PSD3: Third time lucky?
Locations
The European Commission (EC) published on 28 July 2023 its proposals. According to the EC:
"These rules will further improve consumer protection and competition in electronic payments, and will empower consumers to share their data in a secure way so that they can get a wider range of better and cheaper financial products and services. These proposals place consumers’ interests, competition, security and trust at their centre."
The EC proposes to amend and modernise the current Payment Services Directive (PSD2) to become PSD3. In addition, it proposes a Payment Services Regulation (PSR), i.e. directly binding EU wide legislation. This has the twin stated aims of safeguarding consumer rights and providing greater choice of payment service providers on the market. One might add that there is a further aim of creating more harmonisation across Europe as to how payments legislation is interpreted.
This comes after extensive consultation, notably a general public consultation, a targeted consultation on the technical aspects of PSD2 and a targeted consultation on open banking/finance.
The requirement to review and update guidelines and legislation at regular intervals is built into the EC's retail payments strategy and the published proposals contribute to the EC's 2020 Digital finance Strategy. It is necessary to keep up with market and consumer needs, as well as technological developments. So the introduction of a new directive only eight years after the last one should not be seen at any sign of failure. In fact, PSD 2 has been seen generally as a success, if, perhaps, not as great a success as might be expected Regulatory Intelligence: Open Banking and PSD2 Reform.
The EC's own assessment is that PSD2 has had varying degrees of success in meeting its objectives – it has had a positive impact in fraud prevention, through mandating Strong Customer Authentication (SCA); has also been effective in increasing the efficiency, transparency and choice of payment instruments for payment service users, but has only mixed success in the uptake of ‘open banking’.
As may have been expected from the general consultation, and the responses to it, the package of measures proposed by the EC are intended to
- combat and mitigate payment fraud, by enabling payment service providers to share fraud-related information between themselves, increasing consumers' awareness, strengthening customer authentication rules, extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees' IBAN numbers with their account names mandatory for all credit transfers;
- improve consumer rights, in cases for example where their funds are temporarily blocked, improve transparency on their account statements and provide more transparent information on ATM charges;
- further levelling the playing field between banks and non-banks, in particular by allowing non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and securing those providers' rights to a bank account.
- improve the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers' control over their payment data, enabling new innovative services to enter the market.
- improve the availability of cash in shops and via ATMs, by allowing retailers to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators.
- strengthen harmonisation and enforcement, by enacting most payment rules in a directly applicable regulation and reinforcing provisions on implementation and penalties.
A keystone of the proposal is a new framework for Financial Data Access, allowing customers to share their data with data users (e.g. financial institutions or fintech firms) in secure machine-readable format to receive new data-driven financial and information services (i.e. such as financial product comparison tools, personalised online advice). This will involve:
- creating obligations for customer data holders (e.g. financial institutions) to make this data available to data users (e.g. other financial institutions of fintech firms) by putting in place the required technical infrastructure and subject to customer permission;
- ensuring customers can control who can access their data through a requirement for dedicated permission dashboards and strengthened protection of customers' personal data in line with the General Data Protection Regulation (GDPR);
- standardisation of customer data and the required technical interfaces as part of financial data sharing schemes, of which both data holders and data users must become members;
- liability regimes for data breaches and dispute resolution mechanisms as part of financial data sharing schemes so that liability risks do not act as a disincentive for data holders to make data available; and
- incentives for data holders to put in place high-quality interfaces for data users through reasonable compensation from data users.
Whilst the opening out of open banking into open finance has achieved the most press intention, and no doubt will launch many more tech start-ups to exploit the opportunities involved, it may be that this is not the most significant thing that will come out of PSD3. Perhaps more interesting will be how it recalibrates the issues of allocation of responsibility for the ever more sophisticated frauds perpetrated on the general public, and how it squares this with the growing concern about digital exclusion.
Timing
Even following the publication of the draft legislation it needs to be passed by the European Parliament and then each EU/EEA country will be given time to transpose it into national law. Realistically, PSD3 is unlikely to be in effect before some time in 2026 and could take much longer.
Effect in the UK
Of course the UK, whilst it has adopted PSD2 into domestic law is no longer formally bound to follow anything adopted by the EU via PSD3. However, the payments industry is of its nature international and the influence in pan-European banks and payment providers, and in particular of the major card schemes, is likely to cause the UK to be under pressure to look at its own rules to deal with the same issues that PSD3 looks to address. The issues driving PSD3 also act as drivers in the UK.
One can expect the regulators and legislators in the UK to study the European proposals very carefully with a view to considering whether any like changes are needed in the UK.
Ideally, the UK would get ahead of the game and demonstrate it can be more nimble and creative in demonstrating how to deal with the twin themes underling this legislative proposal: encouraging beneficial innovation whilst protecting customers and society.
This article was first published on Thomson Reuters Regulatory Intelligence.