On 28 June 2023, the European Commission introduced a package of three proposals aimed at improving the functioning of the payment services market and widening access to and use of financial data. The package consists of a proposal for a new Payment Services Directive 3 (PSD3), a proposal for a Payment Services Regulation (PSR) and a proposal for a Financial Data Access Regulation (FIDAR).
1 Background and objectives of the package
Since the adoption of PSD2 in 2015, the retail payment services market underwent significant changes: the use of cards and other digital means of payments has increased, the use of cash has decreased and the presence of new players and services, including digital wallets and contactless payments, has grown. While PSD2 has without a doubt achieved many of its objectives, the Commission has also identified certain areas where the objectives of PSD2 have not been fully achieved. In particular, despite the achievements of PSD2, (i) consumers remain at risk of fraud and lack confidence in payments, (ii) the open banking framework functions imperfectly, (iii) EU supervisors have inconsistent powers and obligations, and (iv) there is an unlevel playing field between banks and non-bank payment service providers (PSPs). The initiative intends to address each of these problems.
2 Strengthen user protection and confidence in payments
PSD2 introduced Strong Customer Authentication (SCA) in order to reduce fraud. While SCA has reduced the average value of fraudulent transactions across the EU from 2020 to 2021 by almost 50% for card payment service providers, new types of fraud continue to evolve.
In order to further reduce fraud, the package proposes amongst others the following measures:
- PSPs of payees, at the request of the PSP of the payer, must verify whether the IBAN and the name of the payee as provided by the payer match. This service is an important extension of the current rule that payment orders are deemed to have been executed correctly if they have been executed in accordance with the IBAN of the payee provided by the payer and, at least under Belgian law, the PSP has verified the coherence of the IBAN.
The Commission intends to align this new obligation with its Instant Payments Proposal, where a similar provision imposing the verification of discrepancies between the name and IBAN of a payee for instant credit transfers in euro is proposed;
- victims of fraud were already given a right of refund by their PSP. The Commission intends to extend this right of refund to impersonation fraud cases. An obligation for electronic communication service providers to cooperate with PSPs is introduced with a view to preventing such fraud;
- new liability provisions for technical service providers and operators of payment systems are included for failure to support SCA;
- SCA will be more accessible to users with disabilities;
improved availability of cash such as in shops without a purchase and through independent ATM providers;
- the rights of consumers are improved and transparency obligations are imposed by introducing targeted amendments to certain current rules, such as a requirement to inform the payment service user of alternative dispute resolution procedures in case of single payment transactions (i.e. mainly money remittances), a requirement to clearly identify the payee in the payment account statements, additional information requirements for domestic ATM withdrawals…
3 Improve the competitiveness of open banking services
Account information services and payment initiation services, often collectively known as open banking services, are payment services involving access to the data of a payment service user by payment service providers which do not hold the account holder’s funds nor service a payment account. Given that open banking service providers still face obstacles to offering basic open banking services, the Commission puts forward measures to support open banking by lowering market barriers.
Account servicing PSPs (ASPSPs) will need to allow access by open banking service providers to payment account data if the payment account can be accessed by the payment service user online and if the payment service user has granted permission for such access. Access to the account and the data therein will be provided via a dedicated interface. The requirement to maintain permanently a fallback interface is removed.
ASPSPs must also put at the disposal of payment service users a dashboard for monitoring and withdrawing or re-establishing data access granted to open banking service providers.
4 Improve enforcement and implementation in member states
Divergent implementation and enforcement of PSD2 and the resulting regulatory arbitrage have been identified as a key issue of PSD2. It is therefore proposed that:
- the private law provisions that are currently contained in PSD2 will be moved to the directly applicable PSR. PSD3 will continue to regulate the prudential status of payment institutions;
- the e-money regime will be integrated within PSD3 and PSR and the second E-Money Directive (EMD2) will be repealed. In practice, the delineation between the payment institution and electronic money regimes has over the years led to a number of practical difficulties, creating an unlevel playing field and possible circumvention of EMD2. The authorisation and supervision regime applicable to electronic money institutions will therefore be aligned with the regime applicable to payment institutions, although certain licensing requirements and key basic concepts governing the electronic money business that are distinct from the services provided by payment institutions will be preserved;
- penalty provisions will be reinforced.
5 Direct access to payment systems and right to a bank account for payment institutions
Payment institutions currently do not have direct access to payment systems. PSD3 proposes to amend the Settlement Finality Directive so that payment institutions can participate directly in payment systems designated by a Member State pursuant to that Directive (but not designated securities settlement systems).
Payment institutions need to be able to open and maintain a bank account to meet their licensing requirements as regards safeguarding of customer funds. Some payment institutions or companies applying for a payment institution license still face de-risking practices from some banks which either refuse to open an account for them or close an account where one exists.
The right of payment institutions to a bank account will therefore be strengthened: credit institutions will be required to provide a payment account to payment institutions and to applicants for a license as a payment institution, as well as to their agents and distributors, except in exceptional cases where there are serious grounds to refuse access.
6 Financial data access proposal
In addition to the PSD3 and PSR proposals, the European commission also wants to promote data-driven financial services.
PSD2 already enabled the sharing of payment account data. The FIDAR proposal will enable the sharing of a broader set of financial services data, allowing consumers and firms to better control access to their financial data and making it possible for consumers and firms to benefit from financial products and services that are tailored to their needs based on the data that is relevant to them. The FIDAR proposal also sets out the rules applicable to the market participants who will engage in this activity.
Matthias De Cock