Saturday, September 30, 2023

PSR and PSD3 – here’s what you need to know 

Due in part to the deregulation of traditional banks, which encouraged more competition and innovation in the market, the regulatory environment for electronic payments has undergone a substantial transformation during the past 20 years. 

As part of these ongoing changes, the European Commission has introduced the Payment Services Directive 3 (PSD3) and related legislation to enhance the regulation of electronic payments.

The Payment Services Directive (PSD) is a European regulation aimed at improving payment services across the EU. PSD1 laid the foundation for non-bank entities to operate in the payments sector, emphasizing fee transparency and advancing the Single Euro Payments Area (SEPA) initiative. It also established expectations for prompt customer fund reimbursements in case of fraud incidents. 

PSD2 expanded the regulatory framework by introducing roles for non-bank payment initiation and information service providers, along with the implementation of Strong Customer Authentication (SCA). 

Now, PSD3 aims to further refine and develop the payments landscape.

What to Understand About PSD3 and PSR Regulations

PSD3 and the PSR are set to bring significant changes to the EU’s payments market, enhancing security and efficiency. These regulations are expected to come into effect 18 months after their publication in the Official Journal of the EU. While the exact publication date remains uncertain, compliance with the PSR could be required by the second half of 2025 or later.

Businesses offering payment services in the EU, including banks, payment processors, and financial institutions, must adhere to PSD3 and the PSR. This entails strengthening authentication processes, increasing transparency, implementing robust risk management practices, and facilitating easier access to financial data for consumers.

Key Developments

PSD3 and the PSR introduce several significant changes and enhancements to the regulation of electronic payments:

Access to Accounts: PSD3 mandates that Payment Service Providers (PSPs) offering online payment accounts must provide dedicated interfaces for data exchange with Third-Party Payment Providers (TPPs). The PSR outlines specific requirements for the types of payment transactions that these interfaces should offer to ensure accessibility and remove obstacles. The scope has also been expanded to include both onboarding and offboarding of Payment Institutions (PIs).

Strong Customer Authentication (SCA): PSD3, through the PSR, introduces a change requiring Account Information Service Providers to perform subsequent authentications of the Payment Service User (PSU) after the initial authentication has expired (typically after 180 days). PSPs are required to establish outsourcing agreements with technical service providers handling SCA elements, with provisions for security auditing and control.

Direct Access to EU Payment Systems: PSD3 and the PSR enable Payment Institutions (PIs) to have direct access to all of the EU’s payment systems, including those controlled by central banks. This marks a significant improvement as only a limited number of payment systems currently offer such direct access to PIs.

IBAN Checks: The draft PSR, in line with PSD3, requires the payee’s PSP to verify, free of charge, that the name and unique identifier of a payee are consistent before credit transfers are initiated. This extends the scope of the ‘IBAN name checks’ introduced in October 2022, aligning with the proposal for Instant Credit Transfers in euros.

Consent Dashboard: Under PSD3 regulations, PSPs providing online payment accounts must develop a dashboard of permissions (known as ‘consent’ under PSD2) within their customer interface. This dashboard enables Payment Service Users (PSUs) to monitor in real time which TPPs have been granted permission to access their data, enhancing transparency and control for customers.

These measures collectively aim to improve the efficiency, security, and accessibility of electronic payment services across the European Union.

The Impact of PSD3 on the Payments Industry

PSD3 brings significant changes to the payments industry, particularly in the realm of Strong Customer Authentication (SCA) and access to payment systems and account information. Here’s an overview of these changes and their implications:

Strong Customer Authentication (SCA):

  • SCA changes in PSD3 aim to enhance the safety of payment transactions.
  • New rules cover data sharing, fraud prevention, authentication, transactions, and accessibility.

Data:

  • Businesses will be required to share more data with issuers, enabling them to analyze various factors like user location, transaction history, device information, and spending habits.
  • This data sharing helps issuers make informed decisions about approving or declining transactions, potentially increasing approval rates.
  • Payment schemes and Payment Service Providers (PSPs) can, under certain conditions, process personal data without explicit user consent, specifically for fraud prevention purposes.

Fraud:

  • PSD3 introduces a liability shift in cases of fraud. Schemes, technical service providers, and payment gateways become liable for fraud if they fail to apply SCA. This incentivizes providers to maintain high-quality service.
  • Issuers can also be held liable in cases of spoofing fraud, where fraudsters impersonate bank employees to manipulate users into authenticating payments.

Authentication:

  • While PSD2 required SCA factors to belong to two out of three categories (knowledge, possession, inherence), PSD3 allows for the use of two factors from the same category, such as token and SMS OTP or two passwords.
  • Delegation of SCA by issuers to third parties is now considered outsourcing and must comply with outsourcing rules. Some providers, like Adyen, have developed Delegated Authentication solutions to handle SCA in-house.

Exemptions:

  • Merchant-initiated transactions (MIT), like subscriptions, are exempt from SCA after the initial transaction. This simplifies recurring payments.
  • Card-based mail orders and telephone orders (MOTO transactions) are also exempt from SCA, benefiting industries like travel.
  • SCA is required for tokenization only when the cardholder initiates the transaction, such as during card-on-file transactions or card enrollment in digital wallets.

Accessibility:

  • PSD3 mandates that SCA must be accessible to vulnerable customers, including the elderly, people with disabilities, and non-digitally savvy consumers. This involves providing authentication methods that do not solely rely on smartphones.

These changes reflect a comprehensive effort to strengthen payment security, improve authentication processes, and balance fraud prevention with user convenience and accessibility in the EU’s payments industry.

The Bottom Line

The evolution of electronic payment regulations in the European Union over the past two decades, culminating in the introduction of the Payment Services Directive 3 (PSD3) and related Payment Service Regulation (PSR), represents a pivotal moment in the financial landscape. These regulations have been crafted to address the changing dynamics of the payments industry, driven by technological innovation and increased competition.

PSD3 and the PSR aim to not only enhance security but also improve the efficiency and accessibility of electronic payment services across the EU. They bring about significant changes, with key highlights including access to accounts, Strong Customer Authentication (SCA) enhancements, direct access to EU payment systems, IBAN checks, and the introduction of a consent dashboard. These measures collectively set the stage for a more transparent, secure, and consumer-centric payments ecosystem.

One of the most noteworthy aspects of PSD3 is its impact on SCA. The new rules are poised to elevate the safety of payment transactions by introducing data sharing, enabling issuers to make more informed decisions, and holding parties liable for fraud if SCA is not adequately applied. These changes are designed to strike a balance between security and convenience, benefiting both consumers and payment service providers.

Furthermore, PSD3 emphasizes the importance of accessibility, ensuring that SCA methods cater to all segments of society, including vulnerable individuals who may not be digitally savvy. This inclusive approach is a testament to the EU’s commitment to providing secure payment services for everyone.

In essence, PSD3 and the PSR signal a bold step forward in the regulation of electronic payments in the European Union. As these regulations are expected to come into effect in the coming years, businesses operating in the payments sector must prepare for compliance, strengthen authentication processes, and embrace the opportunities for innovation and growth that these changes bring. Ultimately, the impact of PSD3 on the payments industry will be felt not only in terms of increased security but also in the continued evolution of a more accessible and consumer-friendly financial landscape in the EU.
