At the end of 2018, the second payment services directive, PSD2, came into force. Five years later, the European Commission is starting to take the necessary steps to make the leap to PSD3, the new update that expands on what was already implemented by its predecessor, especially regarding strengthened customer authentication and open banking protocols.
After a series of evaluations of PSD2 in 2022, the European Commission determined that its effectiveness and scope could be improved and extended. Therefore, since then and until now Europe has been working on a more modern regulation adapted to the needs of today's FinTech environment with all the necessary PSD3 developments.
In this article, we will define what PSD3 is, unpack all the details about the draft that has been published and its improvements, and explore the impact it will have on the financial sector, banking, insurance, and related industries. We will then compare it with PSD2, and see what steps can be followed until its final approval and entry into force, with dates and milestones in the calendar according to what happened previously.
What is PSD3: Third Payment Services Directive?
PSD3 is the third European directive regulating payment services and related transactions. This regulation also sets out how a large number of processes must be carried out within the European Economic Area (EEA) banking ecosystem. Therefore, the regulation affects all member states of the European Union as well as Croatia, Iceland, and Norway that participate in it through the European Free Trade Association (EFTA).
The United Kingdom also adopted all the measures included in PSD2 despite Brexit and is expected to do the same with PSD3. European directives regulate relevant aspects of the economy and society and are transposed by the states at the national and regional level after an adaptation period defined by the European Commission.
Payment services regulations address open banking protocols, digital customer identification, and a series of standards for the most common transactions in BFSI industries (Banking, Financial Services, Insurance, and related areas). PSD3 comes to update all this content, broaden its scope, and improve the security of electronic transactions inside and outside online banking.
Thus, PSD3 is an initiative that is part of the European Commission's retail payments strategy, which includes clauses to review and update guidelines and legislation at regular intervals, to adapt to market and consumer needs, as well as to technological developments and the bigger picture.
The successor to PSD2
PSD2 (Second Payment Services Directive) is an update of the first regulation governing payment services in the European Union. It is the successor to PSD1, created in 2007, which laid the foundations for the SEPA (Single Euro Payments Area). After the implementation of PSD2, electronic payments increased, exceeding 240 billion euros in 2021 compared to 180 billion euros in 2018.
It was published in 2015 but was not finally approved until 2018, when a decisive step towards open banking was taken, forcing banks to make changes to how they share customer data and the way in which certain types of financial transactions can be carried out through digital means.
This led to the expansion of financial services offered by all BFSIs and the emergence of new FinTech players, the development of concepts such as integrated finance, the creation of Strong Customer Authentication (SCA), and greater standardization, which has led to the joint work of different industry players that were considered competitors and improved the overall security of the digital economy.
On May 10, 2022, the European Commission initiated proceedings to audit and analyze PSD2. This assessment has lasted about a year, determining the effectiveness of the standard and exploring what room for improvement exists. Thus, the European Banking Authority (EBA) responded in the form of an opinion with a proposal to the Commission with more than 200 specific measures to be included in a future improvement of the current payment services regulation.
After this period, we reached June 2023, when the EC published a proposal aimed at establishing a new directive and successor to the audited standard, PSD3. On the one hand, a new update of PSD2 will be launched and, in addition and in a coordinated manner, a Payment Services Regulation (PSR) will be published.
The most important changes in PSD3 versus PSD2
PSD3 is intended to be a major update of PSD2 that seeks to improve and expand on what was already established by the previous directive by adding new concepts and involving actors that were left behind. Below are the most relevant aspects of PSD3 and its new features:
- Broader geographic scope: PSD3 will extend the scope of the directive to cross-border electronic payments between the EEA and third countries, for both incoming and outgoing transactions. This means that payment service providers will have to comply with the same rules that apply within the EEA, such as SCA (Strong Customer Authentication) and Open Banking (or Finance in the new scenario), when dealing with customers or merchants outside the EEA.
- Broader functional scope: The concept of Open Banking will transition to Open Finance, which means that financial service providers will be able to access data and initiate transactions not only related to bank accounts but also to other financial products, such as insurance, pensions, investments, leasing, etc. This will enable more integrated and hyper-personalized services to be offered to customers.
- Enhanced consumer protection: The third payment services directive (PSD3) will strengthen consumer protection measures in terms of security, transparency, liability, and rights. For example, PSD3 is expected to introduce a maximum limit of liability for customers in case of fraudulent or unauthorized use of their means of payment, as well as a faster and more efficient dispute resolution mechanism.
