Proposed EU payment services regulation reforms
On 28 June 2023, the European Commission published its proposals for the future of EU payment services regulation. These proposals include:
- A Third Payment Services Directive (PSD3) – a directive on payment services and electronic money services in the internal market which will repeal the Second Payment Services Directive (PSD2) and the Second Electronic Money Directive (EMD2) and will amend the Settlement Finality Directive (SFD).
- A new Payment Services Regulation (PSR).
These proposed reforms follow a 2022 European Commission assessment of PSD2, which concluded that whilst PSD2 had achieved many of its aims, certain areas could be improved.
The proposed reforms aim to do the following:
- Strengthen the protection of payment service users and confidence in payments.
- Improve the competitiveness of open banking services.
- Improve enforcement and unify implementation of payment services regulation across Member States.
- Improve (direct and indirect) access to payment systems and bank accounts for non-bank payment service providers (PSPs).
High level overview of key measures under the proposed EU payment services regulation reforms
Strengthen the protection of payment service users and confidence in payments
- Permitting PSPs to share fraud-related information amongst themselves via dedicated IT platforms subject to certain conditions;
- Imposing obligations on PSPs to heighten consumer awareness of payment fraud;
- Improving strong customer authentication (SCA) rules (including improved accessibility of SCA for users with disabilities, older people and others facing challenges using SCA) and simplifying the application of SCA rules in respect of account information service providers (AISPs);
- Increasing customer protection measures (e.g. new currency conversion disclosure obligations and new restrictions on increasing spending limits on payment instruments);
- Extending fraud refund rights of consumers (e.g. PSPs will be obliged, except in limited circumstances, to compensate customers duped into making a payment by someone impersonating an employee of the PSP);
- Improving cash availability (including by increasing the right of retailers to offer a cash provision service subject to certain conditions and increasing the circumstances in which ATM operators may operate ATMs without a licencing requirement and subject to a lighter registration requirement); and
- Extending IBAN verification requirements (i.e. checks on credit transfers to ensure alignment of payees’ IBANs with their account names).
Improve the competitiveness of open banking services
Improve the performance of data interfaces, remove obstacles to open banking services and improve consumer control over their data access permissions by:
- introducing a new requirement for account servicing PSPs (ASPSPs) (e.g. banks) to put in place a dedicated data access interface unless the ASPSP has successfully applied to the national competent authority (NCA) for an exemption under certain conditions;
- removing the requirement for ASPSPs to maintain (unless exempted) two data access interfaces (a dedicated interface and a fallback interface); and
- obliging ASPSPs to provide customers with measures to manage their data through open banking transparently, including by introducing permissions dashboards to allow users to manage their granted open banking access permissions and withdraw data access from any provider.
Improve enforcement and unify implementation of payment services regulation across Member States
- Enacting a large proportion of the new payment rules in the form of a regulation (which, unlike a directive, is directly applicable and does not require separate transposition into national law by each Member State thereby reducing the risk of inconsistent implementation) and clarifying some ambiguous provisions in PSD2 which resulted in inconsistent implementation;
- Strengthening the enforcement powers of NCAs; and
- Integrating the licencing regimes for payment institutions (PIs) and electronic money institutions (EMIs) under which former EMIs will become a sub-category of PIs.
Improve (direct and indirect) access to payment systems and bank accounts for non-bank PSPs
- Payment Systems. PIs have yet to be able to participate directly in certain payment systems and have had to rely on banks for indirect access to these systems. PSD3 will amend SFD to add PIs to the list of firms that may be direct participants in these payment systems (excluding securities settlement systems). Subject to a positive risk assessment result, payment system operators must admit PIs as direct participants.
- Bank Accounts. The reforms aim to secure a PI’s rights to access (open and close) a bank account. It is proposed that under PSR, banks must explain, in writing, detailed reasons for refusal or withdrawal of access.
Further detail on some key changes
Framework
Under the proposed new regime, the legal frameworks applicable to electronic money and to payment services will be merged. PSD2 and EMD2 will be repealed and replaced by PSD3. Rules under PSD2 will be divided into PSD3 and PSR. PSD3 mainly deals with the authorisation and supervision of PIs and PSR covers other rules, including those relating to transparency, payment transactions and operational and security risks.
