EU Proposals for a Revised Legal Framework for Payment Services (PSD3) and Financial Data Access (FIDA) Published
Numerous technological innovations and new types of services have significantly changed the market. The EU Commission is now responding to these developments as well with a proposal to adapt the regulatory framework for payment services (“Legislative Proposal”) as currently laid down in Directive (EU) 2015/2366 (”PSD2”).
The Commission concludes that although the PSD2 has led to significant improvements in the payment services sector since its entry into force, in some areas its objectives have not fully been achieved. In particular, the following shortcomings have been identified:
- consumers remain exposed to fraud risks (especially social engineering fraud) and show a lack of trust in the integrity of payment transactions despite the implementation of strong customer authentication (“SCA”);
- market barriers in the open banking sector, especially inadequate interfaces for data exchange;
- regulators have insufficient powers and the implementation of PSD2 varies among Member States; and
- unequal opportunities for banks and other payment service providers, especially regarding access to payment systems.
In order to address these shortcomings, the Legislative Proposal not only provides for a revised payment services directive (”Draft PSD3”, available here), but also for a payment services regulation (“Draft PSR”, available here) which will be directly applicable in the Member States. While the requirements for the licensing of payment institutions will be contained in the Draft PSD3 and thus as before in a directive to be implemented by the Member States, all other requirements for the provision of payment services are to be regulated in the Draft PSR and thus in a regulation which applies uniformly throughout the EU. Simultaneously, the Commission has presented a proposal for a regulation on a framework for financial data access (Financial Data Access Regulation, ”Draft FIDA”, available here), which extends access to certain account data introduced with the PSD2 (“open banking”) to a range of other financial data (“open finance”).
In the following, we provide an overview of the main changes envisaged by the Legislative Proposal compared to the existing legal framework for payment services, and outline the main features of the Draft FIDA.
Integration of the Regulatory Frameworks for Payment Services and E-Money
As the requirements for payment and e-money institutions are already largely congruent, the Legislative Proposal widely removes the systematic distinction between payment and e-money services. Accordingly, a separate e-money directive shall no longer be required in the future. This approach stems from the fact that the boundaries between both types of services are increasingly blurred, not least due to the development of innovative products which cannot always satisfactorily be assigned to one of the two areas.
Only as regards features specific to e-money, such as capital requirements or the issuing or the redeeming of e-money, separate provisions shall remain. Both payment service providers and e‑money institutions will have to submit a processing plan with their licence application (Art. 3(3)(s) Draft PSD3).
As a further consequence of harmonisation (and concurrently of an adjustment for inflation), capital requirements for non-bank payment service providers will be increased (cf. Art. 5 et seqq. Draft PSD3). In contrast to the current provision in Art. 9 PSD2, capital requirements for payment service providers which do not provide e-money services shall in the future generally be calculated using ”Method B”, which is linked to the total volume of payment transactions (Art. 7(2) Draft PSD3).
As part of the harmonisation, basic definitions will also be supplemented or rephrased, such as “payment account”, “payment instrument” or “funds”. Furthermore, it is clarified that in accordance with the requirements of the recently adopted MiCA Regulation (Regulation (EU) 2023/1114 on markets for crypto assets – see our Newsletter) e-money tokens shall also be classified as e-money.
Strengthening of Anti-Fraud Measures
In response to new fraud methods since entry into force of the PSD2, more efficient anti-fraud measures shall be taken. The Commission is focusing in particular on the types of fraud known as “spoofing”, i.e. the pretence of a trusted identity by a fraudster (especially by claiming an affiliation with the customer’s payment service provider), and social engineering fraud, i.e. a manipulation of the victim in order to induce them to make payments or disclose account information.
In the future, for all transfers in Euro it shall be mandatory for payment service providers to verify that the IBAN and the name of the recipient account holder match, and to inform the payer of any discrepancies before initiating the payment transaction (cf. Art. 50 Draft PSR). In general, there are stricter requirements for transaction monitoring (cf. Art. 83 and 88 Draft PSR).
