On 28/6/2023, the European Commission (EC) published draft legislation for the third Payment Services Directive (PSD3) and a new Payment Services Regulation (PSR). These will replace PSD2 and the Electronic Money Directive, which will be merged with PSD3. In this blog, I will explain all you need to know about the PSD3 Regulation.
What is PSD3 Regulation and the PSR?
PSD3 and the PSR are regulations that aim to improve the security and efficiency of payments in the EU. They do this by imposing stricter requirements for strong authentication, risk management, transparency, and accountability. They also make it easier for consumers to access their financial data and share it with third-party financial services providers.
Key Measures introduced by PSD3 Regulation and the PSR
Let me explain to you the specific changes and enhancements brought about by PSD3 and the PSR. We’ll explore alterations related to access to accounts, Strong Customer Authentication, direct access to EU payment systems, IBAN checks, and the introduction of the Consent Dashboard.
Changes to the Access to Accounts
PSD3 mandates that Payment Service Providers (PSPs) offering payment accounts accessible online offer dedicated interfaces for data exchange with Third-Party Payment Providers (TPPs). Furthermore, the draft PSR specifies the minimum types of payment transactions that the dedicated interface should offer, as well as additional requirements ensuring that no obstacles remain.
Moreover, the draft PSR reinforces the existing requirement to grant Payment Institutions (PIs) non-discriminatory access to payment systems and accounts held by credit institutions. The scope of the requirement has been expanded to encompass not only the onboarding but also the offboarding of PIs and those in the process of obtaining a license.
Key Changes Linked to Strong Customer Authentication
PSD3 brings an essential change, introduced through the PSR, that requires Account Information Service Providers to conduct their own subsequent authentications of the PSU once the initial authentication has expired, namely after 180 days.
Additionally, where a technical service provider offers or verifies SCA elements, PSPs should establish an outsourcing agreement with the provider. This agreement should include provisions for auditing and controlling security measures.
Direct Access to the EU payment systems
PSD3 and the PSR foresee that PIs will also have direct access to all the EU’s payment systems, including those steered by the central banks. This is a major improvement, as currently, only a few payment systems provide direct access to the PIs.
Furthermore, the draft PSR, in compliance with PSD3 guidelines, also requires the payee’s PSPs to verify, free of charge, the consistency between the name and unique identifier of a payee (the recipient of the transaction) before the initiation of credit transfers. These requirements extend the scope of the ‘IBAN name checks’ introduced in October 2022 through the proposal for a Regulation for Instant Credit Transfers in euros. Information and notification duties of PSPs towards PSUs are similar to those for instant payments.
Under PSD3 regulations, PSPs offering payment accounts accessible online will be required to develop a permission dashboard, known as ‘consent’ under PSD2, within their customer interface. This dashboard will allow PSUs to monitor, in real time, which TPPs have been granted permission to access their data.
Important things to know about the PSD3 Regulation and the PSR
- PSD3 and the PSR are expected to have a major impact on the payments market in the EU, making payments more secure and efficient.
- PSD3 and the PSR will become applicable 18 months after publication in the Official Journal of the EU. If the final proposal is published by the end of the year, then the obligation to comply with the PSR could be expected by the second half of 2025. However, several experts expect the publication to be later.
- Businesses that provide payment services in the EU need to comply with PSD3 and the PSR. This includes banks, payment processors, and other financial institutions. Businesses need to take steps to strengthen their authentication processes, improve their transparency, and implement stronger risk management measures. They also need to make it easier for consumers to access their financial data.
As PSD3 and the PSR reshape the financial landscape, it’s crucial to stay informed and adapt to these regulations. If you have any further questions or require consultation on PSD3 and its implications, please feel free to reach out to me.