How to comply with PSD3



Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

In June 2023, the European Commission (EC) announced plans to update its Payment Services Directive, which was originally designed to drive integration across the payments market, level the playing field for payment service providers (PSPs) and enhance security across the value chain. The latest proposed changes will swap the existing second Payment Services Directive (PSD2) for two new pieces of legislation: the Payment Services Regulation (PSR1) and the third Payment Services Directive (PSD3).

According to EY, “PSD3 is primarily focused on the rules pertaining to the licensing and supervision of payment institutions, while PSR introduces new provisions alongside the existing mandates of the PSD2.” The timelines for each are not set in stone yet, though PSR1 and PSD3 are expected to come into effect by 2026, with compliance deadlines stretching into 2027/28.

Since PSD3 is a directive and not a regulation, European Union (EU) member states must transpose its rules into national law, whereas PSR1, as a regulation, will apply directly in every member state without transposition. This article explores how financial institutions should prepare to comply with the directive and the regulation that accompanies it.

Open banking

Open banking continues to be a prevailing theme: under the proposals, non-bank PSPs, including e-money institutions, are to be granted access to EU payment systems and to bank accounts. Fortunately, the majority of firms in Europe will not be starting from scratch, having gained valuable insights from the implementation of PSD2, which began in 2016.

The proposals encourage banks to provide dedicated application programming interfaces (APIs) for data access, and aim to remove the PSD2 requirement to maintain a second, fallback interface alongside them, while still ensuring uninterrupted service for third-party providers.

Banks should also enhance customer experience via the provision of dashboards – enabling users to see which service providers they have previously granted access to – as well as by broadening access to financial data beyond payment account information.

At the same time, the rules around sharing customer data will be tighter, in the interest of more secure online payments. For incumbent banks in particular, PSR1 brings stricter technical standards and tougher penalties for non-compliance. Because it is a regulation, it will also bring more harmonisation across EU countries, in the same way that the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA) and the Markets in Crypto-Assets Regulation (MiCA) do; all three are connected to the EC's new proposals.

Cybersecurity

Cybersecurity – spanning identity, fraud management and privacy – remains high on the agenda too, with the draft changes demanding close attention from all market players. A notable change will be the deepening of security requirements to encompass payment card schemes, payment gateways, and merchants. From the go-live date, for instance, a greater number of entities will be mandated to implement Strong Customer Authentication (SCA) measures, while payment providers will have to hold insurance against their liability for any fraudulent use of payment services.

Other practices for institutions to adopt include robust identity verification systems, such as IBAN/name cross-checks that compare the payee name supplied by the payer with the name held for that account, as well as the sharing of fraud-related data among PSPs and the annual reporting of fraud statistics to competent authorities, who pass it on in aggregate form to the European Banking Authority (EBA) and the European Central Bank (ECB). It is the EBA, not the ECB, that is mandated to develop the regulatory technical standards for these data-sharing arrangements. Critically, a Data Protection Impact Assessment (DPIA) should be run before any transaction monitoring data is shared.
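An IBAN cross-check is, in practice, a two-part control: a structural check that the account number is well formed (ISO 13616 format plus ISO 7064 mod 97-10 check digits), followed by a comparison of the payee name the payer typed against the name held for that account. The Python below is an added example written for this article, not code from Finextra, EY or any regulator's technical standard. The country-length table is a small subset of the ISO registry, the account directory and payee names are constructed sample data, and the 0.85 similarity threshold for a "close match" is a hypothetical setting rather than a figure from the proposals.

```python
import re
import string
from difflib import SequenceMatcher

# Assumption: a small subset of ISO 13616 national IBAN lengths; a production
# validator would carry the full registry.
IBAN_LENGTHS = {"DE": 22, "ES": 24, "FR": 27, "GB": 22, "IT": 27, "NL": 18}

# Constructed sample directory mapping IBAN -> account holder name, standing in
# for the lookup a payee's PSP would answer in a verification-of-payee exchange.
SAMPLE_DIRECTORY = {
    "GB82WEST12345698765432": "J Smith Ltd",
    "DE89370400440532013000": "Mustermann GmbH",
}


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, as IBANs are often pasted with spaces."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 structure check plus ISO 7064 mod 97-10 check digits."""
    s = normalise_iban(iban)
    # Two-letter country code, two check digits, then 11-30 alphanumerics.
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False
    # Move the country code and check digits to the end, then map letters to
    # their two-digit values (A=10 ... Z=35); int(c, 36) gives exactly that.
    rearranged = s[4:] + s[:4]
    digit_string = "".join(str(int(c, 36)) for c in rearranged)
    # Streaming remainder: avoids building a 30+ digit integer, which matters
    # on platforms without arbitrary-precision arithmetic.
    remainder = 0
    for d in digit_string:
        remainder = (remainder * 10 + int(d)) % 97
    return remainder == 1


def normalise_name(name: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace before comparing."""
    folded = name.casefold().translate(str.maketrans("", "", string.punctuation))
    return " ".join(folded.split())


def payee_name_match(provided: str, on_record: str, close_threshold: float = 0.85) -> str:
    """Return 'match', 'close_match' or 'no_match'. The 0.85 threshold is a
    hypothetical setting, not a figure from the directive or regulation."""
    a, b = normalise_name(provided), normalise_name(on_record)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= close_threshold:
        return "close_match"
    return "no_match"


def verify_payee(iban: str, provided_name: str, directory: dict = SAMPLE_DIRECTORY) -> dict:
    """Pre-payment check: reject malformed IBANs before any name lookup, then
    report how the supplied payee name compares with the one on record."""
    if not iban_is_valid(iban):
        return {"iban_valid": False, "name_check": "not_checked"}
    holder = directory.get(normalise_iban(iban))
    if holder is None:
        return {"iban_valid": True, "name_check": "unknown_account"}
    return {"iban_valid": True, "name_check": payee_name_match(provided_name, holder)}


if __name__ == "__main__":
    # Constructed inputs: the IBANs are the well-known ISO 13616 illustration values.
    for iban, name in [
        ("GB82 WEST 1234 5698 7654 32", "J. Smith Ltd"),    # exact after normalisation
        ("DE89 3704 0044 0532 0130 00", "Musterman GmbH"),  # one-letter typo in payee name
        ("GB82 WEST 1234 5698 7654 33", "J Smith Ltd"),     # check digits fail, name never looked up
        ("NL91 ABNA 0417 1643 00", "Acme Corp"),            # valid IBAN, not in the directory
    ]:
        print(iban, "->", verify_payee(iban, name))
```

The ordering matters for data minimisation: the name on record is only fetched once the IBAN has passed its structural check, so a malformed or mistyped account number never triggers a lookup against another PSP's customer data. A "close_match" result is the case the proposals care about most, since a one-letter discrepancy is exactly what a payer should be warned about before the payment is executed.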

With the ever-growing stock of technologies at cybercriminals' disposal, fraud prevention, particularly against social engineering, is also a hot topic. In the summer of 2023, EBA CLEARING (the payment infrastructure provider, not the European Banking Authority) piloted its Fraud Pattern and Anomaly Detection (FPAD) programme, giving STEP2-T and RT1 participants access to a range of real-time fraud prevention and detection tools. The programme is set to continue under PSD3 and to support the incoming fraud prevention rules. Under PSR1, institutions are encouraged to mitigate fraud risk with similar transaction monitoring tools and to catch suspicious activity before payments are executed. Privacy considerations apply throughout.

On privacy, PSR1 and PSD3 work closely alongside the tenets of GDPR, enabling PSPs to “process special categories of personal data as defined in Article 9 of the GDPR, given that appropriate safeguards for the fundamental rights and freedoms of natural persons are in place,” underlines EY. “Furthermore, PSR1 advises that data minimisation…prevails in the context of screen scraping techniques.” Another example of data minimisation is the deletion of transaction monitoring information once a customer relationship is closed.

Operational resilience

The new proposals from the EC are also in harmony with the requirements of DORA, which asks that institutions build operational resilience into their infrastructures. More specifically, PSR1 and PSD3 mandate the “establishment of a framework with mitigation and control mechanisms to manage security and operational risks,” notes EY.

“The competent authority must receive, at least on an annual basis, an assessment of the operational and security risks related to the provided payment services. PSR makes a specific reference to incident management procedures that must be established as part of the framework.”

Fortunately, the DORA application date of 17 January 2025 falls ahead of PSD3, which means that organisations should already be some way towards operational resilience by the time the new payments rules apply.

Training and disclosure

Other measures banks can take to comply with PSR1 and PSD3 include relevant training for the leadership team. Under the new proposals, a firm's competent authority can assess whether its senior management has the requisite knowledge to lead the business to compliance. On-the-ground teams should be versed in payment fraud risks and trends, too.

Transparent disclosures are also crucial. This is primarily relevant to the lending and borrowing markets, where the terms of financial products must be clear enough for consumers to make informed decisions. Consumer rights can be further strengthened by enhancing transparency around account statements, addressing blocked funds (for example, card pre-authorisations held for longer than necessary) and providing straightforward guidance on automated teller machine (ATM) charges.

In practice, UK-regulated banks should already have made positive steps to such ends, particularly with vulnerable groups in mind, given the overlap with the FCA's Consumer Duty, which went live in July 2023.

The shared benefits of PSD3

In tandem, PSR1 and PSD3 promise to further open banking services, streamline authentication, improve access to payments systems and accounts, upscale fraud prevention, and build a clearer framework for e-money.

Financial institutions must begin their compliance journeys now, by opening internal conversations, assessing readiness, identifying the key areas for improvement, and designing a goal-oriented roadmap.

If firms can comply effectively, and on time, the entire ecosystem and value chain stands to benefit.


/regulation Long Reads

Hamish Monk, Senior Reporter at Finextra
