On 28 June 2023, the European Commission (the Commission) published a package of legislative proposals to propel payments and the wider financial services sector further into the digital age. Since the introduction of the EU's second Payment Services Directive (PSD2) almost eight years ago, the EU has witnessed a steady change in the retail payment services market. Plastic cards issued by brick-and-mortar banks have in part been replaced by new non-bank issuers and BigTechs creating mobile payment services enabling contactless payments. This trend, including new digital payment solutions, the proliferation of payment service offerings as well as new market entries, has increasingly brought to light the limits of the current legislative and regulatory framework.
More importantly, different national implementations of PSD2 and administrative practices of national competent authorities (NCAs) across EU Member States led, in part, to goldplating and to the exercise of national options and discretions, resulting in differing interpretations of the scope of regulated payment services (PSPs) and of the application of exclusions from the authorisation obligation, as well as difficulties for new applicants and existing firms in complying with the "local" implementation and supervision of PSD2 across the EU-27. As a result, a certain degree of industry uncertainty and reduced regulatory clarity for firms operating across the EU followed for certain business models, products and services. Equally, the PSD2's aims on "open banking" remained constrained by some of these interpretative barriers both for regulated firms and third-party providers (3TP).
Correspondingly, the EU's 'Payment Services Package', comprised of (i) the third Payment Services Directive (PSD3) replacing PSD2 (and merging in EMD2 - see below), as supplemented by (ii) a new EU Payment Services Regulation (PSR) and (iii) a Regulation on a framework for Financial Data Access (FIDAR), comprehensively reforms but equally expands the existing PSD2/EMD2 framework while at the same time establishing greater harmonisation. The PSR's and FIDAR's provisions notably open the scope of 3TPs' access to existing but also new types of accounts and financial products, thus driving open banking to more "open finance". Moreover, a number of requirements set out in PSD2's regulatory technical standards (RTS) (i.e. Level 2 rules subject to local divergences) have been moved into the PSR so as to apply in a uniform manner. The new Payment Services Package will have its own implementing technical standards and RTS to cover items previously covered in PSD2/EMD2 as well as new areas. Further coverage on this will be made available as such drafts and final versions are made available.
Taken collectively, the EU Payment Services Package's reforms aim, beyond improving harmonisation of rules and how they are supervised, to (a) further improve consumer protection and competition in electronic payments, while (b) further empowering consumers to share their data in a manner which is secure and (c) facilitating users' access to a wider range of better and cheaper financial products and services and thus improving competition and innovation.
The Commission's revised proposals will need to be considered by the European Parliament and the Council (as the EU's co-legislators). The majority of the amendments are unlikely to take effect before 2025, i.e., 10 years after PSD2's adoption, but many PSPs may want to take preparatory steps ahead of that deadline. Some existing PSD2 and EMD2 firms will have to reapply for licenses, and the majority will need not only to update client and counterparty facing documentation (contractual and otherwise) but equally to amend existing and introduce new policies, procedures as well as systems and controls to meet the requirements and supervisory expectations of these changes as well as concurrent related EU reforms on (digital) operational resilience.
This Client Alert from PwC Legal's EU RegCORE provides a focused overview of how the co-legislators are aiming to modernise payment services across the EU as well as how an opening of financial services data is envisaged. How are the proposals embracing the new payment services landscape and how are they incorporating aspects of and superseding prior legislation? Our EU RegCORE team has laid out what to expect and which aspects to monitor as the legislative process moves forward. Readers of this Client Alert may want to refer to related coverage in our "payments services" series in particular how other reforms (including CESOP) may impact client facing documentation and authorised target operating models.
The Commission's proposals focus on revising the PSD2 (and merging these with EMD2 as discussed below) into a single legal framework comprised (i) of the PSD3, which, as an EU Directive, will be transposed by Member States into national law and (ii) the associated PSR which will become directly applicable in the Member States. This approach aims to provide greater certainty, consistency and ultimately reduction in barriers and fragmentation.
In addition, the Commission also published a legislative proposal for financial data access in the form of FIDAR, which seeks to establish clear rights and obligations to manage customer data sharing in the financial sector beyond payment accounts. Its main features include the introduction of stipulations for specialised data access interfaces and the elimination of the need for banks to support dual access interfaces. This is an important step forward in enabling full 'open finance' beyond PSD2 pushing 'open banking'. The major changes of these proposals can be summarised in four goals:
- Strengthening user protection and confidence in payments including by greater combatting of fraud;
- Improving the competitiveness of open banking;
- Harmonising enforcement and implementation across EU Member States; and
- Improving access to payment systems and bank accounts for non-bank PSPs.
The four major objectives of this comprehensive legislative overhaul, as stated above, are pursued via a wide-ranging "package of preferred options" laying down a roadmap to that end. Accordingly, these options generally seek to improve the application of a strong customer authentication (SCA) against criteria included in the PSR, shifting of liability to PSPs corresponding to their augmented role and competencies and requiring the creation of dedicated data access interfaces and "permission dashboards" for payment services users (PSUs).
