‘PSD3’ – or should that be ‘PSR1’? Exploring the EU’s updated payments regulations

On 28^th June 2023, the European Commission (EC) set out its proposals for ‘modernising payment services and opening financial services data’. The proposals for payments – referred to as ‘PSD3’ –essentially reflect an update to the current Payment Services Directive (PSD2) while also establishing a first Payment Services Regulation.

The overarching missions for the EU in these areas are to improve consumer protection, enhance competition in electronic payments, and strengthen harmonisation and enforcement across the EU. The question is – do the proposals deliver on these aims?

Further steps in fighting fraud

The fraud agenda includes some important elements. Firstly, strengthening rules for Strong Customer Authentication (SCA) in how they apply to particular circumstances and types of transaction. This will include simplifying the application of SCA for payment account information services (offered by an AISP), whereby the bank holding the payment account (ASPSP) will only need to apply SCA for the first access to payment account data by the AISP.

Secondly, this announcement proposes the introduction of an account name matching service for instant payments, which alerts the payer to potential discrepancies between the name and unique account identifier of a payee. There may be some similarities to Confirmation of Payee (CoP), introduced for a number of Faster Payments scenarios since 2019.

Thirdly, there is a proposal for payments services providers (PSPs) to share fraud-related information between themselves to prevent bad actors from executing similar frauds across multiple banks or non-bank PSPs. There is also reference to an extension of refund rights of consumers in certain situations, which could include failures of the name verification checking service, or for victims of spoofing fraud where the scam involves impersonating the consumer’s PSP.

Levelling the playing field to foster innovation

The proposals for enhancing competition centre on improving the functioning of open banking ‘especially regarding the performance of data interfaces’ and allowing non-bank PSPs access to all EU payment systems with appropriate safeguards.

New substantial requirements for dedicated data access interfaces are proposed, together with a list of prohibited obstacles to data access. In addition, the Commission proposes strengthening rules to protect business continuity of open banking providers with new rules on the performance levels for APIs. This includes addressing API availability vs downtime, API response times (latency), or levels of support when API problems occur. The rules will also seek to address a lack of standardisation in API implementations, specifying the minimum levels of functionality that APIs should support.  The Commission has clearly concluded that further rules are required to get banks and other financial institutions to grasp the benefits from data sharing and API-based third-party access.  These requirements have some similarities to the UK’s open banking standards and framework rules via the Open Banking Implementation Entity, the body that drove the roll-out of Open Banking since PSD2 was adopted into UK regulations.

The proposals also include reinforced rules as a matter of urgency for the admission of Payment Institutions as participants in payment systems, with an obligation on payment system operators to carry out tailored risk assessments on possible participants in place of generalised higher-level assessments to discourage excessive risk aversion. There will also be tougher rules on banks providing bank account services to non-bank PSPs, with a stronger requirement on banks to explain refusal of service or account closure.

Changing the regulatory approach

There are two important angles on the regulatory architecture to highlight.  A proposal is included to merge the two existing regulatory regimes for e-money institutions which currently sit under the E-money Directive and payment institutions which currently sit under PSD2, to provide better harmonisation and simplicity in the legal regimes for payment institutions and former electronic money institutions.

Separately, most of these upgraded rules for PSPs will be enacted in a ‘directly applicable regulation’ – a first Payment Services Regulation (“PSR1” maybe?). For context, a regulation is applied more consistently across the 27 member states, whereas a directive needs to be interpreted and incorporated into national law in each country.  Such a regulation will reinforce implementation requirements and consistency across all EU countries and will enable a stronger enforcement approach to achieve compliance.

PSD3 and PSR1 – Consolidation not revolution

It is worth noting that PSD2 took the big steps to introduce new regulated payment entities such as third-party providers including PSIPs and AISPs, as well as SCA with major impacts on acquirers and merchants. While there are no revolutionary new concepts or strategic step-changes in PSD3, these proposals represent a constructive build on the PSD2 agenda and address a number of known practical problems that have arisen with PSD2’s implementation.

Overall, PSD3 brings a range of benefits to the industry by improving consumer security, adjusting the open-banking environment to drive greater standardisation and service consistency across the EU, and delivering harmonisation and simplification of the regulatory environment, together with stronger enforcement.

The pragmatic measures outlined in PSD3 / PSR1 can consolidate the big breakthroughs made under PSD2 and maintain focus on achieving the right outcomes for customers: convenience, competition, cost-effectiveness, security and choice.

The EC’s proposals will now move through the parliamentary stages, supported by wider industry engagement, with potential for amendments dialling up or down different areas of emphasis. The current timelines in place indicate the new rules could be finalised by 2025 and come into effect in 2026.

Amid shifting regulatory sands, Icon understands the evolving landscape and the customer proposition opportunities across corporate, business and consumer segments.  Our leadership in payments positions us to work successfully with clients looking to upgrade their payments architectures and deliver roadmaps for API-enabled, data-centric, open-banking services, coupled with leading fraud mitigation approaches.