PSD3

What is Payment Services Directive 3 (PSD3)?

The Payment Services Directive 3 (PSD3) is the latest iteration of the European Union’s regulations on payment services, aimed at enhancing and modernizing the framework established by its predecessor, PSD2. The key goals of PSD3 include improving consumer protection, fostering competition, and further developing the internal market for payment services within the EU. 

Key features and objectives of PSD3: 

  • Enhanced Consumer Protection: PSD3 introduces stronger measures to protect consumers from fraud and other risks associated with electronic payments. This includes stricter requirements for strong customer authentication (SCA) and better dispute resolution mechanisms. 
  • Increased Competition: The directive seeks to level the playing field for payment service providers (PSPs), including non-bank entities, by facilitating easier market entry and competition. This is intended to drive innovation and offer more choices to consumers. 
  • Digitalization and Technological Advancements: PSD3 addresses the rapid technological changes in the financial sector, including the rise of digital and mobile payments. It includes provisions to ensure that the regulatory framework keeps pace with these innovations. 
  • Operational Resilience: The directive strengthens the requirements for PSPs regarding the management of operational and security risks, including the need for robust incident reporting and resilience against cyber-attacks. 
  • Open Finance: PSD3 is closely aligned with the EU’s broader goals of Open Finance, which aims to enhance data sharing and interoperability between financial services, promoting greater innovation and efficiency in the financial sector. 
  • Revised Scope and Definitions: PSD3 updates and refines the scope and definitions of payment services to cover new types of transactions and services that have emerged since PSD2 was implemented. 

Overall, PSD3 represents a significant step forward in the EU’s efforts to create a more secure, competitive, and innovative payment services market.

What are the differences between PSD2 and PSD3?  

The Payment Services Directive 3 (PSD3) introduces several key changes compared to its predecessor, PSD2. Here are the major differences: 

  1. Fraud Prevention Enhancements: PSD3 introduces more robust mechanisms to combat new types of fraud, such as “spoofing” (impersonation fraud). It extends the IBAN-name verification to all credit transfers and strengthens the monitoring and sharing of fraud-related information among payment service providers (PSPs).
  2. Open Banking Improvements: PSD3 addresses the challenges faced by open banking under PSD2 by improving the performance of data access interfaces and removing obstacles that have hindered service providers. A significant addition is the requirement for banks to offer a “dashboard” where consumers can manage their data access permissions.
  3. Non-bank PSPs Access: Unlike PSD2, PSD3 ensures that non-bank payment service providers (PSPs) have access to all EU payment systems and a right to a bank account, which is crucial for fostering competition.
  4. Merging of Frameworks: PSD3 merges the legal frameworks for electronic money institutions and payment services, which were previously separate under PSD2 and the Electronic Money Directive. This integration aims to reduce regulatory complexity and create a more cohesive system for all types of payment service providers.
  5. Consumer Protection Enhancements: PSD3 further strengthens consumer rights by improving transparency, especially in transactions involving blocked funds, and speeding up the release of unused funds.
  6. Regulatory Framework Shift: PSD3 introduces a more harmonized regulatory approach by incorporating certain provisions into a directly applicable regulation, rather than relying solely on national transpositions as was done under PSD2. This change aims to reduce inconsistencies in the application of the rules across EU member states.

These changes in PSD3 are designed to address the evolving landscape of payment services, enhance security, improve user experiences, and ensure a more level playing field across the EU. 

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a regulatory requirement introduced under the Payment Services Directive (PSD2) and further enforced under PSD3. It is designed to enhance the security of electronic payments and reduce fraud by requiring the authentication of a customer’s identity using at least two of the following three elements: 

  1. Something the Customer Knows: Such as a password or PIN.
  2. Something the Customer Has: Such as a mobile device or smart card.
  3. Something the Customer Is: Such as a fingerprint or facial recognition (biometric data).

