Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR)

What is the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR)?

On June 28, 2023, the European Commission published the proposal for a Third Payment Services Directive (PSD3), and the proposal for the Payment Services Regulation (PSR), to bring payments and the wider financial sector into the digital age.

The new rules will improve consumer protection and competition in electronic payments, and will empower consumers to share their data in a secure way so that they can get a wider range of better and cheaper financial products and services.

The payment services market has changed significantly in recent years. Electronic payments in the EU have been constantly growing, reaching €240 trillion in value in 2021 (compared with €184.2 trillion in 2017). This trend was accelerated by the COVID-19 pandemic.

New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking’ services – i.e. securely sharing financial data between banks and financial technology firms (‘fintechs’). More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.

In response to these developments, the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR) make the EU's financial sector capable of adapting to the ongoing digital transformation, and the risks and opportunities it presents.

The proposed measures:

1. Combat and mitigate payment fraud, by enabling payment service providers to share fraud-related information between themselves, increasing consumers' awareness, strengthening customer authentication rules, extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees' IBAN numbers with their account names mandatory for all credit transfers.

2. Improve consumer rights, in cases for example where their funds are temporarily blocked, improve transparency on their account statements and provide more transparent information on ATM charges.

3. Further level the playing field between banks and non-banks, in particular by allowing non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and securing those providers' rights to a bank account.

4. Improve the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers' control over their payment data, enabling new innovative services to enter the market.

5. Improve the availability of cash in shops and via ATMs, by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators.

6. Strengthen harmonisation and enforcement, by enacting most payment rules in a directly applicable regulation and reinforcing provisions on implementation and penalties.

The proposed measures ensure consumers can safely and securely make electronic payments and transactions in the EU, domestically or cross-border, in euro and non-euro. Whilst safeguarding the rights of customers, they also aim to provide greater choice of payment service providers on the market.

Understanding the Payment Services Directive 3 (PSD3).

The first Payment Services Directive (PSD1), adopted in 2007, established a harmonised legal framework for the creation of an integrated EU payments market.

The second Payment Services Directive (PSD2), adopted in 2015, sets out the rules for all retail payments in the EU, euro and non-euro, domestic and cross-border. PSD2 addressed barriers to new types of payment services and improved the level of consumer protection and security.

PSD2 aimed to:

- ensure a level playing field between incumbent and new providers of card, internet and mobile payments;

- increase the efficiency, transparency and choice of payment instruments for payment service users (consumers and merchants);

- facilitate the provision of card, internet and mobile payment services across borders within the EU;

- help innovative payment services to reach a broader market; and

- ensure a high level of protection for payment service users across all Member States.

The Commission was required to evaluate the PSD2, in particular on charges, scope, thresholds and access to payment systems. The evaluation took place in 2022, including advice from the European Banking Authority (EBA), a general and targeted public consultation, and a report from an independent consultant. Following the evaluation the Commission decided to propose amendments to PSD2, accompanied by an impact assessment.

The evaluation found that there was an unlevel playing field between payment service providers, due partly to the lack of direct access by non-bank Payment Service Providers (PSPs) to certain key systems that are necessary to finalise payments.

Open banking (i.e. the secure sharing of financial data between banks and third-party service providers) was a major innovation of PSD2. In spite of the emergence of many new non-bank providers on the market offering open banking services, there has been mixed success in its uptake.

Obstacles to data access by account information service providers (services which collect and consolidate information on the different bank accounts of a consumer in a single place) and payment initiation service providers (services which establish a payment link between the payer and the online merchant) still remain. While cross-border provision of payment services is increasing, many payment systems (especially debit card systems) remain largely national.

The amendments represent an evolution of the EU payments framework, and will improve the functioning of EU payment markets by:

- strengthening measures to combat payment fraud;

- allowing non-bank payment service providers (PSPs) access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account;

- improving the functioning of open banking, especially as regards the performance of data interfaces, removing obstacles to open banking services and consumer control over their data access permissions;

- reinforcing the enforcement powers of national competent authorities and facilitating implementation of the rules by clarifying various elements;

- further improving consumer information and rights;

- improving the availability of cash;

- merging the legal frameworks applicable to electronic money and to payment services.

Understanding the Payment Services Regulation (PSR).

The evaluation of the PSD2 identified problems regarding divergent implementation and enforcement of the PSD2 which directly impact competition between payment service providers, by creating different regulatory conditions in different Member States, encouraging regulatory arbitrage.

There should be no room for ‘forum shopping’ where payment services providers would choose, as ‘home country’, those Member States where the application of Union rules on payment services is more advantageous for them and provide cross-border services in other Member States which apply stricter interpretation of the rules or apply more active enforcement policies to payment service providers established there. That practice distorts competition.

