EU proposals for PSD3/PSR, Financial Data Access and a digital euro
New payments rules
On 28 June 2023, the European Commission (EC) has presented its legislative proposals for payment services, financial data access and a digital euro.
Part of these proposals are the following draft legislative acts:
- a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR);
- a Regulation for Financial Data access (FIDA);
- a Regulation on the establishment of the digital euro (Digital Euro Regulation).
The PSD3, PSR and FIDA proposals are part of the EC “Financial data access and payments” package. This package is aimed at modernising payment services and opening financial services data, to bring payments and the wider financial sector into the digital age.
The Digital Euro Regulation is part of the EC’s ‘single currency package’ and sets out a framework for a possible new digital form of the euro that the European Central Bank could choose to issue in the future, as a complement to cash.
As these proposals will have a substantial impact on various financial institutions, below we will discuss some of the key changes.
PSD3 and PSR
These proposals will modernise the second Payment Services Directive (PSD2) through an updated directive (PSD3) and a new directly applicable PSR, aimed at harmonising the ongoing payment services requirements across the EU. Also, the second E-money Directive (EMD2), will be merged into the PSD3. This means e-money services will also be covered by PSD3 and the PSR. The proposals will mainly have impact on Payment Service Providers (PSPs) and E-money Institutions (EMIs). Also banks will be affected by PSD3 and the PSR in their capacity as Account Servicing Payment Service Providers (ASPSPs).
Some important changes the proposals bring are:
Further levelling the playing field between banks and non-banks
One of the main goals of PSD2 was enhancing competition on the EU payments market. PSD3 and PSR must take this competition to the next level. The aim is to make PSPs and EMIs less dependent on commercial banks. Important changes in this respect are:
- allowing PSPs direct participant access to payment systems designated under the Settlement Finality Directive (SFD);
- securing the rights of PSPs and EMIs to a bank account by setting stronger requirements for banks for access refusal and withdrawing their services to PSPs and EMIs;
- giving payment institutions the right to safeguard their client funds directly with their national central banks.
Improving the functioning of open banking
PSD3 and the PSR make some targeted amendments to the sharing of payments account data (‘open banking’), by removing remaining obstacles and improving customers’ control over their payment data. The proposals include:
- new substantial requirements for dedicated data access interfaces;
- a list of prohibited obstacles to data access;
- a requirement for ASPSPs to set up a “dashboard” allowing consumers of open banking services to see at a glance what data access rights they have granted and to whom, and to withdraw access via this tool;
- the amendment that banks will no longer need to permanently maintain – unless where exempted – two data access interfaces (a dedicated one and its “fall-back”), but only a dedicated interface; and
- rules to protect the continuity of open banking providers (AISPs and PISPs).
Narrowing down the scope of the Commercial Agent Exemption (CAE)
According to the EC, the concept of a commercial agent is applied inconsistently and must be harmonised and clarified. The EC aims to provide further clarity on the conditions under which payment transactions through commercial agents may be excluded from the scope of the PSR. Following to the text of the PSR, commercial agents will only be excluded from PSD3 and the PSR in the following events:
- The commercial agent meets the definition of commercial agent as defined in in Article 1(2) of Directive 86/653/EEC: a self-employed intermediary who has continuing authority to negotiate the sale or the purchase of goods on behalf of another person, or to negotiate and conclude such transactions on behalf of and in the name of that person.
- The commercial agent is authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee, but not both of them, irrespective of whether or not the commercial agent is in the possession of the client’s funds.
- Such agreement gives the payer or the payee a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services.
Requirement iii), the real margin to negotiate with the commercial agent, is a new requirement that is likely to impact current users of the CAE. Also, e-commerce platforms using the CAE are specifically mentioned in the recitals to the PSR: “Electronic commerce platforms that act as commercial agents on behalf of both individual buyers and sellers without buyers or sellers having any real margin or autonomy to negotiate or to conclude the sale or purchase of goods or services should not be excluded from the scope of this Regulation”. We advise parties currently using the CAE to closely monitor the developments of PSD3 and PSR.
Combatting and mitigating payment fraud
PSD3 and the PSR must contribute to reducing payment fraud. The main changes regarding combating and mitigating payment fraud will be:
- enabling PSPs to share fraud-related information between themselves (via dedicated IT platforms);
- improving Strong Customer Authentication (SCA) by strengthening and clarifying the current rules;
- extending refund rights of consumers who fall victim to fraud; and
- extending IBAN/name matching verification services from instant payments to all credit transfers.
The EC’s second proposal deals with financial data access (FIDA). This proposal is aimed at extending the obligation to provide access to financial data beyond payment account data (which was already introduced by PSD2 and is referred to as ‘open banking’). Extending the access to more financial data is referred to as ‘open finance’. FIDA must ensure that customers have effective tools to control the use of their financial data. The proposal will have impact on financial institutions (who will be required to give access to certain data) and creates possibilities for financial and non-financial institutions (who will have the possibility to access and use the data).
The FIDA proposal introduces:
- the right for customers to access the data that financial institutions hold about them (these financial institutions are referred to as ‘data holders’);
- the right for customers to give access to this data to third parties that provide innovative services (referred to as ‘data users’). Data users can be financial institutions as well as non-financial institutions (the latter must obtain dedicated authorisation from a competent authority as ‘Financial Information Service Provider (FISP))’.
Customer data in scope of FIDA is “personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers”. This can either be data transmitted to the data holder by customers themselves (‘transmitted data’), as well as data arising from customers’ interactions with financial institutions (‘transaction data’). The full list of financial institutions in scope of FIDA includes banks, PSPs and EMIs, investment firms, AIFMs, insurance companies, crypto-asset service providers and crowdfunding service providers.
The third topic to discuss is the proposal for a Digital Euro Regulation. The idea behind the digital euro is to complement cash and to offer people and businesses an alternative way to pay digitally, on top of the private options currently offered by banks, PSPs or EMIs. Based on the current proposal, the digital euro will be granted “legal tender status” for retail payments, which means its acceptance is mandatory by payees unless otherwise provided in the Regulation.
In terms of financial institutions, the current proposal of the Digital Euro Regulation will have impact on banks and PSPs. PSPs that have an authorisation to provide payment services under PSD2, will be able to provide digital euro payment services without any additional authorisation. On top of that, the Digital Euro Regulation does require PSPs and banks to carry out specific tasks in relation to the digital euro:
- PSPs must make available funding and defunding functionalities and facilitate interaction with non-digital euro payment accounts;
- banks must distribute basic digital euro payment services upon request of their clients;
- anti-money laundering rules must be applied to digital euro payments.
Please note that, next to providing a legal framework for a digital euro, the digital euro still has to be developed. It will ultimately be for the European Central Bank to decide whether or not to issue a digital euro.
Next steps and timeline
Note that according to the transitional provisions in PSD3, licensed PSPs and EMIs must apply for re-authorisation within 24 months after its entry into force (unless they are granted automatic authorisation by the competent authority).
The proposals will now go through the usual EU legislative process which is expected to take around two years to complete. This brings the following expected timelines:
- The regimes for PSD3, PSR and FIDA will, based on the current proposals, take 18-24 months to apply/enter into force after the texts are agreed upon. Assuming that the texts are agreed in 2025, the new regimes would be binding sometime in 2026.
- The Digital Euro Regulation will enter into force shortly after being finalised. However, its effect depends on the progress regarding the development and issuance of the digital euro itself.
In all, the new proposals will have a major impact on the payments industry. We will monitor the developments of the legislative proposals closely and keep you informed. If you have any questions on the impact on your business, we are happy to help.