Important take-aways of the EU Commission’s proposal for a new Payments Package

The EU Commission has put forward proposals to amend and modernise the current Second Payment Services Directive (PSD2), thus becoming PSD3, and to establish a thereto related Payment Services Regulation. The purposes of the Commission’s proposals are, inter alia, to improve the competition within the payment industry and to ensure that consumers may continue to make electronic payments in a secure manner, within the EU, domestically and cross-border. In this article, we look closer at some of the most interesting features of the proposed rules.

Background – evaluating the impact and application of PSD2

PSD2 is the current EU legal framework regulating retail payments in the Union. In general, the PSD2 intends to regulate the fluctuating types of payment services and to improve the level of consumer protection and security, aiming to, inter alia:

• ensure a competitive and level playing field between current and new providers of card-, internet- and mobile payments;
• increase the efficiency, transparency, and choice of payment instruments for payment service users (mainly consumers); and
• facilitate the provision of different internet, card, and mobile payment services.

A targeted consultation of the application and impact of the PSD2 took place during 2022.[1] The purpose was to inform the EU Commission on the application and impact of the PSD2, and to assess whether the PSD2 remains fit for purpose, taking into consideration certain developments in the payment market, payment users’ needs, including charges, scope, and access to payment systems. The evaluation concluded, inter alia, that there is an unlevel playing field between Payment Service Providers (PSPs), partly due to the lack of direct access by non-bank PSPs to certain key systems necessary to finalise payments.[2]

Following this preparatory work, the Commission has proposed certain amendments to the PSD2 for the purpose of adapting applicable legislations to evolving payments services, the evolving payment landscape and technological advancements. The Commission’s proposal also aims to improve consumer protection and the security and accessibility of different payment services.

The proposed PSD3 & PSR

General

On June 28, 2023, the Commission proposed an amended payment services package, including a proposal for a third payments services directive (PSD3) and a new payment services Regulation (PSR), intended to replace the PSD2 and the Electronic Money Directive. The proposed approach would thus have the effect that payment services and electronic money would become subject to one single legislative regime.

The proposed PSR contains the general rules in relation to e.g., operational and information requirements for PSPs and sanctions for PSPs while the proposed PSD3 mainly regulates the authorisation process for Payment Institutions (PIs) and the supervisory system.

The PSR will encompass rules pertaining to all activities for PSPs, integrating certain provisions from the currently applicable Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and Common and Secure open standards of Communication (CSC), as well as guidelines and opinions from the EBA. Furthermore, PSR will (as an EU regulation) become a single directly applicable legal framework covering all operations of PSPs in the EU. This will have the benefit of reducing any uncertainty and regulatory arbitrage between national legislation of Member States.

Key Objectives of the PSD3 and PSR

The new payment package aims to address the following objectives:

(1) strengthen user protection and confidence in payments;

(2) improve the competitiveness of open banking services;

(3) improve enforcement and implementation in Member States; and

(4) improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.

In the following, we consider each of these objectives in more detail, focusing on the core novelties of the proposed legal regime.

A closer look at the rules aiming to fulfil the objectives of PSD3 and the PSR

Strengthen user protection and confidence in payments

To strengthen user protection and confidence in digital payments, the EU Commission wants to further improve the application and use of SCA and address the different types of emerging frauds, such as “spoofing” (which is when a perpetrator falsely presents themselves as, for example, an employee of a PSP and utilises such position to commit a fraud).

In case of a fraudulent action, for example spoofing, a PSP will under the PSR be obligated to reimburse the amount transferred due to the fraud, provided however that the user promptly reports the incident to the police and notifies the PSP.[3]

The PSR also provides clarity regarding the scope and usage of SCA[4], including for example in relation to virtual payment cards in mobile wallets.[5] In this regard, a PSP will be required to enter into an outsourcing agreement with its technical service provider if such provider is supplying and verifying the elements of the SCA.[6] It is hence likely that card issuers are required to enter into such outsourcing agreements with providers of digital wallets, such as Google Pay and Apple Pay. Additionally, provisions regarding accessibility requirements have been included in the PSR, ensuring that a variety of SCA methods are made accessible for all types of users.[7] This because the performance of SCA shall not be dependent on the use of a single mean, for example a smartphone.

Improve competitiveness of open banking services

The emerging need and use of open banking services has created a requirement for a uniform standard of interfaces within the payment industry. In this regard, the PSR sets out obligations for account servicing PSPs (ASPSPs), such as banks, for facilitating their interactions with providers of open banking services. For the purpose of strengthening the interoperability and standardisation between the ASPSPs and the open banking services, the PSR will set out mandatory minimum requirements for application program interfaces (APIs). These shall for instance ensure that payment initiation service providers are able to place and revoke a standing payment order or a direct debit, initiate a single payment and to initiate and revoke a future dated payment.