What SCA Means for Your Business: 

As a business operating under PSD3, Strong Customer Authentication has significant implications for how you process payments and interact with customers. Here’s what it means for you: 

  • Mandatory Compliance: You are required to implement SCA for most electronic payments, especially those made online. This means you must integrate systems that can verify two or more of the required elements (knowledge, possession, and inherence) during a transaction. 
  • Impact on Customer Experience: While SCA enhances security, it also introduces additional steps in the payment process. You will need to ensure that these security measures do not negatively affect the customer experience. This might involve working with payment processors to streamline authentication steps or offering customer support to address potential issues. 
  • Handling Exemptions: Not all transactions will require SCA. Under PSD3, certain payments may be exempt, such as low-value transactions, recurring payments, or payments to trusted beneficiaries. Understanding and correctly applying these exemptions can help you maintain a smoother transaction flow while remaining compliant. 
  • Security vs. Conversion Rates: The introduction of SCA might impact conversion rates as customers adapt to the new requirements. Your business may need to balance the improved security with potential friction in the payment process, possibly requiring customer education or adjustments in the payment journey. 
  • Technology and Integration: To comply with SCA, you may need to upgrade or integrate new technologies into your payment systems, such as multi-factor authentication tools, biometric scanners, or secure communication protocols. This could involve working closely with your payment service providers to ensure all transactions are secure and compliant. 

Implementing SCA is crucial for maintaining the trust of your customers and ensuring that your business operates securely within the EU’s regulatory framework. Properly handling the requirements of SCA under PSD3 will help protect your business from fraud while providing a secure and seamless payment experience for your customers. 

What is PSR? 

The Payment Services Regulation (PSR) is a set of rules that operates alongside the Payment Services Directive (PSD) to govern payment services within the European Union. While the PSD (such as PSD2 and the upcoming PSD3) lays down the general framework for payment services, the PSR contains specific provisions that are directly applicable across all EU member states, without the need for national transposition into local law. 

Key Aspects of PSR: 

  • Harmonization of Rules: 

PSR aims to ensure uniformity in the regulation of payment services across the EU. This helps to reduce discrepancies that could arise from different national implementations of the PSD. 

  • Scope and Definitions: 

The PSR outlines detailed definitions of payment services, payment service providers (PSPs), and the rules governing their operations. This includes specific requirements for access to payment systems, security measures, and transparency obligations for PSPs.

  • Consumer Protection: 

The regulation emphasizes the protection of payment service users by ensuring that they receive clear information and are safeguarded against fraud and other risks. It also addresses issues related to the surcharging of payments and the availability of certain payment services.

  • Enforcement and Supervision: 

PSR provides the legal basis for the enforcement of these rules by national competent authorities and introduces penalties for non-compliance. It also outlines the roles of these authorities in supervising payment service providers.

In summary, PSR is a crucial component of the regulatory framework for payment services in the EU, complementing the PSD by providing specific, directly applicable rules that enhance the consistency and effectiveness of payment services regulation across the union. 

The Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR) are closely related components of the European Union’s regulatory framework for payment services. Together, they work to modernize and harmonize the payment services market across the EU. 

1. Complementary Frameworks: 

  • PSD3 sets out the overarching principles, rights, and obligations that govern the provision of payment services within the EU. It focuses on areas such as consumer protection, fraud prevention, and competition enhancement. 
  • PSR, on the other hand, contains specific, detailed rules that are directly applicable across all EU member states. While PSD3 provides the general framework, PSR ensures that these rules are uniformly enforced without the need for national transposition. 

2. Harmonization and Direct Applicability: 

PSD3 allows some flexibility for member states to adapt the directive to local contexts. In contrast, PSR enforces uniformity by directly applying certain rules across the EU. This reduces inconsistencies and ensures a level playing field for payment service providers (PSPs) and users across different countries. 

3. Regulatory Coverage: 

  • PSD3 primarily addresses the rights and obligations of payment service users (consumers and businesses) and providers, covering a broad range of services and operations. 
  • PSR focuses more on the technical aspects and enforcement mechanisms, such as the conditions for accessing payment systems, the standards for security measures, and the transparency obligations for PSPs. 

4. Consumer Protection and Security: 

Both PSD3 and PSR aim to strengthen consumer protection and payment security. PSD3 introduces new measures and updates existing ones (e.g., Strong Customer Authentication), while PSR provides the legal backbone to enforce these measures uniformly across the EU. 

