On June 28, 2023, the European Commission published a set of new legislative proposals aimed at ushering in the digital era for payments and the broader financial sector, with a particular focus on consumers. One of these proposals is an updated directive on payment services and electronic money services (“PSD3”). Furthermore, the Commission published a proposal for a Payment Services Regulation (“PSR”) and a proposal for a Regulation on a framework for financial data access (“FDA”).
PSD3 and the PSR
The proposal for PSD3 and PSR fulfils an important obligation outlined in the Commission's 2020 Retail Payments Strategy. It aims to ensure that the regulations governing the European Union's retail payments sector remain relevant and responsive to market advancements. Additionally, the proposals encourage the growth and adoption of instant payments within the EU. The review of PSD2 identified several deficiencies in the current regulations applicable to the payments sector. These proposals seek to address these deficiencies by focusing on strengthening user rights and protection against fraud, enhancing the competitiveness of Open Banking services, improving enforcement and implementation in Member States, and facilitating access to payment systems and bank accounts for non-bank Payment Service Providers (“PSPs”).
The most important changes to the current regulatory framework are:
- The difference between e-money institutions (EMIs) and payment institutions (PIs) will disappear;
- Under the proposals, there will only be payment institutions, which can be granted authorization to offer e-money services as well.
- Under the new regime introduced by PSD3, authorizations already granted to PI and EMIs will remain valid for an additional 24 months, as from the entry into force of PSD3. However, these PIs and EMIs will have to submit a new application to their national competent authority (NCA) at the latest 18 months after the entry into force of PSD3, leaving the NCA the time to assess compliance. It will be pivotal for authorized PIs and EMIs to identify and assess the impacts of PSD3 on their application, to be able to keep their authorization.
- To combat and mitigate fraud risks:
- PSPs will be allowed to exchange fraud-related information between themselves;
- customer authentication rules will be strengthened;
- consumers who fall victim to fraud will have extended refund rights;
- a system for checking the alignment of payees' IBANs with their account names will be mandatory for all credit transfers;
- Improve consumer rights, in cases for example where their funds are temporarily blocked, improve transparency on their account statements and provide more transparent information on ATM charges.
- To improve open banking in the EU:
- non-bank PSPs will receive access to all EU payment systems, with appropriate safeguards, and securing those providers' rights to a bank account;
- certain obstacles to data access will be prohibited;
- Retailers will, under circumstances, be allowed to provide cash services to customers without requiring a purchase.
- The so-called commercial agent exemption shall be further narrowed, making it more difficult for parties (including marketplaces) to rely on this exemption from the licence requirement under PSD3.
Furthermore, by enacting most payment rules in the PSR, a directly applicable regulation, and reinforcing provisions on implementation and penalties the Commission hopes to strengthen the harmonisation and enforcement of payments regulations across the EU, creating a level playing field.
Framework for Financial Data Access
The proposed Regulation on a framework for Financial Data Access aligns with the objective stated in the 2020 Digital Finance Strategy to establish a European financial data space. This initiative within the financial sector is part of the comprehensive European data strategy and is built upon the fundamental principles for data access and processing outlined in related initiatives like the Data Governance Act, the Digital Markets Act, and the Data Act proposal. Together, these efforts aim to create a cohesive framework for managing and utilizing data in Europe.
This proposal aims to establish well-defined rights and responsibilities for managing customer data-sharing in the financial sector beyond payment accounts. The key provisions include:
- Customers will have the option to securely share their data with data users such as financial institutions or fintech firms. This sharing will be facilitated through secure machine-readable formats, enabling customers to access new, more affordable, and improved data-driven financial products and services.
- Financial institutions and other data holders will be required to make customer data available to data users. They must establish the necessary technical infrastructure and obtain customer permission to facilitate this data-sharing process.
- Customers will have complete control over who can access their data and for what purpose.
- The proposal emphasizes the standardization of customer data and the technical interfaces required for financial data-sharing schemes. Both data holders and data users will be mandated to participate as members of these schemes.
- Clear liability frameworks for data breaches and mechanisms for resolving disputes will be established within financial data-sharing schemes.
- Data holders will be encouraged to develop high-quality interfaces for data users. Reasonable compensation from data users, in accordance with the general principles of business-to-business data-sharing laid down in the Data Act proposal, will serve as an additional incentive. Smaller firms will only be required to pay compensation at cost, ensuring a fair approach for all stakeholders involved.
The publication of these proposals marks the initial stage in their journey toward implementation. Firstly, the proposals will undergo a thorough review process by both the European Parliament and European Council. While the specific timelines for their implementation are yet to be determined, it is anticipated that the final versions could be made available by the end of 2024, following the standard legislative procedure. As is customary, Member States are typically granted a 24-month implementation period, which would mean that PSD3 and the PSR would enter into force in the course of 2026.
As the PSD3 and PSR proposals indicate the direction the supervision of the payment sector is going in, we advise PSPs to take a look at the proposals. If you have any questions about the PSD3 and PSR, our team is available to provide further guidance.
Furthermore, PSD3 and the PSR proposals include provisions that delegate authority to the Commission and the European Banking Authority for the adoption of regulatory technical standards. Draft delegated acts will be published for public consultation at an appropriate time in the future.