Revised Payment Services Rules to Improve Consumer Protection and Competition in Electronic Payments

The payment services market has changed significantly in recent years. Electronic payments in the EU have been constantly growing and new providers have entered the market, in particular providing ‘open banking’ services. In addition, more sophisticated types of fraud have emerged, putting consumers at risk and affecting trust. In response to these developments, the European Commission has proposed to amend and modernise the current Payment Services Directive (PSD2), which will become PSD3, and additionally establish a Payment Services Regulation (PSR). The Commission gave its proposal in June 2023, the European Parliament adopted its first position in April 2024, and the Committee on Economic and Monetary Affairs has decided to open trilogues as of 21 October 2024 which was announced at the Plenary on 13 November 2024.
 
The objective of the PSD3 and the PSR is to enhance the security, efficiency and competitiveness of payment services within the European Union.

Key goals include:
 
Technological advancements: The rapid evolution of technology in the financial sector necessitates updated regulation to address new challenges and opportunities. The PSD3 aims to ensure that the regulatory framework keeps pace with technological innovations in payment services.
 
Enhanced security: With the increasing prevalence of digital payments, there is a heightened need for robust security measures to protect consumers and businesses from fraud and cyber threats. The PSD3 will introduce an enhanced Strong Customer Authentication (SCA), which will contribute to safer buying experiences.
 
Consumer protection: The directive seeks to enhance consumer protection by ensuring greater transparency and accountability in payment services. This includes clear information on fees, charges and dispute resolution mechanisms.
 
Market efficiency and competition: The PSD3 aims to create a more competitive and efficient payment market within the EU. By fostering innovation and reducing barriers to entry, the directive encourages competition among payment service providers, ultimately benefiting consumers and businesses.
 
Harmonisation of regulation: The directive seeks to harmonise payment regulation across EU member states, creating a more integrated and cohesive payment market. This harmonisation helps reduce regulatory fragmentation and facilitates cross-border payment services.

Yes, already authorised payment service providers (PSPs) need to evaluate whether the suggested changes would impact their businesses and services. The PSD3 together with the PSR could affect how payment services are to be organized and managed. The changes may relate to, for example:

In brief, yes and no. The PSD3 and PSR are largely similar to the PSD2 in terms of which services or transactions are excluded from the scope of regulation. However, the proposed amendments together with the recitals clearly show that the intention is to harmonise interpretation across the EU, as the exclusion has been applied differently across the EU and to services involving substantial volumes or a large number of customers. For the same reason, it seems the intention is to narrow down the scope of exclusions.

For the purpose of harmonisation, the proposal for example gives the European Banking Authority (EBA) the authority to develop guidelines and regulatory technical standards specifying the criteria for several exclusions, including the limited network and commercial agent exemptions.

Based on the proposed changes we expect that, on one hand, the amendments make supervisory authorities more reserved when assessing criteria for exemptions. We expect that this could support the development of a stricter interpretation across the EU. On the other hand, service providers who provide or aim to provide exempted payment services across the EU likely benefit from the added clarity and harmonisation.

In either case, after the PSD3 and PSR apply there will be a period during which updated guidance and legal praxis will develop. It is therefore crucial for companies relying on exemptions as provided under the PSD2 to familiarise themselves with the new guidance and, depending on the development of authority praxis, to seek authorisation.

Both payment service providers and technical service providers operating SCA need to consider the proposed PSD3 and PSR. ‘Technical service providers’ in particular is a new term introduced in this legislation, and it refers to service providers who support the provision of payment services without at any time receiving possession of the funds to be transferred. We highlight a few of the proposals below.

Emphasis on risk-based approach to applying SCA: The European Parliament has emphasized a risk-based approach in the application of SCA, in particular in the context of transaction monitoring. New regulatory technical standards would also be drafted with the European Parliament with the aim of increasing the thresholds for applying the transaction risk analysis exemption to SCA.

The risk-based approach would apply both in the consumer context and in the context of B2B (business to business) and B2G (business to government) payments. The European Parliament has clarified in proposed amendments to recitals that, in the context of B2B or B2G payments, SCA should be appropriate to the risk level of such transactions and should not be required for every such transaction but based on a risk-based approach.

Changes to liability: The PSD3 and PSR would clarify that the payer will not bear any financial losses where either the payment service provider of the payer or the payee applies for an exemption from the application of SCA. In addition, there are new liability provisions for technical service providers and operators of payment schemes for failure to support SCA.

Parliament proposing fair, reasonable and non-discriminatory (FRAND) access to mobile devices: The European Parliament has suggested that original equipment manufacturers of mobile devices and electronic communications service providers should allow providers of front-end services effective interoperability with, and access to for this purpose, the technical features necessary for storing and transferring data to process payment transactions on FRAND terms. Time will tell what form this particular requirement will take in the final text.

Other changes: The PSD3 and PSR would further clarify exemptions from applying SCA. In particular, merchant-initiated payment transactions would need to apply SCA only at the set-up of the mandate. Further, account information service providers would need to require SCA upon first data access. The Commission’s initial proposal requiring a further SCA at least every 180 days was deleted in the Parliament’s text.

There are several other new provisions, including new provisions on accessibility requirements, that would even affect outsourcing agreements with technical service providers. The proposal would also make it possible to have the two required elements for SCA from the same category (knowledge, inherence, possession), subject to independence of the elements and high level of security.

The scope of new provisions is subject to change during the trilogue. The finalised versions of the PSD3 and PSR are expected to be published early 2025. After publication, Member States have an 18-month transition period during which they shall transpose the directive into national law and prepare compliance for newly introduced regulation. We will continue to closely monitor the developments of the PSD3 and PSR.

If you have any questions about this Legal Alert, please feel free to contact the undersigned.