European Union – Financial Services

The European Union (EU) is updating its regulatory framework
governing payment services by introducing the “Payments
Services Package”. In June 2023, the European Commission
published a set of legislative proposals designed to modernise and
enhance the digital financial landscape within the EU.

The Payments Services Package consists of Payment Services
Directive III (PSD3), to be adopted alongside the Payment Services
Regulation (PSR) and the Regulation on a Framework for Financial
Data Access (FIDAR).

PSD3 is an update to the existing Payment Services Directive
(PSD2), aimed at further refining and expanding the regulatory
framework for payment services. It will also repeal and replace the
Electronic Money Directive (EMD2), establishing a single regulatory
framework governing both payment services and e-money services.
There would be a single set of requirements for licensing, conduct
of business and prudential supervision, as e-money institutions
will be licensed as payment institutions under PSD3.

What are the key topics of PSD3/PSR?

Strengthening harmonisation and enforcement

The forthcoming PSD3 is anticipated to focus predominantly on
the regulation of licensing procedures and the functional aspects
of payment service providers (PSPs).

Nevertheless, other essential elements such as fraud prevention,
liability, transparency, open banking and Strong Customer
Authentication (SCA) will be addressed within the PSR. The
integration of these aspects into the PSR signifies the direct
applicability of these regulations across the EU.

Enhancing consumer rights

The new proposal includes the following propositions to
strengthen customers’ rights:

• Increased protection of temporarily blocked funds
  – the proposed changes aim to ensure that the blocked amount
  will be proportionate to the expected final amount. Blocked funds
  should be released immediately after receipt of the information on
  the exact final amount of the payment transaction and no later than
  immediately after receipt of the payment order.




• Enhanced transparency on credit transfers and money
  remittances from the EU to third countries – PSPs will
  be required to inform users of currency conversion charges as well
  as of the estimated time for the payee’s payment service
  provider in the third country to receive the funds.




• Enhanced transparency for payment account statements
  – PSPs will be obliged to clearly identify payees, including
  stating their commercial trade name.

Mitigating payment fraud

The Payments Services Package should tackle new types of fraud
such as “spoofing” (i.e. cases where the fraudster
manipulates the customer into giving their consent to authorise the
transaction by pretending to be an employee of the payment
institution). This blurs the distinction between unauthorised and
authorised transactions, leaving current mechanisms insufficient to
addressing such frauds.

The new proposal includes the following fraud prevention
measures:

• Extension of IBAN/name verification services to cover all
  credit transfers – this will require the PSPs to verify
  that the account name matches the International Bank Account Number
  (IBAN) associated with that name.




• Enhancement of customer refund entitlements –
  customers should be entitled to refunds in instances where
  consumers are deceived by spoofing scams. Additionally, if the
  system designed to verify the alignment between the IBAN and the
  account holder’s name malfunctions, customers will be eligible
  for a refund.




• Introduction of extended transaction monitoring
  measures.




• Provisions of legal framework for PSPs to share
  fraud-related information.




• Further SCA enhancements – new rules will be
  established regarding SCA, including:
  

  • Liability shift – the new proposal aims to shift
    the liability for fraud to third-party systems and technical
    service providers, such as digital wallet providers and payment
    gateways, if they fail to apply SCA.

  
  

  • Exemptions from SCA – the proposal clarifies the
    circumstances in which certain types of transactions, such as
    Merchant-initiated transactions (MITs), are exempted from SCA.

Upgrading open banking

A landmark feature of PSD2 was the introduction of the open
banking regulation, allowing account information service providers
(AISPs) and payment initiation service providers (PISPs) to access
customers’ data with their consent in order to provide them
with services such as expense reports, budgeting tools and targeted
financial products. PSD3 is expected to bring the following changes
and improvements to open banking requirements:

• Strict standards for data access interfaces –
  the Payments Services Package specifically address the prohibited
  obstacles, such as the requirement for additional registration or
  additional checks of the permission, that cannot be integrated into
  the interfaces.




• Customer dashboard – customers should be
  provided with a dashboard integrated into their user interface to
  monitor and manage permissions granted to AISPs. This tool should
  allow customers to see which companies have access to their data
  and enable them to revoke such access.

Levelling the playing field

The proposal aims to provide payment institutions (PIs) and
electronic money institutions (EMIs) better access to payment
systems. To obtain a licence, PIs and EMIs are required to have an
account with a commercial bank. Currently, however, commercial
banks often refuse to open accounts for them or close existing
accounts due to concerns related to issues such as anti-money
laundering controls. This creates an uneven playing field, as banks
compete with PIs and EMIs in providing payment services.

Under the new proposal, banks will be required to offer clear
reasons when refusing to open an account or when closing accounts
for payment institutions (PIs), considering the individual
circumstances of the PI. The decision not to open the account must
be based on serious suspicions of illegal activities conducted by
the PI or the risky nature of the PI’s business model or risk
profile. If the bank refuses to open the account, the proposal
offers the PI the opportunity to appeal to a national authority. In
addition to commercial banks, central banks will have the
discretion to offer opening of accounts to non-bank PSPs.

Improving the availability of cash

• Purchase-free “cashback” at retailer shops
  – presently, retailers can provide cash-back services, but
  only as part of a purchase. The proposal aims to broaden access to
  cash by allowing retailers to offer cashback services outside of a
  purchase transaction, even without needing to obtain a licence or
  being an agent of a payment institution.

What is the timeline?

The precise dates for the implementation of PSD3 and the PSR
remain unclear. Industry experts project that the finalised
documents may be made public by the end of 2024 or at the beginning
of 2025.

Upon their release, it is customary for EU Member States to be
allotted a transitional period, typically extending to 18 months,
to align with the new legislation. Consequently, it is expected
that PSD3 and the PSR will come into effect over the course of
2026.