A proposal to revise payment services legislation in the EU published
On 28 June 2023, the European Commission published a proposal to revise the Payment Services Directive (PSD2), which was introduced in 2015. As part of this revision, the directive will be divided into two separate legislative instruments. In the future, payment services regulation in Europe will consist of:
- an updated Payment Services Directive (PSD3), and
- a Payment Services Regulation (PSR)
with additional delegated regulations where applicable. The revision also consolidates the provisions on of 2EMD with PSD2, leading to the abolition of 2EMD.
In this new structure, PSD3 will cover provisions related to authorisation (including for e-money institutions), internal organisation, outsourcing, and national supervision, which be implemented at the national level in each EU Member State. Meanwhile, the PSR will govern rules related to disclosure requirements, rights and obligations, liability, strong customer authentication, and access to payment systems and bank account services. The PSR will be directly applicable across all EU Member States.
Webinar about the new payment services provisions
In the following, Plesner's payment services and fintech specialists outline the most significant innovations in the legislative package.
In a webinar on 26 September 2023, we will go even deeper into the specifics of PSD3 and PSR.
The Directive (PSD3)
Consolidation of 2EMD
As mentioned, parts of the 2EMD are consolidated into PSD3. Going forward, the directive will regulate the requirements for obtaining authorisation as an e-money institute. The independent concept of an e-money institution will cease to apply, and undertakings authorised to issue e-money will be classified as payment institutions.
Cash withdrawals from shops and ATM operators
Currently, shops are permitted to provide cash withdrawal services to customers, but only when a purchase of goods or services is made. To improve access to cash, PSD3 introduces the option for physical retail stores to offer cash withdrawals without requiring a purchase, as long as the withdrawal does not exceed 50 euros at a time.
In the future, operators of ATMs that do not also offer payment account will need to register with the Danish Financial Supervisory Authority and will be subject to supervision. However, they will not be required to comply with the directive's provisions on capital requirements, internal organisation, outsourcing, and similar obligations. The extent to which these operators will fall under the provisions for payment institutions outlined in the PSR remains unclear.
Third parties
When PSD2 was adopted in 2015, providers of account information services were expected to collect data through APIs directly between the service providers and individual European banks. However, given the large number of banks in the EU (approx. 8,500 in 2015, decreasing to around 5,200 by 2022), this proved to be an impractical task for account information providers. As a result, other businesses have emerged, specialising solely in building API-access to banks and acting as IT gateways for account information service providers.
PSD3 clarifies this business model by expressly allowing account information service providers to collect data through third parties/gateways, removing any previous doubt about its compatibility with the definition of account information services.
Another issue related to third parties, where PSD2 created market challenges, is the requirement that account information service providers and payment initiation service providers must have liability insurance (or alternatively, a bank guarantee, though the latter has not been widely used in practice). In the initial years after PSD2's implementation, there was no available insurance product for this purpose, and obtaining the necessary coverage has generally been expensive and difficult for third parties. To address this challenge, PSD3 introduces a more flexible approach, allowing third parties to hold an additional 50,000 euro in startup capital as an alternative. This can later be replaced with liability insurance once the business has received its authorisation and commenced operations.
Direct participation in payment settlement systems
For many years, payment institutions have expressed a desire to participate directly in payment settlement systems registered under the Settlement Finality Directive. In Denmark, these systems include KRONOS2, operated by Danmark's Nationalbank, as well as Sum Clearing, Intraday Clearing and Express Clearing, operated by Finance Denmark.
This wish is realised through PSD3 and amendments to the Settlement Finality Directive. In the future, payment institutions that meet the requirements of the Settlement Finality Directive will be able to participate directly in registered payment settlement systems. As a result, payment institutions will no longer depend on banks - who are their competitors - for (indirect) access to payment settlement.
Coming into force and transitional provisions
As is common for a directive, PSD3 will formally come into force 20 days after its publication in the Official Journal of the European Union. Following this, member states will have 18 months to implement the directive into national law. However, member states will only have six months from the directive's effective date to grant payment institutions direct access as participants in registered payment settlement systems under the Settlement Finality Directive.
With certain modifications, payment and e-money institutions authorised under the existing rules may continue their activities for up to 18 months after PSD3 comes into force, provided they obtain new authorisation under the national legislation implementing PSD3 within two years of the directive's effective date.
The regulation (PSR)
Third parties
Account information service providers' transmission of data to other service providers
When PSD2 was introduced in 2015, account information services were expected to involve collecting data for a user's bank, processing the data, and then providing the data (such as a spending overview) directly to the user. In practice, however, many account information service providers have developed business models where the primary purpose of the data collection is to transmit the collected information to other service providers, such as price comparison platforms or credit providers for use in credit assessments.
This practice raised concerns in the market and among national supervisory authorities, who questioned whether a service transmitting data to third parties without direct involvement from the user could legally be considered account information service. PSR addresses this issue by explicitly acknowledging in its preambles that account information services may also involve collecting data and transmitting such data to third parties , who then provide a service to the user.
If PSR is adopted with this provision, it could challenge the Consumer Ombudsman's current stance that data collected by an account information service must result directly in a service provided to the user potentially altering how such service is regulated.
APIs
Since the adoption of PSD2 in 2015, the development of APIs, which were intended to enable third parties to easily connect to banks to access transaction data and initiate account transfers, has been a major challenge for all market participants. Third-party providers have raised numerous complaints regarding the quality of APIs and alleged obstacles imposed by banks on their use.
