PSD3 and PSR: Impact on payment and e-money institutions

Coexistence of a Directive and a Regulation on payment services

The legislative landscape for payment services in the EU will be shaped by the pieces of legislation resulting from the proposals for both PSD3 and the Payment Services Regulation (PSR), collectively referred to hereunder as the “Proposal”.

PSD3 focuses on the licensing and authorisation procedures for payment institutions, requiring EU member states to incorporate its provisions into national laws and allowing for some limited derogations, while PSR sets out harmonised and directly applicable operational rules and technical requirements for PSPs, including stringent authentication protocols and advanced fraud prevention measures.

The European Commission has decided that the piece of legislation to address the issues identified during the evaluation of PSD2 shall be in the form of an EU Regulation. Although PSD2 was largely successful in achieving its objectives of transparency and defining the rights and obligations of payment service users and providers, as an EU Directive, its implementation in the Member States led to inconsistencies. These inconsistencies, often due to gold-plating or differing interpretations, resulted in legal fragmentation that undermined the internal market objectives of PSD2 in the context of progressing towards an EU Digital Single Market. While the European Banking Authority (EBA) was able to address many consistency issues through Q&As and guidance, fundamental ambiguities in PSD2's concepts and exemptions created an uneven playing field and encouraged forum shopping. In addition, rapid technological advances and market changes require that future provisions regulating the provision of payment services remain as aligned as possible with the overall objective of promoting a well-functioning payment services industry. 

Harmonisation of the legislation on payment services and e-money

The Proposal will not only repeal PSD2 but also the Second Electronic Money Directive (EMD2), effectively merging those fields into one single regulatory framework. Under the Proposal, entities may seek authorisations as Payment Institutions (PIs) to provide payment services, which may (or not) cover the offering of e-money. Despite this merger of legislations, the Proposal envisages more stringent requirements for PIs offering e-money services to preserve some of the aspects of EMD2 that did not overlap with PSD2, such as higher initial capital requirements for PIs providing e-money services. The preservation of specific e-money requirements ensures that the unique aspects of electronic money are adequately addressed, while the unified regime simplifies compliance and supervision for institutions operating in multiple jurisdictions.

Under the Proposal, existing PIs (and entities currently authorised as Electronic Money Institutions or EMIs) will need to apply for new authorisations within 24 months of the directive's entry into force. This requirement ensures that all institutions comply with the updated regulatory standards set forth by the Proposal. The European Commission refers to this transitional arrangement as “grandfathering”, which allows institutions to continue their operations while they transition to the new regulatory framework. Accordingly, regularising their respective authorisations will be the main obvious task that entities currently operating as PIs or EMIs will need to complete to adapt to the Proposal, including following -for example- the relevant passporting procedures to operate across jurisdictions on a FOS basis.

Other challenges and Opportunities for PSPs

Beyond the need to file new applications for authorisations, the introduction of the Proposal presents a series of specific challenges and opportunities for PSPs. One of the most significant challenges is the need to comply with the new requirements for SCA. The Proposal mandates that PSPs implement transaction monitoring mechanisms that support the application of SCA and enhance fraud prevention and detection. Not only does this involve the implementation of new technologies but also the adaptation of internal processes to ensure that all transactions are effectively monitored and authenticated. Additionally, PSPs must ensure that SCA methods are accessible to all customers. Additionally, in relation to the notion of "accessibility", it is important to note that the provision of payment services is included within the scope of the implementation into the Spanish laws of the European Accessibility Act, and PSPs will need to review their services to ensure that are universally accessible. This may require a significant review and update of their authentication systems to meet these inclusive standards.

Another major challenge is the liability for unauthorised transactions. Under the Proposal, PSPs are required to notify payers about any discrepancies between the unique identifier and the name of the payee, thus increasing PSPs' duties and responsibilities in relation to the execution of a payment transaction when there is a mismatch of unique identifiers from the PSD2 regime. Failure to comply with this obligation can result in PSPs being held liable for unauthorised transactions. Furthermore, PSPs can only deny refunds in cases of reasonable suspicion of fraud. This additional responsibility will oblige PSPs to implement robust verification and notification systems to minimise the risk of errors and fraud.

However, the Proposal also offers significant opportunities for PSPs, especially for those involved in the facilitation of open banking such as ASPSPs. One of the most notable opportunities is the requirement to provide a single dedicated interface for data access, although contingency (fallback) data access possibilities might be permitted under specific circumstances. This can simplify operations and reduce long-term costs, allowing PSPs to focus on developing more innovative and personalised services. The elimination of the fallback interface can also reduce technical and operational complexity, enabling greater efficiency in service delivery.

Additionally, the introduction of "permissions dashboards" allows users to manage their access permissions more effectively. These dashboards provide users with greater transparency and control over who has access to their financial data, which can increase customer trust in open banking services. By offering users tools to manage their access permissions, PSPs can foster greater adoption of open banking services and improve customer satisfaction.

The Proposal also allows for collaboration between PSPs and other financial entities for the purposes of fraud prevention by sharing personal data of their users. While these data sharing activities can result in strategic alliances that expand service offerings and enhance market competitiveness, it will be necessary for the financial entities involved to engage in information sharing arrangements in full observance of the data protection laws. Additionally, PSPs will need to conduct a data protection impact assessment (DPIA) to check whether these data sharing activities result in a high risk to the rights and freedoms of their users.

Osborne Clarke comment

Although we do not anticipate that PIs and EMIs currently providing services in strict compliance with PSD2 and EMD2 should conduct major changes in their operations in light of the Proposal, it is advisable that these operators begin to design their adaptation plans. It is also important not to disregard any additional action that may be necessary after the relevant adaptation of PSPs to the Proposal, such as reviewing and (if necessary) adjusting AML practices in relation to the monitoring of transactions and/or their on-boarding procedure for payment services users.