PSD3 has arrived: 7 key things you need to know

Andrei Cazacu, EU Public Policy Lead
27 Jun 2023

On the 28th of June, the European Commission released its proposal for updating the EU’s payments legislation (PSD2). This long-awaited proposal sets out several key changes and developments that will impact third-party providers, banks, PSPs and, in turn, merchants. In short, the biggest changes set out in the proposals include:

  1. The move from a Directive to a Regulation: standardising payments across the EU

  2. Better APIs: better open banking services

  3. More streamlined authentication: less pain at the checkout

  4. Direct access to payment systems for fintechs: a boost for innovation

  5. IBAN and name matching: a risk-based approach to fraud prevention

  6. Merging E-money and payments institutions: simplifying licensing

  7. Re-authorisation for firms under PSD3

Read on for our breakdown of all the new PSR1 and PSD3 developments.


Seven highlights in the EU Commission’s payments proposals

1. PSD2 becomes PSR1

Let’s get this one out of the way — we’ll be referring to ‘PSR1’ throughout this article. That’s because most of PSD2 will become the Payment Services Regulation (PSR1).

EU Directives require Member States to adapt them into national legislation, which means they can be interpreted in slightly different ways by each EU country. Regulations, on the other hand, apply ‘as is’, which can ensure a more consistent application across all 27 member states.

Shifting most of the payments rules from PSD2 to PSR1 will lead to a more harmonised payments market, with significantly fewer differences and inequalities between member states.

There is a new Directive — what we call PSD3 — which only focuses on licensing and authorisation for payments firms (see section 6).

PSD2, PSR1 and PSD3 explained

PSD2 (the revised Payment Services Directive): the EU law that governs digital payments. It established open banking, including giving customers the right to access their payment accounts and initiate payments via third parties. It will be repealed once PSR1 and PSD3 come into effect.

PSR1 (the Payment Services Regulation): the new Regulation that will replace PSD2. It includes specific proposals on API performance, streamlined authentication rules, risk-based fraud prevention and more.

PSD3 (the third Payment Services Directive): the new Directive from the EU Commission. This focuses specifically on the licensing and authorisation of payment and e-money institutions.


2. Better APIs will lead to better open banking services

Thanks to PSD2, application programming interfaces (APIs) have become the industry norm, just as they are the interface of choice in the digital economy.

However, the quality of API implementation continues to vary depending on the bank and the market. Some of the most common issues with open banking APIs today are:

  • API downtime

  • Lack of harmonised implementation of API standards

  • Poor levels of support when APIs do have issues

PSR1 contains new rules on the performance requirements of APIs and on the minimum functionality that they should support.

For example, not all banks currently provide the name of the account holder initiating a payment. This can create challenges for PISPs looking to verify the payer’s identity before sending the payment order through. PSR1 recognises this as a challenge to providing basic payment services and therefore requires the name of the account holder to be shared with the PISP before initiation.

PSR1 also sets out requirements on levels of availability and on response times (also known as latency). The latency of open banking APIs should be no longer than the latency of the online or mobile banking application.

3. More streamlined authentication means less pain at checkout

Most of the obstacles to open banking identified by the European Banking Authority in 2020 will now be explicitly prohibited by PSR1. An open banking SCA journey will be required to be at least as seamless as what the user has available to them via online banking. For example:

  • Users will no longer have to go through significantly longer authentication journeys than they do when they complete a manual bank transfer.

  • Users will no longer be asked to type in their own lengthy IBAN to initiate a payment or access their accounts.

  • Payments can no longer be restricted to contacts on the trusted beneficiaries list, or to domestic beneficiaries.

These changes will need to be incorporated by EU standards organisations into technical specifications, and then banks will need to update their own APIs and SCA requirements accordingly.

The end result should be a much-improved user experience across Europe that will increase user adoption.

Because open banking is significantly cheaper than cards, merchant demand is already high. To make sure consumers also adopt open banking payments at checkout, when in competition with cards and other methods, the user experience should be frictionless and inspire trust. PSR1 is a step in this direction.

4. Direct access to payment systems for fintechs

Today, only banks are legally allowed access to payment settlement infrastructure in Europe. Fully licensed payment institutions like TrueLayer do not have this option and must instead rely on banking partners to process payments. This means that payment firms depend on the choices made by banks, for example whether to adhere to SEPA Instant or whether to charge high fees for instant payments.

It is a relic of how EU payment laws have evolved. Before the first Payment Services Directive (2007), banks performed both the role of a credit institution and that of a payment institution. PSD1 introduced this distinction, but did not give payment institutions the legal right to obtain a settlement account.

The EU Commission recognises this oversight and has included an amendment to the Settlement Finality Directive (SFD), which gives payment and e-money institutions the right to directly access settlement infrastructure.

It is a significant change which will create more competition and innovation, level the playing field, and ultimately result in better and more efficient payments services across the EU.

5. IBAN and name matching to prevent fraud

PSR1 extends the IBAN and name check requirements which will be introduced by the Instant Payments Regulation to all forms of credit transfers. It will be the responsibility of payment providers to make sure that the payee account details that the payer inputs match those on the receiving account.

This mechanism — known as Confirmation of Payee or CoP in the UK — can be useful to reduce cases of fraud or misdirected payments in manual bank transfers.

It is less useful for open banking payments, where the open banking provider has a commercial relationship with that merchant and has carried out due diligence to make sure they are a legitimate business. The account details are pre-populated by the open banking provider and the payer cannot be deceived into changing them to a fraudster’s account details.

PSR1 rightly recognises that requiring IBAN and name matching for open banking would duplicate efforts. It does not require the service for payments where the payer does not input the payee details themselves.

6. Merging e-money and payment institutions

Another significant change is the merger of the licensing and authorisation regimes of PSD2 and the E-Money Directive (EMD2) into a newly created PSD3.

In the new framework, former Electronic Money Institutions (EMI) are a subcategory of Payment Institutions (PIs). Both the EU Commission and the European Banking Authority consider that payment services and e-money services are very similar in nature and risks, and therefore should have almost identical legal requirements when it comes to authorisation and requirements for safeguarding and initial capital.

The changes should create a clearer, simpler framework for e-money and payment institutions. This may also help businesses who have previously struggled to decide what kind of firm they need to partner with for payment services.

7. Re-authorisation for payment firms under PSD3

As a result of some changes in the licensing and authorisation regime, payment and e-money institutions will need to seek re-authorisation from national authorities within 24 months of the new rules coming into force. This will help ensure that all firms operating under PSD3 are fit to operate and ultimately keep consumers and businesses safe.

A major evolution for payments

PSR1 provides an exciting opportunity for EU payments and open banking to evolve.

We are encouraged to see that open banking receives considerably more attention in PSR1 than in PSD2. The proposed changes show that the European Commission understands the practical challenges that open banking is facing, and how to solve them. PSR1 focuses on further levelling the playing field by improving APIs, setting out minimum open banking functionality requirements, and by giving non-banks the legal right to access payment settlement systems, among others.

These new rules could be finalised by 2025, and in effect by 2026.

We look forward to continuing to support the EU Council and Parliament as they discuss and negotiate the Commission’s proposals over the coming months.
