What do the PSD3 and PSR mean for the payments sector?

On June 28, 2023, the European Commission (EC) published a set of new legislative proposals, notably for a Third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR). It foresees changes to the foundational framework of the European payments market and is likely to have a material impact on the players subject to it, both from a legal and operational perspective.

European Payments Council interviewed Eric Ducoulombier – Head of Unit at the European Commission, Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA).

What are the main novelties included in the PSR and PSD3 proposals and what this means for the payments sector?

These proposals are an evolution, not a revolution. Novelties such as open banking or strong customer identification were introduced years ago, by PSD2. PSD3 and PSR do not challenge the main ‘acquis’ of PSD2. They must be seen as the continuation of PSD2, not as a change of direction. Our review showed that PSD2 has, by and large, met its intended objectives. The market needs stability and PSD2 is not that old after all. That said, our proposals do contain important provisions. Let me highlight a few, but there are many more:

•   We propose to merge the payment and the e-money frameworks into one, even if some key e-money specificities are preserved. 

•   We propose to modify the Settlement Finality Directive (SFD) to enable non-banks to access payment systems. We also propose remedies to the recurring ‘de-risking’  problem faced by some Payment Institutions (PIs) and E-money Institutions (EMIs), which should substantially improve their capacity to open and maintain bank accounts. 

•   As regards open banking (OB), although we are not changing the fundamental principles introduced by PSD2 (no charging for the use of OB interfaces, no standard API etc.) we are determined to improve the framework which – as explained in our review report – is not yielding all its potential benefits. We provide a lot of clarifications as to what constitutes a regulated ‘baseline’ OB service, we identify a list of prohibited obstacles to the provision of payment initiation services and account information services, we streamline the complex system (dedicated interface, fallback, exemption to the fallback etc.) established by PSD2 etc.

We also explicitly recognise the possibility for a self-regulatory market space to exist in addition to the regulated sphere. This is a particularly important acknowledgement of on-going initiatives such as  SEPA Payment Account Access (SPAA) scheme, in which the European Payments Council (EPC) is playing a leading role.

•   We also identified payment fraud as a growing source of concern. The PSD2 provisions were quite substantial but they are no longer sufficient to tackle the new types of fraud, in particular fraud relying on manipulative techniques, like the so-called authorised push payment (‘APP’) fraud.

We are significantly stepping up the legal framework as regards both fraud prevention and redress. We give more tools to PSPs to prevent fraud, in particular by enabling them to safely share some fraud-related data. I know that this was particularly important for the  [note from the editor: safe fraud-related data sharing is important for frauds information sharing initiatives being discussed at PSP industry level].

We are also proposing to extend to regular credit transfers the compulsory IBAN/name checking service which we had initially proposed only for instant payments. But prevention is not enough. We are also opening redress rights to consumers in respect of fraudulent payments including, in certain cases, some authorised payments. For example in cases of ‘spoofing’, i.e. of fraud based on the impersonation of bank staff which, unfortunately, is becoming a serious problem for consumers and PSPs.

We are also clarifying and reinforcing Strong Customer Authentication (SCA) which, in spite of having only recently been introduced in the European Union (EU), is already producing spectacular results. But as regards fraud there is no silver bullet. Our proposed measures are to be seen as a panoply, a tool-kit, but obviously whatever the legal measures put in place, individual vigilance based on proper consumer awareness and education – which we are also reinforcing – remains the first line of defense.

These proposals were extensively debated during the three years of preparation and in particular during the numerous consultations which we carried out with all stakeholders. The payments sector as well as consumers who are, I believe, the main beneficiaries of our package, benefiting from many new or reinforced rights which would take me too long to describe here, should largely benefit from these improvements which were extensively debated during the three years of preparation of our proposals and in particular during the numerous consultations which we carried out with all stakeholders.

How do the PSR and PSD3 proposals relate to the EC’s proposal on the Financial Data Access (FIDA) framework?

They are different but complementary. They are complementary in the sense that FIDA covers financial services and accounts which were not covered by PSD2. They are different in the sense that they are based on different premises.

FIDA, unlike PSD3, has no ‘legacy’ to take into account and no prior investments were made by the market. That explains the different choices made by the Commission in FIDA, such as the possibility to charge or the need for prior contractual arrangements. The differences between the two frameworks are not at all fortuitous – there are by the way also a lot of similar provisions in the two frameworks, for example as regards to ‘dashboards’. Legal differences between the proposals are justified by the differences between the two markets.

We also carefully examined the situation of Account Information Service Providers (AISPs) which could theoretically, given the nature of their business, have been transferred right away to the FIDA framework. We decided to proceed rather in stages in order to avoid any risk of disruption. Any future transfer of AISPs to the FIDA legal framework will have to depend on prior favorable market conditions.  

More details here