Introduction
In June 2023, the European Commission unveiled two significant legislative proposals: the third Payment Services Directive (PSD3)[1] and the Payment Services Regulation (PSR)[2]. These updates are designed to replace the existing framework under PSD2, which has been in place since 2015. PSD3 and PSR aim to modernise and strengthen the regulatory environment for payment services across the European Union, ensuring that it keeps pace with the rapid advancements in digital finance. These texts introduce crucial changes that will shape the future of innovation, competition, and security in the payment service industry.
By tightening regulatory oversight, enhancing consumer protections, and enabling a more competitive landscape, these proposals will both address current challenges and set the stage for the next wave of Fintech evolution.
Key Changes and Innovations
Merging of E-Money and Payment Services
One of the most significant updates is the merging of the E-Money Directive with the Payment Services Directive[3]. This integration aims to create a unified regulatory framework for both payment institutions and electronic money institutions, reducing the complexity that previously existed between these two sectors.
While this merger does streamline the regulatory framework, it may not necessarily lower barriers to entry. The requirements for an e-money license are expected to remain the same, if not become more stringent, which could limit the ease with which new players can enter the market. Previously, a Payment Institution (PI) license, and in some countries a Small Payment Institution license, offered a more accessible entry point for smaller firms to establish themselves. However, the increased regulatory rigor could enhance banks’ confidence in providing transactional banking services to licensed entities, as they benefit from stronger compliance measures.
Strengthened Regulatory Oversight
PSD3 introduces more stringent licensing and authorisation requirements for payment service providers. These include higher capital requirements[4], mandatory winding-up plans[5], and a more streamlined authorisation process[6]. The aim here is to enhance the stability and reliability of payment services across the EU.
While these changes are designed to increase consumer trust and market integrity, they also pose significant challenges for smaller Fintech firms. The increased compliance demands may strain resources, particularly for startups and smaller companies, potentially leading to market consolidation as these firms struggle to meet the new requirements[7].
Enhanced Open Banking and Open Finance
PSD3 also brings significant enhancements to the Open Banking framework, including clearer guidelines for improved user protection and confidence, and expanded access rights for third-party providers. These changes are intended to remove existing barriers and improve the functionality of open banking across the EU[8]. The new rules offer an opportunity to deliver more robust and competitive services. Improved standards (such as a dedicated data access interface[9] for ASPSPs[10]) and increased access rights will enable Fintechs to integrate more seamlessly with banks, enhancing their ability to innovate and provide better services to consumers. Conversely, firms must also invest in more reliable infrastructure to remain competitive.
Security and Consumer Protection
Strong Customer Authentication (SCA)
Regarding the PSR, according to EY[11], “A significant change in the cybersecurity domain is the expansion of security requirements to encompass payment card schemes, payment gateways, and merchants. The regulation also now covers third parties to whom technical, operational, and communication services have been outsourced. This mandates more parties in the payment chains to implement systems such as Strong Customer Authentication (SCA)[12] to bolster payment security.” The new rules also introduce other rigorous fraud prevention mechanisms, including enhanced transaction monitoring[13] and stricter liability rules.
Anti-Fraud Measures
Alongside the strengthened SCA, PSR introduces several new anti-fraud measures aimed at safeguarding consumer transactions. Key among these is the mandatory IBAN-name matching for credit transfers, which helps verify that the payee’s details match the intended recipient[14]. Additionally, the regulation promotes enhanced data-sharing protocols[15] among payment service providers to detect and prevent fraudulent activities more effectively.
While these measures may increase operational complexity, they are essential for maintaining a secure and trustworthy service in the eyes of consumers and regulators alike.
Conclusion
Streamlined regulation, better consumer protection, a more competitive market: these proposals are set to significantly reshape the landscape of digital payments. For Fintech companies, this evolution presents both challenges and opportunities: while increased market compliance demands may strain resources, especially for small players, the potential for innovation and improved security offers a pathway to greater trust and adoption in the market.
Firms that adapt quickly and invest in strengthening their infrastructure and compliance frameworks will be well-positioned to thrive in this new era. PSD3 and PSR are not just regulatory updates; they lay the foundation for the next waves of innovation and growth in payment services.
Notes:
[1] Proposal for a Directive of the European Parliament and the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52023PC0366
[2] Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0367
[3] See Recital 5 of PSD3: “Even though the issuance of electronic money is regulated under Directive 2009/110/EC of the European Parliament and of the Council, the use of electronic money to fund payment transactions is to a very large extent regulated by Directive (EU) 2015/2366. Consequently, the legal framework applicable to electronic money institutions and payment institutions, in particular with regard to the conduct of business rules, is already substantially aligned. (…) It is therefore appropriate that the authorisation and supervision regime applicable to electronic money institutions is further aligned with the regime applicable to payment institutions.”
[4] See Recital 25 of PSD3: “To cater for the risks posed by their activities, payment institutions need to hold enough initial capital combined with own funds. Considering the possibility for payment institutions to engage in the wide range of activities covered by this Directive it is appropriate to adjust the level of the initial capital attached to individual services to the nature and the risks attached to these services.”
[5] See the Explanatory Memorandum of PSD3, p.7, “Licensing and supervision of payment service providers”: “The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application, but made fully consistent for institutions providing payment services and electronic money services.”
[6] See Recital 18 of PSD3: “To ensure a level playing field and a harmonised process for the granting of an authorisation to undertakings applying for a payment institution license, it is appropriate to impose to competent authorities a time limit of 3 months for the authorisation process to be concluded, after the receipt of all the information required for the decision.”
[7] See articles 5 and 6 of PSD3.
[8] See page 5 of PSD3: “There are four specific objectives of the initiative, corresponding to the identified problems: 1. Strengthen user protection and confidence in payments; 2. Improve the competitiveness of open banking services; 3. Improve enforcement and implementation in Member States; 4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.”
[9] See p.5 of PSD3: “requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface; “permissions dashboards” to allow users to manage their granted open banking access permissions;”
[10] Account Servicing Payment Service Providers
[11] Rudrani Djwalapersad (22 Feb 2024) “PSD3 and PSR: regulatory uniformization for enhanced protection” https://www.ey.com/en_nl/cybersecurity/psd3-and-psr-regulatory-uniformization-for-enhanced-protection
[12] See article 85 of the PSR.
[13] See p.10 of the PSR, “Operational and security risks and authentication”: “A new provision is added requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of strong customer authentication and to improve the prevention and detection of fraudulent transactions.”
[14] See p.6 of the PSR: “Improvements to the application of SCA, (…) extension of IBAN verification to all credit transfers.” See Recital 104 of PSR: “‘Unique identifier’ should be understood as referring to ‘IBAN’”
[15] See article 84 of the PSR: “Payment service providers shall alert their customers via all appropriate means and media when new forms of payment fraud emerge…”