On May 10, 2022, the European Commission (EC) published an initiative/call for consultation on its 2nd Payment Services Directive – PSD2 for short – which is currently in force.
The goal? To use the takeaways to inform the update of what will be called PSD3.
Already, speculation has begun to mount on what the revised directive, PSD3, will contain and what consequences it will have for the banking and payments sector, as well as merchants.
We take an up-to-date look at both the solid facts we know so far, and what history has shown might happen as we move towards the 3rd Directive.
What Is PSD3?
The 3rd Payment Services Directive, PSD3, is an upcoming framework that regulates electronic payments and the banking ecosystem within the European single market area (EEA). The PSD3 will be decided by the EC after a round of consultations.
Just like its predecessor, PSD3 is going to address Strong Customer Authentication (SCA) and open banking standards and protocols, aiming to make it easier for consumers to transact with confidence in the digital landscape, both with merchants and with banks.
Moreover, the open finance and banking protocols will address sharing of customer information between competent authorities and banks the consumer has accounts with, including tax authorities, payment processors, and more.
SEON’s CEO, Tamas Kadar, says about PSD3:
“It is reassuring to know that important SCA and open finance legislation is being reviewed and updated. We are following developments closely and, as an industry-agnostic and highly customizable fraud prevention solution, are well positioned to address any changes.”
It should be made clear that only electronic transactions fall under the remit of Payment Services Directives – both in terms of payments and online/mobile banking. So, they do not address cash payments or bank checks, for example.
Why Is PSD2 Changing?
Built into the European Commission’s retail payments strategy are clauses to review and update guidelines and legislation at regular intervals, to keep up with market and consumer needs, as well as technological developments and the overall landscape.
In particular, in September of 2020, the EC adopted a retail payments strategy to enable innovation and growth. Within this decision was included a milestone to review and potentially update the current rules on payment services in 2022.
In other words, these consultations and the subsequent discussion are a way to find out whether stakeholders feel the current legislation is still fit for purpose – or, if not, what is missing.
Such a change does not come without precedent. PSD1 was introduced in 2007 and was eventually updated to PSD2, which passed in 2015. Seven years later, the need has been identified to ensure everything in it is up to speed.
PSD3 vs PSD2: Differences
PSD3 is upcoming legislation set to regulate the provision of electronic payments and the banking ecosystem within the EU’s single market, while PSD2 is the older version of this framework, which has been in use in the European Union and European Economic Area since 2019/2020, when the extended deadline for its implementation passed.
PSD2 governs all digital payments and open finance in the EU and EEA, and PSD3 is expected to do the same, potentially broadening its scope.
One way for us to think in solid terms about what might be part of PSD3 is by looking at the questions asked during the consultation phase. These show us the areas the authorities have already earmarked as up for reconsideration and possible update.
Therefore, the new Payment Services Directive is looking to answer questions and address issues such as the following:
- Are current open banking requirements adequate?
- Are there alternatives to current SCA methods?
- Should the SCA period be extended from 90 to 180 days to reduce friction?
- Should contactless payment limits change?
- Should applicable currency conversion costs be disclosed before transactions?
- Are exceptions under PSD2 still appropriate?
- Should one-leg-in (just one PSP in the EEA) payment transactions be sped up?
- Can authorization for payment providers and institutions be streamlined?
- Should we start regulating currently unregulated activities such as crypto payments and BNPL?
Of course, it may well be found that some of these are sufficient for future use, in which case those parts of PSD2 are likely to simply be left as-is rather than updated. However, it’s almost certain that there will be major changes as well.
The Payment Services Directive Consultation
What is often called the PSD3 consultation is in fact three separate initiatives: a public consultation, a targeted consultation on the technical aspects of PSD2, and a targeted consultation on open finance, also frequently called open banking.
The public consultation came to an end on August 3, 2022. Per the official announcement, EU citizens, companies, business associations, and public authorities all shared their opinions – and stakeholders came from far and wide, including Germany, France and even the UK, despite its status having changed to outside the EU. The targeted consultations have also concluded.
Please note that the results of the consultation are not binding and do not constitute any formal proposal or final position for any stakeholder.
One prominent opinion provided at the time of the consultation phase and fully accessible to the public is that of the EBA (European Banking Authority), which highlights a series of issues, opportunities and challenges PSD2 and the proposed PSD3 pose for banking institutions.
From here, the appropriate bodies of the EC will review the answers as well as additional findings and work towards a draft of PSD3, which is expected in early to mid-2023.
PSD3 Compliance: What Do You Need to Know?
Both for companies who accept electronic payments and those banks and financial institutions that process and manage them, PSD3 compliance will eventually be mandatory – once PSD3 has been decided, ratified in law, and after an implementation deadline has passed.
This deadline is not known at present but we can make an educated guess based on how long it took PSD2 to replace the first-ever PSD: five years.
- European countries had two years to transpose PSD2 into national legislation after it had been passed at the EC level.
- Companies had another two years (extended to three) from transposition to fully comply with PSD2.
There is always the chance this process will be sped up, but it is safe to say that it will be at least three years after PSD3 becomes EU law until companies are forced to fully comply with it.
Of course, depending on the extent of the updates, this is likely to be no easy feat, so payment processors, banks and other financial institutions are advised to start the process of adapting their systems as soon as PSD3 becomes EU law.
Penalties for PSD3 Non-Compliance
There is nothing set in stone yet, but once PSD3 becomes law, penalties for non-compliance are likely to be similar to those of PSD2 – which involve fines as well as potential license removal for financial institutions and adjacent companies.
This means that it is up to the “competent authority of the home Member State” where the company in question resides to spot non-compliance and enforce fines and other penalties, according to local legislation.
Keep in mind that if PSD3 follows the path that the previous Directives have forged, it will be up to payment processors themselves to stay compliant, not merchants who accept digital payments.
Therefore, though merchants are wise to keep abreast of PSD3 developments, there is less of a reason for online retailers and similar companies to worry at present.
How Will PSD3 Help Fight Fraud?
In addition to streamlining the provision of financial payments and services, PSD3 will look to safeguard operations and users, making them safer for all parties involved – in line with its predecessors.
For example, PSD2 defined and mandated the use of multi-factor authentication (MFA) in certain types of payments, as well as when a consumer wants to access their financial account with their bank or credit company. This made it significantly more difficult for brute force, phishing and other types of account takeover attacks to be successful.
As we’ve pointed out before, open banking comes with risks as well as opportunities. A key consideration is how it enlarges the possible attack surface, since the ecosystem is significantly larger than in previous setups.
As the adage goes, you’re only as safe as your weakest link. In this case, this means that among the various institutions that share someone’s authentication or identity, a single loophole can give successful fraudsters a higher reward.
So, PSD3 will look to further amplify protection for consumers and organizations, as well as national and regional economies at large, by addressing more recent fraudulent methods as well as anticipating new risks to the extent possible.
As more information is released about PSD3, we will be letting our partners know about key new developments so they can prepare their responses.
It is still early days. Legislation is expected to be drafted by the European Commission in Q1 or Q2 of 2023, then passed, and then each EU/EEA country will be given a deadline to transpose it into national law. Ultimately, PSD3 is unlikely to be in effect before 2026 or even later.
Payment Services Directives are a way to encourage and empower healthy competition, including between banks and other financial institutions, as well as protect consumers and companies – all according to the European Commission.
Europa.EU: Payment services – review of EU rules
European Banking Authority: EBA replies to European Commission’s call for advice on the review of the Payment Services Directive