- Increased oversight and interoperability: Payment services will have to be provided under a common framework for the oversight and control of providers by the competent authorities, as well as for cooperation among them, including those previously mentioned from third countries and not only those of the Common European Economic Area and its permanent allies. In addition, PSD3 will promote interoperability between the different systems and technical standards used by payment service providers (intermingled with electronic invoicing and its recently approved new regulations), in order to facilitate access and competition in the market.
Another important aspect, closely linked to what was being done under PSD2, is that the new regulation allows access to and use of financial services data over and above that related to payment accounts, extending it to both variants. Not only are all the pillars of the previous regulation maintained, such as the obligation to give full control over the data and the purposes for which it is used, but a clearer liability regime will now be established in the event of leaks.
New requirements in Strong Customer Authentication (SCA)
PSD3 (Third Payment Services Directive) introduces important changes to the SCA and multi-factor authentication standards. SCA (Strong Customer Authentication) is a requirement to verify a customer's identity by at least two independent factors (something they know, something they have or something they are) before authorizing an electronic payment. This concept was introduced with PSD2 and is proposed to be drastically reformed in PSD3. The formula is shaping up to be a common financial API for strong customer authentication across the EEA, SEPA, and partner countries.
Questions are raised about alternatives to the current SCA authentication methods and options similar to what is already indicated by the FIDO Alliance are explored. One possible modification is to extend the SCA period from 90 to 180 days to reduce delays.
Thus, many of the SCA enhancements in PSD3 focus on correctly defining what constitutes 'online' access under payment accounts, which is the obligation to apply strong customer authentication controls and applications to payment service users. On the other hand, and in view of how far such a functional and secure standard has spread, SCA mechanisms can be applied globally to all payment transactions, except for some very specific cases that are reduced to a minimum.
In this way, AISPs will be required to implement their own strong customer authentication (SCA) systems in addition to the one used by the banks, which is essential for agile payment gateways that do not need to resort to another external system. This changes the responsibilities of both parties and would be done once the initial access of the former has been verified.
The introduction of proprietary requirements for card, gateway, and eCommerce schemes will be extended and based on those already defined in SCA or new ones to be defined in a hypothetical SCA2 or SCA3 standard.
European Commission draft for the third payment services directive
On the other hand, SEPA is taken as the main scope of application and action beyond the EEA and the EU, with a more versatile focus and adapted to the markets and regions belonging to this area. Thus, we can summarize the objectives of PSD3 as follows:
- Completely eliminate identity fraud and computer security risks in payment and related transactions.
- Expand citizens' rights and give them greater control over their data.
- Democratize access to a simpler and more standardized banking ecosystem to banks and non-banks that have emerged as FinTech startups and other innovative BFSI companies.
- Transition from Open Banking to Open Finance, not only by improving its operation but also by expanding its scope of application to the entire economy and to any industry, betting on improved competitiveness through diversification.
- Changes to cash availability for all currencies.
- Cohesion and standardization of all economic guidelines and operations in the markets in which they apply.
On the other hand, and going into legal detail, new definitions are included and some are modified to optimize compliance: from the definition of payment institution or instrument to electronic money issuing services or digital funds. The minimum capital figures increase depending on the scope of services provided by the company.
Finally, the safeguarding requirements are modified so as not to apply to all funds in the same credit institution. This allows for greater security and leads to an expansion of the services provided, such as the operation of payment systems and other related business activities, and ensuring the execution of payment transactions, such as custody or currency exchange.
In this way, we see how new agents, distributors, and branches will come under PSD3 rules, having previously escaped PSD2.
Open Banking, Open Finance and Embedded FinTech: new concepts
Open Banking is a system that allows financial service providers to access data and initiate transactions on behalf of customers with their consent. This involves two types of providers: account information service providers (AISPs) and payment initiation service providers (PISPs).
AISPs are entities that can access customer bank account information and offer services such as data aggregation, financial advice, or product comparison (Fintonic, Money Up!...). PISPs are entities that can initiate payments from customers' bank accounts to merchants or other accounts, without the need for intermediaries such as credit or debit cards (PayPal, Pecunpay...). This gave great agility to digital payments, together with SCA techniques and other APIs that are convenient for users and for companies.
