On 28 June 2023, the European Commission published proposals for a third Payment Services Directive (PSD3), and a Payment Services Regulation (EU PSR). PSD3 will repeal and replace the second Payment Services Directive (PSD2) and the second Electronic Money Directive (EMD2), combining the separate regimes for payment services and electronic money into a single regime.
PSD3 sets out the rules for the authorisation and supervision of non-bank payment service providers (PSPs), and EU PSR contains detailed rules that all PSPs (including banks) must comply with when providing payment services. Payment institutions and electronic money institutions will need to apply for re-assessment of their regulatory authorisations under the new regime, and firms that are currently authorised as electronic money institutions will become payment institutions with specific regulatory permissions for their electronic money services.
The proposals seek to achieve the following objectives:
- strengthen user protection and confidence in payments
- improve the competitiveness of open banking services
- streamline supervisory powers and obligations to improve enforcement in EU Member States
- tackle the perceived unlevel playing field between banks and non-banks by improving access to payment systems and bank accounts for non-bank PSPs
As EU PSR is an EU Regulation (rather than a Directive), the rules governing the conduct of payment services will apply directly in all EU Member States, rather than needing to be transposed in national law.
While we anticipate that there will still be several years before the proposed changes take effect, firms should consider starting their impact analysis now and engaging with relevant stakeholders on any issues of significance for their businesses.
1. Scope
2. Regulatory Capital and Winding-Up Plans
3. Safeguarding
4. Access to Payment Systems and Bank Accounts by Payment Institutions
5. Anti-Fraud Measures
6. Strong Customer Authentication
7. Additional Customer Protection Measures
8. Open Banking and Open Finance
9. Regulatory Powers
10. Next Steps
11. What Should Firms Do Next?
1. Scope
Amendments to key definitions, the inclusion of additional definitions, and the narrowing of certain exclusions may all result in changes to the scope of application of the regime. PSPs should review their business models against the changes accordingly.
Narrowing of Commercial Agent Exclusion (CAE)
To address interpretative inconsistencies across EU Member States, EU PSR clarifies that the CAE will apply more narrowly than under PSD2. In particular:
(i) the meaning of “commercial agent” will be aligned with the Commercial Agents Directive (86/653/EEC); and
(ii) the application of the CAE will be subject to an additional condition such that payment transactions from a payer to a payee through a commercial agent will only be excluded from regulation where the relevant agreement gives the payer or the payee contracting with the agent “a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services.”
In practice this means that some firms may no longer be able to rely on standard contractual provisions to apply the exclusion, as it will be difficult to demonstrate that these give the underlying payer or payee “a real margin” to negotiate with the agent or conclude the sale or purchase.
This could have significant implications for certain e-commerce platforms and other intermediaries that rely on the CAE to facilitate the sale of goods or services for third-party merchants.
The European Banking Authority (EBA) is expected to provide further guidelines on the CAE.
Narrowing of Limited Network Exclusion (LNE)
Under PSD2, the LNE excludes certain payment instruments (e.g., physical and virtual payment cards) from the scope of regulation. One limb of the exclusion currently applies to certain payment instruments “allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers.”
EU PSR narrows this limb of the exclusion by clarifying that:
a) “premises” means the physical premises of the issuer and does not include an online store environment; and
b) “within a limited network” means “within a single limited network.”
The EBA will be required to develop regulatory technical standards specifying the conditions for reliance on the LNE.
Firms relying on the relevant limb of the LNE will need to consider whether their existing business models will continue to benefit from the exclusion. Given the changes, it may be more difficult for certain e-commerce firms to rely on the LNE.
Scope of regulated open banking services
“Account information services” and “payment initiation services” are the two categories of open banking services regulated under PSD2. EU PSR amends the definitions of both terms.
The definition of “account information services” has been amended to make clear that a firm collecting payment account information through a technical service provider falls within scope if it consolidates the information as part of an online service. This means that certain firms that collect and consolidate information regarding payment accounts will fall within scope of regulation even where they rely on another party to access the information.
The definition of “payment initiation services” has been amended to include placing a payment order “at the request of the payer or of the payee” (emphasis added) with respect to a payment account held at another payment service provider. This means that technical service providers that currently maintain that they are not payment initiation service providers because they do not intermediate directly between the payer and its account servicing payment service provider (e.g., the payer’s bank) could be brought within the scope of regulatory authorisation and other requirements under PSD3 and EU PSR if they act on a request of the payee.
Firms involved in data and instruction chains relating to payment accounts (e.g., bank accounts) should review their processes and consider whether they could be providing a regulated service.
Cash withdrawals offered by independent ATM deployers
Operators of automated teller machines that do not service payment accounts (so-called “independent ATM deployers”) will be subject to certain registration requirements and ongoing regulatory requirements under PSD3 and EU PSR.
2. Regulatory Capital and Winding-Up Plans
Own funds requirements
EU PSR and PSD3 set out increased initial capital requirements for non-bank PSPs, factoring in inflation since the adoption of PSD2, and also seek to harmonise the prudential requirements of payment institutions providing payment services and those providing electronic money services under the new regime.
One significant change from PSD2 is that the own funds calculation method linked to payment transaction volumes (Method B) will become the default calculation method in respect of payment services that are unrelated to the issuance of electronic money. National competent authorities can, however, deviate from this and permit payment institutions to utilise the alternative methods of calculating own funds requirements based on a percentage of fixed overheads expenditure for the preceding year (Method A), or generally based on operating income (Method C) where such payment institutions’ business models result in low volume but high-value transactions.
PSD3 requires the EBA to develop regulatory technical standards to determine situations where the exception to the general requirement for payment institutions to utilise Method B would apply.
For payment institutions and electronic money institutions that currently use Method A or Method C to calculate own funds requirements for payment services unrelated to electronic money, this could result in the institution needing to increase its regulatory capital (e.g., by issuing new shares). This could affect corporate and intragroup financing arrangements.
Winding-up plans
PSD3 requires payment institutions (including firms currently authorised as electronic money institutions) to maintain winding-up plans as a condition of their authorisation. These plans should describe what would happen in the event of the firm’s failure, support the orderly wind-up of its activities, and address the continuity or recovery of critical activities performed by the institution’s outsourced service providers, agents, and distributors (as applicable).
Account information service providers allowed to hold own funds as alternative to professional indemnity insurance
Registered account information service providers will be permitted to hold own funds of €50,000 as an alternative to holding professional indemnity insurance as is currently required by PSD2.
3. Safeguarding
Payment institutions (including firms currently authorised as electronic money institutions) will be required to avoid concentration risk in safeguarding customer funds by “ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds.” They will also be required to “endeavour not to safeguard all consumer funds with one credit institution.”
The EBA is required to produce regulatory technical standards on risk management of safeguarded funds, so we can expect further detail on this requirement.
If non-bank PSPs are required to use a combination of safeguarding methods (e.g., safeguarding bank accounts plus insurance) and/or maintain multiple sets of safeguarding bank accounts, this could significantly increase their costs and create operational challenges.
4. Access to Payment Systems and Bank Accounts by Payment Institutions
Access to payment systems
EU PSR aims to achieve a level playing field between bank and non-bank PSPs. One obstacle to non-bank PSPs identified by the European Commission is their inability to access certain payment systems directly (e.g., TARGET2). While PSD2 requires EU Member States to ensure that certain payment systems do not unduly restrict access by non-bank PSPs, it excludes those payment systems designated under the EU Settlement Finality Directive from such requirements.
EU PSR extends non-discriminatory access requirements to payment systems designated by a Member State pursuant to the Settlement Finality Directive.
The operators of payment systems designated under the Settlement Finality Directive should review their access rules and procedures in light of these changes. Non-bank PSPs may wish to consider whether to apply for direct access to such systems once the changes take effect.
Access to bank accounts
EU PSR bolsters the existing requirements under PSD2 for credit institutions (e.g., banks) to provide non-bank PSPs with access to payment accounts.
In particular, EU PSR provides that a credit institution can refuse to open or unilaterally close a payment account for a payment institution (including an electronic money institution that becomes a payment institution under the new regime) only in certain limited situations. EU PSR also extends the benefit of such access rights to entities in the process of applying for authorisation as a payment institution, and to agents or distributors of payment institutions.
If a credit institution refuses to open, or closes, a payment account in such circumstances, it is required to notify the relevant entity and “duly motivate any such decision” by reference to specific risks – which we assume is intended to mean duly explain the basis of the decision by reference to such risks. The relevant entity can appeal to the appropriate national competent authority.
Credit institutions should consider whether changes to their customer onboarding and account closure policies and procedures will be needed to ensure that access to payment accounts is provided to payment institutions, and other in-scope entities, in compliance with EU PSR. Once these requirements enter into application, non-bank PSPs may wish to review account closures or application refusals from credit institutions against these requirements and consider appealing to the appropriate national competent authority in the event a credit institution fails to meet the relevant requirements.
5. Anti-Fraud Measures
EU PSR also introduces a raft of new measures designed to prevent or reduce payments fraud. These include the following.
Verification of payee details for credit transfers
In respect of credit transfers, EU PSR requires a payee’s PSP to verify, on the request of the payer’s PSP, whether the unique identifier (e.g., an IBAN) and the name of the payee match the details supplied by the payer, and to communicate the outcome of that verification to the payer’s PSP. Where the details do not match, the payer’s PSP is required to notify the payer of the discrepancy before the payer finalises the payment order and the credit transfer is executed. However, the payer can decide whether to proceed with the credit transfer despite any discrepancy identified.
These requirements are broadly similar to the UK’s confirmation of payee requirements and will require PSPs that execute or receive credit transfers for payers or payees to put in place additional procedures.
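The verification-of-payee exchange described above, as an added illustration that is not part of the article or of any regulatory text: the payee's PSP compares the supplied IBAN and name against its own records, the payer's PSP surfaces any discrepancy before the order is finalised, and the payer's decision to proceed regardless is recorded. The sample ledger, the IBANs (standard published examples), the name-normalisation rules, the 0.8 similarity threshold and the disclosure of the registered name on a close match are all assumptions made for the example.

```python
"""Simplified model of the EU PSR verification-of-payee exchange (added example)."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample ledger held by the payee's PSP: IBAN -> registered account-holder name.
PAYEE_PSP_ACCOUNTS = {
    "DE89370400440532013000": "Muster GmbH",
    "GB82WEST12345698765432": "Acme Trading Ltd",
}
# Assumed similarity threshold for reporting a "close match"; not a value from the proposal.
CLOSE_MATCH_THRESHOLD = 0.8
LEGAL_FORMS = {"gmbh", "ag", "sa", "sarl", "bv", "ltd", "plc"}


def normalise_iban(iban: str) -> Optional[str]:
    """Strip spaces, upper-case, and validate the ISO 7064 mod-97 check digits."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", compact):
        return None
    # Move the country code and check digits to the end, then map letters to 10..35.
    numeric = "".join(str(int(ch, 36)) for ch in compact[4:] + compact[:4])
    return compact if int(numeric) % 97 == 1 else None


def normalise_name(name: str) -> str:
    """Case-fold, strip accents and punctuation, and drop legal-form suffixes."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_text.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


@dataclass
class VerificationResult:
    outcome: str                    # MATCH, CLOSE_MATCH, NO_MATCH or UNKNOWN_ACCOUNT
    registered_name: Optional[str]  # disclosed only on CLOSE_MATCH (an assumed design choice)


def payee_psp_verify(iban: str, supplied_name: str) -> VerificationResult:
    """Payee's PSP: answer the payer PSP's request by comparing IBAN and name."""
    compact = normalise_iban(iban)
    if compact is None or compact not in PAYEE_PSP_ACCOUNTS:
        return VerificationResult("UNKNOWN_ACCOUNT", None)
    registered = PAYEE_PSP_ACCOUNTS[compact]
    supplied, held = normalise_name(supplied_name), normalise_name(registered)
    if supplied == held:
        return VerificationResult("MATCH", None)
    if SequenceMatcher(None, supplied, held).ratio() >= CLOSE_MATCH_THRESHOLD:
        return VerificationResult("CLOSE_MATCH", registered)
    return VerificationResult("NO_MATCH", None)


def payer_psp_prepare_order(iban: str, supplied_name: str) -> dict:
    """Payer's PSP: run the check before the payer finalises the order and build the
    discrepancy notice the payer must see (None when the details match)."""
    result = payee_psp_verify(iban, supplied_name)
    warnings = {
        "CLOSE_MATCH": f"The name on this account is similar but not identical to "
                       f"'{supplied_name}' (registered name: '{result.registered_name}').",
        "NO_MATCH": f"The name '{supplied_name}' does not match the holder of this account.",
        "UNKNOWN_ACCOUNT": "This account could not be verified; the IBAN may be invalid.",
    }
    return {"outcome": result.outcome, "warning": warnings.get(result.outcome)}


def finalise_order(prepared: dict, payer_confirms: bool) -> str:
    """The payer decides; the PSP records that any discrepancy was shown before execution."""
    if prepared["warning"] is None:
        return "EXECUTED"
    return "EXECUTED_DESPITE_WARNING" if payer_confirms else "CANCELLED"
```

The recorded "EXECUTED_DESPITE_WARNING" state is what a payer's PSP would rely on to show that the discrepancy notification required by the proposal was actually given.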
Identification of payee
EU PSR generally requires a payer’s PSP to provide the payer with post-transaction information necessary for the payer to unambiguously identify the payee, such as the payee’s commercial trade name. PSPs within scope of this requirement will need to update their processes for payment confirmations and account statements accordingly and will no longer be able to use the legal entity name of a corporate payee in all cases for these purposes. This may also mean such PSPs need to request additional information from the PSP of the payee. Relevant payment systems will need to take this into account in their messaging protocols.
Transaction monitoring
PSPs will be required to implement additional monitoring mechanisms to detect and prevent fraudulent payment transactions. These should be based on the analysis of prior payment transactions and access to payment accounts online. They should also take into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials, including the respective environmental and behavioural characteristics. The EBA will be required to develop regulatory technical standards on such mechanisms.
Processing of personal data
EU PSR permits PSPs to process certain special categories of personal data as defined in the EU General Data Protection Regulation (GDPR), including biometric data, to the extent necessary for the provision of payment services and compliance with EU PSR, subject to appropriate safeguards. It is notable that the processing of such categories of personal data is generally restricted under the GDPR. Firms will need to review their fraud prevention and data policies and procedures accordingly.
Data exchange between PSPs
EU PSR also permits PSPs to exchange the unique identifier of a payee with other PSPs, subject to information sharing arrangements, in circumstances where a PSP has sufficient evidence to assume that a fraudulent payment transaction has occurred. In this regard, EU PSR also clarifies that where at least two different payment service users who are customers of the same PSP have reported that a unique identifier of a payee was used for a fraudulent credit transfer, sufficient evidence can be assumed. Such information sharing arrangements between PSPs will be subject to a data protection impact assessment and certain other requirements under the GDPR.
Customer warnings and staff training
EU PSR requires PSPs to alert their customers “via all appropriate means and media” when new forms of payment fraud emerge, provide them with clear indicators on how to identify fraudulent attempts, and warn them as to the necessary precautions to avoid becoming victims of fraud. PSPs are also required to provide at least annual training to employees on payment fraud risks and trends, and ensure that employees are adequately trained to mitigate and manage payment fraud risks.
6. Strong Customer Authentication
Scope
EU PSR clarifies that the requirement to apply strong customer authentication (SCA) is triggered:
(i) when a payer accesses payment account information, even where the payer does not access a payment account; and
(ii) when a mandate for merchant-initiated transactions is established through a remote channel (e.g., using an app or web-based interface) with the involvement of the payment service provider.
PSPs should consider whether these changes require them to apply SCA in any circumstances in which they currently do not.
Transaction risk analysis (TRA) exemption
TRA remains an exemption from SCA, although the EBA will be mandated to develop guidelines providing further details on the scope of the TRA exemption, including the requirements that must be met, appropriate methodologies, criteria for the calculation of fraud rates, and reporting and audit requirements.
Liability for technical service providers (TSPs) and operators of payment schemes
EU PSR introduces liability for TSPs and operators of payment schemes for financial damages caused to payees or PSPs resulting from the TSP or operator of a payment scheme’s failure to provide the services necessary to enable the application of SCA.
This could create significant liability risk for TSPs and payment scheme operators, and they should review their systems, policies, procedures, and agreements relating to services supporting SCA accordingly.
Outsourcing
PSPs will be required to enter into outsourcing agreements with TSPs where the TSP provides and verifies the elements of SCA. PSPs will remain liable to payment service users for failure to apply SCA and must have the right to “audit and control security provisions” under the outsourcing agreement. PSPs will need to review their agreements with service providers supporting SCA processes accordingly and ensure they have appropriate audit and control rights.
Accessibility requirements
PSPs will be required to ensure all of their customers, including “persons with disabilities, older persons, with low digital skills and those who do not have access to digital channels or payment instruments” have at their disposal at least a means, adapted to their specific situation, which enables them to perform SCA.
PSPs will also be required to develop a diversity of means for the application of SCA and will be prohibited from making the performance of SCA dependent on the exclusive use of a single means of authentication or, explicitly or implicitly, on the possession of a smartphone.
Increased potential for PSP liability
EU PSR also represents a shift in the balance of liability between PSPs and their customers in favour of customers.
In particular, the circumstances in which the payer’s PSP can refuse to refund the payer for an unauthorised transaction are narrowed to circumstances in which the PSP has reasonable grounds for suspecting fraud committed by the payer. In such cases, the PSP has up to 10 business days to investigate the suspected payer fraud. Within this timeframe, the PSP is required to either refund the payer the amount of the unauthorised payment transaction if it has concluded after further investigation that the payer did not commit fraud, or, if it refuses to do so, provide a justification for such refusal, and indicate the bodies to which the payer can refer the matter for resolution.
Further, under EU PSR, should the payer’s PSP fail to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer in connection with an authorised credit transfer, the payer’s PSP would be financially liable for any resultant losses sustained by the payer. In the event that the payee’s PSP is responsible for such failure to comply with the obligation to verify a payee’s details, it would be required to reimburse the payer’s PSP.
Impersonation fraud
EU PSR also introduces a new requirement for PSPs to refund a consumer if the consumer was manipulated by a third party impersonating an employee of the PSP and this manipulation resulted in subsequent fraudulent authorised payment transactions, provided that the consumer has reported such fraud to the police and notified its PSP without any delay. The obligation would not apply if the consumer had acted fraudulently or with gross negligence. However, the relevant PSP has the responsibility of discharging this burden of proof and in practice proving fraud or gross negligence is likely to be challenging in most cases.
In the era of generative artificial intelligence (AI) (including increasingly sophisticated AI voice generation), this could present a significant risk for PSPs.
7. Additional Customer Protection Measures
Currency exchange disclosures for credit transfers and money remittance
PSPs that execute credit transfers or money remittance transactions involving a currency conversion will be required to disclose to their customers the estimated charges for currency conversion expressed as a percentage mark-up over the latest available applicable foreign exchange reference rate issued by the relevant central bank. This is likely to create operational challenges for certain PSPs, particularly in relation to the calculation methodology and timing of the relevant inputs.
No unilateral spending limit increases
EU PSR introduces a restriction such that PSPs are not permitted to unilaterally increase the spending limits of payment instruments agreed with their customers. On this basis, customer consent will generally be required to increase spending limits on payment instruments such as payment cards.
8. Open Banking and Open Finance
EU PSR introduces additional obligations for account servicing PSPs (ASPSPs) such as banks in relation to their interactions with providers of open banking services. These are accompanied by separate legislative proposals to extend data access requirements to a broad range of financial services beyond payments (open finance).
ASPSPs, account information service providers (AISPs) and payment initiation service providers (PISPs) should consider how these changes will affect their business models, and any changes to operations and user interfaces they will need to make to comply with the new requirements. Firms that provide other types of financial services or provide services that enable customers to access information about these should review the open finance proposals.
Dedicated interfaces and fallback
ASPSPs will generally be required to maintain dedicated interfaces for the exchange of information with AISPs and PISPs. They will no longer be able to provide AISPs and PISPs with access to the interface used by the ASPSP’s customers. However, ASPSPs will no longer be required to maintain a “fallback” interface for AISPs and PISPs for use if the primary interface fails.
EU PSR expands the requirements for dedicated interfaces so that they must (at a minimum) allow PISPs to:
a) place and revoke a standing payment order or a direct debit
b) initiate a single payment
c) initiate and revoke a future dated payment
d) initiate payments to multiple beneficiaries
e) initiate payments, regardless of whether the payee is on the payer’s beneficiaries list
f) communicate securely to place a payment order from the payer’s payment account and receive all information on the initiation of the payment transaction and all information accessible to the ASPSP regarding the execution of the payment transaction
g) verify the name of the account holder before the payment is initiated and regardless of whether the name of the account holder is available via the direct interface
h) initiate a payment with one single strong customer authentication, provided the PISP has provided the ASPSP with certain prescribed information
This raises the question of whether all such functions are required if the ASPSP does not provide these to a customer when the customer accesses the payment account directly.
Permissions dashboards
An ASPSP must provide its payment service user with a dashboard, integrated into its user interface, to monitor and manage the permissions the payment service user has given for the purpose of account information services or payment initiation services covering multiple or recurrent payments. The dashboard must provide the payment service user with an overview of the access permissions given to AISPs and PISPs and allow the user to withdraw access for a given provider.
New open finance regime
In addition to the proposals for PSD3 and EU PSR, the European Commission published on 28 June 2023 a proposal for a Regulation on financial data access that will extend requirements to provide third-party access to customer data to a broad range of financial services beyond payments, including mortgages, loans, savings and investment services, pensions, and insurance. The new regime will create new standards on sharing data and require relevant third parties to obtain regulatory authorisation for their open finance services. It also includes requirements for customer permissions dashboards.
9. Regulatory Powers
EU PSR extends the supervisory and enforcement powers of regulators and prescribes significant regulatory sanctions for breaches of certain requirements. These changes are likely to affect the regulatory enforcement strategies and priorities of national competent authorities and may increase the likelihood and impact of enforcement actions against firms that breach the rules.
Broader investigatory powers
EU PSR gives national competent authorities broad powers to investigate potential infringements of the Regulation. These include powers to investigate TSPs, the operators of payment systems and outsourced service providers to relevant firms.
Prescriptive enforcement regime
EU PSR specifies sanctions for the breach of certain requirements, such as the rules on payment account access (i.e., open banking) and fraud prevention measures including SCA. These include maximum fines of at least 10% of annual turnover for legal entities and €5,000,000 for natural persons.
Product intervention powers
EU PSR gives the EBA the power to temporarily prohibit or restrict certain types or specific features of a payment service or instrument or an electronic money service or instrument in certain circumstances where the national competent authorities have not taken adequate actions to address a threat. The EBA is required to publish details of any such decisions.
10. Next Steps
Both PSD3 and EU PSR will now be subject to the EU’s “ordinary legislative procedure” which involves review by the European Parliament and the Council of the EU. The final versions of these texts could be agreed as early as late 2024 or early 2025. However, European Parliament elections in May 2024 may cause delays. PSD3 will also need to be transposed into national law. EU PSR will have direct effect in EU Member States but will apply 18 months after the final text enters into force.
It is not yet clear when PSD3 and EU PSR will enter into force. By way of comparison, the original proposal for PSD2 was published in 2013 and came into force in 2016 with EU Member States generally required to transpose its provisions into national law by January 2018.
On this basis, it may be several years before the changes under PSD3 and EU PSR apply to firms. However, given the breadth of the changes, PSPs should start considering how the proposals will affect their businesses now.
11. What Should Firms Do Next?
Firms providing, or planning to provide, payment services in the EU or to EU customers should consider how the points discussed above may affect their businesses and whether the changes could create opportunities or risks. Based on these considerations, firms may wish to engage with the European legislative institutions and/or national governments and regulators directly or through trade associations.