- European Commission enters dialogue period to ratify its new proposals introducing PSD3, Payment Services Regulation (PSR), and Financial Data Access (FIDA).
- The aim of this new package is to strengthen consumer protection in electronic payments.
- Key points of the package include security, open banking improvements, data sharing, and transparency on fees.
The European Commission has proposed a revision of the Payment Services Directive (PSD2, to become PSD3), a Payment Services Regulation (PSR), and a framework for Financial Data Access (FIDA) to strengthen consumer protection and competition in electronic payments and enhance trust in digital financial services.
Electronic payments in the European Union have drastically increased, reaching €240 trillion in 2021 from €184.2 trillion in 2017. The growth has been driven by a combination of factors, including the Covid-19 pandemic, which resulted in consumers relying more on digital technologies to make payments during lockdowns.
However, the downside of this trend is more sophisticated types of fraud, which have impacted trust and put consumers at risk of losing their life savings.
Following the proposal of the Digital Finance Strategy in September 2020, the EU Commission has been working hard to gather feedback on PSD2 since its introduction across the EU. The results were shared in the 2022 market consultation report on the PSD2 revision and Open Finance Framework.
PSD3, PSR, FIDA: the major documents of the new package
In response to these developments, today’s package seeks to ensure the EU’s financial sector is fit for purpose and capable of adapting to the ongoing digital transformation and the risks and opportunities it presents – in particular for consumers, the European Commission said in a statement on June 28.
The package comprises a set of three major documents:
- The revision of the PSD2, designated as the PSD3: as a directive, once ratified by the EU Parliament and EU President Council, each EU state will have two years to transpose it in its country. The PSD3 will then have to be implemented and enforced (i.e., the same process as PSD2).
- The Payment Services Regulation (PSR): as an “EU Regulation,” once ratified, it will be enforced as-is by each EU country. This regulation will nail down the critical discrepancies between EU countries we saw with PSD2, as it requires no transposition in each EU country.
- The framework for Financial Data Access (FIDA): this addresses the sharing of personal financial data to be put in place by financial services providers. It expands on the PSD2 concepts of opening access to payment account information to financial services providers.
What are the key points addressed by these new digital finance package proposals?
Security: The implementation of PSD2 in 2015 improved consumer security through the Strong Customer Authentication (SCA) protocol, which reduced fraud by about 50%. This package further considers the ever-increasing collaboration between financial and non-financial players, such as fintechs, by strengthening consumer protection and anti-fraud mechanisms. This includes mandatory IBAN/name checks, PSP fraud-related reporting, transaction monitoring, and the extension of refund rights, as new criteria for PSD3.
Access to new payment information: the new regulations will provide transparency on fees for credit transfers, remittances from the EU to third countries, and ATM charges. It will also clarify estimated times for receiving funds and the designation of payees in payment account statements.
Improved payment-related mechanisms: in a welcome move for consumers, unused blocked funds, such as hotel or car rental deposits, will be released much faster under the proposed regulations. Non-licensed PSP retailers can also offer customers cash services (for example, cashback) without requiring a purchase. However, they will be limited to about €50 to prevent unfair competition with independent ATM operators.
Meanwhile, financial regulators will be able to force banks to ensure that their dedicated interfaces are optimized to perform well, and failure to do so could lead to penalties. This proposed package also facilitates access to settlement infrastructure for non-banks, such as Payment Initiation Services (PIS) and Electronic Money Institutions (EMI), and it requires banks to open accounts for PIS and EMI businesses. At the same time, a merger of the e-money directive and PSD2 has been proposed to enhance the harmonization and simplification of this process.
Open banking improvements: this is a new substantial requirement for dedicated interfaces to harmonize interoperability between banks and TPPs. At the same time, there will no longer be a need for a “fallback” solution. It also gives end users dashboard capabilities to see which data access rights they have granted to whom and to withdraw any of them from the same user interface. This capability is compulsory for any open finance services.
Beyond payments: specifically, the FIDA package extends the initial data scope of the PSD2. It covers all personal financial data of consumers (either individuals or enterprises). Loans, savings, investments, pensions, and non-life insurance are included. All information that may lead to financial exclusion, such as creditworthiness assessments of natural persons and life, sickness, and health insurance, is excluded.
Access to open finance data: this proposal introduces a general obligation for data holders to make customer data available to data users at customers’ request. There is a need for regulatory alignment, and, at this stage, FIDA articulates the various rules and legal guides to be applied and encourages the industry and private sectors to move forward on defining the data standards and schemes.
- The same rules and consumer protection capabilities of the PSD3 / PSR.
- This proposal must fit into the European Strategy for Data (The Data Governance Act, the Digital Markets Act, and the Data Act proposal).
- Member states cannot improve data sharing on their own without risking fragmentation and discrepancies across the EU.
Companies must be regulated financial firms or authorized as Financial Information Service Providers (FISPs) to access customer data. They will also be subject to the Digital Operational Resilience Act, which addresses cybersecurity risks.
The EU Commission goes one step further: rather than imposing any data sharing standards, it requires data holders (banks and financial services providers) to develop these standards by establishing a transparent liability regime and dispute resolution mechanisms similar to the European Payment Council’s SPAA scheme.
Finally, the proposal states that the data holders should receive “reasonable compensation” for the cost of making data available, which will have to be addressed in the schemes.
The EU Commission is now entering a dialogue period with the EU representatives in each country. This will result in a formal vote in parliament, hopefully by the end of the year, to ensure it is done before the parliament’s re-election starts at the beginning of 2024.