Payment Services Directive 3 - An Evolution: not a Revolution...

Alison

The Payment Services Directive (PSD) is a regulatory framework governing electronic payments and the banking system in Europe and the European Economic Area (EEA).
Currently Payment Services Directive 2 (PSD2) has been overseeing digital payments and open banking in the EEA. PSD3 is expected to continue and potentially expand this regulatory influence.
For this month’s blog I want to introduce Beata, who will take us through the new directive.

Beata

Hello, I'm Beata, and I work as a Product Manager at Judopay. With several years of experience in the payments industry, I've developed a keen focus on regulatory frameworks such as PSD2, alongside security protocols like 3DS2. Throughout my career, I've been dedicated to driving innovation and ensuring compliance within this dynamic landscape.
At Judopay, I am committed to delivering cutting-edge solutions that not only meet but exceed industry standards.
I'm passionate about leveraging technology to streamline payment processes and enhance the overall user experience.
So as we move from PSD2 to PSD3, I will share what this entails.

From PSD2 to PSD3

The European Commission notes that Payment Services Directive 2 (PSD2) has effectively contributed to:

  • Preventing fraud
    • The introduction of Strong Customer Authentication (SCA).
  • Increasing the efficiency, transparency and choice of payment instruments for consumers.
  • Introducing open banking
    • Allowing for the secure sharing of financial data between banks and third-party service providers.

However, its adoption has been met with varying levels of success.

Challenges persist in data access for:

  • Account information service providers
    • Consolidating consumer bank account information.
  • Payment initiation service providers
    • Establishing payment links between payers and online merchants.

Additionally, while there has been progress in the cross-border provision of payment services, many payment systems, especially debit card systems, remain predominantly national in scope.

Introducing PSD3

Since the adoption of PSD2 there has been a rapid evolution of the payments sector (fuelled by the pandemic), with the emergence of new payment solutions and more sophisticated types of fraud.
Combining these elements with the Payment Service Directive Consultation’s feedback, the Third Payment Service Directive (PSD3) was proposed on 28 June 2023.

This new directive follows the path set by PSD2 and will:

  • Bring open finance one step closer
  • Address new emerging types of fraud
  • Take reinforcement measures about SCA
  • Generally focus on user experience and accessibility

A new Payment Service Regulation (PSR) has also been proposed, with the aim of achieving quicker implementation of the new rules under PSD3 into national law, without exemptions or obstructions from member countries.

In summary, the goal of the European Commission’s Payment Services Directive is to develop and maintain a single payment services market for the EU that provides the same level of consumer protection, efficiency, and innovation across all of its member states.

The fundamental principles introduced by PSD2 will remain.

As they said, it's an evolution, not a revolution.

The Main Changes

The European Commission wishes to address some of the shortcomings of PSD2, with the following proposals:

Proposal One: Enhanced Fraud Detection and Prevention

Payment fraud: A growing source of concern.

The PSD2 provisions are no longer sufficient to tackle the new types of fraud, in particular fraud that relies on manipulative techniques, for example the so-called Authorised Push Payment (APP) fraud.
PSD3’s new measures, which are intended to fortify security and consumer protection, will demand adjustments in fraud prevention mechanisms and authentication processes.
The directive mandates more stringent consumer authentication rules and extends refund rights for individuals falling victim to fraud.

The European Commission has highlighted impersonation fraud, also known as spoofing, as an area in which PSD2 is not sufficiently equipped.
This type of fraud is more challenging to prevent, as the customer, having been manipulated by the fraudster, does in fact provide their consent to authorise a payment.

Since spoofing and social engineering scams take advantage of reasonable human error, it is difficult for automated fraud-prevention systems to detect and prevent them.

With PSD3, the European Commission plans to enhance requirements for spoofing detection and prevention in the following ways:

  • Using IBAN / name check for all credit transfers
    The bank is required to verify the account name matches the IBAN linked to that name
  • Strengthening transaction monitoring measures
    To highlight unusual and potentially fraudulent payment activity
  • Providing a legal framework for payment service providers
    To share information on fraud, such as data related to ongoing scams
  • Requiring payment service providers to thoroughly educate their staff and customers on payment fraud prevention

Proposal Two: Expanding Authentication Requirements

When evaluating the impact of PSD2, the European Commission found its fraud-prevention regulations, specifically its Strong Customer Authentication (SCA) requirements, to be one of the most successful components of the directive.
As you are aware, the SCA requirements add an extra layer of security to the payment process by requiring consumers to provide at least two pieces of identifying information during the payment process.
This information must belong to two of the following categories:

  • Something the customer KNOWS (PIN or password)
  • Something the customer HAS (card reader or mobile phone)
  • Something the customer IS (face or fingerprint recognition)

Some of the main ways in which PSD3 will expand its SCA requirements from PSD2 include:

  • Clarifying when certain transactions may be exempt from SCA
  • Requiring SCA for mobile wallet enrolments

I will delve a little deeper into more of the SCA enhancements later in the blog.