PSD2 brought about a radical change in the financial sector, as it opened the market to new players and forced banks to share their data and infrastructure with third parties. However, it also posed some challenges, such as technical implementation, regulatory harmonization, data protection, and fraud prevention. Many of the updates from PSD2 to PSD3 start from here.
Open Banking is one of the fundamental pillars of PSD2 and PSD3. Open Finance is an extension of Open Banking that encompasses other financial products in addition to bank accounts, such as insurance, pensions, investments, etc. The aim is to offer customers a more complete and holistic view of their financial situation and provide them with access to more integrated and personalized services.
On the other hand, embedded finance in PSD3 is an innovative way to integrate financial services into other platforms or applications, such as social networks, e-commerce, or mobility, which will again require more strong customer authentication (SCA) systems. The goal is to offer customers a more seamless and convenient experience when making payments or accessing other financial services without leaving the environment they are in.
Dates and approval steps for PSD3
On June 28, 2023, the European Commission issued a press release announcing the promulgation of the fundamentals underpinning the conceptual pillars of the Third Payment Services Directive (PSD3).
With regard to the deadlines concerning the implementation of this regulation, a long period lies ahead. The future sequence in this process involves the referral of the proposal to the European Parliament and Council, a stage in which further evaluations and amendments are planned.
At present, we do not have an official timetable specifying the terms of implementation and compliance. However, it is plausible to anticipate that the final iteration of the proposal will be available towards the end of 2024, while the imposition of implementation deadlines will be set around 2026. The forthcoming European directive on payment services will enter into force twenty days after its publication in the Official Journal of the European Union.
The regulatory changes included in PSD3 require many companies to take immediate preparatory actions. With the ratification of PSD3 projected for 2024, the current timeframe calls for the implementation and formulation of innovative strategies and solutions that align with the goals outlined by the new directive.
The states, regions, and markets subject to the jurisdiction of the PSD3 will have a time margin of eighteen months from its adoption to materialize in their legal and regional spheres each of the alterations, duties, and prerogatives newly instituted by the new payment services regulation. There is only one exception in relation to Directive 98/26/EC, for which the maximum implementation period is six months from its enactment.
The process is currently in its infancy. It is anticipated that the European Commission will draft the relevant legal framework in the first or second quarter of 2024, that it will receive the relevant approval and that each EU/EEA member nation will have a timeframe for the incorporation of these provisions into their domestic legislation. Ultimately, PSD3 is unlikely to enter into force before 2025, or possibly even later.
It should be noted that companies can adapt to PSD3 now, thanks to the draft provided by the European Commission. This means that they can benefit from great advantages and benefits before its implementation and avoid penalties from the first moment the Directive becomes effective.
A question that has aroused the interest of many people is whether PSD3 is a directive or a regulation, and the precise connotation of such classification. In this context, it is important to point out that this legislation is not optional, but is a mandatory obligation for all institutions operating in the EEA, SEPA, and associated markets. Although this panorama could suggest some friction in relation to the adoption by companies, it is essential to recognize that the metamorphosis of certain processes brings with it advantages and benefits that outweigh the cost associated with the implementation of the modifications.
A directive, it should be emphasized, is not reduced to the status of a mere recommendation, but constitutes a framework guideline that the member states must transpose into their respective legal frameworks, through the creation of specific legislation or the updating of existing legislation in the corresponding socio-economic and legal sphere, with serious penalties for failure to do so. In this context, it should be noted that the terms "PSD3 Directive" and "PSD3 Regulation" are synonymous. It should be added that all the nations involved have already carried out the required procedures in this regard, which means that the regulatory objectives are in the process of being implemented and entail the obligation of compliance for all companies operating in these markets and those related to other companies in these markets.
eIDAS, Digital Euro, and the Payment Services Directive 3
As we have already mentioned, the Payments Services Directive 3 (PSD3) is expected to give a boost to innovative FinTech, WealthTech, InsurTech, and all the X-Tech players in other industries whose core business is not necessarily financial services activity. This will lead to the creation of synergies with companies in the telecommunications, utilities, and other sectors.
The eIDAS regulation is still aligned with the new PSD3 mandates, although it is expected that the same will happen as with PSD2, and in the future, there will be a review, evaluation, and updating process beyond what is currently being worked on in eIDAS2. Likewise, after the halt of the Digital Euro regulatory framework, which was expected to come out together with the third generation of electronic payment regulations, we will see how, sooner rather than later, work is resumed in ECOFIN for this project.