Introducing the new payment service package
On June 28, 2023, the European Commission proposed a new payment service package. It included the upgraded payment service directive (PSD3), the payment service regulation (PSR), and FIDA, a framework for accessing financial data. The primary focus of the new payment service package is enhancing consumer protection, ensuring a level playing field for all payment service providers, and fostering a culture of both innovation and security on the market. In other words, the directive will significantly impact several different banking and payment areas.

Payment Service Directive 3 (PSD3)
PSD3 is the European Union’s latest directive regarding payment services. It is set to harmonize the EU payment market further and follow in the footsteps of the previous directives PSD and PSD2.
- Includes goals set by the EU that member states decide how to implement.
- Continues developing parts of PSD2 and merging them with the E-Money Directive while clarifying competent authorities’ supervisory mandates.
Payment Service Regulation (PSR)
PSR introduces new, directly applicable requirements and moves specific content from previous directives into binding legislation. It primarily focuses on improving consumer rights, increasing fraud protection, and enhancing technical standards.
- Binding legislation directly applicable in all member states.
- Takes certain goals from PSD2 and transforms them into directly applicable law.
Financial Data Access Regulation (FIDA)
FIDA aims to strengthen consumer control over financial data by establishing common principles for data sharing among financial institutions and third-party providers.
- Expands the open banking principles to include more types of financial data (open finance).
- Applies to financial institutions such as traditional banks, crypto platforms, FinTech, insurance/investment companies, and PSPs.
The goals of the new payment service package are to:
- Strengthen user protection and confidence in payments
- Improve the competitiveness of open banking services
- Improve enforcement and implementation in Member States
- Improve (direct or indirect) access to payment systems and bank accounts for nonbank PSPs
Why is it being launched now?
PSD2 was a game changer, but certain areas and provisions would benefit from amendment and clarification since digitization is moving faster than ever. Criminals find new ways to commit fraud, the directive varies in its implementation across member states, and Open Banking remains imperfect since not all APIs have the same quality or response times. PSD3 and PSR aim to address all the gaps identified in PSD2’s implementation.

Open Banking becomes Open Finance
FIDA (Financial Data Access) is a framework that intends to give consumers control over all their financial data. It promotes data availability and enables secure sharing with third-party services, such as fintech and insurtech companies, to improve financial products and foster innovation. FIDA aims to provide control and financial insights for the consumer. While PSD2 only applies to payment accounts, FIDA will apply to most financial institutions and cover a much wider range of financial data.

FIDA requires a self-regulating scheme
Institutions adhering to FIDA must enter a self-regulating scheme within 18 months of enforcement. The European Commission leaves it to the market to design and set up schemes to enforce standardization and cohesion between participants. If an institution is not part of a scheme 18 months after the launch of FIDA, competent authorities will assign the institution to an existing scheme it will be required to follow.
- Schemes can be grouped by region, industry, etc.
- Institutions must enter a scheme within 18 months of enforcement.
- FIDA allows for compensation for data sharing to be set up within schemes.
Strong(er) customer authentication and fraud prevention
SCA, introduced by PSD2, requires users to provide at least two out of three forms of authentication when completing electronic payments or accessing bank accounts. This multi-factor authentication approach makes it harder for fraudsters to gain unauthorized access. Even if one security layer is compromised, there is a significantly reduced risk of fraud. With PSD3, using two of the same categories, like token and SMS one-time passwords or even two passwords, is possible.
The three factors of authentication:
- Something they know (e.g., a password or PIN)
- Something they own (e.g., a phone or token)
- Something they are (e.g., fingerprint or facial recognition)
Affecting all stakeholders
PSD3 and PSR include multiple updates to Strong Customer Authentication (SCA), impacting technical solutions and third-party contracts.
- PSPs must enter an outsourcing agreement with their technical service provider if the latter supplies and verifies the elements of SCA.
- SCA must be accessible to vulnerable consumers such as older people, people with disabilities, and non-digitally savvy users.
Name check becomes PSP’s responsibility
Confirmation of Payee will be extended to all credit transfers within the EU denominated in euros, requiring the PSP to verify that the account name matches the IBAN linked to that name.

