This article was co-authored by Annabelle Rau, associate at McDermott, Will & Emery.
In November 2015 the Payment Services Directive II (PSD2) on payment services in the internal market came into force; most of its rules have been applicable under the corresponding Member State laws since January 2018. PSD2 led to much turmoil among payment service
providers. Many regulations were considered too extensive, too complex or unclear in their interpretation. There are also major differences in the respective implementation in the individual member states, which is a thorn in the side of the EU supervisory
authorities.
The proposal for a revised payment services directive (PSD3) is now on the table. It provides not only an amended payment service directive, but also the proposal for a regulation on payment services in the internal market, which would be directly applicable
in the member states (PSR), as well as the proposal for a Framework for Financial Data Access Regulation (FIDA).
In a first step, the regulation is already being changed quite significantly in terms of its effectiveness, rather than individual areas being shifted completely to a regulation that is applied directly and thus no longer leaves the member states any leeway
for their own different implementation models. This is in line with the current approach to new financial supervisory regulations at EU level, which is striving for full harmonisation. In recent years, individual countries have developed into a 'paradise' for
payment service providers in the payment services and e-money sector, creating corresponding forum shopping by fintechs. The EU would like to prevent this with full harmonisation and to raise financial supervision within the EU even more to an equivalent level.
What does that mean for the payment services sector? What should we expect from the amended regulation for payment service providers? In this article, we examine the most relevant and important amendments under the current draft for the new provisions and
provide an outlook on what to expect in the payment services sector in 2024.
New regulations and amendments in PSD3 and implementation of PSR and FIDA
While the requirements for the licensing of payment institutions should continue to be included in the PSD3 as a directive and thus be implemented by the Member States, all other requirements for the provision of payment services shall be shifted and be
regulated in future in the PSR and thus in a regulation that applies uniformly throughout the EU. Accordingly, the individual member state regulations currently in force will no longer apply and only the corresponding regulation in the new PSR will apply.
This will make it easier for payment service providers to find their way around the (currently slightly different) EU regulations, which will be a great benefit for the free movement of services.
The following areas will be transferred to the PSR:
- Regulations on strong customer authentication (formerly, among others, Art. 97 ff. PSD2);
- Rules on data protection related to the processing of personal data (formerly Art. 94 PSD2);
- Liability provisions and the fraud scheme (formerly Art. 73 ff. PSD2);
- The prohibition on charging for the use of certain payment instruments (formerly Art. 62 PSD2).
Strengthening anti-fraud measures: The new IBAN/name verification service and improvements of strong customer authentication
The upcoming regulatory adjustments under the PSD3 framework will significantly expand the compliance landscape for payment service providers. A notable task will be the obligation for providers to ensure a congruence between the IBAN and the account holder's
name for all Euro transfers. Prior to initiating the payment process, any discrepancies must be communicated to the payer, enhancing the transparency and accuracy of transactions.
Moreover, the regulatory gaze is sharpening on transaction monitoring, setting a higher bar for oversight. This goes hand in hand with the planned changes to the strong customer authentication (SCA) rules, which aim to delineate the areas of application
more clearly. In order to simplify the handling of payment account information services, SCA should only be required the first time data is accessed, and thereafter only on an ad hoc basis in the event of suspected fraud. Furthermore, payment service providers
must not make SCA exclusively dependent on the possession of a smartphone, but must provide suitable alternatives for people with disabilities, older people, and people without smartphones, for example.
Winding-up plan, merging e-money and payment institutions, and prudential requirements: The impact of PSD3 on the licensing process
The PSD3 proposals introduce several substantial changes in the authorisation procedure for payment and e-money institutions. While the main structure of the authorisation application remains largely unchanged, detailed risk assessments including fraud and
illegal usage of sensitive and personal data are now required, along with measures for sharing fraud-related data.