Payment service providers shall also be given the opportunity to exchange fraud-related information amongst each other in compliance with the GDPR (Art. 83 Draft PSR). Payment service providers shall further to be obliged to train their employees on fraud methods and to inform their customers accordingly (Art. 84 Draft PSR).
The above provisions will be bolstered by planned changes to the provisions regarding strong customer authentication (cf. Art. 85 et seqq. Draft PSR). Especially, its areas of application shall be more clearly defined. In order to simplify the handling of SCA in the context of payment account information services, SCA shall only be required for the first access to payment account data, thereafter only if there are grounds for suspected fraud (Art. 86(3) Draft PSR). In the context of digital passthrough wallets, an SCA shall be performed when a payment instrument is first registered in the wallet. A planned obligation for payment service providers to conclude a respective outsourcing agreement with the wallet operator is intended to ensure that payment service providers are liable for possible authentication defects. In addition, payment service providers shall ensure that all customers have access to a selection of SCA methods which are not all subject to the same technical requirements (e.g. possession of a smartphone, cf. Art. 88 Draft PSR).
These additional provisions on fraud prevention are accompanied by an expansion of consumers’ compensation rights in the event of fraud: consumers shall receive full compensation if the payment service provider has failed to correctly check the IBAN of the payee against their name, or has failed to notify the payer of a discrepancy (Art. 57 Draft PSR). Spoofing victims shall also to be entitled to full compensation from payment service providers, provided that they have reported the fraud to the police and have informed the payment service provider without undue delay. No right to compensation shall exist if the payer was grossly negligent; however, the payment service provider bears the burden of proof in this regard (Art. 59 Draft PSR).
Strengthening of the Rights of Non-Bank Payment Service Providers
In order to reduce entry barriers for non-bank payment service providers and thereby promote competition between banks and other payment service providers, banks shall only be allowed to reject applications by payment service providers to open a payment account under strict conditions (e.g. in case of serious grounds to suspect defective money laundering or terrorism financing controls, or in case of an excessive risk profile). In particular, banks shall be required to disclose the reasons for refusal to the payment service provider, which shall be able to appeal to the competent supervisory authorities (Art. 32 Draft PSR).
The provisions regarding the admission of payment institutions as participants in payment systems are also to become more transparent in the future and shall leave less room for discrimination (Art. 31 Draft PSR). The access requirements established by the Finality Directive (Directive 98/26/EC) shall in effect thus be transferred to non-bank payment service providers.
Lowering of the Entry Barriers to Open Banking
The entry barriers for service providers in the area of open banking shall also be lowered. Account servicing payment service providers providing payment accounts with online access functionality shall be required to provide dedicated data interfaces (cf. Art. 35 et seqq. Draft PSR) which account information services providers and payment initiation service providers can use to access any required data. On the other hand, the obligation to provide fall-back interfaces in case of malfunction shall fall away. Instead, account servicing payment service providers shall be obliged to offer alternative solutions in case of malfunction of the interface and, if necessary, provide access to the interfaces they themselves use vis-à-vis their customers (Art. 38(2)(f) Draft PSR).
In order to ensure that customers have a transparent overview of any granted access permissions, account servicing payment service providers shall provide their customers with access to a dashboard containing a summary of the granted data access rights, including the name of the beneficiary, and allowing customers to revoke or re-establish individual permissions (Art. 43 Draft PSR).
Increased Consumer Protection
Also beyond the areas already mentioned, further measures shall be taken to strengthen consumer protection. For example, in the context of credit transfers and money remittance transactions payment service providers shall be required to state currency conversion fees as a percentage mark-up over the latest available applicable foreign exchange rates issued by the relevant central bank (Art. 13(1)(f) Draft PSR). To increase transparency, on account statements the payees’ commercial trade names shall be shown (Art. 25(1)(a) Draft PSR). Additional information obligations (e.g. regarding fees for the use of domestic ATMs of other networks) are laid out in Art. 20 Draft PSR.
