Posted: 13 Jul. 2023

Reviewing the EU payments regulatory framework: the new PSD3/PSR1 package

At a glance

  • The EU has introduced a legislative package to modernise and harmonise the existing payments regulatory framework, in light of accelerating innovation and digitisation. The package comprises a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR1).
  • The proposals include measures to level further the playing field between banks and non-bank payment providers. These include making the latter eligible for direct access to all EU payment systems and reinforcing their rights to open and maintain a bank account.  The package aims to enhance the resilience of the payment sector through stricter safeguarding and wind-down planning requirements. Regulators could also require payments firms to create a separate legal entity, if they are part of a group undertaking non-payment - likely unregulated - activities.
  • The EU is also seizing the opportunity to remove well-known barriers to open banking development. It proposes mandating dedicated data-sharing interfaces for third parties, relaxing some consumer authentication requirements, and introducing mandatory permissions dashboards. The changes are essential, but will require significant effort and investment, particularly from account providers. 
  • The package also includes proposals to strengthen fraud and consumer protection. These include mandatory free of charge payee verification services, broadening consumers’ refund rights for new types of frauds, and providing a robust legal basis for firms to share fraud-related data voluntarily. 
  • If adopted in its current form, the legislative package will help bolster the EU payment sector’s resilience and competitiveness. However, compliance, including re-authorisation requirements, will demand considerable investment and effort from firms. Given the package’s ambition and technical complexities, we expect that final rules are unlikely before late 2024 at the earliest.

Introduction

As digitisation accelerates, the EU’s quest to remain innovative, competitive and resilient has caused it to review the current payments regulatory framework. Against this background, the EU Commission recently published two legislative proposals: PSD3 and PSR1.

The Commission described the package as an “evolution not a revolution”.1 Still, while the proposed changes can appear incremental, their long-term impact could potentially be substantial, especially for non-bank Payment Institutions (PIs). This article explores the key proposals.

Note – The Commission launched the PSD3/PSR1 package alongside a legislative proposal for a Financial Data Access (FIDA) Regulation that would effectively implement Open Finance in the EU.

One framework to rule them all 

Harmonising the EU payment regulatory landscape is one of the package’s key goals. Diverging interpretations reduced the effectiveness of the current Payment Services Directive (PSD2) by creating a degree of regulatory fragmentation and arbitrage across Member States (MS).2 To this end, the EU proposes to transfer all key definitions (e.g., what constitutes a payment account) and rules governing the conduct of PIs from PSD2 into PSR1, clarifying those definitions where necessary. As a Regulation rather than a Directive, PSR1 will be directly applicable in all MS. PSD3 will continue to cover rules on the authorisation and supervision of PIs.

The EU also proposes to repeal the current E-money Directive (EMD), making e-money institutions (EMIs) a sub-category of PIs and merging EMI requirements into PSR1/PSD3. The rationale is that it is increasingly challenging to distinguish between e-money and payment services. Establishing one single framework for all PIs will bring regulatory clarity without creating new or disproportionate compliance burdens. For example, EMIs already have to comply with most conduct requirements in PSD2 anyway. In some cases, it may reduce administrative costs, e.g., by removing the requirement to obtain a new licence in certain circumstances.

Existing licences for all PIs will remain valid for 2.5 years after the revised PSD3 enters into force. However, within the first two years PIs must provide their National Competent Authority (NCA) with the information it needs to assess compliance with the new authorisation and supervision requirements. This process will undoubtedly raise PIs’ compliance costs. The Commission may have deemed this approach necessary to remove existing differences across MS and realise the benefits of the new harmonised framework more quickly.

Levelling the playing field

The EU recognises that the playing field between banks and PIs is not yet fully level, and proposes two key measures to foster fairer competition: 

1) Access to all EU payment systems – PIs will be eligible for direct access to all EU payment systems, including four-party card schemes and central bank-operated ones, through an amendment to the Settlement Finality Directive. This will help reduce PIs’ reliance on banks and increase competition. However, meeting direct participation obligations will require significant enhancements to the governance and risk management capabilities of most PIs. In practice, therefore, we think this option may only be viable for the largest market participants.

