On 28 April 2023 the European Commission ("Commission") put forth a proposal (Link) to revise Directive (EU) 2015/2366 (Payment Services Directive, "PSD2"), which was adopted on the EU level in 2015 and transposed into Austrian law by the Payment Services Act (Zahlungsdienstegesetz 2018 – ZaDiG 2018).
The package is part of the EU's retail payments strategy to amend and modernise the payment services framework, given market developments and innovations over the past years. The package of drafts includes:
- an amended Payment Services Directive ("PSD3"), which mainly amends Title II of PSD2 and repeals Directive 2009/110/EC (Electronic Money Directive, "EMD");
- a Payment Services Regulation ("PSR", together with PSD3 the "PSD3 Package"), which will clarify and substitute Title III and IV of PSD2.
By proposing a directly applicable regulation (the PSR), the Commission intends to further harmonise EU payment services markets.
Based on a report by the Commission evaluating PSD2, the proposals present amendments and improvements which aim to achieve five key objectives:
- combatting and mitigating payment fraud;
- improving consumer rights;
- further levelling the playing field between banks and non-banks;
- strengthening user protection and confidence in payments;
- improving competitiveness;
- extending the supervisory and enforcement powers of regulators.
Timeline
The EU Commission's proposal presents the first step in the EU's ordinary legislative procedure towards PSD3 being published in its final form. The proposal is now being reviewed by the co-legislators, the Council and the European Parliament, and it is currently expected that the final text of the PSD3 will be approved and published towards the end of 2024 or early 2025.
The draft PSR stipulates that it will enter into force and begin to apply directly 18 months after its publication. At the same time, Member States will have 18 months after the publication of PSD3 to transpose it into national law. Given the projected time horizon, this will mean that the PSD3 Package will apply approximately from 2026 onwards, which gives payment service providers a similar period of time to prepare as with PSD2.
Key takeaways
Open banking: The EU Commission described challenges regarding effective and efficient access by account information service providers ("AISPs") and payment initiation service providers ("PISPs"), collectively known as third-party providers ("TPPs"), to data held by banks. Although this is controversial, the PSD3 proposal introduces extended financial information data access (FIDA), which includes the following measures:
- Interface for TPPs: Banks must provide dedicated secure interfaces for the exchange of information to TPPs; but, they will no longer be required to continue to maintain a "fallback" interface if the primary interface fails as under PSD2.
- Dashboard: Banks must provide consumers with an access and permissions dashboard giving an overview of data access rights granted to TPPs and enable any access granted at any time to be withdrawn. This will be particularly relevant as the proposal for a regulation on financial data (Link), which was also published on 28 June 2023, also provides for a permission dashboard for access granted to third parties.
Consumer measures and anti-fraud protection: With new innovations, new types of fraud schemes emerged (including social engineering fraud). To tackle these new types of fraud the proposals include the following measures:
- IBAN/name verification: All (regular and instant) credit transfers will be subject to IBAN and name matching verification services, which means payment is only completed once the check is completed and the consumer is notified. In case of a discrepancy, the consumer may, following the notification, proceed with the transfer. If, however, the payer is not notified of any discrepancy, the PSP may be liable for any resulting losses if the transfer is executed.
- Transaction monitoring: Payment service providers (PSPs) will be required to implement additional transaction monitoring mechanisms and may share fraud-related information with other PSPs in instances where a PSP has sufficient evidence to assume that a fraudulent payment transaction has occurred.
- Liability for spoofing: PSPs are liable in case of impersonation fraud (so-called "spoofing") if the consumer was manipulated by a third party impersonating an employee of the PSP and this manipulation resulted in subsequent fraudulent authorised payment transactions, provided the consumer has reported such fraud to the police and notified the PSP without delay (exception: the obligations do not apply if the consumer acted fraudulently or with gross negligence). It remains to be seen whether this far-reaching liability for banks and PSPs is adequate and will be included in the final package.
Level playing field:
The Commission finds that PSD2 is limited in its effectiveness as non-bank PSPs lack direct access to key payment systems and bank accounts. To create a level playing field between banks and non-bank PSPs, the PSR sets forth that EU Member States may not unduly restrict access to key payment systems and thus extends the access requirements of the Settlement Finality Directive to non-bank PSPs. Furthermore, banks may only refuse to open or unilaterally close a payment institution's payment account in certain limited situations.
Further notable amendments:
- Narrower exclusions of PSD3/PSR: The commercial agent and the limited network exclusion will be narrower under the PSD3 Package, which requires market participants to review whether they can still rely on either exemption.
- Repeal of the Electronic Money Directive: The EMD will be repealed and electronic money institutions will have to get reauthorisation under the PSD3 Package as payment institutions providing electronic money services.
- Own funds: The PSD3 Package stipulates increased own funds requirements and by default links the calculation of own funds to payment transactions volumes instead of percentage of fixed overheads expenditures for the preceding year or based on operating income.
- Winding-up plans: As a condition of their authorisation, PSD3 requires payment institutions (including firms currently authorised as electronic money institutions) to maintain winding-up plans to describe what would happen in the event of the firm's failure.
- Safeguarding: Payment institutions will be required to avoid concentration risks in safeguarding customer funds, meaning all customer funds may not be held with only one credit institution.
- Independent ATMs: Cash providers that do not service payment accounts (e.g. independent ATMs) need to register pursuant to PSD3.
Conclusion
As the proposals may still be subject to further discussions and the trilogue negotiations between the three EU institutions, the final texts may deviate from the current proposals. Nevertheless, the proposals already show the directions of how payment services in the EU will progress moving from PSD2 to the PSD3 Package.
As the changes of the PSD3 Package will require electronic money institutions to seek reauthorisation within 24 months of the new PSD3 coming into force and existing payment institutions to assess whether they comply with the new prudential requirements, it is sensible to prepare (eg. drawing up winding-up plans, review internal policies in line with PSD3 / PSR and check whether the exemption still applies) well in advance to fulfil all legal requirements on time.
By Matthias Pressler, Counsel, Maximilian Nusser, Associate, Schoenherr