PSD3 overview: the draft has pitfalls lurking amongst the good intentions

PSD3: Act three of payment innovation regulation

The Payment Services Directive is the EU's one-size-fits-all legislation that's designed to make banking and financial services secure, reliable, transparent and convenient across the bloc's member states. Introduced in 2007, it covers factors such as security, customer authentication, Open Banking connections, safety of deposited funds and more.

The second version, PSD2, was created in 2015 and somewhat hastily revised in 2018, and is now looking a little long in the tooth. That's because the world has moved on. In addition to natural growth in take-up, Covid (and more importantly lockdowns) happened, forcing many more consumers to use online payment and banking services whether they wanted to or not. That's the good news.

New checks and balances needed now

The bad news is that criminals have become more cunning, finding loopholes and work-arounds to defraud consumers of money. Secure Customer Authentication (SCA) has helped in this respect but it's not perfect.

Also, the APIs that were supposed to allow any Open Banking client to connect to any bank have not all met that goal with the same efficiency. Some are clunky and unreliable, others require tweaks and adjustments, and as is too often the case with technology, occasionally all the customer sees is an error screen.

In addition, traditional banks still have a significant advantage over non-bank PSPs (Payment Service Providers), a fact which is seen as holding back innovation in this sector.

What does PSD3 offer?

PSD3 is designed to fix these problems and others. It was released in late June 2023 as a draft proposal (which means there's still time for changes to be made) and is likely to come into effect a few years from now. Some of its stated aims are as follows.

1. To reduce fraud, which negatively affects customer confidence: The existing Secure Customer Authentication (SCA) protocols will be beefed up to reduce the risk of fraud. There will be more frequent matching of IBAN numbers with account names, for example, along with better sharing of information between PSPs so that they can identify fraudulent activity faster. There's also a requirement to better educate consumers about fraud, which makes sense because 'social engineering' fraud becomes more commonplace when technical fraud is made more difficult. There will also be stronger refund rights for consumers who are caught out by fraudulent transactions, along with greater use of two-factor authentication across more than one device (e.g. smartphone, laptop).

2. To enhance the reliability of the Open Banking network by providing better access to data: This might be the trickiest aspect of PSD3 to implement in the short term, because the draft proposal will provide detailed specifications for Open Banking data interfaces (APIs). Wasn't this already in place? Yes, to an extent, but some of the fine detail was left to the discretion of banks and developers. That leeway is likely to be reduced or eliminated, requiring stringent adherence to a very precise set of protocols. There will also be penalties for non-compliance. Again, there already are such penalties, but PSD3 brings a less relaxed attitude towards enforcement.

3. To improve consumer rights, especially access to personal data stored or used by financial companies, and harmonise them in all member states of the EU: Partly this will be provided by PSD3, in that there will be better transparency regarding account details and the data that PSPs and banks hold on their clients. The 'permissions dashboard' will be offered to users so that they can easily manage their data and who has access to it. This process can be thought of as the application of GDPR to banking and payment services, with some exclusions (e.g. age, sickness) where they might unfairly discriminate against or exclude the customer from some services. However, the harmonisation aspect will be covered by a new Payment Services Regulation (PSR) which will come into force alongside PSD3 and will apply across the EU.

4. To improve access and security between banks and non-bank PSPs and level the playing field, so that non-bank PSPs are no longer discriminated against: This is important because it should allow for better innovation, allowing smaller, potentially more nimble fintech firms to compete on the same basis as banks. All PSPs will, in theory, have the same level of direct access to all payment systems under PSD3. This is a strong theme in PSD3: it even allows payment institutions to hold funds with the central bank in order to keep their users' money safe. It also makes it almost impossible (aside from suspicion of illegal activity) for payment system operators to refuse to work with any given PSP.

The sting in the tail?

PSD3 will still be an EU directive as opposed to a regulation. Regulations automatically apply to all member states, whereas a directive must first be written into the national laws of each state.

So there will still be scope for interpretation of some of the terms, which may water down the effectiveness of the directive as a whole. This could make it harder for PSPs and other fintechs to roll out their services across the EU without some fine-tuning for less compliant states.

However, there's a more serious challenge facing fintechs and PSPs: there is no automatic licensing upgrade path from PSD2 to PSD3. In other words, just because you're compliant with PSD2 doesn't mean you can make a few changes and carry on with business as usual. All payment institutions have to submit a new licence application to their national authority within two years from the date of PSD3 taking effect. There is a grace period: existing licences will remain valid for 30 months after PSD3 comes into effect. 

In addition, PSD3 requires that payment institutions must have a winding-up plan which will clearly describe the steps to be taken in the event of the failure of that institution. This helps to build resilience into the system, but it means that some institutions will have to increase their regulatory capital. Risk must also be spread, so not all customer funds can be kept in the same account.

What happens next?

The draft proposal for PSD3 will be examined by the European Commission, being reviewed by both the Council and the Parliament. Any changes must be agreed upon during those stages. Once that's completed, the PSR regulation will include a fixed transition period, while the PSD3 will have to be incorporated into each member state's legislation. Realistically nothing much will change until 2026... but it would be good idea to start preparing now.