Contrary to the wishes of many in the market, PSR does not authorise the European Banking Authority ( EBA) to develop a binding API-standard. However, it introduces a catalogue of prohibited obstacles in the use of APIs, aligned with the EU Market Abuse Regulation The catalogue includes examples such as: (i) a requirement that users manually enter the IBAN of the account for which authorisation is given, (ii) implementation of strong customer authentication to a greater extent than what is required when users access the bank's online system, and (iii) offering of APIs that do not support all the authentication procedures otherwise made available to the user by their bank.
Permission dashboard
To enhance user control over authorisations given to account information services and repeated transfers via payment initiation services, banks will be required to establish a permission dashboard in their online banking systems. This dashboard will allow users to (i) view information about authorisations they have provided, including which of their accounts and which third parties are covered by the authorisations, (ii) withdraw existing authorisations, (iii) reinstate previously withdrawn authorisations, and (iv) view expired or withdrawn authorisations from the past two years.
Banks and third parties must work together to keep this information up to date. For example, if a user withdraws an authorisation through the dashboard, the bank must provide real-time information to the relevant third party. Similarly, third parties must notify banks in real time about new authorisations granted by users.
Combating abuse
IBAN verification mechanism
Under the Payment Services Regulation (PSR), receiving banks are required to offer a verification mechanism for direct account transmissions. This mechanism enables the receiving bank to verify, prior to final payment approval by the payer, whether the recipient's name matches the name of the IBAN owner as provided by the sending bank to the receiving bank. This mechanism helps prevent fraud where a fraudster provides the payer with their IBAN instead of that of the intended recipient to whom the payer believes they are transferring money.
If the verification mechanism mistakenly confirms a match between the recipient's name and the IBAN, the receiving bank (or the sending bank if the error occurs there) is liable for any resulting loss to the payer due to the funds being transferred to the wrong recipient.
Payers can choose to bypass the verification mechanism for specific payments or opt out entirely. However, in doing so, they forfeit the right to claim protection under this special liability rule.
Liability for spoofing
New liability provisions are introduced for consumers affected by spoofing. Spoofing is a type of fraud where fraudsters impersonate trusted individuals or organisations, such as a bank, an insurance company, a sports club, or a charity, typically using fake email addresses, phone numbers, etc.
The new rule covers situations where the payer is deceived into believing the fraudster is an employee of their payment service provider. In such cases, the payment service provider is liable for any loss, provided the consumer immediately reports the incident to the police and informs the provider.
Like most liability rules in both PSD2 and the future PSR, this does not apply if the consumer has acted negligently. In the preambles to PSR it is specified that it is considered gross negligence if a consumer falls victim to spoofing by the same provider more than once in relation to the same payment service provider.
Information sharing to combat fraud
Payment service providers are permitted to share a recipient's IBAN with other providers if there is "adequate basis" for suspecting the recipient is involved in fraud. An adequate basis is established if at least two customers of the provider report fraudulent use of the same IBAN in connection with account transfers.
Information sharing must occur within a formal "information sharing arrangement," which is to determine practicalities in relation to sharing of information, including use of an IT platform and compliance with data protection regulation.
Strong customer authentication (SCA)
180 day-"period of validity" for account information services
The period of validity for account information services following strong customer authentication has been extended from 90 to 180 days, unless there is reasonable suspicion of abuse.
Needs of people with disabilities and vulnerable groups
Payment service providers must consider the needs of people with disabilities, persons with poor digital skills, persons who do not have access to digital communication channels, and other vulnerable groups when designing procedures for strong customer authentication and ensure that they have at least one option for strong customer authentication adapted to their specific situation.
Providers are required to develop and implement methods for strong customer authentication, and the PSR states explicitly that strong customer authentication must not depend on access to a smartphone or similar technology.
Liability for technical suppliers and card schemes
Under PSD2, although technical suppliers (e.g., providers of card terminals, point-of-sale systems, and payment gateways) and card schemes played a significant role in the implementation of strong customer authentication (SCA), they were not explicitly required to contribute to its facilitation, nor were they held liable if their systems failed to support it.
This is addressed by the PSR, which now assigns explicit liability to technical suppliers and card schemes if a transaction cannot be completed using SCA due to their systems, and this results in a loss for the payer, their payment service provider, or the payee.
EBA product intervention right
A new provision in the PSR, compared to PSD2, grants the European Banking Authority (EBA) the right to intervene in products. Under certain conditions, the EBA can restrict or prohibit specific types of payment services or functions across the EU. This intervention is provisional, expiring automatically after three months unless it is extended for another three-month period.
Coming into force
PSR will formally come into force 20 days after its publication in the Official Journal of the European Communities, with full applicability 18 months later. However, the requirement for an IBAN verification mechanism will not take effect until two years after the PSR's start date.
The further process
Given the time it took to finalise similar initiatives such as PSD2 and the MiCA Regulation, there is a possibility that the current proposals may not be adopted before the European Parliament elections in June 2024.
Should this occur, the proposals would need to be reintroduced, which would only be possible once the newly elected European Parliament is convened, and a new European Commission is appointed. In 2019, the period from the European Parliament election to the final appointment of the European Commission lasted six months. Based on this, a conservative estimate suggests that the proposals might not take effect until the second half of 2025. Consequently, PSD3 would likely need to be implemented in the first half of 2027 (with amendments to the Settlement Finality Directive taking effect in the first half of 2026), while the PSR would be applicable from the first half of 2027. The IBAN verification mechanism, however, would not come into force until the second half of 2027.