Europe’s new payments regulation – from PSD2 to PSD3

I’ve always expected a PSD3 (the third European Payment Services Directive), as PSD2 had flaws. For example, banks were complaining that an OpenAPI for Trusted Third Parties is fine, but what about a reciprocal agreement or, if you prefer, why should we give them our data if they won’t give us theirs? Or maybe you prefer I’ll show you mine if you show me yours (remember those days?).

So, what’s in the goody box for PSD3?

Well, it’s in proposals stage and is framed as follows by the European Commission (June 28 2023).

The European Commission has put forward proposals to bring payments and the wider financial sector into the digital age. Today's new rules will further improve consumer protection and competition in electronic payments, and will empower consumers to share their data in a secure way so that they can get a wider range of better and cheaper financial products and services. These proposals place consumers' interests, competition, security and trust at their centre.

The payment services market has changed significantly in recent years. Electronic payments in the EU have been constantly growing, reaching €240 trillion in value in 2021 (compared with €184.2 trillion in 2017). This trend was accelerated by the COVID-19 pandemic. New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking' services – i.e. securely sharing financial data between banks and financial technology firms (‘fintechs'). More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.

In response to these developments, today's package seeks to ensure the EU's financial sector is fit for purpose and capable of adapting to the ongoing digital transformation, and the risks and opportunities it presents – in particular for consumers.

That is why the Commission has today proposed two sets of measures:

Revising the Payment Services Directive:

Today's proposal will amend and modernise the current Payment Services Directive (PSD2) which will become PSD3 and establish, in addition, a Payment Services Regulation (PSR). It consists of a package of measures which:

• Combat and mitigate payment fraud, by enabling payment service providers to share fraud-related information between themselves, increasing consumers' awareness, strengthening customer authentication rules, extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees' IBAN numbers with their account names mandatory for all credit transfers.
• Improve consumer rights, in cases for example where their funds are temporarily blocked, improve transparency on their account statements and provide more transparent information on ATM charges.
• Further levelling the playing field between banks and non-banks, in particular by allowing non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and securing those providers' rights to a bank account.
• Improve the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers' control over their payment data, enabling new innovative services to enter the market.
• Improve the availability of cash in shops and via ATMs, by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators.
• Strengthen harmonisation and enforcement, by enacting most payment rules in a directly applicable regulation and reinforcing provisions on implementation and penalties.

This proposal ensures consumers can continue to safely and securely make electronic payments and transactions in the EU, domestically or cross-border, in euro and non-euro. Whilst safeguarding the rights of customers, it also aims to provide greater choice of payment service providers on the market.

Legislative proposal for a framework for Financial Data Access:

This proposal will establish clear rights and obligations to manage customer data sharing in the financial sector beyond payment accounts, namely:

• Possibility but no obligation for customers to share their data with data users (e.g. financial institutions or fintech firms) in secure machine-readable format to receive new, cheaper and better data-driven financial and information products and services (i.e. such as financial product comparison tools, personalised online advice)
• Obligation for customer data holders (e.g. financial institutions) to make this data available to data users (e.g. other financial institutions of fintech firms) by putting in place the required technical infrastructure and subject to customer permission.
• Full control by customers over who accesses their data and for what purpose to enhance trust in data sharing, facilitated by a requirement for dedicated permission dashboards and strengthened protection of customers' personal data in line with the General Data Protection Regulation (GDPR).
• Standardisation of customer data and the required technical interfaces as part of financial data sharing schemes, of which both data holders and data users must become members.
• Clear liability regimes for data breaches and dispute resolution mechanisms as part of financial data sharing schemes so that liability risks do not act as a disincentive for data holders to make data available.
• Additional incentives for data holders to put in place high-quality interfaces for data users through reasonable compensation from data users in line with the general principles of business-to-business (B2B) data sharing laid down in the Data Act proposal (and smaller firms will only have to pay compensation at cost).

In practice, this proposal will lead to more innovative financial products and services for users and it will stimulate competition in the financial sector. For example, consumers will benefit from improved personal finance management and advice. Previously burdensome processes such as comparison services or switching to a new product will become smoother and cheaper, including for example, automated processing of mortgage applications. SMEs would also be able to access a wider range of financial services and products, such as more competitive loans resulting from their creditworthiness data being more easily accessible.

Panagiotis Kriaris, who works with Unzer in Austria, posted an update on the latest developments for PSD3 on LinkedIn  that summarises the above features of PSD3 nicely, if you're not so keen on reading paragraphs:

1) Open Banking improvements:

• new requirements for dedicated data access interfaces
• banks will no longer need to maintain two data access interfaces
• open banking providers to be given contingency #data access (to secure business continuity in case the primary bank interface is down)
• all providers (banks and PSPs) to set up a “dashboard” for consumers to view, control (and be able to revoke) data access rights
• obligation to provide access to financial data beyond payment account data

2) Fraud mitigation:

• extend refund rights for fraud victims
• new mandatory system to match IBAN numbers with account names
• stronger customer authentication rules
• a legal basis for PSPs to share fraud-related information between them

3) Fairer competition between banks and the 1,000+ non-bank PSPs (Payment Service Providers) to drive down prices:

• allow PSPs to access all EU payment systems
• secure payment and e-money institutions’ (there are 800 and 270 respectively) access to a bank account

4) Simplification:

• merging e-money institutions (EMIs) with payment institutions (PIs) under one regime
• all payment rules applicable to PSPs will be contained in a directly applicable regulation

5) Improve the availability of cash in shops and via ATMs, by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators

6) Improve consumer rights (i.e. when funds are blocked, improve transparency on account statements and ATM charges)