Licencing and grandfathering
PSD3 creates a new licencing regime for PIs. The proposals envisage that EMIs will cease to exist and instead will operate as PIs granted authorisation to offer payment services and electronic money services. Existing PIs and EMIs will likely have to reapply to NCAs for authorisation as a PI under PSD3.
There are transitional provisions which will allow existing PIs and EMIs to continue to provide services for a limited transition period (e.g. while awaiting reauthorisation). It is proposed that existing PIs and EMIs will be required to submit relevant information within six months of when the new regime starts to apply. Existing authorised firms may qualify for automatic authorisation under the new regime if NCAs are satisfied that they meet the new requirements.
Existing licenses for PIs and EMIs may be grandfathered until 30 months after entry into force (one year after the PSD3 transposition deadline and the beginning of application) on condition that application for a license under PSD3 is made at the latest 24 months after entry into force.
Initial capital
Initial capital requirements may be generally higher to reflect increased inflation since PSD2 came into force. It is proposed that payment initiation service providers (PISPs) and AISPs may hold initial capital (EUR 50,000) instead of professional indemnity insurance at the licensing or registration stage, as the requirement to hold professional indemnity insurance at the licensing or registration stage may be difficult to fulfil. These providers would be required to obtain professional indemnity insurance without undue delay after their licence or registration has been obtained.
Own funds
In order to enhance the level playing field, it is proposed that one of the three possible methods of calculation of own funds, Method B (which is linked to payment transaction volumes), should be considered the default calculation method concerning payment services that are not related to the issuance of electronic money. However, it is proposed that NCAs will have discretion to permit PIs to use alternative methods of calculating own funds (e.g. Method A or Method C) depending on the business model.
Winding-up plan
Under PSD3, firms applying for authorisation as a PI would have to submit a winding-up plan proportionate to their size and business model with their application. However, some NCAs (e.g. the Central Bank of Ireland) already require the submission of winding-up plans at application for authorisation stage in practice.
Safeguarding
Under PSD3, the following changes to safeguarding requirements are proposed:
- Concentration risk – To minimise concentration risk, PIs would be required not to use the same safeguarding method for all client funds and to endeavour not to safeguard all client funds with one credit institution.
- Central Banks – It would be possible to safeguard client funds in an account of a central bank (at the discretion of the central bank) in addition to the option of using commercial banks.
- Changes to safeguarding – Any material changes to a firm’s safeguarding processes would have to be notified to the NCA before taking effect.
For PIs providing electronic money services, the safeguarding rules would be aligned with those applying to PIs providing payment services only.
Supervision and cooperation
- It is proposed that NCAs will have expanded sanctioning and investigative powers.
- PSR includes provisions for the European Banking Authority (EBA) to have product intervention powers under certain circumstances to prohibit or restrict (temporarily) the sale of payment products or features thereof, which would present risks where NCAs have not taken adequate steps to address these risks.
- PSD3 includes a mechanism for NCAs to request assistance from the EBA to resolve disputes with other NCAs.
Definitions and scope
There are numerous amendments to existing definitions under PSD2 and new definitions included in the proposed legislation. For example, clarifications on exemptions from a requirement for authorisation (e.g. the commercial agent exemption and the limited network exclusion) are included, which may consequently narrow their application.
Data Protection
PSR provides that PSPs may process special categories of personal data where necessary to provide payment services subject to appropriate safeguards.
Timeline
The European Commission’s proposed EU payment services regulation reforms are a first step in the EU legislative process and are still some way from finalisation. Final texts must be agreed between the three EU institutions before the proposals are adopted. When the changes to legislation are finalised, which may be in 2024, the provisions will come into effect 18 months thereafter (except for changes to SFD, which must be transposed into national law within six months of PSD3 entering into force). Therefore, we anticipate that the finalised PSD3 and PSR should take effect sometime in 2026.
Our market-leading Financial Regulation and FinTech teams will continue to monitor developments throughout the EU legislative process and are available to assist you with any queries regarding PSD2/PSR. For more information, please contact Shane Kelleher, Louise McNabola or any member of the Financial Regulation team or your usual William Fry contact.
Contributed by Jane Balfe