Sharing more data with issuers
Merchants must share more data with issuers, allowing them to monitor environmental and behavioral characteristics such as user location, devices used, transaction history, and session data. As a result, issuers can better determine which transactions to approve and decline.
Personal data can be used for fraud prevention
Under the General Data Protection Regulation (GDPR), payment schemes and PSPs can also process personal data for fraud prevention without explicit user consent. This only applies if they use the data to prevent fraud.
Increased consumer protection and control
The payment service package aims to give consumers more control over their financial information. This is partially done by introducing dashboards that can be visualized on a banking app’s interface. It will increase transparency and make it easier for consumers to manage their data and handle permissions with third-party providers such as PSPs. Also, PSPs must take on an even greater responsibility for data security, authentication, and education of staff and consumers regarding fraud prevention.
Taking action against spoofing and APP fraud
Spoofing and Authorised Push Payment (APP) fraud have been identified as areas where PSD2 has not been sufficient in consumer protection. PSR introduces a new liability shift in terms of fraud. Schemes, technical service providers, and payment gateways will be liable for fraud if they fail to apply SCA. This protects payers from technical malfunctions and encourages providers to maintain a high quality of service.
- Consumers get increased reimbursement rights for spoofing
- PSPs need to have insurance against fraudulent use
Leveling the playing field for banks and third parties
PSD3 and PSR level the playing field for banks and third parties by strengthening Open Banking, ensuring that both banks and third parties can access consumer data. Banks must provide reliable APIs and continuity measures during downtime, preventing disruptions that could disadvantage third-party providers (AISPs and PISPs).
- PSD3 makes banks justify refusals or closures of PSP accounts, with the option for PSPs to appeal.
- PSR removes barriers like extra SCA checks and limited transfers to improve open banking.
- PSR lets third parties use data providers’ own interfaces after 5 failed access attempts during downtime.
Improving technical quality and standards for API interfaces
PSR improves API technical standards and integrations by mandating that Open Banking APIs perform at the same level as the interfaces used for direct customer access. This is an important step in ensuring that third parties receive the same speed and reliability as bank customers. The interfaces are also required to have statistics published and tech support available.
No more fall-back interfaces
Account Servicing Payment Service Providers (ASPSPs) with APIs no longer need fallback interfaces, as internal systems now serve as backups.
Security and operational risks align with DORA
PSD3 and PSR require a framework for managing risks in line with DORA. Payment Service Providers must ensure digital resilience and annual reporting on risks and incidents.
Opening up payment infrastructure for non-banks
Under PSD2, non-bank PSPs have faced obstacles in gaining direct access to certain payment systems, resulting in uneven market conditions. PSD3 opens direct access to payment infrastructure for non-banks, with the real implications yet to be decided. It amends the Settlement Finality Directive (SFD) to allow non-bank PSPs to participate directly in the SFD-designated payment systems. In other words, non-bank PSPs do not need to rely on banks to execute payment transactions through such systems.
Positive reviews from Swedish authorities and associations
The Swedish central bank and the Swedish Fintech Association are positive about the new legislation. Riksbanken is currently investigating the prerequisites for opening up the central payment system RIX to other actors, and the SFA adds that Swish should be part of PSR. Hence, initiating these types of payments through third-party providers is possible. Owners of private payment infrastructure, such as Bankgirot, are also considering giving more actors access to their infrastructure.
Estimated timeline and the next step moving forward
The payment service package changes are coming fast, and they will have an 18-24 month implementation time, no matter when the EU determines the final timeline. Member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2026. Still, there is reason to think there might be a prolonged transition period, meaning a 24-month time frame.
In conclusion, there is still a lot of uncertainty regarding the implementation of PSD3, PSR, and FIDA, but the changes will hit fast and on a large scale when they come.

Analyzing readiness and forming an action plan
When looking closer at the current conditions in the payment market, readiness will vary depending on the actor’s size and resources. Several initiatives are taking place simultaneously within the payments landscape, and the impacted players have massive amounts of work ahead of them. On one hand, larger actors are faced with great complexity adapting to the changes within their organizations and across business areas. On the other hand, smaller actors might lack the resources to take efficient action early on, as these changes are affecting the whole market and not only the biggest actors.
Where in the process are you?
Conclusion – Cooperation is critical to moving forward
Various types of support are available to assist with analyzing and adapting to the payment service package, from creating internal understanding to gap analysis and setting strategic directions. At 421, we help clients navigate complex change journeys, from analysis of the current state through implementation and all the way to compliance. Reach out to us if you want to discuss how we can help you navigate the coming payment service package.