Upcoming EU Regulations Impacting Corporate Payments

What is PSD3 Regulation and the PSR?

PSD3 and the PSR are regulations that aim to improve the security and efficiency of payments in the EU. It does this by imposing stricter requirements for strong authentication, risk management, transparency, and accountability. They also make it easier for consumers to access their financial data and share it with third-party financial services providers.

An introduction

Whilst PSD3 focuses on the guidelines for anything related to licensing and what it means to be a licensed Payment Institution or an e-Money Institution (EMI), the PSR focuses on the rules to act as a Payments Services Provider (PSP), including an update on the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards for Communication. 

The projected PSD3 and the PSR aim to improve the security and efficiency of payments in the EU, by imposing stricter requirements for strong Customer authentication, measures to combat fraud, transparency (amongst others better user rights information) and accountability. 

On the same day, the EC also unveiled its legislative proposal for a new Financial Data Access (FIDA) framework. Data-driven services are increasingly relevant also beyond payments. The FIDA proposal aims to establish a clear regulatory framework to make sure financial services customers are in control of their data, and enable data sharing, provided that the clients agree on this.

Important things to know about the PSD3, the PSR and FIDA

Changes to the Access to Accounts

PSD3 mandates that PSPs (Payment Service providers) offering payment accounts accessible online will be obliged to offer dedicated interfaces for data exchange with Third-Party Payment Providers (TPPs). The draft PSR specifies the minimum types of payment transactions that the dedicated interface should offer, as well as additional requirements ensuring that no obstacles remain.

Key Changes Linked to Strong Customer Authentication

PSD3 introduces an essential change introduced is the requirement for Account Information Service Providers to conduct their own subsequent authentications of the PSU, once the initial authentication has expired, namely after 180 days.

Where a technical service provider offers or verifies SCA elements, PSPs should establish an outsourcing agreement with the provider. This agreement should include provisions for auditing and controlling security measures.

In addition, PSD3 puts in place a new liability regime for technical service providers (apply / Google Pay) and payment scheme operators failing to comply with SCA.

Direct Access to the EU payment systems

PSD3 and the PSR foresee that PIs (payment institutions) will also have direct access to all the EU’s payment systems, including those steered by the central banks. Currently, only few payment systems provided direct access to the PIs.

This is a major improvement, as it will establish a level playing field between banks and PIs and improve the competition in the corporate payment market, which has also been welcomed by the EACT in its December 2023 Newsletter.

IBAN checks

There will be an obligation for the payee’s and the Payor’s PSPs (Payment Service Providers) to verify, free of charge, the consistency between the name and unique identifier of a payee (the recipient of the transaction) before the initiation of credit transfers.

These requirements extend the scope of the ‘IBAN name checks’ introduced in October 2022 in the proposal for a Regulation for Instant Credit Transfers in euros. Information and notification duties of PSPs towards PSUs are similar to those for instant payments.

Consent Dashboard

Under PDS3 regulations, PSPs offering payment accounts accessible online will be required to develop a permission dashboard, known as ‘consent’ under PSD2, within their customer interface. This dashboard will allow PSUs to monitor, in real-time, which TPPs have been granted permission to access their data.

Transaction Monitoring & Fraud sharing

Article 83 necessitates transaction monitoring mechanisms to support SCA implementation and fraud prevention. These requirements were already present in the RTS on SCA under PSD2, but are now directly included in the PSR, underscoring their importance.

PSPs are required to share fraud-related information collectively, enhancing transaction monitoring effectiveness.

Winding-up plan, merging e-money and payment institutions, and prudential requirements

The PSD3 proposals introduce several substantial changes in the authorisation procedure for payment and e-money institutions, including detailed risk assessments. They also cover measures against fraud and illegal usage of sensitive and personal data, along with measures for sharing fraud-related data.

Another significant innovation is the requirement for institutions to provide a winding-up plan in case of bankruptcy. Such a plan outlines how operations would be wound down to minimise adverse impacts on consumers and the financial system. 

FIDA: Creation of a data-sharing environment

FIDA will grant consumers and SMEs the right to authorize third parties – or data users – to access their data held by financial institutions – or data holders. Nearly all financial services data will be within its scope. Firms can play a dual role – data holder and data user.

There are two key differences compared with the PSD rules. First, data holders will be able to ask for reasonable compensation for making data accessible to data users, being financial institutions and Financial Information Service Providers. Second, data users will have “read access”, but, unlike in PSD2, they will not be able to initiate transactions on behalf of customers. Both could affect the uptake and potential benefits of open finance.

Data holders must provide customers with a permission dashboard to monitor and manage the permissions they provide to data users. The dashboard must allow the customer to withdraw and re-establish permissions given to data users. 

Data holders and users will have to join one or more Financial Data Sharing Schemes, which will govern data access in line with FIDA and other EU rules.

Initial capital requirements are to be adjusted for inflation since the adoption of. PSD3 provides the following requirements for initial capital:

• For money remittance services: EUR 25,000
• For payment initiation services: EUR 50,000
• For other payment services: EUR 150,000
• For electronic money services: EUR 400,000

Takeaways of PSD3, the PSR and FIDA

• I expect that PSD3 and the PSR will have a major impact on the payments market in the EU, making payments more secure and efficient. In addition, it will offer more competition in the payments market, which is beneficial for corporates. 
• The PSR will become applicable 18 months after publication in the Official Journal of the EU. It is expected that the PSR will enter into force and that PSD3 will be enacted in the local legislation of the member states in 2026. Likely, the implementation of FIDA will not occur before 2026. 
• Businesses that provide payment services in the EU need to comply with PSD3 and the PSR. This includes banks, payment processors, and other financial institutions. They need to take steps to strengthen their authentication processes, improve their transparency, and implement stronger risk management measures. They also need to make it easier for consumers to access their financial data.
• Existing authorised payment institutions and e-money institution will likely need to obtain a new authorisation under PSD3, with a grandfathering during a transitional period. This will also have an impact on their activities. 
• FIDA creates new opportunities, which SMEs and large corporates can leverage. New business models will arise, enabling innovation in the financial services industry, and the move to open finance.

Conclusion

As PSD3 and the PSR reshape the financial landscape, it’s crucial to stay informed and adapt to these regulations. We will keep you posted on new developments. If you have any further questions or require consultation on PSD3 and its implications, please feel free to reach out to me. 

Update as of February 9, 2024: The EU Parliament has adopted Instant Payment Regulations. Stay informed by reading more about it here.