Another significant innovation is the requirement for institutions to provide a winding-up plan in case of failure, tailored to the envisaged size and business model of the applicant. Such a plan outlines how operations would be wound down to minimise adverse
impacts on consumers and the financial system. By necessitating a tailored winding-up plan, PSD3 aims to enhance institutional preparedness and contribute to a more resilient financial sector.
The practice of forum shopping is targeted for prevention under the PSD3 regulations. To curb this, payment institutions are required to have the registered office of their head office in the country of their first registration. Additionally, they are mandated
to conduct a part (but not the majority) of their payment services business in the country of their first registration.
A crucial aspect is the consolidation of e-money institutions and payment institutions into a single entity category to streamline the regulatory framework. Authorisations already granted for the provision of payment services or e-money business will not
automatically lapse when the new regulations come into force. However, financial service providers that have already been authorised will have to prove to the supervisory authorities that they have met the amended authorisation requirements (re-authorisation).
Therefore, market participants, including existing authorised payment institutions and e-money institutions, will likely need to obtain a new authorisation under PSD3, with some specific features related to e-money like capital requirements and the issuing
or redeeming of e-money retaining separate provisions.
Initial capital requirements are to be adjusted for inflation since the adoption of PSD2 (with the exception of payment initiation service providers, as this is not considered appropriate given the relatively short time they have been in business). PSD3
provides the following requirements for initial capital:
- For money remittance services: EUR 25,000
- For payment initiation services: EUR 50,000
- For other payment services: EUR 150,000
- For electronic money services: EUR 400,000
In contrast to what has been provided for in PSD2 to date, the calculation of capital requirements for payment service providers that do not provide e-money services will in future be based as standard on 'Method B', which is linked to the yearly payment
volume of payment transactions at the institution.
Empowering customers and streamlining data access: The FIDA proposal
The FIDA proposal seeks to unify customer data access rules across diverse financial services, extending the 'open banking' principles of PSD2 to a broader 'open finance' framework. It stipulates that while the regulation of payment account data remains
under the payment services framework (soon to be PSR), other financial service data access will be governed by FIDA, aiming to provide customers more control over their financial data usage.
FIDA is applicable to data handled by financial institutions during their routine customer engagements, covering both consumer and business clients but excluding data related to specific insurance and creditworthiness assessments. It grants customers direct
electronic data access, and the ability to authorise other regulated service providers access to their data. Financial institutions could charge service providers for data access facilitated at the customer's behest, with transparency ensured through dashboards
showing data access rights and easy revocation options.
Current implementation status
A definite timeline for the implementation of PSD3, PSR and FIDA has not been established yet. It is anticipated that the finalised versions might be accessible by late 2024. Typically, EU Member States are granted an 18 to 24-month transition period for
implementing new directives, implying that the provisions might come into effect around 2026.
The next steps would likely involve further consultations, discussions among stakeholders, and possibly the amendment of the proposals based on feedback from the industry and other interested parties. Additionally, once a definite timeline is established,
stakeholders will need to begin preparations to comply with the new regulatory framework, which may include adjusting business models, updating systems, and ensuring compliance with new security and consumer protection requirements.
Keeping abreast of official communications from the European Commission and other relevant EU regulatory bodies is crucial for understanding the evolving implementation timeline and preparing for the changes that PSD3, PSR and FIDA will introduce.
Outlook for 2024
Accordingly, the new payment services framework will not yet bring any new or amended regulations in 2024. However, for payment service providers that also offer crypto services, the provisions of the new Market in Crypto Asset Regulation (MiCAR) will
already become relevant in 2024. MiCAR is also directly applicable in all EU Member States and came into force this summer. Its regulations will apply from June 30, 2024 or December 30, 2024, respectively.
E-money itself is not covered by MiCAR, but e-money tokens are. E-money institutions are allowed to offer e-money tokens and crypto-services around their e-money tokens under MiCAR only after they have gone through the corresponding notification procedure under
MiCAR with the competent national supervisory authority.