PSD3 & PSR: Reshaping the EU payment services regulatory landscape

Since adoption of the Second Payment Services Directive (PSD2), almost eight years ago, the payment services industry in the EU has changed dramatically. New players have been allowed to participate in the payments market thanks to adoption of the open banking concept that became a role model for other jurisdictions.

The existing regulatory framework and rapid technological developments have enabled the EU to become one of the most digitized ecosystems for payment services in the world. Nonetheless, an adjustment of the existing framework appears to be necessary bearing in mind new developments in the industry driven by the rapid technological development and adoption of new business models.

On 28 June 2023, the EU Commission has published a package of legislative proposals that are aimed to reshape the payment services regulatory landscape in the EU and that is comprised of:

• Third Payment Services Directive (PSD3);
• Payment Services Regulation (PSR);
• Regulation on a framework for Financial Data Access (FIDA Regulation).

In this article we provide an overview of the proposed PSD3 and PSR. In the next article, we will focus more closely on the proposed FIDA Regulation that is aimed to enable consent-based sharing of financial data in the EU (beyond payment account data regulated under PSD2) and lay down the basis for the next stage of open banking, commonly known as open finance.

Proposed new framework at glance

The existing regulatory framework applicable to payment institutions and e-money institutions anchored in PSD2 and the Second E-Money Directive (EMD2) will be merged into a single rule book comprised of PSD3 and PSR.

With the aim of achieving more alignment of the authorization regime for e-money institutions (EMIs) with the one applicable to payment institutions, under the proposed framework, EMIs will become a sub-category of payment institutions. Further, the Commission has proposed a new definition of “electronic money services” that shall cover the issuance of e-money, maintenance of payment accounts storing e-money units and transfer of e-money.

The new framework based on the proposed PSD3 and PSR will be structured as follows:

• PSD3 will contain provisions on authorization and supervision of payment institutions (including those that are defined under the existing framework as EMIs);
• PSR will contain conduct requirements applicable to payment institutions (including those that issue e-money), the transparency and information requirements as well as provisions on the respective rights and obligations of payment and electronic money service users. Further, requirements on strong customer authentication (SCA) will be from now on contained in the PSR as well.

While PSD3 will be in many ways an update of the existing PSD2 framework, that will need to be implemented into national law of individual EU Member States, PSR will be the very first directly applicable Regulation in the payment services area that shall enhance the coherence of application of the common framework across the EU Single Market.

Scope & Exclusions

In the past, differences in national implementation of PSD2 and different administrative practice of national competent authorities (NCAs) in different EU Member States, led to divergence interpretation of the scope of regulated payment services and in application of exclusions from the authorization obligation.

This created a lot of confusion within the industry and decreased the level of regulatory certainty for entities operating in more than one EU Member State. With the aim of achieving uniform and harmonized application of the EU payment services regulatory framework across the Union, the provisions on the scope of application and the exclusions from the authorization obligation are moved from PSD2 to PSR.

Definitions

The current definition of a payment instrument under PSD2 that is referring to “personalized devices” used in order to initiate a payment order, was a cause for a lot of confusing interpretations across the EU given that NCAs were frequently seeing high level of personalization of the instrument as a necessary characteristic. With the aim of ending an era of non-consistent interpretation of the term at Member State level, the new definition of payment instrument, contained in both PSD3 and PSR, is referring now to all “individualized instruments”, clarifying that even not fully personalized instruments (like prepaid cards with customers’ name on them) can fall under the definition of a regulated payment instrument.

The Commission has amended the definition of a “payment account” as well, clarifying that the determining criterion for the categorization of an account as payment account lies in the ability of the customer to perform daily payment transactions from such an account. That being said, the Commission has emphasized that structures that need another intermediary account for execution of payment transactions from or to third parties should not fall under the definition of a payment account.

Services of issuing of payment instruments and of acquiring payment transactions, which were listed together under PSD2, are listed now separately under proposed PSR/PSD3 framework. Since joint listing of these two services under PSD2 was a cause for a lot of confusion in the industry, the Commission has decided to list them separately now by emphasizing that that the issuing and acquiring services may be offered separately by payment service providers.