Strengthening of the Powers of Supervisory Authorities
In order to strengthen the powers of supervisory authorities, among other measures additional investigative powers vis-à-vis technical service providers, operators of payment schemes and outsourcing companies are envisaged. Pursuant to Art. 97 Draft PSR, violations of the provisions regarding the opening of payment accounts for payment service providers pursuant to Art. 32 Draft PSR or the provisions on fraud prevention shall be sanctioned with maximum administrative fines of at least 10 % of the annual turnover in the case of legal persons, and in the case of natural persons with maximum administrative fines of at least EUR 5 million.
In the interest of consumer protection, the EBA shall be granted wide-reaching powers of intervention, including the power to prohibit individual types of payment services if the national supervisory authorities fail to act (cf. Art. 104 Draft PSR).
Increased Availability of Cash
Finally, in order to increase the availability of cash the Legislative Proposal provides that retail businesses shall be allowed to dispense cash to customers even without a previous purchase by the customers. However, in order to limit competition with ATMs a maximum amount of EUR 50 per payment is envisaged.
Framework for Financial Data Access (Draft FIDA)
The proposal for a regulation on a framework for financial data access provides for uniform rules on access to customer data for a range of financial services. This is intended to supplement the account access rights introduced by PSD2 (“open banking”) with further access rights (“open finance”). Systematically, payment account data shall continue to be subject to the regulatory regime for payment services (i.e. in future the PSR), while access to data in connection with other financial services is to be regulated by the Draft FIDA. The aim of the Draft FIDA is to enable customers to effectively control the use of their financial data.
The Draft FIDA is intended to apply to financial data which financial institutions process and store in the normal course of their business with customers, regardless of whether the customers are consumers or entrepreneurs. However, financial data for the credit assessment of consumers as well as for life, health and medical insurance shall be excluded. Customers shall be given a right to direct electronic access to data that financial institutions have stored about them. Furthermore, customers shall be given the right to grant other service providers access to this data. However, these other service providers must be licensed as financial institutions or regulated as financial services information providers. While customers shall be able to access their data free of charge, it is planned to allow financial institutions to charge other service providers for data access granted by customers.
In order to create transparency for customers also in this regard, financial institutions shall maintain dashboards (similar to those envisaged under the Draft PSR) containing information on any granted data access permissions and enabling customers to easily revoke such permissions.
The Legislative Proposal submitted by the Commission and the Draft FIDA will now undergo the further legislative process which may well last into 2025. It is envisaged that the PSR shall take legal effect 18 months after its entry into force (with 24 months, the implementation period for name verification is even longer). The entry into force of the PSD3 will insofar be synchronised with the PSR in that the Member States will have 18 months to transpose it into national law. This time is likely to be necessary to adapt the national laws to the new requirements. In Germany, this applies in particular to the civil law aspects of payment services, regulated in Sect. 675c et seqq. German Civil Code (BGB) and in the Introductory Act to the German Civil Code (EGBGB). It is currently envisaged that in large parts FIDA will not take legal effect until 24 months after its entry into force.
For payment service providers, it would seem advisable to tackle the upcoming changes at an early stage and to review the effects on their own business model or business organisation. This applies both with regard to the economic consequences of the necessary changes to their business model and with regard to the analysis of further legal details. As an example, although licences already granted for the provision of payment services or the e-money business do not automatically lapse when the new regulations enter into force, licensed financial services providers will have to document vis-à-vis the competent supervisory authorities that they also meet the amended licensing requirements (Art. 44(1) Draft PSD3).
In particular FIDA will provide room for innovative business models. It will be intriguing to observe how the market for data on financial services evolves. The drawback is, however, that the financial institutions which possess the relevant data will have to expect additional organisational efforts in order to be able to ensure the provision of such data.
In any case, it is evident that payment services regulations will continue to be a dynamic and innovative area of law. The Draft PSR clearly paves the way to greater harmonisation within the EU. The innovations envisaged by the Draft FIDA in relation to open finance also demonstrate that payment services regulations, which years ago introduced open banking via the PSD2, remain a strong driver of innovation in the financial sector.