Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
RegulationsNovember 27 2023

Explainer: the Payment Services Directive

On the road to harmonised European payments: the birth of the Payments Services Directive.
Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
Explainer: the Payment Services DirectiveImage: Getty Images
 

Jump to 

What is the Payment Services Directive?

The first iteration of the Payments Services Directive (PSD) set the legal and regulatory framework to make way for the Single Euro Payments Area (Sepa).

PSD was released in late 2007. A directive of the EU, it was administered by the European Commission (EC) to regulate payment services and payment service providers throughout the EU and the European Economic Area (EEA). PSD’s purpose was to increase pan-European competition and participation in the payments industry from non-banks, and to provide for a level playing field by harmonising consumer protection and the rights and obligations for payment providers and users.

The common framework of PSD is meant to ensure payments are easy, efficient and secure for consumers. Those rules cover credit transfers, direct debits and card payments.

PSD came into effect on December 25, 2007. EU countries had until November 1, 2009 to incorporate it into national law and create a ‘competent authority’ for prudential supervision. 

The rules of PSD include ‘the market rules’ and the ‘business conduct rules’.

The market rules describe which type of organisations can provide payment services. Those include credit lending banks, central banks, government bodies and electronic money institutions (EMIs). EMIs, allowed as a result of the E-Money Directive of 2000, are legal entities or bodies that have obtained an operating licence to disburse electronic money. Today, EMIs include fintech companies such as PayPal, Revolut and Wise. 

The business conduct rules specify what transparency of information payment service institutions need to provide, including any charges, exchange rates, transaction references and maximum execution time. They stipulate the rights and obligations for both payment service providers and users, how to authorise and execute transactions, liability in case of unauthorised use of payment instruments, refunds on payments, payment orders and value dating of payments.

The initial PSD also guaranteed certain rights and obligations:

  • A payment transaction in euros or in the currency of an EU country outside the euro area is executed within one working day.
  • Payment services providers are fully liable to payers for the correct execution of payment transactions. When a transaction is not executed or is defective, the payer’s payment services provider must correct it or refund the relevant amount to the payer. In the event of the misuse of a payment instrument by someone other than the payer, such as a credit card, the payer bears the losses up to a maximum amount of €150.
  • The law also lays down rules for refunds when payment transactions have been wrongly authorised by a payment services provider.

What does this have to do with Sepa?

PSD originates from the 1992 Maastricht Treaty on European Economic and Monetary Union, which created the plan for the euro.

PSD then became the legal framework leading the way for the creation of Sepa, which was introduced for credit transfers in 2008, followed by direct debits in 2009 and fully implemented by 2014 in the euro area and 2016 in non-euro Sepa countries. 

What did The Banker have to say about PSD and Sepa in 2007? 

In April 2007, The Banker published Delay creates breathing space, about the delay of the Payments Services Directive meaning that Sepa would go live in a phased approach. 

“Banks would be excused for breathing a quiet sigh of relief that the European Parliament has still not passed the controversial Payments Services Directive, which will provide the legal framework for Single Euro Payments Area (Sepa),” The Banker wrote. “The delay means that they are able to focus efforts on the launch of the Sepa credit transfer, the easier of the two Sepa schemes to implement, on January 1, 2008, because the Sepa direct debit cannot go live until each EU country has passed the directive into national law. This is unlikely to happen until 2009 at the earliest, making the European Commission’s ambition of full migration to the new Sepa instruments extremely unrealistic.”

At the time, Brendan Reilly, product head, global automated clearing house (ACH) and wholesale clearing for EMEA and the Americas at JPMorgan Treasury Services, said that although JPMorgan was undertaking material system developments to shield customers from the complexity of Sepa, there were still some areas of uncertainty to be addressed. “We need to give ourselves flexibility because not all countries will migrate at the same pace, so the domestic ACH may remain dominant in some countries for longer than others,” he said.

PSD2 and the introduction of ‘open banking’

The Revised Payment Services Directive, otherwise known as PSD2, introduced the industry to ‘open banking’.

It aimed to create a more integrated European payments market, making payments more secure and protecting consumers.

The European Parliament adopted the EC’s PSD2 proposal on October 8, 2015. The council of the EU passed it on November 16, 2015, and the revised directive came into being on January 13, 2018. 

It aimed to better protect consumers when they pay online, promote the development and use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer. 

PSD2 presented many banks with technical challenges related to collaborating with new fintech entrants. Banks were required to provide sets of open application programming interfaces to third-party fintech companies allowing for better integration and access to clients’ payment accounts data. In addition to the technical challenges this presented, these open API integrations could only be allowed by banks with the informed consent of consumers, otherwise known as strong customer authentication (SCA). 

PSD2 came into full effect on September 14, 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the SCA until December 31, 2020. 

The idea was that PSD2 would create a level playing field for all. This aspect of PSD2 reflected recent developments in consumer spending trends. 

The impetus behind PSD2 was to improve the level of consumer protection in place, but mainly to increase competition and facilitate innovation in financial services.

PSD2 effectively opens the market for new entrants — third-party providers — by introducing two brand new services:

  • Payment initiation service: third-party providers (‘Payment Initiation Service Providers’) will enable clients to initiate payments from their payment accounts without actually accessing their bank’s online channels, and
  • Account information aggregation service: third-party providers (‘Account Information Service Providers’) will provide customers with consolidated information on their various payment accounts held with multiple banks.