The Union rules on payment services should therefore be further harmonised, by incorporating rules governing the conduct of the payment services activity, including the rights and obligations of the parties involved, in a Regulation.

Such rules, excluding the rules on authorisation and supervision of payment institutions, which should remain in a Directive, should be clarified and more detailed, thus minimising margins of interpretation.

To further improve access to cash, which is a priority of the Commission, merchants should be allowed to offer, in physical shops, cash provision services even in the absence of a purchase by a customer, without having to obtain a payment service provider authorisation or being an agent of a payment institution.

Those cash provision services should, however, be subject to the obligation to disclose fees charged to the customer, if any. These services should be provided by retailers on a voluntary basis and should depend on the availability of cash by the retailer.

Fraud in credit transfers is inherently adaptive and comprises an open-ended diversity of practices and techniques, including the stealing of authentication credentials, invoice tampering, and social manipulation.

Therefore, to be able to prevent ever new types of fraud, transaction monitoring should be constantly improved, making full use of technology such as artificial intelligence. Often one payment service provider does not have the full picture about all elements that could lead to timely fraud detection.

However, fraud detection can be made more effective with a greater amount of information on potentially fraudulent activity stemming from other payment service providers. Therefore, sharing of all relevant information between payment service providers should be possible.

To better detect fraudulent payment transactions and protect their customers, payment services providers should, for the purpose of transaction monitoring, make use of payment fraud data shared by other payment services providers on a multilateral basis such as dedicated IT platforms based on information sharing arrangements.

To improve the protection of payers against fraud in credit transfers, payment service providers should be able to rely on information as comprehensive and up to date as possible, namely by collectively using information concerning unique identifiers, manipulation techniques and other circumstances associated with fraudulent credit transfers identified individually by each payment services provider.

According to Article 1 (subject matter) of the proposed Payment Services Regulation (PSR):

1. This Regulation lays down uniform requirements on the provision of payment services and electronic money services, as regards:

(a) the transparency of conditions and information requirements for payment services and electronic money services;

(b) the respective rights and obligations of payment and electronic money service users, and of payment and electronic money service providers in relation to the provision of payment services and electronic money services.

2. Unless specified otherwise, any reference to payment services shall be understood in this Regulation as meaning payment and electronic money services.

3. Unless specified otherwise, any reference to payment service providers shall be understood in this Regulation as meaning payment service providers and electronic money service providers.

According to Article 2 (scope):

1. This Regulation applies to payment services provided within the Union by the following categories of payment service providers:

(a) credit institutions, including branches thereof where such branches are located in the Union, whether the head offices of those are located within the Union or outside the Union;

(b) post office giro institutions which are entitled under national law to provide payment services;

(c) payment institutions;

(d) the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities;

(e) Member States or their regional or local authorities when not acting in their capacity as public authorities.

According to Article 31 (access to payment systems):

1. Payment system operators shall have in place objective, non-discriminatory, transparent and proportionate rules on access to a payment system by authorised or registered payment service providers that are legal persons.

Payment system operators shall not inhibit access to a payment system more than is necessary to safeguard against specific risks, including where applicable settlement risk, operational risk, credit risk, liquidity risk and business risk or more than is necessary to protect the financial and operational stability of the payment system.

2. A payment system operator shall make publicly available its rules and procedures for admission to participation to that payment system and the criteria and methodology it uses for risk assessment of applicants for participation.

3. Upon receiving an application for participation by a payment service provider, a payment system operator shall assess the relevant risks of granting the applicant payment service provider access to the system.

A payment system operator shall only refuse participation to an applicant payment service provider where the applicant poses risks to the system, as referred to in paragraph 1. The payment system operator shall notify that applicant payment service provider in writing whether the request for participation is granted or refused and shall provide full reasons for any refusal.

4. Paragraphs 1, 2 and 3 shall not apply to payment systems composed exclusively of payment service providers belonging to the same group.

5. Payment system operators shall not have in place any of the following requirements:

(a) restrictive rules on effective membership in other payment systems;

(b) rules which discriminate between authorised payment service providers or between registered payment service providers in relation to the rights, obligations and entitlements of members;

(c) restrictions on the basis of institutional status.

6. A participant of a payment system that allows an authorised or registered payment service provider that is not a participant of the payment system to pass transfer orders through that payment system shall, when requested, give the same possibility to other authorised or registered payment service providers in an objective, proportionate, transparent and non-discriminatory manner. In case of a rejection of such request, the participant of a payment system shall provide any requesting payment service provider with full reasons for such rejection.

7. For payment systems that are not covered by Eurosystem oversight, pursuant to Regulation (EU) No 795/2014, Member States shall designate a competent authority responsible for oversight of payment systems to ensure enforcement of paragraphs 1, 2, 3, 5 and 6 by payment systems governed by their national law.
