PSD3: Unveiling the Secrets Behind


Since the introduction of the previous Payment Services Directive (PSD), the European Union’s payment services market has undergone substantial changes. This transformation is attributed to the surge in electronic payments and the emergence of new providers offering open banking services.

The primary aim of the preceding Payment Services Directive (PSD2) was to establish a fair competition landscape between existing and new providers of card, internet, and mobile payments.

In response to market developments, there was a call for an update in the rules and regulations governing payments. On June 28, the European Commission proposed revisions to propel payments and the broader financial sector further into the digital age. These proposals will revise and modernize PSD2, evolving into PSD3, and introduce a Payment Services Regulation (PSR).

This article offers a comprehensive overview of the European Commission’s proposals for Payment Services Directive 3 (PSD3), highlighting their comparisons with PSD2 and examining the anticipated impact on the payments industry.

Introducing PSD3: A Breakdown of the EU Directive for Non-Bank Payment Service Providers

PSD3 stands as a pivotal EU Directive, delineating regulations governing the authorization and oversight of non-bank payment service providers (PSPs) within the European Union.

The primary objective of PSD3 is to safeguard consumers’ rights and personal information while fostering increased competition within the payments industry. This directive is designed to empower consumers, enabling them to securely share their data and actively contribute to a more extensive array of cutting-edge financial products and services.

Given its directive nature, the rules outlined in PSD3 necessitate transposition into the national laws of the diverse EU Member States to ensure comprehensive implementation and adherence.

Unveiling PSR: An Insight into the EU Regulation

PSR, or the Payment Services Regulation, represents a significant EU Regulation characterized by its direct applicability to EU Member States upon adoption and entry into force. Unlike directives, the PSR doesn’t require transposition at the national level by member states, ensuring a streamlined and uniform implementation throughout the entire EU. This distinctive feature contributes to a consistent regulatory framework and is particularly advantageous in enhancing consumer protection—an area where the uniformity of rules holds paramount importance according to the objectives of the PSR.

PSD2 vs PSD3: Evolving Regulations for the Changing Payments Landscape

In the realm of payment services, PSD3 emerges as a more comprehensive framework compared to its predecessor, PSD2. This adaptation addresses the contemporary payments landscape, recognizing the need for a broader scope to mitigate the potential for regulatory arbitrage resulting from uneven rule implementation. PSD3 encompasses key aspects of PSD2, including transparency, liability, and open banking. Notably, PSD3 introduces more expansive regulations for Strong Customer Authentication (SCA) and imposes stricter guidelines on access to payment systems and account information when juxtaposed with PSD2. These enhancements play a pivotal role in fortifying payment transactions and combating the prevalence of payment fraud.

PSD3’s Influence on the Payments Industry: Navigating Changes in SCA and Access to Payment Systems

The forthcoming alterations in PSD3, particularly concerning Strong Customer Authentication (SCA) and access to payment systems and account information, will significantly impact the payments industry. Let’s delve into these changes and explore their implications.

Strong Customer Authentication (SCA)

Enhanced Safety in Buying Experiences: The modifications in SCA under PSD3 are poised to contribute to safer purchasing interactions, ushering in new regulations surrounding data sharing, fraud prevention, authentication, transactions, and accessibility.

Expanded Data Sharing: Businesses will be required to share more data with issuers, enabling issuers to monitor various environmental and behavioral characteristics. This includes user location, transaction time, devices used, spending habits, transaction history, session data, and device IP. This heightened data sharing aims to improve approval rates by better distinguishing between legitimate and fraudulent transactions.

GDPR Compliance: Payment schemes and Payment Service Providers (PSPs) gain the ability to process personal data for fraud prevention without explicit user consent under GDPR. This is contingent upon the data being used solely for fraud prevention purposes.

Liability Shift for Fraud: PSD3 proposes a shift in liability for fraud, holding schemes, technical service providers, and payment gateways responsible if they neglect to apply SCA. This encourages providers to uphold a high standard of service and shields payers from technical malfunctions.

Issuer Liability in Spoofing Fraud: Issuers will bear liability in instances of spoofing fraud, where a fraudster impersonates a bank’s employee to coerce the user into authenticating the payment. However, payer liability remains in place for fraudulent or grossly negligent actions.

Authentication Flexibility: Unlike PSD2, PSD3 allows the SCA factors to come from the same category, so elements such as a token and an SMS OTP, or two passwords, can be combined.

SCA Delegation and Outsourcing: SCA delegation to third parties, such as Apple Pay, is now considered outsourcing and must comply with outsourcing rules. Some payment service providers have developed solutions to enable issuers to delegate SCA without outsourcing to third parties.

Exemptions: PSD3 introduces exemptions for Merchant-Initiated Transactions (MITs) and for card-based mail order and telephone order (MOTO) transactions. MITs require SCA only for the first transaction, and MOTO transactions are exempt from SCA. Tokenization requires SCA only when the cardholder initiates the transaction.

Accessibility Mandate: SCA must now cater to vulnerable customers, ensuring that authentication methods are accessible to the elderly, people with disabilities, and consumers who are not digitally savvy, beyond reliance on smartphones.

In essence, PSD3’s nuanced adjustments aim to bolster security, refine authentication practices, and foster a more inclusive payments landscape. Stay informed to navigate these transformative shifts in the industry.

Revolutionizing Access: PSR’s Impact on Open Banking and Financial Services

The Payment Services Regulation (PSR) is poised to instigate transformative changes within the existing Open Banking framework, aiming to eliminate barriers to open banking services and enhance overall uptime for banking and financial services.

Access for Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs)

Custom Interfaces for Enhanced Connectivity: Under PSR, PISPs and AISPs gain the authority to construct custom interfaces connecting to banks and other financial institutions. This empowerment facilitates a more dynamic and tailored approach to interfacing with financial systems.

Increased Transparency through API Performance Metrics: Banks and financial institutions face new requirements to share comprehensive information regarding their API performance. This involves quarterly publication of statistics on interface availability and performance, fostering a heightened level of transparency. This transparency empowers businesses with more accurate insights into payment systems, enabling them to make well-informed decisions when selecting partners for their payment processing needs.

Efficiency in Downtime: In the event of bank downtime or disruptions, PSR mandates that banks permit third parties, including AISPs and PISPs, to utilize their own banking interfaces. This provision is designed to streamline payment processes for digital businesses and their customers, ensuring continued efficiency even during unforeseen interruptions. Businesses, in accordance with civil law, also retain the right to claim damages for losses incurred during such incidents.

Customer Empowerment with Permission Dashboards: Banks are obligated to provide customers with a permission dashboard. This interactive dashboard serves as a centralized platform for customers to monitor and manage permissions granted to AISPs continuously. This feature enhances customer control and transparency, aligning with the principles of customer-centricity and data privacy.

In essence, the PSR-driven changes pave the way for a more dynamic and transparent ecosystem, fostering innovation, resilience, and improved customer experiences in the realm of open banking and financial services. Stay attuned to these developments to leverage the evolving landscape effectively.

Navigating the Future: PSD3 and PSR Proposals

The proposed PSD3 and PSR regulations are poised to uphold and enhance the safety and security of electronic payments and transactions within the European Union, both domestically and across borders, encompassing transactions in euro and non-euro currencies. The overarching goal is to provide consumers with an expanded array of payment service providers while steadfastly safeguarding their interests.

The timeline for implementing PSD3 and PSR is yet to be clearly defined. The proposed changes are subject to review by the European Parliament and European Council. A finalized version is anticipated by late 2024; member states typically undergo an 18-month transition period, implying a potential effective date around 2026. For more detailed information, refer to the official documents.