Introduction
Whilst there has been a great deal of attention on the MiFID II and MiFIR review, another equally important legislative measure is currently making its way through the EU legislative process. In the summer of 2023, the European Commission (Commission) issued a payment services legislative package which amends the existing Payment Services Directive 2 (PSD2). A new Directive, PSD3, was proposed together with a Regulation, the Payment Services Regulation (PSR). In addition, a further Regulation was proposed, a Regulation on a Framework for Financial Data Access (FIDAR). The Commission issued this legislative package in response to an EU payment services market which is constantly growing, with new providers offering, in particular, ‘open banking’ services, whilst at the same time more sophisticated types of fraud have emerged which put consumers at risk.
In this briefing note we provide a summary of some of the key changes made by the PSD3, PSR and FIDAR. We also touch on EU/UK divergence and what firms should be thinking about in terms of preparing for the new EU legislation.
Purpose
The purpose of the EU legislative proposals is to develop and maintain a single payment services market for the EU that provides the same level of consumer protection, efficiency and innovation across all EU Member States. Instead of a complete overhaul, the PSD3 and PSR will make gradual changes to EU payment services rules. Some of these changes will be challenging to implement, but the package will not represent a major shift in how payment services and electronic money are regulated.
Legislative process
The Commission published the legislative texts of the PSD3, PSR and FIDAR in June 2023. The European Parliament and the Council of the EU are now reviewing and amending these texts. They will also negotiate with the Commission to finalise the legislation.
In November 2023, the European Parliament’s Committee on Economic and Monetary Affairs (ECON) published draft reports on the proposals with recommendations for amendments. ECON voted to adopt the texts in February 2024, and the European Parliament has since adopted both texts in plenary, closing its first reading.
The precise dates for the implementation of the draft legislation remain unclear. Industry experts project that the finalised documents may be made public by the end of 2024 or at the beginning of 2025.
Once the final texts are published, it is customary for EU Member States to be allotted a transitional period, typically extending to 18 months, to align with the new legislation. Consequently, it is expected that PSD3 and the PSR will come into effect over the course of 2026.
Summary of changes
The rules applicable to payment service providers (PSPs) contained within the PSD2 will be transferred to the PSR and these will become directly applicable in all EU Member States as a result. The PSR includes additional rules relating to:
- transparency requirements;
- rights and obligations relating to the provision and use of payment services, including open banking;
- authorisation of payment transactions; and
- operational and security risks.
The PSR will also integrate certain provisions from the Regulatory Technical Standards on strong customer authentication (SCA) and common and secure open standards of communication, along with requirements derived from guidelines and opinions issued by the European Banking Authority (EBA). More on SCA is set out below.
As a Directive, the PSD3 will require Member States to transpose its requirements into their own national laws. The PSD3 will repeal and replace the Electronic Money Directive (EMD2), establishing a single regulatory framework governing both payment services and e-money services. There will be a single set of requirements for licensing, conduct of business and prudential supervision, as e-money institutions will be licensed as payment institutions under the PSD3. The PSD3 will focus on:
- authorisation for providing payment services and the associated requirements for authorisation;
- supervision of payment institutions (PIs) and e-money institutions (EMIs) to ensure compliance and proper functioning; and
- addressing the provision of cash withdrawal services by retailers without a purchase and by independent ATM deployers.
The final component of the payment services package is the FIDAR. This Regulation seeks to establish a new framework for secure and open access to customer data across a wider range of financial services. The framework establishes clear rights and obligations to manage customer data sharing in the financial sector beyond payment accounts, including:
- possibility but no obligation for customers to share their data with data users;
- obligation for customer data holders to make these data available to data users;
- full control by customers over who accesses their data and for what purpose; and
- standardisation of customer data and the required technical interfaces.
FIDAR is discussed further below.
SCA
A key point to note regarding the PSR is that it sets out more extensive SCA regulations and stricter rules on access to payment systems and account information compared to the PSD2. The Commission’s Q&As on the payments package stated that the proposal would:
- clarify in which circumstances certain types of transactions, such as merchant-initiated transactions, or transactions for which payment orders are placed by the payer with modalities other than the use of electronic platforms or devices, may be exempt from the obligation to apply SCA, while also introducing safeguards to ensure that payers remain nevertheless protected from fraud;
- clarify that, for remote payments, the specific amount and the payee must be explicitly linked to the transaction which is to be authenticated by the payer;
- simplify the application of SCA in respect of payment account information services. Banks holding payment accounts will only apply SCA for the first access to payment account data by open banking account information service providers unless there are reasonable grounds to suspect fraud. Account information service providers will then be responsible for SCA for subsequent data accesses;
- strengthen the use for payments of digital passthrough wallets (where a virtual payment card is stored on the wallet), by requiring that SCA must be performed at the moment of the enrolment of a payment instrument in the wallet under the responsibility of the PSPs that issued that instrument; and
- require payment services providers to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology, device or mechanism, for instance on the possession of a smartphone.
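The second point above, that for remote payments the amount and payee must be explicitly linked to what the payer authenticates, is the "dynamic linking" requirement carried over from the SCA technical standards, and it is easiest to see in code. The block below is an added illustration and is not code from this briefing note, the Commission's texts or any PSP; the HMAC construction, the per-device secret, the per-transaction challenge and the field encoding are assumptions chosen for illustration. It shows that an authentication code computed for one amount and payee fails verification as soon as either is changed, that formatting differences in the same amount or IBAN do not break it, and that a code cannot be replayed against a second transaction.

```python
"""Dynamic linking for remote payments (illustrative, not regulator or PSP code).

The authentication code the payer approves is a MAC over the exact amount,
currency and payee plus a fresh per-transaction challenge, so the code is
only valid for that one transaction. Key handling and encoding are assumed.
"""
import hashlib
import hmac
import secrets
from decimal import ROUND_HALF_UP, Decimal


def canonical_payload(amount: str, currency: str, payee_id: str, challenge: str) -> bytes:
    """Encode the transaction fields so issuer and device MAC the same bytes."""
    # Normalise the amount to two decimals: "120.0" and "120.00" are the same
    # payment, while "120.00" and "1200.00" must never share an encoding.
    amt = Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    fields = [str(amt), currency.upper(), payee_id.replace(" ", "").upper(), challenge]
    # Length-prefix every field so boundaries are unambiguous regardless of content.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def new_challenge() -> str:
    """Per-transaction nonce issued by the PSP; defeats replay of an older code."""
    return secrets.token_hex(16)


def authentication_code(key: bytes, amount: str, currency: str, payee_id: str, challenge: str) -> str:
    """Code the payer's device shows (or sends) for this exact amount and payee."""
    mac = hmac.new(key, canonical_payload(amount, currency, payee_id, challenge), hashlib.sha256).digest()
    return mac[:8].hex()  # truncated, as a displayed one-time code would be


def verify_authentication_code(key: bytes, amount: str, currency: str, payee_id: str,
                               challenge: str, code: str) -> bool:
    """Issuer-side check: recompute over the transaction actually being executed."""
    expected = authentication_code(key, amount, currency, payee_id, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: one genuine approval, then several attempts to reuse it."""
    key = secrets.token_bytes(32)  # assumed per-device secret provisioned at enrolment
    challenge = new_challenge()
    payee = "DE89 3704 0044 0532 0130 00"  # constructed example IBAN
    code = authentication_code(key, "120.00", "EUR", payee, challenge)
    return {
        "genuine": verify_authentication_code(key, "120.00", "EUR", payee, challenge, code),
        # Same formatting differences, same transaction: still valid.
        "formatting_normalised": verify_authentication_code(
            key, "120.0", "eur", payee.replace(" ", ""), challenge, code),
        # Amount altered after the payer authenticated: rejected.
        "amount_tampered": verify_authentication_code(key, "1200.00", "EUR", payee, challenge, code),
        # Payee swapped for an attacker-controlled account: rejected.
        "payee_swapped": verify_authentication_code(
            key, "120.00", "EUR", "FR76 3000 6000 0112 3456 7890 189", challenge, code),
        # Identical amount and payee but a second transaction (new challenge): rejected.
        "replayed": verify_authentication_code(key, "120.00", "EUR", payee, new_challenge(), code),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome:>22}: {'accepted' if accepted else 'rejected'}")
```

The practical check for a PSP reviewing its own implementation is the last three cases: if a code obtained for one amount, one payee or one transaction verifies for another, the amount and payee are not actually bound to what the payer authenticated, whatever the user interface displays.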
Commercial agents
The Commission is aware that the current exclusion contained in the PSD2 of payment transactions from the payer to the payee through a commercial agent acting on behalf of the payer or the payee has been applied very differently across EU Member States. The concept of commercial agents is typically defined in national civil law, which might diverge from EU Member State to EU Member State, leading to inconsistent treatment of the same services in different jurisdictions.
The PSR seeks to harmonise this exclusion and makes clear that the exclusion applies “irrespective of whether or not the commercial agent is in possession of the client’s funds where the agreement under which the commercial agent is appointed gives the payer or payee a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods and services”. The EBA is to develop guidelines on the exclusion. Such guidelines may include a repository of use cases typically covered by the commercial agent exclusion.
Limited network exclusion
The PSR also seeks to clarify the limited network exclusion noting that at present the exclusion has been applied differently across EU Member States despite the EBA issuing guidelines in February 2022. Among other things the recitals to the PSR note that to assess whether a limited network should be excluded from scope, the geographical location of the points of acceptance of such network as well as the number of the points of acceptance should be considered.
PSP liability
In relation to the PSP’s liability for unauthorised payment transactions, the PSR adds a clarification that only reasonable grounds for suspecting fraud by the payer can lead to a refusal to refund by the PSP. In such a case, the PSP must provide a justification for refusing the refund and indicate the bodies to which the payer may refer the matter.
The PSP of the payer will be liable for the full amount of a credit transfer in instances where the PSP has failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer. A PSP will also be liable where a consumer has been manipulated into authorising a payment transaction by a third party pretending, by lies or deception, to be an employee of the consumer’s PSP (impersonation fraud). The PSR introduces an obligation for electronic communications services providers to cooperate with PSPs with a view to preventing such fraud.
Where liability is attributable to the PSP of the payee, the latter is to refund the financial damage incurred by the PSP of the payer. The PSR updates provisions on notification and rectification of unauthorised or incorrectly executed payment transactions, information requirements and right of recourse in order to reflect the new liability provision for incorrect application of the matching verification service.
FIDAR
FIDAR builds on the current provisions of the PSD2 on the sharing of payment account data between account servicing payment service providers (ASPSPs, often banks) and account information service providers (AISPs). It applies to financial information service providers (FISPs) as well as to regulated firms providing in-scope financial services and products, whether they act as data holders or as data users.
A key point to note is the difference in scope between FIDAR and PSD3. While PSD3 specifically targets payment services, FIDAR focuses on the broader financial data across various institutions. It aims to create rights and obligations regarding the sharing of customer data beyond payment services to, for example, mortgages, loans and accounts (other than payment accounts in scope of the PSR), savings products, financial instrument investments, crypto-assets and data forming part of a creditworthiness assessment. FIDAR’s main features include the introduction of stipulations for specialised data access interfaces and the elimination of the need for banks to support dual access interfaces.
Open finance
The FIDAR therefore focuses on open finance, responsible access to individual and business customer data across financial services. Importantly, there is a general obligation for data holders to make customer data available to data users at the customer’s request. Data holders are to provide customers with dedicated permission dashboards as part of their customer interfaces so that customers can keep track of the permissions they have granted. Firms wanting to access customer data will either have to be a regulated financial firm or be authorised as a FISP, a new status created by FIDAR that requires compliance with specific obligations. FISPs will also be subject to the Digital Operational Resilience Act and the General Data Protection Regulation when personal data is processed.
In terms of the type of data covered, this includes data transmitted by the customers themselves (transmitted data) and transaction data arising from customers' interactions with their financial service providers (transaction data). The data involves both personal data that relates to identified or identifiable individuals and non-personal data that relates to business entities or financial product (contract) features.
As for specific types of customer data, this includes loans, savings, investments, occupational and personal pensions, and non-life insurance. Input data collected for the purposes of carrying out an assessment of suitability and appropriateness as defined in Article 25(2) and Article 25(3) of MiFID II and input data collected for the purposes of a creditworthiness assessment of firms are also covered.
Life, sickness and health insurance data is excluded to guard against any unintended consequences and risks with respect to the processing of such sensitive data. Creditworthiness data of natural persons is also excluded. The EBA and European Insurance and Occupational Pensions Authority are empowered to issue guidelines on the use of customer data originating from other sources for the purposes of the creditworthiness evaluation of natural persons as well as risk assessment and pricing of life, sickness and health insurance.
EU/UK divergence
A key question is whether or not the United Kingdom (UK) will adopt similar changes to its payment services legislation as that being adopted by the EU. Currently there is a certain degree of alignment between the UK and EU regimes given the UK’s transposition of the PSD2 whilst it was a member of the EU and as UK PSPs (among other things) continue to participate in the Single Euro Payments Area (SEPA) especially as regards execution requirements.
In January 2023, HM Treasury issued a Payment Services Regulations Review, which met the UK Government’s statutory requirement to review the Payment Services Regulations 2017 (the 2017 Regulations). The review noted that the regulatory framework for payments was potentially not working as well as it could, and the UK Government therefore also launched a call for evidence on how UK payments regulation should evolve. As part of the call for evidence the UK Government also sought evidence on the Electronic Money Regulations 2011, cross-border payments regulation and other areas of payments law covering specific issues not intricately connected with the 2017 Regulations, including the Interchange Fee Regulation and participation in the SEPA. The call for evidence closed on 7 April 2023.
Whether there will be divergence remains to be seen although this will become clearer once the UK Government publishes its response to the call for evidence.
How to prepare
When it comes to the PSD3, PSR and FIDAR, there is a lot for firms to consider, and given this they might wish to start planning early and scope out the changes they need to make to accommodate the new provisions: for example, what operational and technical changes will need to be implemented to deal with the provisions on SCA, and what updates will need to be made to customer agreements. A useful starting point in this respect would be a gap analysis which assesses at a high level the PSD2 against PSD3, PSR and FIDAR. Firms operating solely in the EU will also need to track the draft legislation as it works through the EU legislative process. Firms also operating in the UK will need to track any changes being made to UK requirements and be alive to any divergence.