In June 2023, the European Commission presented legislative proposals to update the 2nd Payment Service Directive already in place, also known as PSD2.
As a general overview, the Payment Service Directives, the first version of which appeared in 2007, aim to provide harmonized protection across EU payment services while promoting innovation and competition among all actors. All European countries must comply with the Directive, as well as global companies that deal with European users.
Over the years, the Directive kept changing to adapt to a fast-evolving market that requires stronger protection for customers and all players.
In 2016, PSD2 was issued to replace the original version; it came into full effect only in 2019, with an exceptional extension until late 2020. The purpose was to address obstacles related to new types of payment services and improve consumer security.
Despite the significant improvements brought by PSD2, a few months ago the European Commission suggested a third regulatory update to address the continuing significant changes in the payment services market.
The growth of electronic payments and new fintech players, the emergence of open banking, and the development of innovative payment methods like instant payments, contactless payments, crypto payments, and Buy Now Pay Later (BNPL) urged the European Commission to start the first consultations for the future 3rd Payment Service Directive (PSD3).
Although nothing is set in stone yet, this article offers an overview of what we know so far about PSD3 to help banks and payment providers prepare correctly.
What is PSD3?
The upcoming PSD3 framework is set to regulate electronic payments and the banking ecosystem within the European market.
It exclusively relates to electronic transactions, encompassing both payments and online/mobile banking, leaving out of scope all other forms of payments, like cash payments or bank checks.
The primary goal of PSD3 is to tackle some critical issues related to consumers and businesses.
On the one hand, users (consumers, merchants, and SMEs) still need more confidence in digital payments and more transparent information from financial providers. At the same time, even considering the remarkable achievements of PSD2, exposure to fraud is still high.
On the other hand, open banking services find it harder to innovate and compete with incumbent players (such as card schemes), payment service providers (PSPs) experience uncertainty about their obligations, and non-bank PSPs struggle to compete with banks.
Main proposals for PSD3
The consultations conducted by the European Commission so far have produced a first set of proposals to address the key challenges in the financial landscape described above.
Consumer protection is a central concern of PSD3, with proposals that aim to enhance the transparency of account statements, ensure people have a clear understanding of their financial rights, and mitigate their exposure to fraud. We will dive deep into this last aspect in a moment.
Moreover, to ensure high competitiveness, Payment Service Providers (PSPs) will be granted access to all EU payment systems, while payment and e-money institutions will gain secure access to bank accounts.
In addition, PSD3 proposes to bring e-money and payment institutions under a unified regulatory regime applicable to all PSPs, providing a more streamlined and consistent framework for financial service providers.
Lastly, the new directive proposes improvements in open banking to enhance the efficiency and flexibility of financial services while ensuring the security and privacy of consumer data. These include, but are not limited to, establishing a dedicated data access interface for account servicing PSPs and introducing “permissions dashboards” to allow users to manage their granted open banking access permissions.
PSD3 and payment fraud mitigation
While PSD2 already introduced updates to strengthen fraud mitigation, recent developments in fraud attacks have created the need to reinforce the level of protection and education of online customers.
The proposed PSD3 updates involve:
- Improvements to the application of Strong Customer Authentication (SCA);
- A legal basis for an exchange of information on fraud among all payment service providers;
- The obligation to educate customers about fraud to raise awareness about potential behaviors and consequences;
- The extension of IBAN/name verification to all credit transfers other than instant payments;
- Limited liability of payment service providers for authorized push payment fraud;
- The obligation of PSPs to improve the accessibility of SCA for all users;
- Measures to improve the availability of cash;
- Improvements to user rights and information.
In particular, Strong Customer Authentication has raised relevant concerns because today's advanced cyberattacks are conducted by luring payers into making the payment themselves, in the belief that they are interacting with a genuine beneficiary or bank representative.
Fraud such as phishing, vishing, and smishing cannot be effectively countered by SCA, either because most of these scams occur before SCA is applied or because payers themselves authorize the payment transaction through SCA.
As a result, the definition of an authorized payment has become difficult to connect directly to the execution of SCA.
For now, we can only wait and see how this will be managed.
PSD3: What’s next for banks and financial institutions
The assessment of PSD2 didn’t highlight critical issues requiring substantial changes. PSD3 will not represent a revolution but an evolution to improve the market further.
Following the presentation of the 3rd Directive and the Payment Services Regulation (PSR), the legislative process will proceed through the discussion and negotiation phase in the European Parliament and the Council of the European Union. Only after an agreement is reached will the proposal texts become European law.
However, after adoption at the European level, the member states have two years to transpose and implement the relevant provisions into their respective national legislation. It will then be up to payment processors themselves to stay compliant.
As with PSD2, non-compliance will involve penalties such as fines or license removal.
We will make sure to keep you up to date with further developments.