Digital & data
July 31 2023

What do the EU PSD3 proposals mean for the payments sector?

Payments firms have a host of changes to reckon with, writes Max Savoie. 

On June 28, the European Commission published proposals for a third Payment Services Directive (PSD3) and a Payment Services Regulation (EU PSR). 

PSD3 sets out the rules for the authorisation and supervision of non-bank payment service providers (PSPs), while the EU PSR contains detailed rules that all PSPs (including banks) must comply with when providing payment services. 

Regulatory objectives 

  • Strengthen user protection and confidence in payments
  • Improve the competitiveness of open banking services
  • Streamline supervisory powers and enforcement
  • Tackle the perceived uneven playing field between banks and non-banks 

Extended scope

One key change addresses interpretative inconsistencies across EU member states, with the EU PSR clarifying that the commercial agent exclusion (CAE) will apply more narrowly than under PSD2. 

In particular, the application of the CAE will be subject to an additional condition, meaning that payment transactions from a payer to a payee through a commercial agent will only be excluded from regulation where there is “a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services”.

This could have significant implications for certain e-commerce platforms and other intermediaries that rely on the CAE to facilitate the sale of goods or services for third-party merchants.

Additionally, the EU PSR amends the definitions of the two regulated open banking services: “account information services” and “payment initiation services”. 

The definition of “account information services” is amended to make clear that a firm collecting payment account information through a technical service provider falls within scope if it consolidates the information as part of an online service.

The definition of “payment initiation services” is amended to include placing a payment order “at the request of the payer or of the payee” with respect to a payment account held at another payment service provider.

Regulatory capital and winding-up plans

The EU PSR and PSD3 set out increased initial capital requirements for non-bank PSPs and seek to harmonise the prudential requirements of payment institutions providing payment services and those providing electronic money services under the new regime.

PSD3 also requires payment institutions (which will include firms currently authorised as electronic money institutions) to maintain winding-up plans as a condition of their authorisation. These plans should describe what would happen in the event of the firm’s failure, support the orderly wind-up of its activities, and address the continuity or recovery of critical activities performed by the institution’s outsourced service providers, agents and distributors.

Safeguarding

Payment institutions will be required to avoid concentration risk in safeguarding customer funds by “ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds”. They will also be required to “endeavour not to safeguard all consumer funds with one credit institution”.

If non-bank PSPs are required to use a combination of safeguarding methods (e.g. safeguarding bank accounts plus insurance) and/or maintain multiple sets of safeguarding bank accounts, this could significantly increase their costs and create operational challenges.

Access by payment institutions

The EU PSR extends non-discriminatory access requirements to payment systems designated by a member state pursuant to the Settlement Finality Directive. Additionally, the EU PSR bolsters the existing requirements under PSD2 for credit institutions (e.g. banks) to provide non-bank PSPs with access to payment accounts.

In particular, the EU PSR provides that only in limited situations can a credit institution refuse to open or unilaterally close a payment account for a payment institution. The EU PSR also extends the benefit of such access rights to entities in the process of applying for authorisation as a payment institution, and to agents or distributors of payment institutions.

Anti-fraud measures

The EU PSR also introduces a raft of new measures designed to prevent or reduce payments fraud, including verification of payee details for credit transfers. Where the relevant details do not match, the payer’s PSP is required to notify the payer of any such discrepancy prior to the payer finalising the payment. 

Should the payer’s PSP fail to notify the payer of a discrepancy, it will generally be liable for any resultant losses sustained by the payer. 

The EU PSR also generally requires a payer’s PSP to provide the payer with post-transaction information necessary for the payer to unambiguously identify the payee, such as the payee’s commercial trade name. 

PSPs will also be required to implement additional monitoring mechanisms to detect and prevent fraudulent payment transactions. These should be based on the analysis of prior payment transactions and access to payment accounts online. 

The reforms represent a shift in the balance of liability between PSPs and their customers, in favour of customers. In particular, the circumstances in which the payer’s PSP can refuse to refund the payer for an unauthorised transaction are narrowed to circumstances in which the PSP has reasonable grounds for suspecting fraud committed by the payer. In such cases, the PSP has up to 10 business days to investigate the suspected payer fraud. 

The EU PSR also introduces a new requirement for PSPs to refund a consumer if the consumer was manipulated by a third party impersonating an employee of the PSP and this resulted in subsequent fraudulent authorised payment transactions. 

The obligation would not apply if the consumer had acted fraudulently or with gross negligence. In the era of generative AI, this could present a significant risk for PSPs.

Open banking 

The EU PSR introduces additional obligations for account servicing PSPs (ASPSPs) such as banks in relation to their interactions with providers of open banking services. ASPSPs, account information service providers (AISPs) and payment initiation service providers (PISPs) should consider how these changes will affect their business models, and any changes to operations and user interfaces needed to comply with the new requirements.

ASPSPs will generally be required to maintain dedicated interfaces for the exchange of information with AISPs and PISPs. However, ASPSPs will no longer be required to maintain a “fallback” interface for AISPs and PISPs for use if the primary interface fails.

The EU PSR also expands the requirements for dedicated interfaces so that they must (at a minimum) allow PISPs to initiate a broad range of payment types. This raises the question of whether all such functions are required if the ASPSP does not provide these to customers when the customer accesses the payment account directly.

Looking ahead 

It is not yet clear when PSD3 and the EU PSR will come into force. By way of comparison, the original proposal for PSD2 was published in 2013 and came into force in 2016, with application to firms in 2018.

On this basis, it may be several years before the changes under PSD3 and the EU PSR apply to firms. However, given the breadth of the changes, PSPs should start considering how the proposals will affect their businesses now.

Firms providing, or planning to provide, payment services in the EU or to EU customers should consider how the points discussed above may affect their businesses and whether the changes could create opportunities or risks. 

 

Max Savoie is a partner in law firm Sidley Austin’s payments and fintech practice.