5. Implementation and Supervision: 

  • PSD3 is implemented by member states through national legislation, with each country responsible for adapting the directive to its legal system. 
  • PSR, however, does not require national transposition. It is directly applicable, meaning that its provisions automatically become part of national law in all EU member states. 

In summary, PSD3 and PSR are interlinked, with PSD3 providing the general framework for payment services, while PSR enforces specific rules across the EU, ensuring uniformity, consistency, and high standards of consumer protection and security. 

What is the scope of PSD3? 

The Payment Services Directive 3 (PSD3) covers a broad range of activities and entities involved in the provision of payment services and electronic money within the European Union. Its scope is designed to modernize and expand upon the framework established by PSD2, addressing new challenges and opportunities in the payment services market. 

Key Areas Covered by PSD3: 

  1. Payment Service Providers (PSPs):

PSD3 applies to all entities involved in the provision of payment services, including traditional payment institutions, electronic money institutions (EMIs), and non-bank payment service providers. It introduces more stringent rules for these institutions, including enhanced requirements for licensing, supervision, and consumer protection.

  2. Electronic Money Services:

The directive extends its scope to cover electronic money institutions, integrating them as a sub-category of payment institutions. This helps streamline the regulatory environment and aligns the rules governing both payment and electronic money services.

  3. Consumer Protection and Security:

PSD3 introduces stricter measures to protect consumers from fraud and unauthorized transactions, requiring stronger authentication methods and more transparency in the handling of payment transactions.

  4. Open Banking and Data Access:

PSD3 expands the scope of open banking by improving data access interfaces and ensuring that third-party providers can access payment accounts more effectively. This includes the requirement for financial institutions to provide dashboards for consumers to manage their data sharing permissions.

  5. Cash Withdrawal Services:

The directive introduces new provisions for cash withdrawal services provided by retailers or independent ATM operators, allowing them to offer cash services without being licensed as payment service providers under certain conditions.

  6. Cross-Border Services:

PSD3 also addresses the cross-border provision of payment services, enhancing the regulatory framework to ensure that services provided across EU member states are consistent and secure.

  7. Integration with Other Regulations:

PSD3 works in conjunction with the Payment Services Regulation (PSR) to ensure a uniform and comprehensive regulatory environment across the EU. The PSR applies directly to all member states, enforcing specific rules that complement the broader framework set out in PSD3.

In summary, PSD3 significantly broadens the regulatory scope to cover more entities and services, strengthens consumer protections, and enhances the security and transparency of payment services across the EU. It aims to create a more harmonized and efficient market for payment services, addressing the evolving needs of consumers and businesses in the digital economy. 

What is the timeline of PSD3? 

The Payment Services Directive 3 (PSD3) is currently in the proposal stage, following a comprehensive evaluation and consultation process. Here’s a breakdown of its timeline and current status: 

  1. Evaluation of PSD2
  • In 2022, the European Commission conducted an evaluation of PSD2, gathering input from stakeholders through public consultations, expert groups, and studies. This evaluation highlighted both the successes and shortcomings of PSD2, providing the foundation for PSD3.
  2. Stakeholder Consultations
  • Throughout 2022, a series of consultations were held, including an open public consultation, targeted consultations, and expert group meetings. These consultations informed the drafting of PSD3, ensuring it addresses the evolving needs of the payments market.
  3. Proposal Publication
  • The draft of PSD3 was published in 2023. This proposal includes both a new directive (PSD3) and an accompanying regulation (PSR) that together aim to modernize the regulatory framework for payment services in the EU.
  4. Legislative Process
  • After publication, the proposal entered the EU’s legislative process, where it is being reviewed and negotiated by the European Parliament and the Council. This process can take several months to a few years, depending on the complexity of the negotiations.
  5. Implementation Timeline
  • Once adopted, PSD3 will come into force 20 days after its publication in the Official Journal of the European Union. Member States will then have 18 months to transpose the directive into national law.
  6. Expected Application
  • Assuming a typical legislative timeline, PSD3 could start being applied around 2025, depending on when it is officially adopted and published.

PSD3 is moving through the legislative process, with a focus on updating and improving the existing framework set by PSD2, addressing new challenges in the payments market, and ensuring greater consumer protection and market efficiency across the EU.