PSD3: The Future of Payment Services Regulation

The European Commission recently released its draft proposal for a new Payment Services package, introducing the third Payment Services Directive (PSD3). With a primary focus on the authorization and supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs), PSD3 brings both challenges and opportunities to the financial industry.

Replacing the existing second Payment Services Directive (PSD2), the draft proposal aims to enhance the regulatory framework and address emerging trends in the payment services sector. Let’s take a closer look at the key aspects of PSD3 and its implications for authorized PIs and EMIs.

The Payment Services Regulation (PSR) and the Payment Services Directive (PSD3)

The proposed Payment Services package comprises two legislative acts: the Payment Services Regulation in the internal market (PSR) and the Directive on Payment Services and Electronic Money Services in the internal market (PSD3).

The PSR focuses on rules governing Payment Service Provider (PSP) activities and incorporates requirements from the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS on SCA & CSC). Additionally, it includes guidelines and opinions from the European Banking Authority (EBA), aligning payment services regulations across the European Union (EU).

PSD3 introduces EMIs as a sub-category of PIs, incorporating and repealing the existing Electronic Money Directive (Directive 2009/110/EC). This directive covers three primary topics: authorization for providing payment services, supervision of PIs and EMIs, and cash withdrawal services by retailers without purchase and independent ATM deployers.

Understanding the Measures in PSD3

1. Authorization: The application process for authorization remains largely unchanged, except for a few notable additions. PIs must demonstrate compliance with Regulation (EU) 2022/2554 on digital operational resilience for business continuity arrangements. A comprehensive risk assessment, including fraud risks and measures for sharing fraud-related data, is also required. PIs must provide an overview of the EU jurisdictions where they are seeking or planning authorization. Additionally, a winding-up plan adapted to the applicant’s size and business model is now mandatory.
2. Professional Indemnity Insurance and Initial Capital: To address challenges faced by Account Information Service Providers (AISPs) in obtaining professional indemnity insurance, PSD3 offers an alternative option. AISPs can opt to maintain EUR 50,000 of initial capital instead of securing insurance. Meanwhile, the initial capital requirement for other PIs has been adjusted to reflect inflation.
3. Own Funds: PSD3 maintains the existing methods for calculating own funds, designating method B (transaction volumes) as the default. However, PIs with unique business models can still utilize alternative methods, subject to criteria specified by the EBA.
4. Safeguarding: While the safeguarding rules remain mostly unchanged, PSD3 introduces the option of safeguarding funds in an account at a Central Bank. Regulatory technical standards on safeguarding requirements are expected to be developed by the EBA.
5. Cross-Border Provisions of Services: The rules governing cross-border service provisions remain largely unaffected. However, the draft PSD3 provides clarifications for scenarios involving three Member States, such as instances where a PI offers services in a Member State other than its home Member State through an agent located in a third Member State.
6. Cash Withdrawals: Retail stores are exempted from PI authorization requirements if they offer cash withdrawals below EUR 50 without a purchase, limited to their premises. Independent ATM deployers are also excluded from such obligations.

What Does PSD3 Mean for Authorized PIs and EMIs?

Authorized PIs and EMIs operating under PSD2 or the Electronic Money Directive will retain their authorizations for an additional 24 months from the entry into force of PSD3. However, to comply with the new legal authorization regime introduced by PSD3, these authorized PIs and EMIs must submit a new application to their National Competent Authority (NCA) within 18 months after the entry into force of PSD3. This allows the NCA sufficient time to assess compliance with the new directive.

It is crucial for authorized PIs and EMIs to carefully assess the impacts of PSD3 on their operations and application process to ensure their continued authorization. By understanding the specific requirements outlined in PSD3, authorized PIs and EMIs can proactively adapt their processes, policies, and risk management frameworks to meet the new regulatory standards.

Conclusion

The draft proposal for PSD3 brings significant changes to the payment services landscape, with a focus on authorization and supervision requirements for PIs and EMIs. As the European Commission seeks to enhance regulatory oversight and strengthen consumer protection, banks and financial institutions must stay informed and adapt to the evolving regulatory environment. By proactively addressing the implications of PSD3, authorized PIs and EMIs can maintain their compliance and continue to provide secure and reliable payment services to customers across the European Union.