2) Strengthen rights to access a bank account – PSR1 strengthens the requirements for banks to provide a payment account to PIs, bar in exceptional cases. Many PIs report that banks currently refuse their applications citing vague concerns, typically general AML/CFT3 risks associated with the payment sector. Instead, the new proposals mandate that refusals must meet higher transparency standards and refer to serious risks associated with a PI’s specific activities and business model. PIs will welcome these proposals, including the right to appeal to NCAs. The latter could therefore play a more significant role in ensuring fair access than they have done to date under the less prescriptive PSD2 requirements.

Strengthening the resilience of the payments sector

As we highlighted previously, the growing number and types of PIs and the complexity of their business models is an increasing supervisory concern. As anticipated, the Commission is now proposing enhanced regulatory requirements to tackle some of the key associated risks. We highlight three measures in particular:  

  • More stringent safeguarding rules – PIs will have to “endeavour” to safeguard customer funds with more than one bank, to reduce concentration risks. PIs’ ability to do so will depend on the effectiveness of the complementary proposals to improve their access to bank accounts. However, MS will also have the option to let PIs hold customer funds at a central bank, which, if adopted, could provide more choice and flexibility. 
  • Wind-down plans – As part of their authorisation applications, PIs will need to submit a wind-down plan that is proportionate to their business model and its planned services. This will give regulators more tools to probe firms to ensure they put measures in place to reduce consumer harm resulting from their potential failure. 
  • Legal entity structure – NCAs will have the power to require PIs that also undertake non-payment activities to create a separate payments legal entity. As we expected, the Commission is taking steps to prevent spill-over risks – especially from unregulated activities – that may affect PIs’ financial and operational resilience. If implemented, this requirement may affect payment services provided by larger groups, including large technology and digital platforms. 

Unlocking the value of open banking

The Commission is also using the package to address some of the well-known hurdles to achieving the full potential of open banking. The key proposed measures in this area are: 

  • Mandatory dedicated interfaces - Payment account providers will need to put in place a dedicated interface for authorised Third Party Providers (TPPs) to access open banking data. Currently, account providers can offer either a dedicated interface – usually through Application Programming Interfaces (APIs) - or a modified customer interface (MCI) – typically based on customers’ existing online banking platforms. However, in our experience MCIs are not standardised and are difficult and costly for TPPs to access, as the European Banking Authority (EBA) also found. Dedicated interfaces will need to meet specific functionality and performance requirements. However, account providers will no longer have to provide a fall-back mechanism should MCIs be unavailable. 
  • Changes to Strong Customer Authentication (SCA) – Account providers will only need to apply SCA the first time TPPs – specifically Account Information Services Providers – request access to data. Otherwise, the onus will be on TPPs to apply SCA on their domain (e.g., app/website) at least every 180 days. This is a positive step, as re-authentication requirements have been cumbersome and an impediment to seamless customer journeys. SCA glitches and related service interruptions erode customer confidence in TPPs and have slowed the adoption and launch of new account information services.
  • Permissions dashboards - Account providers will also need to set up a dashboard allowing their customers to monitor, withdraw or re-establish their permissions to any open banking TPPs. The Commission sees this as an essential measure to increase trust in and modernise open banking data and payments services. 

The proposals on dedicated interfaces and SCA closely resemble those implemented by the UK post-Brexit. Much as in the UK, these steps are necessary to foster innovation and competition. Nevertheless, the changes will require significant effort and investment, particularly from account providers. The cost implications might partly explain why the Commission did not mandate the development of a single EU-wide open banking API standard, despite the EBA flagging that API fragmentation has been a major obstacle to the progress of open banking. 

Enhanced fraud and consumer protection 

The package also includes proposals to further strengthen user protection, including four key new fraud protection and redress measures:

  • IBAN and Payee verification – PIs will have to provide their users, free of charge, with IBAN and payee’s name verification services. This is effectively the EU equivalent of Confirmation of Payee in the UK. The proposal complements the requirements proposed in the EU Instant Payments Regulation (IPR), which should be finalised by the end of 2023. However, while IPR applies only to euro-denominated instant credit transfers, PSR1 will capture all EU credit transfers in any currency. Therefore, PIs will need to review their planned anti-fraud capabilities upgrades and budgets to consider this highly likely extension of scope. 
  • New SCA liability for technical services providers – Under the proposals, technical services providers (e.g., gateways) and operators of payment schemes that fail to support the application of SCA will be liable for financial damages. These include damages caused to the payees and/or the PIs of either the payer or payee. Although unregulated, these types of providers play a crucial compliance role, e.g., by providing the communication protocols used by PIs for the application of SCA. For example, the EBA found that delays in providing such protocols contributed to the initial SCA roll-out delays from 2018 to 2020.
  • Consumer refunds – Consumers will gain enhanced refund rights because new types of fraud mean that limiting refunds to unauthorised transactions is no longer appropriate. For example, consumers will be entitled to a refund in spoofing scams, where fraudsters impersonate employees of PIs. This could have significant implications for PIs’ financial planning, given their need to invest in stronger fraud controls. We are seeing similar enhanced - and near-mandatory - refund policies in the UK as well. 
  • Legal basis for fraud data-sharing – The proposals introduce a new legal basis under the General Data Protection Regulation (GDPR) for PIs to share fraud-related data between themselves. This should enable PIs to share the data more easily on a voluntary basis, subject to multilateral information sharing arrangements that must include a dedicated IT platform. Firms will welcome the additional regulatory clarity. On the other hand, we expect regulators will use this to press PIs to set up data-sharing programmes to monitor and prevent financial crime more effectively. 

Next steps and final considerations

Overall, the PSD3/PSR1 proposals will help enhance both the competitiveness and resilience of the EU payment sector. They take practical steps to address known limitations and gaps in the existing EU payments regulatory framework and give regulatory authorities enhanced tools to address risks. 

Given their importance in the modern payments chain, we anticipated proposals to capture certain payment technology providers more directly, e.g., payment gateways, processors or pass-through wallets. Instead, the Commission did not propose any substantial review of the payments’ regulatory perimeter. This differs from the UK approach, where the Government is proposing to capture potential new types of systemic payment firms. Therefore, this seems an area where the EU and UK’s approaches are set to diverge. 

The publication of the payments package kicks off the EU legislative negotiations. However, the EU Parliament’s elections in June 2024 will slow things down. It is unlikely – but not impossible – that the final rules will emerge before late 2024 at the earliest. 

__________________________________________________________________________________________

References:

1 https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3544

2 https://op.europa.eu/en/publication-detail/-/publication/f6f80336-a3aa-11ed-b508-01aa75ed71a1/language-en

3 AML/CFT – Anti-money laundering/countering the financing of terrorism

Key contacts

Valeria Gallo

Senior Manager

Valeria is a Senior Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.

Suchitra Nair

Partner

Suchitra is a Partner in the EMEA Centre for Regulatory Strategy and helps our clients to navigate the regulatory landscape around technological innovation. She sits on the UK Fintech Executive and leads our thought leadership on topics such as digitisation, cryptoassets, AI, regulatory sandboxes, Suptech, payment innovation and the future of regulation. She recently completed a secondment at the Bank of England, supervising digital challenger banks. Suchitra is a member of various industry working groups on innovation in financial services and has regularly featured in the Top 150 Women in Fintech Powerlist (Innovate Finance). She is a qualified Chartered Accountant and has previously worked in Deloitte’s Audit, Corporate Finance and Risk Advisory teams, where she led large-scale regulatory change projects.

David Strachan

Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the UK’s Financial Services Authority. His last role was as Director of Financial Stability, working with UK and international counterparts to deal with the immediate impact of the Great Financial Crisis and the regulatory reform programme that followed it.

Ben Thornhill

Manager

Ben is a Manager in Deloitte's EMEA Centre for Regulatory Strategy. He advises on the strategic impact of regulatory initiatives related to innovation in financial services, with a particular focus on digital assets. Ben joined the team in 2019 from an international consulting firm.

Adam Scott

Associate Director

Adam is an Associate Director within our specialist Payments Risk team within Deloitte’s Risk Advisory – Financial Services Non-Financial Risk practice in London. Adam has been with Deloitte for 15 years, leading and delivering risk, change and regulatory engagements within the Financial Services industry. Adam is focused on the payments industry and banking clients, with a particular focus on regulatory and business change, project management, and IT & operational risk.