Exclusions

The provisions on one of the most widely used exclusion under the existing framework, the so-called limited network exclusion (LNE), will be complemented by the EBA Regulatory Technical Standards (RTS) that will set out clear criteria based on which entities will be able to assess the scope of application of the LNE.

Further, the scope of the commercial agent exclusion was slightly amended as well. Namely, the concept of commercial agents under the exclusion will be further clarified by a reference to the definition of commercial agents as laid down in the Directive 86/653/EEC. By following the administrative practice of some NCAs in the EU (e.g. German BaFin) the Commission has proposed that entities relying on this exclusion will need to have an agreement in place empowering them to conclude the sale or purchase of goods or services on behalf of either the payer or the payee. In the same vein, the Commission has clarified that e-commerce platforms that act as commercial agents on behalf of both individual buyers and sellers will not be able to rely on this exclusion.

Bearing in mind rapid technological developments that are reshaping the payments industry, the Commission has emphasized the importance of the exclusion available for technical service providers and provided some further clarification on its scope of application. Namely, pass-through wallets (such as GooglePay and ApplePay) involving for example the tokenisation of an existing payment instrument (like a credit card), will not be deemed as a payment instrument than rather payment application, effectively leaving their operators outside the scope of the authorization obligation.

License free cash withdrawal service

Under the proposed PSR, retail stores that offer cash withdrawals without a purchase will not need authorization where cash withdrawals take place solely within their premises and do not exceed EUR 50.

Authorization regime

Authorization requirements for payment and e-money institutions that are now placed in PSD3, have experienced some minor amendments as well that can be summarized as follows:

Winding up plan

Despite the fact that some Member States have required payment institutions to develop a winding up plan as part of their license application, PSD3 now requires all applicants to have a winding-up plan as part of their application package. This document, setting out the scenario in the event of the payment institution’s fallout (including continuity and recovery of ordinary business activities) should be appropriate to support an orderly wind-up of activities under applicable national law.

Safeguarding requirements

PSD3 introduces few important changes when it comes to safeguarding requirements applicable to payment institutions. Payment institutions will be required to avoid concentration risk by safeguarding customer’s funds with more than one credit institution or alternatively, by holding them with a central bank. Further, under the proposed framework, payment institutions will be required to notify their NCA in advance of any material change to their safeguarding process. EBA is mandated to develop RTS that will specify in more detail regulatory requirements on safeguarding of customer’s funds.

Initial capital & own funds

Except for Payment Initiation Service Providers (PISPs), initial capital requirements are amended to reflect the inflation changes since the adoption of PSD2. When it comes to own funds requirements, NCAs may increase own fund requirements for payment institutions that do not provide e-money services up to 20%, where they conclude, based on an evaluation of the institution’s risk management processes, risk loss data base and internal control mechanisms, that such increase is necessary.

More flexibility for PISPs and AISPs

Given that (PISPs and Account Information Service Providers (AISPs) have experienced difficulties in the past when obtaining professional indemnity insurance required under PSD2, the proposed PSD3 provides for a possibility for them to hold EUR 50,000 of initial capital instead of a professional indemnity insurance.

Registration regime for ATM operators

Under the current regime, automated teller machine (ATM) deployers that do not service payment accounts are not subject to authorization. Under the proposed PSD3 they will still not be subject to authorization but will be required to register with their home NCA before taking up activity.

Impact on existing payment and e-money institutions (Reapplication?)

Existing payment and e-money institutions that are operating under PSD2 or EMD2 framework will be able to continue to operate based on their existing licenses for 24 months following the entry into force of PSD3.

In the meantime, they will need to submit necessary information and documents to their home NCAs necessary to demonstrate their compliance with the new authorization requirements and to obtain a new license under the PSD3 framework. Alternatively, NCAs will have an option to grant authorization automatically to existing institutions where they already have sufficient evidence proving that the institutions comply with the new requirements.