Proposal Three: Accessibility for all Users

Payment Service Providers are to offer SCA methods that do not rely solely on one technology. This aims to ensure accessibility for all users, for example elderly and low-income users.

Proposal Four: Access to EU Payment Systems

PSD3 also aims to provide non-bank Payment Service Providers with access to EU payment systems, subject to certain safeguards.
This includes the right for these providers to have a bank account, which could significantly broaden the competitive landscape.

Proposal Five: Improvements to Open Banking Obstacles

PSD3 is set to enhance open banking by:

  • Improving data interfaces
  • Removing obstacles to open banking services
  • Giving consumers more control over their data access permissions

This could lead to more innovative services, including a better user experience for consumers.

Significant SCA Enhancements

As I mentioned above, SCA was one of the most successful components of PSD2. I want to now focus on some significant enhancements on SCA with PSD3.

  • Account information services
    SCA is only required for initial data access.
    However, account information service providers have to enforce SCA when their customers access aggregated account data on the service provider's domain at least every 180 days.
    This is to ensure account information remains secure and protected, while allowing a balance between security and user convenience.
  • Merchant Initiated Transactions (MIT)
    An eight-week unconditional refund right is introduced for MITs.
    Furthermore, it has been clarified that SCA is required for the MIT mandate set-up, but is not required for subsequent MITs.
  • Mail Order / Telephone Order (MOTO)
    In order for MOTO transactions to be exempt from SCA, only the initiation of a payment transaction needs to be non-digital. The execution of these MOTO transactions can be digital.
    This means that when conducted through the internet or other digital platforms, both card payments and bank transfers are considered electronic.
    However, when payment details are relayed from cardholder to merchant through non-digital channels (for example paper-based payment orders, mail orders, or telephone orders), they are deemed ‘non-electronic’. This applies even if the information is subsequently processed electronically, for example when the card details are processed through a digital platform after the order details are received by telephone.
  • Transaction Risk Analysis (TRA)
    TRA remains exempt from SCA, although the European Banking Authority will be mandated to develop guidelines providing further details on the scope of the TRA.
    This will include requirements that must be met, appropriate methodologies, criteria for the calculation of fraud rates, and reporting and audit requirements.
  • Tokenisation
    SCA is only required if the cardholder initiates the transaction, for example when initiating a card-on-file transaction, or when a cardholder initially enrols their card in a digital wallet.
  • Transaction monitoring
    PSD3 requires Payment Service Providers to implement transaction monitoring mechanisms that enable both the application and the enhancement of SCA, for the prevention and detection of fraudulent transactions.
    These mechanisms have to analyse payment transactions, taking into account the typical elements of the user's behaviour, for example their location, time, device, spending habits, and the online store they are using for the purchase.
  • Two-factor authentication
    Under the accessibility proposal, PSD3 will no longer require the two authentication factors to come from different categories, as long as they are truly independent.
    This could allow authentication using two biometric IDs or two passwords.

A final point

It is also worth mentioning that PSD3 will enhance the availability of cash both in shops and at ATMs. This means shops will be able to offer ‘cashback’ options (as some supermarkets do today), without the consumer having to make a purchase.

The consumer can request cash via their payment card, or mobile wallet. They will however have a withdrawal limit.

PSD3 will also clarify existing regulations regarding ATM operators who are allowed to operate without a license. This is to encourage a higher number of ATMs, which is expected to promote better availability and accessibility to cash.

This will provide consumers with more flexibility and choice in how they make payments.

Does this impact the UK?

As the UK is no longer formally bound to follow the new PSD3, any potential impact would depend on the specific terms of the agreement between the UK and the EU regarding financial services regulation post-Brexit.
If PSD3 were to be adopted by the EU and the UK decided to align its regulations with those of the EU, then it is possible that PSD3 could have implications for the UK.
However, given the UK's departure from the EU and its ability to set its own regulatory framework, the extent of any impact would depend on the decisions made by UK regulators and policymakers.
Our prediction would be, given the international nature of the payment industry, that PSD3 will heavily influence some upcoming changes, putting pressure on the UK to review existing rules and to align with PSD3.

What is next?

PSD3 aims to consolidate the legal frameworks for electronic money and payment services, creating a more coherent and efficient regulatory environment.
Even though PSD3 and PSR will be a significant change in Europe’s payment landscape (though not as big as when PSD2 was introduced), the preparation for these regulatory changes cannot be left until the last minute.
The regulatory and legal reviews, gap analysis and other business processes can take up a considerable amount of time.
But before these can start, the European Commission, the European Parliament, and EU Member States have to finalise the new rules and transfer them into national law, which would push out the expected roll-out into 2026.

We are currently closely monitoring the situation and exerting every effort to minimise the impact on our merchants. However, if any changes are necessary, we will promptly communicate this with our merchants to ensure they have ample notice and time to adjust if any modifications are needed on their end.

© Judopay 2025.
Alternative Payments Limited (Company Number 07959933) t/a Judopay is wholly owned by Fabrick S.p.A., part of the Banca Sella Group.