A new Payment Services Directive, PSD3: what’s in it?

In June, the EU put forward proposals for a new Payment Services Directive, PSD3. Having been involved in these developments since their inception in the 2000s, I was intrigued to read the text of PSD3, particularly as the main point bankers made about PSD2 is that they were forced to open up to Third Party Payment Services Providers (TPPs) via Application Program Interfaces (APIs) … what about vice versa?

So, big question: has PSD3 forced TPPs to open up to banks through APIs? Well, not exactly but then why would a bank want access to a TPP’s data some might ask. Answer: data enrichment, so yes, that caveat is quite important. More importantly is how the payments market have changed since the first directives and regulations were introduced almost twenty years ago.

As the EU points out:

The payment services market has changed significantly in recent years. Electronic payments in the EU have been constantly growing, reaching €240 trillion in value in 2021 (compared with €184.2 trillion in 2017). This trend was accelerated by the COVID-19 pandemic. New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking' services – i.e. securely sharing financial data between banks and financial technology firms (‘fintechs'). More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.

Just to add more context, 62% of all UK payments were made in cash in 2006, when the first directive was drafted. By 2016, cash reduced to 40% of payments and then, by 2021 just 15% of payments were made in cash, according to the banking trade body UK Finance. In the same report, UK Finance notes that 32% of adults were registered for mobile payments in 2021 and 92% paid this way in 2022. Meanwhile, contactless payments represent 63% of all credit card transactions and 76% of all debit card purchases. The result is a very different payments market as demonstrated by the fact that cash machines (ATMs) shrunk 22% between 2018 and 2022 (from 63,152 to 51,253), according to the UK ATM system Link [although, notably, UK banking customers withdrew £83bn from cash machines compared to £79bn in 2021].

So, what is in PSD3. In summary:

• The move from a Directive to a Regulation: standardising payments across the EU
• Better APIs: better open banking services
• More streamlined authentication: less pain at the checkout
• Direct access to payment systems for fintechs: a boost for innovation
• IBAN and name matching: a risk-based approach to fraud prevention
• Merging E-money and payments institutions: simplifying licensing
• Re-authorisation for firms under PSD3

Thanks to TrueLayer for those points.

Reading through the detail, here are the main points:

Improving open banking functionality. These elements focus on technological requirements such as the implementation of new data access interfaces, emergency data access, consent management dashboards, opening up access to financial data beyond only payment account data, etc.

Fraud mitigation. Per the European Commission, the proposals will reduce fraud by:

• Making widely available a service to check whether the name of the payee and bank account number match each other, before a transfer is confirmed
• Giving victims of fraud a right of refund by their bank or other Payment Service Providers (PSP), in specific circumstances
• Helping banks and other PSPs cooperate against fraud through more fraud-related information sharing
• Obliging banks to improve customers’ awareness about fraud

Fairer competition between banks and non-bank PSPs.

The proposals toughen requirements for banks to provide bank account services to non-bank PSP, and the latter would be able to directly participate in payment systems throughout the EU. The hope is that leveraging fairer competition would help drive down prices.

Simplification and efficiency. Electronic money institutions (EMIs) are merged with payment institutions (PIs) under a single regime, and all payment rules applicable to PSPs will be contained in a directly applicable regulation.

Strengthened consumer rights through enhanced account statement transparency, clear and transparent information regarding ATM charges, steps to rectify problems associated with blocked funds.

Improved payments experiences for consumers.

The proposal ensures consumers can make electronic payments and transactions in the EU, domestically or cross-border, in euro and non-euro.

To enhance cash accessibility in stores and via ATMs, businesses would be permitted to offer cash services to clients independent of any purchase requirements. Clearer guidelines are also provided for independent ATM operators.

Finally, instant transfers become mandatory. Banks in the EU will have to offer it to their customers, retail and professional, at the same price as a conventional transfer.

Thanks to Axway for the points above.

As a final note, we don’t know yet when PSD3 will come into force but, if previous directives are anything to go by, it will be around 2026. This is because the draft text needs to be issued as a final proposal, which will be around the end of 2024, and member states then have 18 months to vet, veto and commit.

Talking of which the UK, as a former member state, does not need to implement PSD3 but probably will take its key requirements onboard, as usual. After all, the UK did take PSD2’s requirement for OpenAPIs in payments into something called Open Banking and widening the remit. I’d expect more of the same.