Exploring PSD3: The Near Future of Payment Services Directive
The European Commission (“Commission”) has published the Proposal for a Directive of the European Parliament and of the Council on Payment Services and Electronic Money Services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC. This proposal includes a revision of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2”) and new regulations for financial data access (“Proposal”).
The Commission has also published the Impact Assessment Report, in which it reports four key issues that need to be improved based on its PSD2 evaluation (“The Assessment Report”): i) payment users must be protected against fraud; ii) open banking functions imperfectly; iii) PSD2 is applied imperfectly, which results in legal uncertainty and single market fragmentation; and iv) payment service providers (“PSP”) and non-bank PSPs have an unlevel playing field.
As per the Proposal, PSD2 will transform into Payment System Directive 3 (“PSD3”) and Payment Services Regulation (“PSR”) will be introduced in order to secure electronic payment in the European Union (“EU”) and protect the rights of customers. The Proposal’s objective is to address and reduce payment fraud, improve consumer protection, provide consumers with more choices of PSPs, promote fair rules between banks and non-banks, optimize the functioning of open banking and increase the access to cash in shops and ATMs.
The Proposal additionally includes a legislative proposal for a framework for financial data access to manage customer data sharing in the financial sector. This article will focus on discussing the changes introduced to PSD2 and by the PSR.
Objectives of PSD3 and PSR
PSD2 currently serves as the regulatory framework for managing payments in the EU. The Assessment Report indicates that PSD2’s objectives have only been partially achieved. In line with the problems detected in PSD2, the Proposal pursues the following objectives: (i) increasing consumer protection, (ii) improving open banking practices, (iii) improving enforcement and supervision of member states, (iv) providing fair access to non-bank PSPs.
Changes Introduced by the Proposal
Fraud and Liability
Given the continued existence of social engineering fraud, in which fraudsters manipulate a victim to send funds to an illegitimate payee, the Commission is introducing further anti-fraud strategies. The Proposal introduces the following measures:
- Expanding IBAN/name matching verification services to cover all credit transfers;
- Establishing a legal framework that permits PSPs to exchange fraud-related information among themselves;
- Enhancing the transaction monitoring;
- Requiring PSPs to undertake educational initiatives aimed at raising awareness of payment fraud among their customers and employees;
- Extending consumer refund rights under specific circumstances.
Strong Customer Authentication (SCA) involving at least a two-phase authentication of payers' identities is defined in PSR as “an authentication which is based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”. PSR further explains the measures that will be applied by PSPs in Articles 85 and 86.
The Proposal clearly defines the situations in which certain types of transactions are exempt from SCA requirements. For example, payment transactions initiated solely by the payee, without any participation or interaction from the payer, are exempt from SCA requirements to the extent allowed. The Proposal also simplifies SCA application for payment account information services by saying that SCA is typically required only for the first access by an account information service provider, unless fraud is suspected. Subsequent data accesses to that payment account will be the responsibility of account information service providers. Article 86 of PSR further states that account information service providers must employ their own SCA when a payment services user accesses payment account information retrieved by them, but only if it has been at least 180 days since the last application of strong customer authentication, unless the account servicing payment service provider has valid suspicions of fraud.
Article 59 of PSR clarifies PSPs’ liability for impersonation fraud and requires PSPs to refund the consumer the full amount if the consumer is deceived by a third party impersonating an employee of their PSP, which leads to fraudulent authorized payments, provided that the consumer promptly reported the fraud to the police and informed their PSP.
Consumer rights and information
The Proposal introduces several measures to enhance transparency in various aspects of payment services. In order to enhance trust in payment markets, PSPs are obligated to inform users about estimated charges before initiating a payment transaction with a specific payment method, and likewise, if the payment service provider or any other party involved in the transaction intends to levy a charge, they must notify the payment service user beforehand. The payer is only required to cover these charges if they have been fully disclosed prior to the initiation of the payment transaction. Article 5 of PSR states that PSPs will be obligated to inform users about estimated charges for currency conversion prior to payment initiation. As per Article 13 of PSR, in the context of credit transfers and money remittances from the EU to non-EU countries, PSPs are required to provide payment service users with an estimated timeframe and charges for the funds to reach the PSPs of the recipient located outside the EU. These charges will be expressed as a percentage mark-up over the latest euro foreign exchange reference rates issued by the European Central Bank. This will enable users to compare conversion charges effectively and make informed decisions.
The Proposal aims to improve the open banking framework by making specific adjustments. It introduces the requirement for Account Servicing Payment Service Providers (“ASPSPs”) that offer a payer a payment account that is accessible online to have in place at least one dedicated interface for the purpose of open banking activities. However, ASPSPs which maintain a dedicated interface shall not be obliged to maintain a fallback interface for avoiding data disruption. The Proposal also introduces a list of prohibited obstacles as outlined in Article 44 of PSR and requires ASPSPs to ensure that their dedicated interface does not create obstacles to the provision of payment initiation and account information services.
The Proposal also requires banks and payment account providers to provide consumers of open banking services with a user-friendly dashboard that displays the data access permissions granted and allows users to withdraw access.
Competition and Level Playing Field
As stated above, one of the aims of this Proposal is to strengthen requirements for banks when providing bank account services to non-bank PSPs. In order to achieve this, banks shall now have a stronger obligation to clarify their reasons for refusing access or withdrawing services to PSPs. These reasons should be based on the specific circumstances of the PSP, such as suspicions of illegal activities or significant risks to the bank, and should be submitted in writing.
The Proposal introduces significant changes and enhancements to the regulatory framework governing payment services within the European Union. These revisions demonstrate the need for stronger consumer protection and security measures, fair treatment between bank and non-bank PSPs, and a competitive and secure payment ecosystem.
- European Commission Staff Working Document, Impact Assessment Report, Brussels, 28.06.2023.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.