The European Union (EU) is updating its regulatory framework governing payment services by introducing the "Payments Services Package". In June 2023, the European Commission published a set of legislative proposals designed to modernise and enhance the digital financial landscape within the EU.
The Payments Services Package consists of Payment Services Directive III (PSD3), to be adopted alongside the Payment Services Regulation (PSR) and the Regulation on a Framework for Financial Data Access (FIDAR).
PSD3 is an update to the existing Payment Services Directive (PSD2), aimed at further refining and expanding the regulatory framework for payment services. It will also repeal and replace the Electronic Money Directive (EMD2), establishing a single regulatory framework governing both payment services and e-money services. There would be a single set of requirements for licensing, conduct of business and prudential supervision, as e-money institutions will be licensed as payment institutions under PSD3.
What are the key topics of PSD3/PSR?
Strengthening harmonisation and enforcement
The forthcoming PSD3 is anticipated to focus predominantly on the regulation of licensing procedures and the functional aspects of payment service providers (PSPs).
Nevertheless, other essential elements such as fraud prevention, liability, transparency, open banking and Strong Customer Authentication (SCA) will be addressed within the PSR. The integration of these aspects into the PSR signifies the direct applicability of these regulations across the EU.
Enhancing consumer rights
The new proposal includes the following propositions to strengthen customers' rights:
- Increased protection of temporarily blocked funds – the proposed changes aim to ensure that the blocked amount will be proportionate to the expected final amount. Blocked funds should be released immediately after receipt of the information on the exact final amount of the payment transaction and no later than immediately after receipt of the payment order.
- Enhanced transparency on credit transfers and money remittances from the EU to third countries – PSPs will be required to inform users of currency conversion charges as well as of the estimated time for the payee's payment service provider in the third country to receive the funds.
- Enhanced transparency for payment account statements – PSPs will be obliged to clearly identify payees, including stating their commercial trade name.
Mitigating payment fraud
The Payments Services Package should tackle new types of fraud such as "spoofing" (i.e. cases where the fraudster manipulates the customer into giving their consent to authorise the transaction by pretending to be an employee of the payment institution). This blurs the distinction between unauthorised and authorised transactions, leaving current mechanisms insufficient to addressing such frauds.
The new proposal includes the following fraud prevention measures:
- Extension of IBAN/name verification services to cover all credit transfers – this will require the PSPs to verify that the account name matches the International Bank Account Number (IBAN) associated with that name.
- Enhancement of customer refund entitlements – customers should be entitled to refunds in instances where consumers are deceived by spoofing scams. Additionally, if the system designed to verify the alignment between the IBAN and the account holder's name malfunctions, customers will be eligible for a refund.
- Introduction of extended transaction monitoring measures.
- Provisions of legal framework for PSPs to share fraud-related information.
- Further SCA enhancements – new rules will be
established regarding SCA, including:
- Liability shift – the new proposal aims to shift the liability for fraud to third-party systems and technical service providers, such as digital wallet providers and payment gateways, if they fail to apply SCA.
- Exemptions from SCA – the proposal clarifies the circumstances in which certain types of transactions, such as Merchant-initiated transactions (MITs), are exempted from SCA.
Upgrading open banking
A landmark feature of PSD2 was the introduction of the open banking regulation, allowing account information service providers (AISPs) and payment initiation service providers (PISPs) to access customers' data with their consent in order to provide them with services such as expense reports, budgeting tools and targeted financial products. PSD3 is expected to bring the following changes and improvements to open banking requirements:
- Strict standards for data access interfaces – the Payments Services Package specifically address the prohibited obstacles, such as the requirement for additional registration or additional checks of the permission, that cannot be integrated into the interfaces.
- Customer dashboard – customers should be provided with a dashboard integrated into their user interface to monitor and manage permissions granted to AISPs. This tool should allow customers to see which companies have access to their data and enable them to revoke such access.
Levelling the playing field
The proposal aims to provide payment institutions (PIs) and electronic money institutions (EMIs) better access to payment systems. To obtain a licence, PIs and EMIs are required to have an account with a commercial bank. Currently, however, commercial banks often refuse to open accounts for them or close existing accounts due to concerns related to issues such as anti-money laundering controls. This creates an uneven playing field, as banks compete with PIs and EMIs in providing payment services.
Under the new proposal, banks will be required to offer clear reasons when refusing to open an account or when closing accounts for payment institutions (PIs), considering the individual circumstances of the PI. The decision not to open the account must be based on serious suspicions of illegal activities conducted by the PI or the risky nature of the PI's business model or risk profile. If the bank refuses to open the account, the proposal offers the PI the opportunity to appeal to a national authority. In addition to commercial banks, central banks will have the discretion to offer opening of accounts to non-bank PSPs.
Improving the availability of cash
- Purchase-free "cashback" at retailer shops – presently, retailers can provide cash-back services, but only as part of a purchase. The proposal aims to broaden access to cash by allowing retailers to offer cashback services outside of a purchase transaction, even without needing to obtain a licence or being an agent of a payment institution.
What is the timeline?
The precise dates for the implementation of PSD3 and the PSR remain unclear. Industry experts project that the finalised documents may be made public by the end of 2024 or at the beginning of 2025.
Upon their release, it is customary for EU Member States to be allotted a transitional period, typically extending to 18 months, to align with the new legislation. Consequently, it is expected that PSD3 and the PSR will come into effect over the course of 2026.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.