By Nicholas (Nikos) Kontizas, Counsel

Introduction

The payment services market has changed significantly since the adoption of the Second Payment Services Directive (PSD2). New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking’ services (i.e. securely sharing financial data between banks and fintechs). More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.

Furthermore, the EU payments market remains, to a significant degree, fragmented along national borders, as most domestic payment solutions based on cards or instant payments do not work cross-border. This comes to the advantage of a handful of big global players, which capture the whole intra-European cross-border payments market.

In response to these developments, the EU Commission published on 28 June 2023 a package of legislative proposals that aims to modernize the payment services legislation and is comprised of:

• Third Payment Services Directive (PSD3);
• Payment Services Regulation (PSR);
• Regulation on a framework for Financial Data Access (FIDA Regulation).

PSD3 includes provisions regarding the authorization to providing payment services, as well as the supervision of payment institutions (PIs), whereas PSR tackles the transparency and information requirements and the rights and obligations of the providers and users of payment services.

Objectives

The proposals seek to achieve the following objectives:

• Strengthen user rights and protection against fraud;
• Improve the competitiveness of open banking services;
• Improve enforcement and implementation in Member States; and
• Improve (direct or indirect) access to payment systems and bank accounts for non-bank payment service providers (PSPs).

Authorization

Application

The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application.

Initial Capital

Requirements for initial capital are updated (except for PISPs), in order to reflect the inflation changes since the adoption of PSD2.

Safeguarding

Safeguarding rules for PIs remain unchanged, except that the possibility of safeguarding in an account of a central bank is introduced, and that payment institutions must endeavour to avoid concentration risk in safeguarded funds; EBA regulatory technical standards on risk management of safeguarded funds are to be adopted in this respect.

Indemnity Insurance for PISPs and AISPs

It is acknowledged that payment initiation service providers (PISPs) and account information service providers (AISPs) may hold initial capital instead of a professional indemnity insurance, considering that the requirement to hold a professional indemnity insurance at the licensing stage may be difficult to fulfil, taking into account previous experience.

Transitional Provisions

Existing licenses for payment institutions (PIs) and electronic money institutions (EMIs) are prolonged in validity (“grandfathered”) until 24 months after entry into force of PSD3, on the condition that application for a license is made at the latest 18 months after entry into force of PSD3.

E-money institutions will disappear

The legal framework applicable to EMIs and PIs is already reasonably consistent. However, the licensing requirements and some other key concepts governing the e-money business, such as issuance of e-money, e-money distribution and redeemability, are quite distinct compared to the services provided by payment institutions. Supervisory authorities have experienced practical difficulties in clearly delineating the two regimes and in distinguishing e-money products/services from payment services offered by payment institutions. Therefore, the proposed PSD3 integrates former EMIs as a sub-category of PIs (and consequently repeals the second Electronic Money Directive, 2009/110/EC).

Narrowing of Exclusions

The proposed PSR narrows the application of the limited network exclusion as well as the commercial agent exclusion.

Improvements to Open Banking (OB)

The proposed PSR introduces a requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface with AISPs and PISPs, as well as “permissions dashboards” to allow users to manage their granted OB access permissions. However, ASPSPs will no longer be required to maintain a “fallback” interface for AISPs and PISPs for use, if the primary interface fails.

Improvements to Strong Customer Authentication (SCA)

Some of the key provisions of the proposed PSR are the following:

• New liability provisions for technical service providers (TSPs) and operators of payment schemes are included for failure to support SCA.
• A new provision is added requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of SCA and to improve the prevention and detection of fraudulent transactions.
• Provisions have been added to improve the accessibility of SCA, in particular to ensure that all customers, including persons with disabilities, older persons, persons with low digital skills and those who do not have access to digital channels or a smartphone, have at their disposal at least one mean enabling them to perform strong customer authentication.
• There is a provision requiring PSPs and TSPs to enter into outsourcing agreements in cases where the latter provide and verify the elements of strong customer authentication.

 Next Steps

It is not known yet when the final texts will be adopted. The final versions may become available by the end of 2024, following the forthcoming EU elections. Member States will have 18 months to implement the Directive, whereas the Regulation will become binding automatically throughout the EU on its date of application. This means that the new legislation will most likely not enter into force before 2026.