July 21, 2023 | Mark Taylor
EU set for major payments regulation shake-up
Banks will be forced to share customer data with rivals and work together to battle fraud under new payments regulations proposed by Brussels.
The European Commission announced on June 28 it is updating the Payment Services Directive (PSD) to ensure the bloc’s financial services market is “fit for purpose and capable of adapting to the ongoing digital transformation”.
Two proposals were put forward, including a directive establishing rules on the licensing and supervision of payment institutions and a regulation with rights and duties for payment service providers, which updates PSD2.
“[We] intend to reinforce consumer protection – including by improving fraud prevention – and make sure that consumers are offered the best and cheapest payment service,” said EU Commission vice-president Valdis Dombrovskis.
“We are not advocating major changes, but still there have been many changes in the payment services market over the last years,” Dombrovskis said during a press conference.
The emergence of new providers powered by digital technologies and the social distancing aspects of the Covid-19 pandemic have accelerated mobile payments beyond the scope of PSD2, the bloc’s executive body said. Innovations in contactless payments, QR codes, and the further march of Open Banking, which forces banks to allow new service providers access to customer transaction data, have all combined to send usage soaring.
Electronic payments in the EU have now exceeded €240 trillion in value, compared to €184.2 trillion in 2017 when member states began transposing PSD2 into domestic law. However, market volatility, the rapid pace of technological advances and the rise in cryptocurrency scams have sent fraud figures soaring, particularly around impersonation and identity theft.
Crypto-fraud experts Chainalysis reported a huge spike in crypto-related crimes in 2022, with more than $14bn sent to illicit addresses, doubling the previous year’s numbers. Transactions associated with sanctioned entities accounted for 44% of 2022’s record high.
In the UK, fraudsters bilked more than £1.2bn ($1.5bn) last year according to industry association UK Finance, which found that 78% of authorized push payment (APP) fraud begins online, with another 18% starting via telecommunications.
Telecom operators will be forced to cooperate with payment service providers under the proposals, while the providers will be permitted to exchange fraud-related information without breaching the General Data Protection Regulation (GDPR).
The Commission also wants to make it easier for non-bank payment service providers to access customer data and the payment infrastructure of traditional lenders.
It is hoped this step will further level the playing field between banks and non-banks, and particularly help fintech firms who are providing financial services.
The new provisions were cautiously welcomed by industry experts.
A “sound liability framework” for fraud cases will be vital for both customers and banks, said Fabrice Denèle, from the European Savings and Retail Banking Group (ESBG).
“Payment service providers will gain a legal basis allowing them to voluntarily share data on payment fraud. This is something the industry wants,” said Mairead McGuinness, Commissioner for financial services.
Member states will negotiate the proposals before they are ratified by the European Parliament, the bloc’s legislative arm, and the rules will apply 18 months after the law enters into force.
End of the road for PSD2
Although technology is rapidly rendering it obsolete, PSD2 will go down as a standout framework of its time that did achieve many of its goals.
It laid the groundwork for a better customer experience by allowing third parties access to the transaction data traditionally held by banks. This led to more services becoming available through the use of Application Programming Interfaces (APIs).
Banks, building societies and other payment account-holding institutions were obliged to enable third-party ‘account information service providers’ (AISPs) and ‘payment initiation service providers’ (PISPs) to access the customer payment account data they held.
Regulatory technical standards were drafted to govern customer authentication and data access.
The resulting changes allowed consumers to make payments directly to merchants via third-party providers, and further advanced real-time or ‘instant’ payments: a 24/7 infrastructure for near-immediate settlement of proceeds.
PSD2 also introduced Strong Customer Authentication, which helped to significantly cut card scams. But as technology evolved, so did new types of fraud. Consumers have no way of claiming compensation for newer types of social manipulation fraud, where the victim is tricked into authorizing a payment, and it is hoped PSD3 will help close this gap.
The Commission also noted that PSD2 didn’t quite hit the mark in terms of improving competition between payment service providers (PSPs). Non-bank PSPs struggled to gain access to key payment systems, ensuring much of the power remained with the banks.
Open Banking initiatives regarding data access for these service providers also failed to catch on outside the UK, which launched its own initiative to wrest control of transaction data from what it billed a “cartel” of high street lenders.
One of the major issues Brussels is hoping to resolve by handing down a regulation instead of just a directive is to improve harmonization between member states and improve the quality of cross-border payment systems.
How is PSD3 different from PSD2?
PSD3 and the Payment Services Regulation (PSR) have a number of key objectives that go beyond the limits of the previous rules.
First is strengthening user protection and boosting consumer confidence, with improved fraud information exchange between PSPs.
Banks will be obliged to further educate consumers on fraud, improve the availability of cash, and strengthen payment service users’ rights. Further enhancements to Strong Customer Authentication standards will also be brought in.
Open Banking competitiveness is to be directly addressed, with mandatory dedicated data access interfaces for Account Servicing Payment Service Providers (ASPSPs). Detailed specifications for Open Banking data will be drafted, with permissions dashboards for users to manage access.
Enforcement against non-compliance will also be strengthened, with the “ambiguous” aspects of PSD2 replaced by a directly applicable regulation. Sanctions will be toughened, the Commission said.
Greater strides will be taken on access for non-bank PSPs by broadening the range of what the EU’s 270 e-money institutions and 800 payment institutions can access, and it will be easier for them to open bank accounts where previously lenders have resisted serving fintech players.
Whilst PSD3 will remain a directive with rules for payment institutions that EU states will have some flexibility to interpret locally, the PSR is a regulation and will apply directly, without the need for transposition.
It will provide rules in relation to transparency of conditions and information requirements for payment services, and rights and obligations regarding the provision and use of payment services.
This includes provisions on Open Banking, and for the first time will mean a single legal framework for all operations across the EEA. It is hoped the regulation will reduce uncertainty and inequality between the varying national legislation of member states.
What PSD3 means for the payments sector
Far from having it all their own way, payment service providers will face several new demands.
The expanded scope of application “means some firms that are currently unregulated will need to obtain regulatory authorization and comply with applicable rules,” said John Cassanova, senior counsel at law firm Sidley.
PSPs will also be subject to higher capital requirements, must produce winding-up plans in the event they fail, and will have obligations to diversify their safeguarding arrangements to ensure customer funds are safe.
Payment firms will also bear greater liability for fraud, rather than banks carrying the bulk of the responsibility.
The new rules also mean enhanced customer disclosure requirements relating to currency conversions for credit transfers and money remittance, Cassanova added.
“Firms providing, or planning to provide, payment services in the EU or to EU customers should consider how the points discussed above may affect their businesses and whether the changes could create opportunities or risks,” he said.
The need for secure and efficient digital payment infrastructure has been underlined by the number of players and the range of digital payment services that have appeared in recent years. But the speed at which payment technology advances poses questions as to how relevant PSD3 will be when it is finally rolled out.
PSD2 took several years for the various member states to embed, only to be followed by the pandemic, which rendered many of its provisions outdated. Unforeseen Black Swans notwithstanding, PSD3 is unlikely to materialize until sometime after 2026, by which time the market, and the compliance demands on firms in the landscape, may have radically altered. The success of strong customer authentication rules is tempered by the pace at which fraud evolved around them, highlighting the need for regulators and market participants to stay on top of trends and technologies.
CUBE’s industry-leading proprietary automated regulatory intelligence platform is your strategic partner in compliance, helping you navigate the maze of payment services regulations with AI-powered engines that put you firmly in control.