The European Commission published proposals for PSD3 and PSR1
On 28 June 2023, the European Commission published1 the eagerly awaited proposals2 for the Third Payment Services Directive (PSD3)3 and the new Payment Services Regulation (PSR)4, marking the completion of the Commission’s review of the Second Payment Services Directive (PSD2). PSD2, adopted in 2015, was aimed at enhancing competition, security, and innovation in the European payments market. The payments landscape has changed significantly since the introduction of PSD2. What did the Commission find and which revisions are proposed to address emerging challenges in the payments market?
The Commission found that PSD2 has had varying degrees of meeting objectives
- PSD2 had a positive impact on fraud prevention, among others through Strong Customer Authentication (SCA). For example, SCA-authenticated remote card payments have a 70-80% lower level of fraud than those without5.
- PSD2 has been effective in increasing the efficiency, transparency, and choice of payment instruments for customers.
- Obstacles to open banking remain. Service providers, such as Account Information Service Providers (AISPS) and Payment Initiation Service Providers (PISPS) have trouble accessing data. For example, interfaces designed to facilitate their data access vary in quality and performance.
- Non-bank payment services providers (PSPs) have difficulties opening bank accounts. This maintains an unlevel playing field between payment service providers (PSPs).
- Cross-border provision of payment services increased, but many payment systems remain largely national.
The EU proposals for PSD3 and PSR aim to achieve four objectives
The proposals evolve around consumer protection (most notably payment fraud and security), open banking, enforcement, and unification. The proposals aim to achieve four key objectives and introduce a number of revisions and improvements to PSD2:
1. Strengthening user protection and confidence in payments
Proposed fraud and liability improvements:
- Extended IBAN/name matching verification to all credit transfers and particularly, for instant payments conducted in euros
- Strengthening of transaction monitoring, most notably the introduction of a legal basis for sharing fraud-related information between PSPs.
- Obligation to provide education to increase awareness of payments fraud among customers and staff
- Extension of refund rights: in case of failure of IBAN/name verification or for victims of ‘spoofing’ fraud (where fraudster contacts consumer pretending to be an employee of the consumer’s bank), victims can be entitled to claim damages from their PSP.
- Improvements to strong customer authentication. For example, requiring PSPs to ensure that SCA methods do not depend on one single technology, device or mechanism, such as the possession of a smartphone. Also, banks holding payment accounts will only need to apply SCA for the first access to payment account data by open banking AISPs unless there are reasonable grounds to suspect fraud. AISPs will then be responsible for SCA for subsequent data accesses.
Proposed consumer rights and information improvements:
- Obligation to inform payment service users on estimated charges for currency conversion for credit transfers and money remittances from the EU to third countries.
- PSPs must provide information on payment account statements to unambiguously identify the payee.
The EC also aims to clarify the interaction between payments and GDPR. For example, by clarifying that PSPs may process special categories of personal data which are needed to provide payment services.
Banks need to explain and justify access refusal based on the specific situation including serious grounds to suspect illegal activities by or via the Payment Institution.
2. Improving the competitiveness of open banking services
- New requirements for dedicated data access interfaces with prohibited obstacles. Examples of these obstacles currently listed, are requiring additional checks of the permission given by the payment service users to a PISP or AISP, or restricting payments initiation via an PISP only to those payees that are on the payer’s beneficiaries list.
- No permanent “fall-back” interface for banks required anymore.
- Banks and PSPs are required to set up a dashboard for consumers of open banking to provide insight in data access rights they have granted, to whom, with a withdrawal functionality.
- To ensure the continuity of open banking, PSPs can request the national authority to be allowed to use an effective alternative interface, such as using the interface banks use for their customers, if the dedicated interface is down and the bank cannot rapidly offer effective alternative solutions.
3. Improving the enforcement and implementation in Member States
- Shifting elements from PSD2 into the new PSR. As opposed to Directives (such as PSD2), Regulations (such as PSR) apply directly and consistently across the EU.
- Integration of the Electronic Money Directive (EMD) with PSD3 and PSR. The EMD will cease to exist. E-money institutions will disappear. Payment Institutions can be authorized to offer e-money services.
- Enhancing enforcement of the rules, including a list of breaches (infringements) and administrative sanctions and measures. For these breaches, such as on the rules on access to accounts maintained by banks, secure data rules by ASPSs, AISPs, and PISPs and fraud prevention mechanisms, the nature of sanctions and measures will therefore be known upfront.
4. Improving (direct or indirect) access to payment systems and bank accounts for non-bank PSPs
- Toughened requirements for banks to provide bank account services to non-bank PSPS are proposed. For example, banks need to explain and justify access refusal based on the specific situation including serious grounds to suspect illegal activities by or via the Payment Institution.
- Payment Institutions may be offered an additional possibility to safeguard users’ funds, namely to hold those funds at a central bank.
- Possibility of direct participation to payment systems for non-bank PSPs.
Other notable implications from the proposals
The EC notes that the proposed amendments represent ‘an evolution not a revolution of the EU payments framework’. In addition to the proposed revisions above, a few other notable implications are as follows:
- Safeguarding: EBA will be tasked with developing Regulatory Technical Standards (RTS) to avoid concentration risk in the context of safeguarding, when holding client money funds at a single credit institution.
- Potential reapplication: The introduction of PSD3 may imply that existing PIs and EMIs must (partly) reapply for a license under PSD3, since the Directive includes transitional provisions for existing PIs and EMIs.
- Winding-up plan: When firms apply for authorization under PSD3, a ‘winding-up’ plan must be included in the documentation. Although this was required by certain national competent authorities already, this is now included in the proposed Directive.
- Notification procedures for limited network activities or exclusion based on payment volumes: As service providers often relied on their own assessments when seeking to benefit from an exclusion, service providers will now be obliged to notify competent authorities when seeking to benefit from the limited network or exclusion based on payment volume thresholds, so that authorities can assess whether requirements are fulfilled.
- PSD3, as an EU directive, will need to be transposed into national laws. It provides the rules for the authorization of payment institutions.
- The PSR, as an EU regulation, will directly apply in EU member states after entering into force.
What is next?
The proposals will be reviewed by the European Parliament and Counsel. The exact timelines for entry into force are not yet known. Based on the usual legislative process, the final versions may become available by the end of 2024. Since Member States are usually granted a 18-month transition period, the Directive and Regulation will likely start to apply somewhere in 2026.
We will review the proposals in further detail and monitor any developments.
 Payment services: revised rules to improve consumer protection and competition in electronic payments: https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3544
 The European Commission published a ‘Financial data access and payments package’, which includes legislative proposals for PSD3, PSR and a framework for financial data access’.
 PSD3 proposal: https://finance.ec.europa.eu/system/files/2023-06/230628-proposal-payment-services-directive_en.pdf
 PSR proposal: https://finance.ec.europa.eu/system/files/2023-06/230628-proposal-payment-services-regulation_en.pdf
 Report from the Commission on the review of Directive 2015/2366/EU of the European Parliament and of the Council on payment services in the internal market: https://finance.ec.europa.eu/system/files/2023-06/230628-report-payment-services-directive-review_en.pdf