Address
Omirou St. 18
10672,
Athens, Greece
Phone:
+30 21 036 75 100
+30 21 036 75 164
Email:
info@tsibanoulis.gr
By Nicholas (Nikos) Kontizas, Counsel
Introduction
The payment services market has changed significantly since the adoption of the Second Payment Services Directive (PSD2). New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking’ services (i.e. securely sharing financial data between banks and fintechs). More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.
Furthermore, the EU payments market remains, to a significant degree, fragmented along national borders, as most domestic payment solutions based on cards or instant payments do not work cross-border. This works to the advantage of a handful of big global players, which capture the whole intra-European cross-border payments market.
In response to these developments, the EU Commission published on 28 June 2023 a package of legislative proposals that aims to modernize the payment services legislation and is comprised of:
PSD3 includes provisions regarding the authorization to provide payment services, as well as the supervision of payment institutions (PIs), whereas PSR addresses the transparency and information requirements and the rights and obligations of the providers and users of payment services.
Objectives
The proposals seek to achieve the following objectives:
Authorization
Application
The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application.
Initial Capital
Requirements for initial capital are updated (except for PISPs) to reflect inflation since the adoption of PSD2.
Safeguarding
Safeguarding rules for PIs remain unchanged, except that the possibility of safeguarding in an account of a central bank is introduced, and that payment institutions must endeavour to avoid concentration risk in safeguarded funds; EBA regulatory technical standards on risk management of safeguarded funds are to be adopted in this respect.
Indemnity Insurance for PISPs and AISPs
It is acknowledged that payment initiation service providers (PISPs) and account information service providers (AISPs) may hold initial capital instead of a professional indemnity insurance, considering that the requirement to hold a professional indemnity insurance at the licensing stage may be difficult to fulfil, taking into account previous experience.
Transitional Provisions
Existing licenses for payment institutions (PIs) and electronic money institutions (EMIs) are prolonged in validity (“grandfathered”) until 24 months after entry into force of PSD3, on the condition that application for a license is made at the latest 18 months after entry into force of PSD3.
E-money institutions will disappear
The legal framework applicable to EMIs and PIs is already reasonably consistent. However, the licensing requirements and some other key concepts governing the e-money business, such as issuance of e-money, e-money distribution and redeemability, are quite distinct compared to the services provided by payment institutions. Supervisory authorities have experienced practical difficulties in clearly delineating the two regimes and in distinguishing e-money products/services from payment services offered by payment institutions. Therefore, the proposed PSD3 integrates former EMIs as a sub-category of PIs (and consequently repeals the second Electronic Money Directive, 2009/110/EC).
Narrowing of Exclusions
The proposed PSR narrows the application of the limited network exclusion as well as the commercial agent exclusion.
Improvements to Open Banking (OB)
The proposed PSR introduces a requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface with AISPs and PISPs, as well as “permissions dashboards” to allow users to manage their granted OB access permissions. However, ASPSPs will no longer be required to maintain a “fallback” interface for AISPs and PISPs to use if the primary interface fails.
Improvements to Strong Customer Authentication (SCA)
Some of the key provisions of the proposed PSR are the following:
Next Steps
It is not yet known when the final texts will be adopted. The final versions may become available by the end of 2024, following the forthcoming EU elections. Member States will have 18 months to implement the Directive, whereas the Regulation will become binding automatically throughout the EU on its date of application. This means that the new legislation will most likely not enter into force before 2026.