On 28 June 2023, the European Commission (EC) published a draft for the third iteration of the Payment Services Directive (PSD3) together with a draft for a new Payment Services Regulation (PSR). The drafts aim to strengthen the existent legal framework, extend financial data access and provide increased security and protection for users.
Electronic payments have seen constant growth in the EU, helped by the emergence of “open banking” services – services that involve the secure sharing of financial data from banks to payment service providers. These services also brought new types of fraud, damaging trust in the sector. PSD3 and PSR are the EC’s answer to this fraud, attempting to re-establish trust by improving the security and reliability of payments and by improving consumer information and rights. Compared to PSD2, PSD3 and PSR increase the regulatory scope, require more providers to combat payment fraud, reduce reliance on cumbersome technical data interfaces, and overall remove obstacles that keep payment providers and consumers from using payment services safely.
PSD3 is primarily focused on the rules pertaining to the licensing and supervision of payment institutions, while the PSR introduces new provisions alongside the existing mandates of the PSD2. These provisions significantly impact various domains within the European Union (EU) payments market. Cybersecurity is such a domain, with the draft changes aiming to require additional attention from market players (banks, payment service providers (PSPs), Fintechs, technical solution providers) on topics such as identity, risk management and privacy.
While still in the draft phase, the new regulation and the directive are already relevant for market players, as they imply changes to the provisioning of payment services. They align with the trend of regulatory uniformity and expansion witnessed in recent years, as exemplified by GDPR (General Data Protection Regulation), DORA (Digital Operational Resilience Act) and MiCA (Markets in Crypto Assets), which are also connected to the new rules. The new regulatory framework aims to increase the security and safety of the payments ecosystem, with a focus on end consumers, as stated in the objectives of the regulatory initiative. This can prove challenging for FinTechs, whose ambition to innovate, or even disrupt the market, requires fast prototyping and frequent changes to their products. Unsurprisingly, 53% of companies in the Financial Services sector rank “balancing security and innovation” as their biggest internal challenge (EY 2023 Global Cybersecurity Leadership Insights: mastering complexity, EY - Global).
The new Payment Services Regulation
The draft PSR proposes various changes, ranging from high-level regulatory ones such as integrating the requirements of the Electronic Money Directive into the PSR, to specific information transfer mandates, such as requiring Account Servicing Payment Service Providers (ASPSPs) to share the name of the Payment Service User (PSU) as account holder and the individual initiating the payment with Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Highlighted below are some of the key aspects addressed, categorized by their theme.
Cybersecurity and fraud changes
A significant change in the cybersecurity domain is the expansion of security requirements to encompass payment card schemes, payment gateways, and merchants. The regulation also now covers third parties to whom technical, operational, and communication services have been outsourced. This mandates more parties in the payment chain to implement controls such as Strong Customer Authentication (SCA) to bolster payment security. The application of SCA to Merchant Initiated Transactions (MITs) and to Mail Orders or Telephone Orders (MOTOs), a point of ambiguity under PSD2, has been clarified in the PSR. For MITs, SCA must be applied at the set-up of the initial mandate, while it is not needed for subsequent merchant-initiated payment transactions. MOTOs are exempt from SCA only when the initiation of the payment transaction is non-digital. The regulation unequivocally prohibits the circumvention of SCA in the case of an acquirer established outside of the EU.
The new PSR will encompass the provisions of EMD2 (the revised Electronic Money Directive), while taking into account the interplay between MiCA and PSD2 with regards to the treatment of e-money tokens (EMTs). With PSR, EMTs are deemed to be electronic money, hence falling under the definition of funds for PSR, warranting compliance.
The regulation also mandates organizations to address the emerging security risk of social engineering-based fraud, where customers are deceived into initiating payment transactions themselves. Fraud prevention in the PSR is associated with the use of SCA, with programmes and campaigns that increase PSUs’ awareness of fraud attempts, and with the use of transaction monitoring mechanisms by PSPs. Furthermore, PSPs are expected to notify PSUs of any discrepancy between the name and the unique identifier of a payee before a payment is made. Internally, training programmes must be organized at least annually by PSPs to equip employees with knowledge of payment fraud risks and trends. PSD3 specifies that authorized payment providers must hold insurance that can cover their liability for fraudulent access to, or fraudulent use of, payment account information services.
