Drafts: Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR)
On 28th June 2023 the European Commission published an entire package of proposed new draft legal acts, including drafts for Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR). These new drafts follow from the assessment of the PSD2 Directive carried out in 2022 by the European Commission, which included advice from the European Banking Authority (EBA), as well as public consultations and a report prepared by independent consultants.
Why is the PSD2 Directive going to be changed?
The evaluation of PSD2 showed that the Directive achieved many of its objectives: improving transaction safety through the introduction of strong customer authentication (SCA), as well as increasing the choice of payment instruments available to consumers. However, some areas still need improvement:
(i) payment fraud is still a problem;
(ii) the lack of direct access by non-bank Payment Service Providers (PSPs) to certain key systems that are necessary to finalize payments needs to be addressed;
(iii) PSPs should be granted a strong right to have a bank account, which banks often refuse them;
(iv) obstacles to data access by account information service (AIS) providers as well as payment initiation service (PIS) providers – open banking requires improvements in this aspect;
(v) payment services and electronic money frameworks should be unified.
What are the planned measures to counteract payment fraud?
The European Commission noticed some new types of fraud which the measures under the PSD2 Directive are not equipped to handle. PSD3 will, for example, address ‘spoofing’ (impersonation fraud), which blurs the distinction between unauthorized and authorized transactions: the customer’s consent to authorize the transaction is obtained through manipulative techniques used by the fraudster, who for example uses the telephone number or e-mail address of the PSP.
The proposed preventive measures include:
- obligation of the payer’s PSP to provide an IBAN / name matching service for all credit transfers, meaning that the payer’s PSP will have to contact the payee’s PSP and confirm a match between the IBAN and the name of the account holder. In case of a discrepancy, the payer’s PSP will be obliged to notify its customer before the payer finalizes the payment order. This service will be free of charge, with the payer’s right to opt out of a transaction in case of a mismatch;
- legal basis for PSPs to share fraud-related data;
- increase of transaction monitoring;
- increasing customers’ refund rights;
- obligation of the PSPs to carry out education / awareness-raising actions among their customers.
Providing PSPs with access to key transaction systems
The PSD3 proposal explicitly names payment institutions as possible direct participants in designated payment systems. The operators of payment systems will be obliged to admit payment institutions as participants, subject to a positive result of the risk assessment carried out. PSD3 provides for a short deadline of 6 months for the Member States to transpose these new rules into national law.
Providing PSPs with a right to bank account
As noted by the European Commission, banks often refuse to open an account for PSPs or terminate existing bank accounts, usually based on general / vague concerns over AML and CFT controls.
According to PSD3:
(i) banks will be obliged to explain precisely each refusal of bank account access, including withdrawal of such a service, and the justification for the bank’s decision will have to be based on the specific situation of the PSP concerned;
(ii) PSPs will have a right to appeal the bank’s decision to national authorities;
(iii) central banks will now also be allowed – at their own discretion – to provide account services to PSPs.
Open banking improvements
Proposed key changes in open banking include, among others:
(i) imposition of a dedicated interface for data access;
(ii) removal of the requirement of Account Servicing Payment Service Providers (ASPSPs) to maintain a ‘fallback’ interface;
(iii) ASPSPs will be obliged to provide their customers with measures to manage their data through open banking in a transparent way, including the introduction of a dashboard allowing for withdrawal of data access to any provider.
Merger of Electronic Money Institutions (EMIs) and Payment Institutions (PIs)
According to the European Commission, the local supervisory authorities have experienced practical difficulties in distinguishing between the e-money and payment services legal regimes. What’s more, the European Commission has noticed significant differences in interpretation (e.g. in understanding what e-money is) between EU regulators.
Therefore, the two regimes will most probably be merged. According to PSD3, EMIs will no longer exist, as there will only be payment institutions, which can be granted authorization to offer e-money services as well as payment services.
When will PSD3 come into force?
Currently we are at an early stage of the legislative process. It is assumed that the final version of the directive will be implemented around 2026.