On the 28th of June 2023, the European Commission (EC) published its draft proposal of a Payment Services package which should replace the second Payment Services Directive (PSD2).
The EC’s proposal follows the various consultations with stakeholders. It also results from the EC’s impact assessment that demonstrated the need to pursue the following key objectives:
- Tackle the fragmentation of the market and, in particular, ‘Forum shopping’ issues observed in the European Union (EU) by stronger enforcement and implementation rules in the Member States;
- Further protect Payment Service Users (PSUs) against fraud risk and foster their confidence in payments;
- Improve competitiveness in the Payment landscape by protecting Open Banking Service Providers against remaining obstacles to providing their payment services and reducing their competitive disadvantage compared to banks;
- Fight economic inefficiencies or discriminations faced by non-bank Payment Service Providers (PSPs) by improving their access to payment systems and bank accounts.
PSD2 replaced by a directive (PSD3) and a regulation (PSR)
The proposed draft Payment Service package is composed of two legislative acts, namely a Regulation and a Directive. The proposed draft Payment Services Regulation in the internal market is directly applicable in the EU, which will minimize room for interpretation.
The PSR will address all rules concerning PSP activities, and will also embed some requirements from the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS on SCA & CSC), as well as requirements from European Banking Authority guidelines and opinions.
The EBA is expected to draft a new RTS, most probably replacing the existing one. It should tackle:
- SCA;
- exemptions from the application of SCA;
- Transaction Risk Analysis (TRA);
- technical requirements for transaction monitoring;
- security measures to protect confidentiality and integrity of personalized security credentials and Common & Secure open standards of Communication (CSC).
PSD2 and E-Money Directive merged into PSD3
Next to the PSR, the proposed draft Directive on Payment Services and Electronic Money Services in the internal market (PSD3) embeds the Electronic Money Directive (Directive 2009/110/EC) and tackles requirements regarding the authorization (licensing) and supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs).
The changes introduced by the draft proposal for PSD3 are further discussed here.
Access to Accounts, fallback and obstacles
Obligation to offer dedicated interface, unless exemption
PSPs offering payment accounts accessible online will be obliged to offer dedicated interfaces for data exchange with Third-Party Payment Providers (TPPs); the option of offering direct access to the customer interface instead is removed. However, the draft PSR introduces an exemption, allowing PSPs not to offer any dedicated interface if they have a specific business model in which payment services are of very little relevance. Criteria for granting this exemption are expected to be further described by the EBA.
Review of payment initiation services definition and what the PSPs need to expose in their dedicated interface
Because the Confirmation of Funds (CAF) payment service is very rarely used, it has been merged with the Payment Initiation Service (PIS). Also, the draft PSR specifies the minimum types of payment transactions that the dedicated interface should offer, as well as additional requirements ensuring that no obstacles remain.
No fallback, secured screen scraping
It is no longer mandatory to maintain a permanent fallback interface. However, in the event that dedicated interfaces are down and with authorization from the relevant National Competent Authorities (NCAs), TPPs should have the ability to securely utilize the customer interfaces by identifying themselves. This practice is also known in the market as ‘secured screen scraping’.
Drawing from the current EBA opinion on TPP service provision under PSD2, the draft PSR encompasses a non-exhaustive list of obstacles that dedicated interfaces should not create, ensuring unhindered provision of payment services.
Access to payment systems and payment accounts
The draft PSR reinforces the existing requirement to grant Payment Institutions (PIs) non-discriminatory access to payment systems and accounts held by credit institutions. The scope of the requirement has been expanded to encompass not only the onboarding but also the offboarding of PIs and of those in the process of obtaining a license.
Key changes linked to Strong Customer Authentication
Account Information Service Provider (AISP)
An essential change introduced by the PSR is the requirement for Account Information Service Providers to conduct their own subsequent authentications of the PSU, once the initial authentication has expired, namely after 180 days.
Financial inclusion
PSPs will also be required to offer a range of authentication methods that are suitable for individuals with disabilities and elderly individuals, ensuring they are not reliant solely on smartphones or payment instruments for authentication purposes.
Technical service provider
Where a technical service provider offers or verifies SCA elements, PSPs should establish an outsourcing agreement with the provider. This agreement should include provisions for auditing and controlling security measures.
Consent dashboard
PSPs offering payment accounts accessible online will be required to develop a permission dashboard, known as 'consent' under PSD2, within their customer interface. This dashboard will allow PSUs to monitor, in real time, which TPPs have been granted permission to access their data.
The biggest challenges for the concerned PSPs will be to support PSUs in revoking and re-establishing their permissions, as well as ensuring that TPPs are promptly informed of these actions. TPPs should also share information about PSUs’ permissions with the PSPs to ensure the permission dashboard always remains up to date.
IBAN checks
The draft PSR also requires the payee’s PSP to verify, free of charge, the consistency between the name and unique identifier of a payee (the recipient of the transaction) before the initiation of credit transfers. These requirements extend the scope of the ‘IBAN name checks’ introduced in October 2022 through the proposal for a Regulation for Instant Credit Transfers in euro. Information and notification duties of PSPs towards PSUs are similar to those for instant payments.
Fraud
Transaction monitoring
Transaction monitoring requirements related to the existing RTS on SCA and CSC are also documented in the draft PSR. Notably, it introduces fraud data exchanges among PSPs to facilitate the multilateral sharing of relevant fraud data, such as unique identifiers, manipulation techniques, fraudulent credit transfers and other patterns identified by other PSPs.
Liability
The draft PSR introduces specific requirements regarding the fraud scenario in which a fraudster impersonates a bank employee. PSPs are liable in such cases, and therefore responsible for refunding PSUs who have been manipulated by fraudsters unlawfully using a bank’s name, email address or phone number to carry out fraudulent transactions. Cooperation with mobile network operators should prevent the fraud scenario from happening again.
Fraud reporting
Specific articles require PSPs to provide their NCA with statistical data on fraud and payment methods at least on a yearly basis. It remains unclear whether this reporting will complement the current Payment Statistics Reporting. The EBA is expected to draft Regulatory and Implementing Technical Standards to provide clarity on this matter.
PSU awareness
PSPs will also be required to enhance awareness among their PSUs and employees regarding emerging forms of payment fraud and trends. They must inform them about precautions and actions they may take if they suspect fraud.
By when?
The PSR will become applicable 18 months after publication in the Official Journal of the EU. If the final proposal is published by the end of the year, the obligation to comply with the PSR could be expected by the second half of 2025.
How should PSPs prepare?
The PSR will undoubtedly require developments that must be incorporated into strategic plans and budget forecasts. Therefore, PSPs should assess the impact of these changes on their organization right now instead of waiting for the final proposal of the PSR.
To ensure timely compliance with the PSR, PSPs should undertake the following steps:
- Identify the functions impacted by the PSR changes, such as credit transfers and cards-payment flows, fraud departments, legal teams handling contracts, liability and terms & conditions, IT & security departments, etc.;
- Assess the impact of the PSR on each affected function to determine the necessary process changes and developments, as well as required budget and capabilities;
- Incorporate the impacts into the strategic planning of the organization;
- Roll out changes to ensure timely compliance.
Just like any important change impacting multiple functions within an organization, it is crucial to ensure adequate governance is defined, in order to follow up on the changes planned. As PSPs progress in implementing these changes, it is important to monitor compliance to ensure it is achieved by the regulatory deadline.