What did The Banker say at the time?

In February 2014, The Banker’s Jane Cooper wrote in PSD2: playing with firewalls:

The EC’s proposed update to the PSD will allow third parties to penetrate banks’ security firewalls, which is leaving banks understandably nervous. Dermot Turing, a partner at law firm Clifford Chance, says that it is the proposals around payment initiation services that are the most challenging. Under PSD2, says Mr Turing, “banks will have to allow third-party services to come into an account and initiate payment transactions”. Allowing this access, he explains, is potentially problematic because it enables a third party to circumvent a bank’s security firewall. “Banks are really nervous about this. The concept of allowing anybody other than the consumer to penetrate the security firewall has been greeted with hostility. And consumer associations are not particularly thrilled about it,” says Mr Turing.

Another bone of contention is what happens if something goes wrong when a third party is involved in initiating a transaction. Under the draft proposals, says Mr Turing, the bank would be liable, would have to reimburse the consumer and investigate the matter afterwards. Amendments that have since been proposed take the opposite approach and state that the third party should be liable.

PSD3: third time’s the charm?

Post-pandemic changes in customer behaviour, the rise of instant payments and the increased risk of fraud are driving PSD3. 

On June 28, 2023, the EC published a set of new legislative proposals for a third Payment Services Directive and a Payment Services Regulation (PSR).

The proposed new rules aim to improve consumer protection and competition in electronic payments, allowing consumers to share their data in a more secure way.

According to the EC, electronic payments in the EU have been constantly growing, reaching €240tn in value in 2021 (compared with €184.2tn in 2017). This trend was accelerated by the Covid-19 pandemic. New providers, enabled by digital technologies, have entered the market, in particular providing ‘open banking' services. More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust.

PSD3 aims to ensure the EU’s financial sector is fit for purpose and capable of adapting to the ongoing digital transformation, and the risks and opportunities it presents, fulfilling a key commitment in the EC’s 2020 Retail Payments Strategy.

It also complements the EC’s proposal from 2022 for a regulation to make instant payments in euros available to all citizens and businesses holding a bank account in the EU and in EEA countries.

The PSD3 proposal will amend and modernise the current PSD2 as well as establish a PSR.

The package of measures in the proposal include: 

  • Combat and mitigate payment fraud, by enabling payment service providers to share fraud-related information between themselves, increasing consumer awareness, strengthening customer authentication rules, extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees’ IBAN numbers with their account names mandatory for all credit transfers;
  • Improve consumer rights, for example in cases where their funds are temporarily blocked, improve transparency on their account statements and provide more transparent information on ATM charges;
  • Further levelling the playing field between banks and non-banks, in particular by allowing non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and securing those providers’ rights to a bank account;
  • Improve the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers’ control over their payment data, enabling new innovative services to enter the market;
  • Improve the availability of cash in shops and via ATMs, by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators; and
  • Strengthen harmonisation and enforcement, by enacting most payment rules in a directly applicable regulation and reinforcing provisions on implementation and penalties.

The proposal also includes a framework for Financial Data Access, which will establish clear rights. 

The EC hopes the new proposal will lead to more innovative financial products and services, such as improved personal finance management and advice. It also claims PSD3 will make processes such as comparison services or switching to a new product smoother and cheaper, including, for example, automated processing of mortgage applications. Small and medium-sized enterprises would also be able to access a wider range of financial services and products, such as more competitive loans resulting from their creditworthiness data being more easily accessible.

In 2023, The Banker started to look at the possibilities of PSD3

In July 2023, Max Savoie wrote What do the EU PSD3 proposals mean for the payments sector?

“It is not yet clear when PSD3 and the EU PSR will come into force. By way of comparison, the original proposal for PSD2 was published in 2013 and came into force in 2016, with application to firms in 2018,” he wrote. “On this basis, it may be several years before the changes under PSD3 and the EU PSR apply to firms. However, given the breadth of the changes, PSPs should start considering how the proposals will affect their businesses now.”

Was this article helpful?

Thank you for your feedback!

Read more about:  Banking strategies , Digital journeys , Regulations
Liz Lumley
Liz Lumley is deputy editor at The Banker. She is a global specialist commentator on global financial technology or “fintech”. She has spent 30 years working in the financial technology space, most recently as director at VC Innovations and architect of the Fintech Talents Festival, managing director at Startupbootcamp FinTech London and an editor at financial services and technology newswire, Finextra. She was named Journalist of the Year for Technology and Digital Finance at State Street’s UK Press Awards for 2022.
Read more articles from this author

Trending in The Banker

  1. Fintech doesn’t deserve trite, tech-bro speak

    Editor’s blog
    APRIL 17

  2. ‘The most British of foreign banks’

    Agenda
    APRIL 15

  3. Canada announces date for real-time payments system launch

    Digital journeys
    APRIL 18

  4. Ripple to launch USD-pegged stablecoin on XRP ledger and Ethereum

    Crypto assets
    APRIL 5

  5. The Banker’s Top 100 US Banks 2024

    Best-performing banks
    APRIL 3
A service from the Financial Times