered by providers. As discussed in our blogpost on the PSD3, these can still benefit from authorization exemptions.
The commercial agents exemption has gained some further clarifications – namely that the exemption applies irrespective of whether or not the agent enters into possession of the clients’ funds, and that the agreement between the agent and the payer or payee must provide the latter with a real margin to negotiate. This last element in particular is often missing in practice, for instance with marketplaces.
The limited networks exemption has been maintained.
New is the exemption for services where cash is provided in retail stores following an explicit request by the payment service user but independently of the execution of any payment transaction and without any obligation to make a purchase of goods and services.
The PSR maintains the differentiation between single payment transactions and transactions that are part of a framework contract. However, information duties apply in both cases.
As before, the user must be provided with information regarding the service and its charges, and no fee may be charged for providing this information. Some derogations apply only to individual payment transactions that do not exceed EUR 50, or to e-money instruments that either have a spending limit of EUR 200 or store funds that do not exceed EUR 200 at any time.
The provisions on the issuance and redeemability of e-money are moved from the EMD2 to the PSR.
For some time now, Europe has been pursuing a policy to enable a data-driven economy. This is evidenced in initiatives such as the Digital Markets Act, the Data Act and Data Governance Act, as well as the GDPR – which regulates the processing of personal data. Data-driven finance – which allows users to more effectively control and share their financial data – is part of that policy. In principle, this was already introduced under the PSD2 back in 2015. That Directive enabled the sharing of data related to payment accounts to third party payment service providers, such as account information service providers (AISPs). This idea of financial data sharing to non-bank payment providers became known in the industry as Open Banking.
However, the analysis of the impact of the PSD2 found that this principle was never fully realized. On the customer side, there were still concerns about privacy and the scope of financial data sharing. On the industry side, implementing Open Banking proved very difficult – both on the side of traditional holders of financial data such as banks and on the side of the payment service providers wishing to access this data.
The PSR will require all account servicing payment service providers to provide at least one dedicated interface for the purpose of data exchange with account information and payment initiation service providers. This interface must conform to applicable international standards, and testing facilities must be made available as well. The PSR sets minimum requirements for the interface, including its capabilities. The availability and performance of the interface must be on par with the service provided directly to the user, and contingency measures are required in case the interface is unavailable.
To further enhance the acceptance of AISPs, the PSR limits the reasons for restricting their access. Furthermore, users must be provided with a dashboard allowing them to manage their data access permissions. The PSR also contains a list of prohibited obstacles to data access, which are often found in practice today. Non-bank payment service providers are also provided a right to an account. These provisions aim to enhance Open Banking and level the playing field between banks and non-bank payment providers.
In terms of transaction authorization, there is now an obligation for the payer’s payment service provider to verify, in the case of a credit transfer, whether the name of the payee and the unique identifier (such as the account number) match. The payee’s payment service provider must provide this service at the request of the payer’s payment service provider. This is intended to combat the increased prevalence of invoice fraud. In this type of fraud, an invoice is intercepted and the account number of the payee is altered before the payer receives the invoice. If the payer does not notice this alteration, they will often end up paying the wrong person – and may need to pay twice, since they are still indebted to the sender of the invoice. If the payer’s payment service provider notices a discrepancy, it must notify the user. The payer’s payment service provider is liable for providing this check. If the payer, despite this notification and warning, still allows the transaction to be executed, they assume full responsibility for any losses.
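To make the mechanics of this payee verification concrete, here is an added example (not code from the original post, the PSR, or any payment scheme) of a confirmation-of-payee check as a payer’s payment service provider might implement it. The account directory, the names and the IBANs are constructed sample values, the similarity threshold is an assumed tuning value, and the name-normalization rules and the ``settle`` helper that maps the outcome onto the liability rule described above are this example’s own design choices.

```python
"""Illustrative confirmation-of-payee check (added example, not PSR text)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory standing in for the answer the payee's PSP
# would return when asked who holds a given account. Values are invented.
PAYEE_DIRECTORY = {
    "DE89370400440532013000": "Muster Bau GmbH",
    "NL91ABNA0417164300": "J. de Vries",
}

# Assumption: similarity above this counts as a "close match" (typo-level
# difference) rather than a clear mismatch. Not a value taken from the PSR.
CLOSE_MATCH_THRESHOLD = 0.8


def normalize_iban(iban: str) -> str:
    """Remove whitespace and upper-case, so 'de89 3704 ...' compares equal."""
    return re.sub(r"\s+", "", iban).upper()


def normalize_name(name: str) -> str:
    """Fold accents, case and punctuation so cosmetic differences don't warn."""
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = folded.encode("ascii", "ignore").decode("ascii")
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def check_payee(iban: str, entered_name: str, directory=PAYEE_DIRECTORY):
    """Compare the name the payer typed with the name registered for the IBAN.

    Returns (status, registered_name) where status is one of
    'match', 'close_match', 'no_match' or 'unknown_account'.
    What the PSP may disclose back to the payer is outside this example.
    """
    registered = directory.get(normalize_iban(iban))
    if registered is None:
        return "unknown_account", None
    entered, expected = normalize_name(entered_name), normalize_name(registered)
    if entered == expected:
        return "match", registered
    similarity = SequenceMatcher(None, entered, expected).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return "close_match", registered
    return "no_match", registered


def settle(status: str, warning_shown: bool, payer_proceeds: bool) -> dict:
    """Apply the liability rule the post describes to a check outcome.

    - name matches: ordinary rules apply;
    - discrepancy but no warning given: the PSP, which is liable for the
      check, bears the loss;
    - discrepancy, warning given, payer proceeds anyway: the payer bears it;
    - discrepancy, warning given, payer stops: nothing is executed.
    """
    if status == "match":
        return {"executed": True, "loss_borne_by": "normal_rules"}
    if not warning_shown:
        return {"executed": True, "loss_borne_by": "psp"}
    if payer_proceeds:
        return {"executed": True, "loss_borne_by": "payer"}
    return {"executed": False, "loss_borne_by": None}


def process_transfer(iban: str, entered_name: str, payer_proceeds: bool) -> dict:
    """End-to-end flow: check, warn on any discrepancy, then settle."""
    status, registered = check_payee(iban, entered_name)
    warning_shown = status != "match"   # the PSP must notify on discrepancy
    result = settle(status, warning_shown, payer_proceeds)
    result.update({"status": status, "registered_name": registered})
    return result


if __name__ == "__main__":
    # Intercepted invoice: the fraudster swapped in their own account number.
    print(process_transfer("DE89 3704 0044 0532 0130 00", "Fraudster Ltd", True))
    # Honest typo in the name: warned, payer reviews and proceeds.
    print(process_transfer("DE89370400440532013000", "Mustre Bau GmbH", True))
```

The normalization step matters in practice: without it, accents, punctuation or spacing in a perfectly honest payee name would generate warnings that users learn to click through, which defeats the purpose of the check.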
Another added liability falls on the payment service provider whose user was manipulated into believing they were dealing with an employee of that provider when authorizing a transaction. The payment service provider thereby becomes liable for impersonation fraud (‘spoofing’).
Users must also be better notified of fraud trends, so that they may take better precautions.
Strong customer authentication is now required for:
When, for instance, a SEPA direct debit mandate is provided remotely, this requires the use of strong customer authentication. There are a few more cases where the PSR more clearly explains and defines the use of strong customer authentication. The requirement for AISPs has also been relaxed somewhat, in the sense that they only need to apply strong customer authentication every 180 days, unless the account servicing payment service provider has reasonable grounds to suspect fraud.
The PSR largely maintains the core operational provisions of the PSD2. The core changes focus on making Open Banking work, strengthening the position of the payment service user against fraud, and increasing payment security by strengthening the strong customer authentication requirement. Existing service providers will want to take note of these changes, as they come with a few significant added liabilities – particularly in the field of fraud. Thorough preparation once this framework is adopted will therefore be key.
If you have more questions on PSD3 and payment services, please contact Timelex.