Besides fraud prevention, PSPs must also report fraud statistics at least annually, for which the ECB will develop regulatory technical standards containing the reporting requirements.
A notable simplification in the provisions pertains to the “dedicated interface”, usually implemented as an Application Programming Interface (API). ASPSPs that have implemented an API are no longer required to maintain a fall-back mechanism, though they must ensure that the dedicated interface preserves the integrity and confidentiality of the security credentials, with response times comparable to the standard interface used by their clients.
Additionally, PSR requires that PSPs have transaction monitoring mechanisms in place to mitigate fraud risk. Moreover, a PSP may exchange information with another PSP if substantial evidence of a fraudulent payment transaction is present. On the other hand, transaction monitoring mechanisms are known to require large quantities of data, which means data privacy considerations must be built in from the start.
From an inclusivity standpoint, the PSR proposes a general provision requiring PSPs to take into account the needs of different vulnerable groups and not to exclude users who do not possess authentication means that depend on technology such as smartphones. These revisions would help clarify the options for blocking suspicious payment transactions and address the risk of social engineering fraud.
Resilience changes
Looking from a different angle, DORA, a recent regulation on digital resilience, came into effect in 2023. Digital Operational Resilience is the ability to build, assure and review operational integrity from a technological perspective by ensuring, either directly or indirectly, through the services of Information and Communication Technology (ICT) third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a payments services provider makes use of and which support the continued provision of payment services and their quality.
PSD3 and PSR mandate the establishment of a framework with mitigation and control mechanisms to manage security and operational risks, aligning with the provisions for ICT risk management in DORA. The competent authority must receive, at least on an annual basis, an assessment of the operational and security risks related to the provided payment services. PSR makes a specific reference to incident management procedures that must be established as part of the framework. The overarching theme in PSD3 is that applicants for payment licenses must uphold a high level of digital operational resilience as defined by DORA.
Privacy changes
Delving into privacy, PSD3 and PSR introduce measures aligned with the European privacy regulation, GDPR. PSPs are allowed to process special categories of personal data as defined in Article 9 of the GDPR, given that appropriate safeguards for the fundamental rights and freedoms of natural persons are in place. On a broader scale, PSR advocates for enhanced control over the PSU data across the different links in the payment chain, mandating ASPSPs to provide the PSUs with a dashboard for controlling and managing the permissions given for AISPs and PISPs.
Furthermore, PSR advises that data minimization (a core principle of the GDPR) prevails in the context of screen scraping techniques, which notoriously process large quantities of data, thereby prohibiting these techniques under any circumstances. Another example of data minimization is that transaction monitoring data should not be stored longer than necessary and must be deleted at the end of the customer relationship. Lastly, a Data Protection Impact Assessment (DPIA) must be performed before any agreement on sharing transaction monitoring data with other payment service providers.
What you should do now
While still in the draft phase, the mandates of PSD3 and PSR and the linked regulations can disrupt an organization and present risks for its payment licenses. The following steps allow you to prepare:
- Ensure you start internal and external conversations now. Internally, discuss PSD3 and PSR with the relevant departments, such as Compliance, Cybersecurity and Legal, to increase awareness. Externally, connect with your business network and the regulators to determine what is deemed sufficient and to collaborate. The goal is to create a shared understanding of what PSD3 and PSR mean for your organization.
- Assess holistically your readiness for the new rules of PSD3 and PSR. A holistic approach integrates with existing compliance initiatives, whereas a reactive approach is likely to increase compliance effort and cost. Evaluate your strong points and gaps, putting them in the context of the other regulations and directives that impact your organization, such as DORA.
- Prioritize and plan areas of improvement, whether remediating actions for your gaps or increasing maturity in key competencies, and introduce these into your roadmap.
- Popularize the roadmap by means of awareness programs and training, to ensure wide buy-in from employees.