New PSD3 & PSR: Evolution or Revolution?

How will the PSD3 and PSR address current PSD2 limitations, and what will be the implications for merchants?

Published 15 April 2024

As the new PSD3 and PSR (the Third Payment Services Directive and the Payment Services Regulation) are entering their final legislative stage at the end of the year, it is important to assess in detail the main issues the payment market has been facing in Europe and evaluate how these regulations could address these hurdles.

Background

The revised Payment Services Directive (PSD2), adopted by the European Parliament on October 8th, 2015 and going live on September 14th, 2019, aimed primarily at strengthening the security of online payments, fostering the development and use of open banking, and making the European payments market more integrated and efficient.

While the strong customer authentication (SCA) introduced by the PSD2 has significantly improved the overall security of payment transactions in Europe, it is no offense to European regulators to say that the PSD2 has not realized its initial ambition to create a frictionless pan-European open banking area, despite 4.5 years of existence. To be fair, responsibilities are shared, and all players have something to reflect on.

PSD2 limitations

We see 3 main hurdles that have hindered the development of PSD2 and, more generally, of open banking.

  • Lack of clarity in the regulation itself, leading to an uneven playing field and inconsistent implementations across countries.
  • Lack of willingness from certain Account Servicing Payment Service Providers (ASPSPs) to fully open up access to their customers’ data.
  • Lack of market readiness when the regulation went live, generating uncertainties and a higher risk of fraud.

First, the PSD2 regulation itself was not clear enough and created room for interpretation

  • Inconsistent definition of what an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) is: depending on the country, such a provider could be considered either a financial institution, implying numerous rules to comply with (e.g. AML), or a technology enabler requiring much less scrutiny from regulators.
  • Lack of clarity regarding the definition of what is considered a payment account and the information a Third-Party Provider (TPP) can access (e.g. credit card balances and transactions are available in some countries but not in others).
  • No standardized API interfaces defined in the regulatory technical standards (RTS) of PSD2.
  • Lack of clarity on the conditions defining when a platform could act on behalf of the payer.
  • Lack of clarity regarding the applicability of certain strong customer authentication exemptions.

Second, many ASPSPs have not fully played the game, and have been following a “minimum legal product” approach

  • Insufficient effort from ASPSPs to make their APIs work to a high quality standard.
  • Limitations from certain ASPSPs on the payment services available to a TPP.
  • Difficulties in being granted delegated SCA from ASPSPs on a general basis.
  • No fully integrated PSD2 customer journeys within ASPSPs’ own banking app processes.

Third, market players were not always ready when PSD2 was launched, which generated delays and postponements, diluted the overall momentum and added some operational uncertainties

  • Many TPPs were not ready soon enough to test interfaces with ASPSPs and underestimated the time and effort needed to get a license.
  • Most large online merchants were not ready for SCA implementation and pushed for additional time.

PSD3/PSR improvements

EU financial regulatory bodies are well aware of those difficulties and have proposed two distinct legislative vehicles to address those pain points: a new directive (PSD3), focusing on rules relating to the licensing and supervision of payment institutions, which will need to be transposed by each Member State into its legislation, and a new regulation (PSR), which focuses more on the use of payment services and will come directly into force in each country without the need for transposition.

PSD3 and PSR are two sides of the same coin, with a joint objective of improving the payment market in Europe by bringing long-awaited changes:

Further clarifications, harmonizations and simplifications

  • Clear definition of a payment account and clarification of the scope of data that should be available to TPPs.
  • Harmonized rules between payment institution and e-money institution licenses and clarification on the triangular passporting issues.
  • Harmonized rules between bank and non-bank TPPs.
  • Clarification regarding access to payment systems for payment institutions.
  • Clarification regarding the possibility to open or close a payment account by a payment institution, its agents or distributors via credit institutions.
  • Simplification of the SCA mechanism: the two factors could be part of the same family, and AISPs would need to trigger an SCA less frequently (180 days vs 90 days before).

Additional obligations for ASPSPs to allow access to their customers’ data

  • Obligation for ASPSPs to provide at least one dedicated interface to TPPs for open banking access, and to share more information regarding API updates and performance via quarterly statistics.
  • Obligation for ASPSPs to offer a dashboard to payment service users enabling them to manage access rights to their data.

Stronger governance requirements for TPPs and reinforcement of measures to combat fraud

  • Liability shift to TPPs when a consumer is manipulated by a third party pretending to be an employee of the PSP.
  • Additional capital needed for PISPs and AISPs.
  • Widened sanction powers for national competent authorities, including investigation rights.

Perspectives

Will it be enough? PSD3 and PSR appear to be more an evolution than a revolution. While they will address the three main hurdles in some ways, they cannot force ASPSPs to go beyond the regulation, nor ensure that all market players will foster its adoption.

It is, however, a good thing – adoption of new products, services or technologies cannot come from regulation itself. The experience from the initial version of the European regulation on digital identities (eIDAS 1.0), for example, clearly showed that regulation alone is never sufficient to move a market, especially when you do not have full involvement of the private sector. The regulation could of course help, for example by preventing some ASPSPs from leveraging the lack of clarity and broad definitions of PSD2 to limit or complicate access to customers’ data, but it cannot be the main or unique catalyst.

The big change can only come from the market itself: from banks, payment players and merchants showcasing the value they can derive from these regulations and open banking in general, and from customers embracing the change. In the end, only services adding value, simplifying customer journeys and putting customers in control of their own data will prevail. We should not forget that the initial market shift enabled by PSD2 – transferring data ownership from banks to customers – is here to stay and should only be reinforced by upcoming market evolutions. In that regard, value-added services brought by account-to-account (A2A) and instant payments could significantly foster this market dynamic and enable PSD3 to accelerate the full realization of open banking potential.

Implications for merchants

While merchants have been experiencing higher card payment costs in the past few years, A2A payments appear to be an interesting and viable alternative to expensive international card schemes and wallet solutions. Unfortunately, direct A2A payments via TPPs have remained relatively limited for the reasons mentioned above. In that regard, PSD3 and PSR can be a step in the right direction, simplifying the rules, adding clarity, and encouraging ASPSPs to further facilitate access to payment accounts. Merchants will also benefit from higher security of transactions, and increased transparency and harmonization.

In addition to PSD3 and PSR, the new Financial Information Data Access regulation (FIDA), which could be adopted by the European Parliament at the end of the year or early 2025, will facilitate access to non-payment data through Financial Information Service Providers (FISPs). This regulation will encompass non-payment accounts such as investments, loans and pensions, and might change the payment landscape even more dramatically by paving the way for open finance development. Merchants should work jointly with innovative TPPs to define best-in-class customer journeys and experiences, leveraging the tremendous potential of open banking and open finance, whose surface has only been scratched so far.

Article author

Thierry Morin

Vice President Strategic Projects and Development