Everything you need to know about PSD3

Mark Taylor

Senior Editorial Manager

The payments landscape has shifted dramatically since the European Union’s Second Payment Services Directive (PSD2) entered force in 2015.  


Open Banking and the spectacular growth of electronic payments have informed an evolution of the rules that apply across the bloc and for businesses selling into the market.  


Below is a breakdown of the major changes that PSD3 will introduce. 


Key changes

  • PSD3 updates the Second Payment Services Directive (PSD2) and presents a stronger set of rules for the efficiency and security of European Union electronic/digital payments and financial services. 
  • A key aim is to improve competition and innovation in finance. 
  • PSD3 also aims to tackle the soaring fraud linked to digital payments. 
  • Extensive Strong Customer Authentication (SCA) regulations and tougher rules on access to payment systems and account information have been proposed. 
  • Enhanced consumer protection rights and data governance requirements. 
  • A new Payment Services Regulation (PSR), directly applicable to EU member states, will be created to improve consumer protection. 
  • Timeline: There is not a clear timeline for implementing PSD3 and PSR. The finalised versions are expected by late 2024. Member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could enter force in late 2026/early 2027. 


The rise of digital payments and the continued uptake of Open Banking technology have reshaped the European payment landscape.


PSD2, which entered force as internet and mobile payments began to take off, was intended to level the playing field between the incumbents, with their stranglehold on transactional data, and technology-driven new entrants. 


Demand for cashless services was already skyrocketing before the onset of COVID-19, which accelerated the uptake of digital payments and introduced more ways to pay without needing to hold notes, coins, or physical cards.  


Market demands and a need to refresh the rules prompted Brussels to introduce a new set of standards more aligned with modern technological developments.


The Third Payment Services Directive (PSD3) was drafted to update and modernise PSD2, and a directly binding new rule for every member state, the Payment Services Regulation (PSR), was proposed.  


What is PSD3?

PSD3 is a revision of PSD2, which sets out the rules for all retail payments in the EU, euro and non-euro, domestic and cross-border.


It aims to protect consumers’ rights and personal information while improving competition across the payment sector. 


As a directive, member states must transpose the PSD3 legislation into their own domestic framework. 


What is the Payment Services Regulation (PSR)? 

PSR is an EU Regulation that applies directly in the EU Member States once it has been adopted and has entered into force.


The PSR will be directly applicable without member states having to transpose it into domestic laws.


The aim is to create a uniform and consistent implementation across the entire EU. The PSR aims to improve consumer protection, an area in which consistency of rules is crucial. 


PSD2 vs PSD3 

PSD3 is intended to be more suitable for the modern payments landscape, considering changes in technology and customer habits since 2015 such as the rise in cashless payments, QR codes, and more.


It expands many aspects of PSD2 around transparency, liability, and open banking.  


PSD3 also introduces more extensive Strong Customer Authentication (SCA) regulations and tougher rules on access to payment systems and account information compared to its predecessor. These were revised in response to much greater levels of fraud stemming from digital payments, and the need to better safeguard payment transactions and tackle fraud.


PSD3 and the payments sector 

The Strong Customer Authentication (SCA) changes and access to payment systems and account information updates are designed to make the experience of buying online safer for the consumer. New technical rules will be introduced relating to data sharing, fraud prevention, authentication, transactions, and accessibility. 


Businesses will be required to share more data with issuers, allowing them to track environmental and behavioural characteristics such as user location, time of payment, devices used, spending habits, transaction history, session data, and device IP.  


Payment schemes and Payment Service Providers will also be allowed to process personal data for crime prevention measures without explicit user consent under the General Data Protection Regulation (GDPR). 


Fraud liability will also shift under PSD3. Schemes, digital wallet providers, and payment gateways amongst others will be liable for fraud if they fail to apply SCA.  


PSD2 required SCA factors to belong to two categories out of the following three: knowledge, possession, and inherence. With PSD3, using two factors from the same category, like token and SMS OTP or even two passwords, is possible.


SCA must be available and easy for vulnerable customers such as the elderly, people with disabilities, and non-digitally savvy consumers to use. This will mean providing authentication methods not solely reliant on smartphones. 


Access to payment systems and account information 

The existing Open Banking framework will be updated under the PSR.   


Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will be permitted to develop custom interfaces that connect to banks and other financial institutions.  


Banks and financial institutions must publish quarterly statistics on interface availability and performance regarding APIs, as part of a drive to increase transparency. 


It is hoped the move will give new entrants a better understanding of the payments landscape and enable them to make smarter decisions around processing. 


PSD3 also pushes banks to provide customers with a permission dashboard to continuously monitor and manage permissions granted to AISPs. 


What else do banks need to know about PSD3? 

Payment businesses have often struggled to gain access to bank accounts due to their apparent high-risk status. PSD3 aims to stop banks from engaging in this practice of ‘de-risking’.


It does so by introducing a new standard: where a credit institution refuses to open an account, or decides to terminate one, it is required to present a “duly justified response and reasoning”.


Regarding credit transfers and money remittances from the EU to the UK, US, and other non-EU states, the proposals introduced an obligation for payment service providers to add certain information.  


This includes the estimated time for the funds to be received by the PSP of the payee located outside the EU, and (in an effective extension of the revised Cross-Border Payments Regulation to this type of transaction) the estimated currency conversion charges must be expressed, for comparability purposes, as a percentage mark-up over the latest available ECB euro foreign exchange reference rates.  


Lawmakers have proposed further changes aimed at providing better information, for example, to stipulate that estimated currency conversion charges should be disclosed transparently in a monetary value as a mark-up over the latest available applicable foreign exchange reference rates issued by the relevant central bank. 


What is the timeline? 

The timeline for implementing PSD3 and PSR isn’t quite clear, as the European Parliament and European Council are currently reviewing the proposed changes and will submit their own amendments before a final agreement is struck, likely later in 2024.


The member states usually receive an 18-month transition period, in which case PSD3 and PSR would take effect around 2026.