Customers‘ Rights & Transparency

The proposed PSR contains a number of provisions on customers’ rights, transparency requirements as well as detailed provisions on contractual requirements for payment institutions, that aim to provide for further harmonization and better coherence of application of these rules across the EU.

Information on costs and charges

For credit transfers and money remittances from the EU to third countries, payment institutions will be required to inform customers about the estimated charges for currency conversion. More transparency will be introduced for ATM charges as well given that under the proposed PSR, customers will need to be provided with information on all applicable charges made by other ATM operators in the same Member State, so that they can know in advance what total charges will be applied, regardless of the ATM used.

Information on payees

The proposed PSR will require payment institutions to include in payment account statements the information needed to unambiguously identify the payee, such as a reference to the payee's commercial trade name, given that the absence of this obligation under PSD2 has caused a lot of confusion for customers that were frequently unable to identify the payees on their account statements.

Contractual requirements

Contractual requirements that payment institutions need to comply with are moved from PSD2 and are now contained in PSR, which shall provide for more harmonization, given that national laws implementing PSD2 have frequently contained gold-platting provisions that have hindered creation of the level playing field in the EU Single Market for payment services. That being said, PSR contains provisions that provide more clarity on the content of the framework contracts, termination rights of the customers, notice periods etc.

Open Banking

Open Banking, is another area that will be regulated in the future under the proposed PSR that will introduce a number of targeted amendments to the existing framework with the aim of improving its functioning. Among other, the PSR shall bring the following changes to the open banking framework:

• Account servicing payment service providers (such as banks) will be required to offer a dedicated interface for open banking data access to PISPs and AISPs and will be required to publish on their website quarterly statistics on the availability and performance of their dedicated interface;
• In order to ensure functioning of open banking systems in the case of disruptions of bank’s interfaces, PISPs and AISPs will be able use the alternative interfaces and will retain the right to claim damages from the bank for incurred losses, in accordance with applicable civil law;
• Banks will be required to provide their customers with a permission dashboard to monitor and manage any permissions provided to account information services providers (AISPs) on an ongoing basis and in a convenient way.

Strong Customer Authentication (SCA)

The proposed PSR also brings some new changes to the SCA framework, the most important of which are the following:

• Payment service providers will be required to have transaction monitoring mechanisms in place to provide for the application of SCA and to improve the prevention and detection of fraudulent transactions;
• Technical service providers that rely on exclusion from the framework and that verify SCA elements will be required to enter into outsourcing agreements with the payment service provider in order to be able continue to perform such verifications, while being required to comply with key security requirements;
• AISPs will be required to apply SCA on the first occasion of data access and at least every 180 days when customers access aggregated account data;
• Under the proposed PSR, firms will be required to meet new accessibility requirements relating to SCA to allow all customers, including those with disabilities, to perform SCA. In the same vein, the Commission has emphasized that SCA cannot be dependent on the use of a smartphone devices since this can also be discriminating against certain groups of customers.

What comes next?

The proposed package is just the first step, and the proposed PSD3, PSR and FIDA Regulation are yet to find their way through the complex maze of the EU legislative making process. The forthcoming EU elections may additionally prolong the process and move adoption of the final texts to second half of 2024, when the new EU Parliament will take its seat. If the EU lawmakers enter into trialoge negotiations before the elections, the final versions of the proposals are likely to be finalized by the end of 2024 or beginning of 2025.

Following its adoption and entry into force, Member States will have 18 months to implement PSD3 into national law. On the other side PSR would start to apply directly in all EU Member States 18 months after its entry into force.

Stay up to date with the latest developments

Over the coming period, we will closely follow the upcoming developments as the proposed PSD3, PSR and FIDA Regulation go through the EU legislative making process. If you want to stay up to date with the latest developments on the proposed EU payment services regulatory framework, follow our client alerts as well as our Podcast Series „FinTech Stories” that will cover the key parts of the new framework in more detail. Should you have any questions on or want to have more detailed consultation about the proposals, feel free to reach out to us.