PSD3, the anticipated upgrade to PSD2, emerged in late 2018, marking a regulatory stride five years after PSD2's introduction. The renewed Payment Services Directive aims to encompass a broader scope than its predecessor, reflecting the ever-evolving landscape
of electronic payments and the entrance of new providers offering open banking services.
Now, what does PSD3 aim to achieve, and when can we expect its implementation? Let's dive into these unanswered questions.
About PSD2
Before we talk about PSD3, let's understand that PSD stands for Second Payment Services Directive, a set of rules made by the European Union (EU) about how payments work.
PSD2 (Second Payment Services Directive) represents an update of the initial regulation governing payment services in the EU. Although initially published in 2015, it wasn't formally approved until 2018, introducing significant changes to
the EU's payment services regulatory framework.
- Open Banking and Third-Party Access: A pivotal shift mandates banks to grant third-party providers (TPPs) access to customer account information (AISPs) and the ability to initiate payments (PISPs) with customer consent.
- Strong Customer Authentication (SCA): PSD2 enforces SCA for electronic payments, enhancing transaction security through two or more identity verification factors.
- New Categories of Payment Service Providers: Introduction of AISPs and PISPs, playing crucial roles in accessing account information and initiating payments.
Beyond these, PSD2 encompasses liability and security requirements, consolidation of payment services, and transparency in payment transactions. The implementation of PSD2 posed challenges for financial institutions, technology providers, and regulators
in adapting to new technical standards and ensuring a seamless transition.
What Changes Will PSD3 Bring?
In essence, PSD3 proposes minimal changes, covering most aspects of PSD2, including transparency, liability, and open banking. However, PSD3 intensifies Strong Customer Authentication (SCA) regulations and imposes stricter rules on accessing payment systems
and account information compared to its predecessor.
New rules around data sharing, fraud prevention, authentication, transactions, and accessibility are on the horizon:
- Data Sharing: Businesses will share more data with issuers, monitoring environmental and behavioral characteristics to enhance security.
- Fraud Prevention: PSD3 suggests a liability shift in fraud cases, holding schemes, technical service providers, and payment gateways accountable if they fail to apply SCA.
- Authentication: PSD3 allows for using two of the same categories for SCA factors, offering more flexibility.
Furthermore, PSD3 introduces transformative concepts, such as Open Banking evolving into Open Finance, expanding the types of data customers can share, and enabling a broader range of financial services.
New Requirements in SCA and MFA:
AISPs and PSPs will be obligated to implement their SCA systems, acting as delegated SCA for financial institutions. PSD3 introduces proprietary requirements for card, gateway, and eCommerce schemes.
Dates and Approval Process for PSD3:
While an official implementation timeline is pending, expectations point to a final proposal in late 2024, with likely implementation deadlines around 2026.
Conclusion
While an official implementation timeline for PSD3 awaits confirmation, the expected final proposal in late 2024 and likely implementation deadlines around 2026 set the stage for the financial industry's next chapter.
In conclusion, PSD3 emerges as a continuation of the EU's commitment to fostering innovation, ensuring security, and embracing the ever-evolving landscape of financial services. As financial institutions and stakeholders gear up for the impending changes,
the promise of a more secure, transparent, and competitive financial ecosystem beckons on the horizon.