PSD3 & Payment Service Regulation (PSR)
On 28 June 2023, the European Commission (EC) finally published the so-called ‘Financial access data and payments package’, which many payment enthusiasts had been eagerly awaiting.
First of all, the new regulatory proposals do not represent a revolution in the previous European payment regulation, but rather an evolution that addresses many of the known problems of the PSD2. In addition, the EC wants to develop the ‘Open Banking’ regime into a more general, much more far-reaching ‘Open Finance’ framework.
In this briefing, we summarise the background and the most important proposed changes to the Payment Service Regulation (PSR) and Payment Service Directive 3 (PSD3).
In further parts, we will take a closer look at the so-called Open Finance Regulation (Framework for Financial Data Access Regulation, FIDA) and the proposal to introduce a digital euro.
Conclusions from the PSD2 review
Before we go into the PSR/PSD3 proposals in more detail, we believe it is helpful to briefly mention the European Commission's (EC) PSD2 review report, which was published together with the legislative proposals, in order to better understand the innovations. Unsurprisingly, the EC concluded that the PSD2 has been successful to varying degrees.
Specifically, the EC's assessment of the PSD2 and the related implementation measures in the Member States is as follows:
- A level playing field could only be created to a limited extent, in particular due to an ongoing imbalance between bank and non-bank payment service providers (bank PSPs vs. non-bank PSPs). This is mainly due to the fact that non-bank PSPs do not have direct access to key payment systems.
- Open banking has had varying degrees of success in EU Member States, with particular attention being drawn to existing problems with the performance of the dedicated interfaces for third-party providers (PISPs, AISPs).
- Furthermore, although the cross-border provision of payment services is increasing, many payment systems remain largely national. A pan-European payment solution is still pending.
- Finally, the expected cost reductions for merchants through new, cheaper means of payment (e.g. based on open banking) have not yet fully materialised.
Overall, the EC acknowledges that the existing PSD2 framework has made progress in creating a successful single market for payments, despite some shortcomings. However, further targeted changes to the legal framework are needed.
To address these issues, the impact assessment presented together with the regulatory proposals identifies four objectives of the current PSR/PSD3 initiative:
- Strengthening user and consumer protection and trust in payments,
- improving the competitiveness of open banking services,
- improving the consistent implementation and enforcement of European rules in member states, and
- improving access to payment systems and bank accounts for non-bank PSPs.
These objectives are to be achieved primarily through the following measures. Please note that this article does not provide a comprehensive list of all changes compared to PSD2, but only covers the most important innovations:
PSR/PSD3 regulatory concept
The Commission proposal envisages the existing PSD2 being transferred into two different legal acts, namely a 3rd Payment Services Directive (Payment Service Directive 3, PSD3) to be implemented by the EU Member States and a directly applicable Payment Service Regulation (PSR).
While the majority of the rules previously contained in the PSD2 have been moved to the PSR, the provisions on the authorisation and supervision of payment institutions are to be regulated in the PSD3 in the future.
In particular, the PSR is intended to regulate the pre-contractual information obligations of payment service providers, rules on the conclusion, content, amendment and termination of payment service contracts, rights of reimbursement/liabilities, anti-fraud measures and the requirements in connection with strong customer authentication (SCA).
The introduction of the directly applicable PSR should lead to a more harmonised legal framework. National discretion is to be reduced. This approach is not new, but is already known from other areas of financial market regulation, such as banking supervision law (keywords CRR / CRD).
Furthermore, the previous 2nd E-Money Directive (EMD2) is to be incorporated into the PSR and PSD3. E-money business is defined as a further payment service. Accordingly, institutions that engage in e-money business are to be covered by the term ‘payment institutions’ in the future. This means that the previous category of ‘e-money institution’ will no longer apply.
Open Banking
The EC has decided to make a number of targeted changes to the open banking framework to improve its functioning.
At the same time, however, it wants to avoid radical changes that could destabilise the market or lead to significant further implementation costs. Nevertheless, the changes – if they are adopted as they stand – will trigger some adjustment needs, in particular technical changes for account-holding payment service providers.
It is interesting to note that the EC believes that the costs of introducing an EU-wide uniform technical API standard would outweigh its benefits, which is why it is refraining from such a requirement. In the run-up to the proposal, a uniform technical standard was often discussed as a way of boosting open banking.
The PSR/PSD3 proposal also does not change the existing PSD2 default rule that requires account servicing payment service providers (ASPSPs) to allow third party providers (TPPs) to access their customers' account data without a contractual relationship and thus without being able to charge a fee. The ability to charge such a fee had also been widely requested.
Interestingly, the Open Finance Regulation, in contrast to the PSR/PSD3 proposal, does provide for the possibility of charging for access to other financial data.
The proposed Open Banking changes essentially include the following:
- It sets out new minimum requirements for the performance of the so-called API interfaces, in particular an illustrative list of prohibited obstacles to transmission, in order to ensure that TPPs have optimal data access to the full benefit of their customers. In return, the current requirement to provide TPPs with a ‘fallback mechanism’ is being removed. ASPSPs will only be required to maintain a dedicated interface. TPPs must also be able to maintain business continuity through temporary emergency data access in the event of an interface failure.
- ASPSPs are also to be required to offer their customers a ‘permission dashboard’. This is designed to enable account holders to see at a glance in the payment account to whom they have granted which data access rights. Customers should also be able to use this tool to terminate data access by third parties if they so wish.
It is also interesting to note that the European Commission has considered the option of regulating account information service providers (AISPs) in the new open finance regulation (FIDA framework) rather than in the PSR/PSD3. At first glance, this would seem obvious, since this is only one specific form of open finance application. However, the Commission has decided to propose this only when the open finance framework is fully operational and only if the conditions for a smooth transfer can be deemed appropriate.
Catalogue of payment services
The list of payment services requiring a licence remains largely unchanged. As mentioned above, the e-money business is regulated as an additional payment service. The definition of the e-money business is somewhat expanded to include the management of payment accounts on which e-money is stored and the transfer of e-money units.
Otherwise, the definitions of the various payment services have merely been slightly adjusted. For example, issuing and acquiring, which were previously grouped together in one provision, have been separated. This is to make it clear that issuing and acquiring transactions can also be offered separately, which has already been the case in Austria.
However, due to the new wording, it seems unclear whether acquirers and issuers will still be allowed to offer loans in the future, which has been the case so far. In this regard, we expect a need for adjustment, especially since the EC has stated that it does not want to change the scope of the PSD2.
Furthermore, deposit and withdrawal transactions, which were previously separate, are being merged due to their similarity.
Strengthening the supply of cash
The EC cites ensuring access to cash as one of its priorities.
With this in mind, the existing cashback exemption in the PSD2 is being expanded to include the option for retailers to dispense cash at the checkout under certain conditions without a licence and without the customer having to make a purchase (referred to as ‘cashback without purchase’). This is intended in particular to promote the supply of cash in rural areas.
Furthermore, the previous exemption for cash withdrawal services provided by certain ATM operators (Art. 3 (3) (o) PSD2) has been cancelled because, according to the EC, it has led to many interpretation issues. Instead, a procedure for registering ATM operators that do not service payment accounts is being introduced. These are thus included in the scope of the PSR/PSD3 and also become ‘payment institutions light’. For the purpose of registration, certain information must be provided to the competent authority, such as the company's organisational arrangements. The activity may not be commenced before registration.
Stricter application of the commercial agent exemption
The planned restriction of the commercial agent exemption is highly relevant in practice. Until now, payment transactions between the payer and the payee via a commercial agent who, on the basis of an agreement, is authorised to negotiate or conclude the sale or purchase of goods or services only on behalf of the payer or only on behalf of the payee have been exempt. Now, an additional requirement is provided for, namely that such an agreement must give the payer or the payee a real margin to negotiate with the agent or to conclude the sale or purchase of goods or services. In our opinion, further clarification is needed here as to what exactly this means.
In any case, the amendment could have an impact on online marketplaces in particular, as well as on fuel card providers that sell fuel as intermediaries. Furthermore, retailers that act as intermediaries for goods (e.g. travel agencies and ticket sellers) could be affected.
Unchanged limited networks exemption
The wording of the limited networks exception, on the other hand, remains unchanged.
However, the EBA is to be instructed to define the conditions for using this exception in its own regulatory technical standards (RTS). Such RTS are then usually made binding by the Commission as delegated acts.
We currently expect the EBA guidelines of 24 February 2022 on the limited network exemption under PSD2 to be converted into RTS without any significant changes to the content. However, this is not set in stone.
Digital wallets
Another interesting point of discussion in the past was whether certain digital wallet providers or other technical service providers should be regulated under PSD3.
This will not happen, because the European Commission makes it clear in the PSR/PSD3 proposal that so-called ‘pass-through wallets’, such as Apple Pay and Google Pay, do not constitute a payment instrument, but a technical service. However, providers of such wallets must conclude an outsourcing agreement with the issuer of the respective payment instrument, e.g. the issuer of the credit card that is tokenised in the wallet, if they also verify elements of strong customer authentication for payments.
Other categories of digital wallets, however, such as prepaid electronic wallets like ‘staged wallets’ in which users can store money for future online transactions, are to be considered a payment instrument and their issuance a payment service.
Furthermore, it is clarified that NFC per se does not constitute a payment instrument.
Securing customer funds
Currently, payment institutions must secure customer funds in the event of bankruptcy either through an escrow account at a credit institution or by means of a bank guarantee or insurance.
In practice, it is difficult for payment institutions to find appropriate credit institutions or insurance companies. The EC is now responding to this by introducing the option for payment institutions to also secure customer funds directly with a national central bank. This will make it easier for payment institutions to maintain security accounts directly with central banks in the future.
However, the safeguarding requirements for payment institutions will also be tightened, with the aim of obliging them to avoid concentration risks when safeguarding customer funds. Specifically, they will be obliged not to use the same safeguarding method for all customer funds and not to keep all customer funds at a single credit institution.
Access of payment institutions to payment systems
The rights of payment institutions to access payment infrastructure are also to be strengthened in order to reduce existing imbalances between bank and non-bank PSPs. To this end, payment institutions are to be included in the Settlement Finality Directive as part of the PSR/PSD3 regulation. This would enable payment institutions to participate directly in important payment systems, such as TARGET2, and make them less dependent on credit institutions.
As a supporting measure, it is envisaged that payment system operators may only deny payment institutions access to the extent necessary to protect the respective payment system from certain risks (e.g. operational risks, liquidity risks).
Furthermore, it should be mentioned in this context that in the future, credit institutions may only refuse to open a payment account for a payment institution if there are serious reasons for doing so, such as suspicion of inadequate money laundering controls at the payment institution, suspicion of illegal activities by the payment institution or its customers, etc.
Combating fraud
The EC attaches great importance to the issue of combating fraud in payment transactions. It notes that new types of fraud have increased in recent years, such as social engineering fraud, for which the PSD2 is not equipped.
PSD3 is intended to combat the sharp increase in ‘spoofing’. The problem with spoofing is that the distinction between authorised and unauthorised transactions becomes blurred because fraudsters manipulate the consent given by the customer to authorise a transaction, for example by using the bank's phone number or email address. Prevention mechanisms such as SCA have so far been unable to sufficiently prevent such fraud.
The proposed new preventive measures include, in particular,
- an IBAN/name check (so-called ‘IBAN-name check’) for all transfers in EU currencies. This means that payment service providers should be obliged to check the IBAN of the payee for consistency with the account name free of charge for transfers in an EU currency. Such an obligation has not existed so far, but it has recently been provided for by the EC in the context of the Commission's draft regulation on instant payments for instant transfers (see the separate article on this). In the future, all consumers should benefit from this when making transfers, including ‘regular’ transfers. According to the EC, this could help to prevent social engineering fraud. Specifically, it is planned that the payee's payment service provider must verify, at the request of the payer's payment service provider, whether the payee's IBAN provided by the payer actually matches the account name, and must notify the result to the payer's payment service provider;
- stronger transaction monitoring to ensure strong customer authentication and improve the prevention and detection of fraudulent transactions. In this context, the creation of a legal basis for payment service providers to exchange fraud-related information with each other in full compliance with the GDPR should also be mentioned;
- an obligation on payment service providers to implement educational measures to raise awareness among their customers and employees of payment fraud; and
- an extension of consumer refund rights in certain situations (see next paragraph for more details).
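As an added illustration (not part of the briefing, and not any PSP's or payment scheme's actual implementation), the following Python models the IBAN-name check exchange the proposal describes: the payer's PSP sends the payee's IBAN and name to the payee's PSP, which validates the IBAN, compares the name against its own account register and notifies the result. The account register, the result codes, the name normalisation and the CLOSE_MATCH similarity threshold are constructed assumptions for this example.

```python
# Added example, not from the briefing and not any PSP's or scheme's own code:
# a minimal model of the proposed IBAN-name check between two PSPs.
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed account register of a hypothetical payee PSP (assumption).
PAYEE_PSP_ACCOUNTS = {
    "DE89370400440532013000": "Max Mustermann",
    "GB82WEST12345698765432": "ACME Trading Ltd",
}

# Result codes and the similarity threshold are assumptions chosen for the example.
CLOSE_MATCH_THRESHOLD = 0.85


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the country code and check digits to the end,
    replace letters A-Z with 10-35 and require the number to be 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Fold case, strip accents and punctuation and collapse whitespace, so that
    'ACME Trading Ltd.' and 'acme trading ltd' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", without_marks.lower())
    return " ".join(cleaned.split())


def payee_psp_verify(iban: str, claimed_name: str) -> str:
    """Payee PSP side: answer the payer PSP's request with a result code.
    Only a code is returned; the registered account name is not disclosed."""
    if not iban_is_valid(iban):
        return "INVALID_IBAN"
    registered = PAYEE_PSP_ACCOUNTS.get(re.sub(r"\s+", "", iban).upper())
    if registered is None:
        return "ACCOUNT_NOT_FOUND"
    claimed, held = normalise_name(claimed_name), normalise_name(registered)
    if claimed == held:
        return "MATCH"
    if SequenceMatcher(None, claimed, held).ratio() >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH"  # e.g. a typo in an otherwise correct name
    return "NO_MATCH"


def payer_psp_check(iban: str, payee_name: str) -> tuple:
    """Payer PSP side: request the check before executing the transfer and
    decide whether the payer must be warned. Returns (result, warn_payer)."""
    result = payee_psp_verify(iban, payee_name)
    return result, result != "MATCH"


if __name__ == "__main__":
    for iban, name in [
        ("DE89 3704 0044 0532 0130 00", "Max Mustermann"),
        ("DE89370400440532013000", "Max Musterman"),
        ("DE89370400440532013000", "Erika Beispiel"),
        ("GB29NWBK60161331926819", "Anyone"),
        ("DE89370400440532013001", "Max Mustermann"),
    ]:
        print(iban, name, "->", payer_psp_check(iban, name))
```

Anything other than MATCH is surfaced to the payer before execution, which is the point at which the check can interrupt a social engineering attempt.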
Extension of refund rights / liability of PSPs
The PSD3 proposal provides for an extension of the liability rules at the expense of payment service providers. A new feature is the granting of refund rights in two situations:
- for consumers who have suffered a loss because the ‘IBAN name check’ did not detect a discrepancy between the name and the IBAN of the payee, and
- for consumers who have been the victim of a ‘spoofing’ scam, in which the fraudster contacts the consumer under the pretence of being an employee of the consumer's bank and tricks the consumer into taking certain actions that cause the consumer financial damage.
The second proposal in particular is a tough one. It means that victims of spoofing fraud can claim a full refund for the fraudulent transaction from their payment service provider, such as their account-holding bank, if they file a police report and inform their bank immediately. A refund would only be disallowed if the consumer had acted with gross negligence or with intent to defraud, e.g. if they had fallen victim to the same type of fraud more than once. The ‘spoofing’ would also have to be convincing, e.g. by exactly copying the bank's email address or phone number. However, the burden of proof for grossly negligent or fraudulent behaviour on the part of the consumer lies with the payment service provider.
It is clear that a regulation of this kind would significantly expand the liability of account-holding payment service providers. It would lead to liability in situations that a bank can hardly do anything about. It is therefore hardly surprising that banks have already taken a strong position against this expansion of the refund rights.
Strong customer authentication (SCA)
One of the key measures of the PSD2 for preventing fraud is strong customer authentication (SCA), also known as two-factor authentication, whereby payment service users must identify themselves in certain situations by means of at least two elements from the categories of knowledge (e.g. a PIN), possession (e.g. a payment card) and inherence (e.g. a fingerprint).
In principle, the PSD2 only contained a definition of SCA and a rudimentary definition of when SCA must be used. Most of the specifics are set out in the RTS, the development of which was characterised by many discussions (see the Delegated Regulation on RTS for strong customer authentication and common and secure open standards of communication).
Compared to the PSD2, the proposed PSR contains more details on this. The SCA requirements are adjusted as follows, among other things:
- In order to avoid excluding people with disabilities, older people and others who have difficulties using SCA, payment service providers should in future provide SCA tools that can also be used by these groups. For example, it should not be a requirement to have a smartphone to authenticate oneself. This should be done in accordance with the European Accessibility Directive (see Directive on the accessibility requirements for products and services).
- With regard to merchant-initiated transactions (MITs), it is made clear that SCA may only be omitted if a payment transaction is initiated without any interaction or involvement of the payer. If MITs are based on a payer's mandate, SCA is necessary when the mandate is first set up, but not for subsequent payment transactions.
- For telephone or mail-order transactions (so-called ‘MOTOs’), a non-digital initiation of the payment transaction should not be subject to an obligation for SCA. However, this only applies on condition that the payer's payment service provider applies security requirements and controls that enable some form of authentication of the payment transaction.
- One of the ‘pain points’ of the PSD2 is that ASPSPs must carry out strong customer authentication of their users who access their payment account via a specific account information service provider (AISP) at least every 90 days. This has often been criticised. The PSR aims to reduce the frequency with which ASPSPs have to carry out SCA to the initial application and no more than every 180 days. In addition, AISPs will be given the opportunity to carry out SCA themselves.
Further measures to protect consumers
To improve consumer protection, the EC proposes a number of further measures, such as:
- The surcharge ban should be extended to all credit transfers and direct debits in all currencies.
- With regard to transfers and remittances from the EU to third countries, it is planned that users must be informed about the likely fees for currency conversion, in line with the current information requirements for transactions within the EU. Customers should also be informed about the expected duration until the amount is received by the payment service provider of the payee in a third country. However, no maximum period is required for such transfers and remittances. This would not be feasible as the duration partly depends on banks outside the EU, which are not subject to EU rules either.
Further timeline
The publication of the proposed rules in June 2023 marked the start of the EU legislative process.
The next phase will see the Council and the European Parliament establish their positions on the proposals, before trilogue negotiations, in which a political compromise between the Council and the Parliament is usually negotiated. This is followed by formal adoption by the Council and the European Parliament.
After that, the regulations will be translated, published in the Official Journal and will usually come into force 20 days later. However, the PSR will not be applicable for another 18 months after it comes into force. The member states will in all likelihood have to implement the PSD3 within the same period.
According to reports, the European legislators will first negotiate the PSR/PSD3 package and only then discuss the open finance package.
Overall, we think that the legislative process will not be completed before the European elections in 2024, but will be finalised towards the end of 2024 at the earliest. This would mean that the new rules would start to apply around mid-2026.
Please bear in mind that this preliminary estimate is for indicative purposes only.
How can we help you?
With our extensive expertise in the payment sector, we are happy to support you in preparing for the new requirements of the PSR/PSD3 regulation at an early stage.