The PSR also introduces new performance requirements for APIs. These include a requirement for ASPSPs to ensure that their dedicated interface offers at least the same level of availability and performance as the interfaces made available to a user for directly accessing its payment account online.[8] Furthermore, ASPSPs offering payment accounts that are accessible online will also be required to provide a dashboard for monitoring and managing the permissions that the user has given, including allowing the user to manage and withdraw permissions for open banking providers from gaining access to their data.[9]

Improve enforcement and implementation in Member States

One ambition with the proposed PSD3 is to integrate the licensing regimes for PIs and Electronic Money Institutions (EMIs). PIs and EMIs which have already been granted and possess a relevant license, will be required to undergo a re-application process in order to continue to provide payment services or issuing e-money as PIs.[10] Within 24 months of the PSD3 coming into effect, an already licensed PI or EMI would hence have to submit a new application to the competent authority for such authority to assess whether it complies with the new framework and, where it does not, which measures the institution must take to ensure compliance (but also whether the existing authorisation should be withdrawn).[11] There is also an option for Member States to provide for a possibility for automatic re-authorisation.

Although the reasons behind the re-application process are motivated (i.e., to ensure that all institutions operating in the market have been subject to the same harmonised application process), we believe there may be a risk that such re-application process will be costly and may require extensive resources from the applicant. As we see it, specific measures should therefore be taken in this regard to ensure that the re-application process for such institutions will not be unnecessary time consuming or costly. To ensure a harmonised process for the granting of licenses under any such re-application processes, it may also be appropriate to impose to competent authorities a time limit for the authorisation process to be concluded, after the receipt of all the information required for the decision.

Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs

The overall purpose of the PSR is to achieve a more even playing field between banks and non-bank PSPs. Under the PSD2, an obstacle for non-bank PSPs has been their inability to gain direct access to certain payment systems, which has resulted in uneven conditions for non-bank PSPs when operating in the market, thus affecting and obstructing the overall competition between service providers.

PSPs need access to payment systems to provide payment services to users. To ensure equal treatment throughout the Union between the different categories of authorised PSPs, the EU Commission has deemed it necessary to clarify the rules concerning access to payment systems (direct as well as indirect via another participant in that payment system).[12] PSD3 thus amends the EU Settlement Finality Directive (SFD) to allow non-bank PSPs to be direct participants in SFD-designated payment systems. [13] As a result, non-bank PSPs would not need to rely on banks in order to execute payment transactions through such systems.

The Commission has deemed that such access should be subject to requirements that ensure integrity and stability of those payment systems, and the payment system operator should hence carry out a risk assessment of a PSP applying for direct participation, including conducting a risk assessment to examine relevant risks (e.g., settlement risks, operational risks, credit risk, liquidity risk and business risks). In this regard, payment system operators should only reject an application for direct participation by a PSP if the payment service provider is unable to respect the rules of the system or poses an unacceptably high level of risk.[14]

Ending remarks

The proposed content of the PSD3 and PSR indicate that there will be a promising transformation in the digital payment landscape within the Union. With a focus on strengthening user protection, conforming license application processes, and expanding access for non-bank PSPs to payment systems, these frameworks set out a solid foundation for creating a more secure, competitive, and innovative payment and financial landscape. However, while these proposals aim to establish and bring significant advantages and clarity for actors in the payment market, their success will, as we see it, be dependent on a balanced and fine-tuned approach being met between consumer protection (including safeguarding security) and the fostering of competition between bank- and non-bank-PSPs. In this regard, we hence see that collaboration and close dialogues are needed between regulatory bodies, financial institutions, and PSPs to ensure a seamless transition into this new regulatory framework, requiring profound involvement from all actors operating in the market.

[1] finance-2022-psd2-review (europa.eu)

[2] A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2) – Publications Office of the EU (europa.eu)

[3] PSR, Article 59.

[4] PSR, Article 85.

[5] PSR, Recital 118-119.

[6] PSR, Article 87.

[7] PSR, Article 88 and Recital 110.

[8] PSR, Article 35 and 37.

[9] PSR, Article 43.

[10] PSD3, Article 44 and 45.

[11] PSD3, Article 44.

[12] PSR, Recital 34.

[13] PSD3, Article 46.

[14] PSR, Recital 34 and Article 31.