The PSD3 and PSR in detail
The existing regulatory framework applicable to authorisation and supervision of payment institutions and e-money institutions (EMIs) currently anchored in PSD2 and the second E-Money Directive (EMD2) will be merged into a single rule book comprised of PSD3 and PSR. Accordingly, EMIs will become a subcategory of PSPs under the proposed framework with a more harmonised authorisation and common supervision process. The Commission also introduces a new definition of "electronic money services" to include e-money issuance, payment account maintenance and transfer of e-money. PSD2's scope of application and exceptions from the authorisation obligation are rehoused to the PSR so as to standardise the EU payment services regulatory framework across the EU.
Summary of key reforms
As for the modernisation of the PSD 2 - which will become PSD 3 - alongside the new PSR, the legislative proposals focus on the following reforms:
Combating and mitigating payment fraud
By:
1. allowing PSPs to voluntarily communicate and share fraud-related information between themselves;
2. increasing consumers' awareness;
3. strengthening customer authentication and SCA rules; and
4. extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees' IBAN numbers with their account names mandatory for all credit transfers.
Improving consumer rights
By improving, inter alia, transparency on consumer account statements in cases where their funds are temporarily blocked as well as providing more transparent information on ATM charges. The contractual requirements that PSPs needed to comply with under PSD2 are moved to PSR which presses forward more harmonisation but contains more specific provisions that affect the contents of the framework contracts, termination rights of customers, notice periods, availability of alternative dispute resolution procedures as well as prohibitions on PSPs unilaterally increasing spending limits as well as extension of surcharge bans to all credit transfers and direct debits (beyond current PSD 2 coverage). Such changes, along with various other changes affecting reporting, such as CESOP (see separate coverage from us) will likely require comprehensive changes to client and customer facing documentation i.e., in contracts and otherwise.
Equally, the European Banking Authority (EBA) will be granted product intervention powers.
Furthering the level playing field between banks and non-banks
By allowing non-bank payment providers - in particular - access to all EU payment schemes, with appropriate safeguards and securing those providers' rights to a bank account.
Improve the functioning of open banking
By removing remaining obstacles to the provision of open banking services and improving customers' control over their payment data and thereby enabling new innovative services and new forms of 3TPs to enter the market and move open banking to open finance.
Improve the availability of cash in shops and via ATMs
By allowing retailers to provide cash services to customers without the requirement of a purchase and clarifying the rules for independent ATM operators.
Strengthening harmonisation and enforcement
By upscaling EU-level rulemaking and enacting most payment rules in a directly applicable regulation and reinforcing provisions on implementation and penalties.
Changes to definitions and exclusions
Some key changes are set out in more harmonised definitions and exclusions (including the widely-used limited network exclusion (LNE) under PSD2), thus aiming to reduce fragmentation of NCAs' interpretations and supervisory approaches. This includes:
- Revising the current definition of a "payment instrument" under PSD2, which refers to "personalised devices" used in order to initiate a payment order and was a cause of many confusing interpretations across the EU, given that NCAs frequently saw a high level of personalisation of the instrument as a necessary characteristic. The new definition of payment instrument, contained in both PSD3 and PSR, now refers to all "individualised instruments", clarifying that even not fully personalised instruments (like prepaid cards with customers' name on them) can fall under the definition of a regulated payment instrument;
- Amending the definition of a "payment account" by clarifying that the determining criterion for the categorisation of an account as payment account lies in the ability of the customer to perform daily payment transactions from such an account. That being said, the Commission stresses that structures that require another intermediary account for execution of payment transactions from or to third parties should not fall under the definition of a payment account;
- The exclusion for "commercial agents" was amended but this will then require such persons to contractually document the framework on which they conclude the sale or purchase of goods and/or services on behalf of the payer or the payee. In contrast, the Commission is using the present reforms to clarify that e-commerce platforms that act as commercial agents for individual buyers and sellers may not rely on the commercial agent exclusion;
- The exclusion for technical service providers is also subject to further clarification in that pass-through wallets, including those that use the digitalisation and/or tokenisation of an existing payment instrument, are themselves not a payment instrument for purposes of PSD3 but instead a payment application, which effectively means the operators of such payment application are unlikely to be subject to a licensing obligation; and
- The widely-used LNE will be supplemented by specific forthcoming criteria that set out clear rules upon when the LNE can be used.
The services of issuing payment instruments and of acquiring payment transactions, which were listed together under PSD2, are now listed separately under the proposed PSR/PSD3 framework. Since the joint listing of these two services under PSD2 was a cause of a lot of confusion in the industry, the Commission has decided to list them separately, emphasising that the issuing and acquiring services may be offered separately by PSPs.
Changes to authorisation and supervision matters
What remains unchanged, under the current proposals, relative to PSD2 are the authorisation application procedures and control of shareholding as well as the provisions regarding agents, branches, and outsourcing. The regulation of cross-border provision of services by PSPs and the supervision of such services likewise remain broadly unchanged.
Moreover, the PSD3 and PSR do not materially alter the current list of payment services. However, existing PSD2 and EMD2 firms are required (under current drafting of the proposals) to reapply for a licence under the new PSD3/PSR regime within 24 months of PSD3 coming into force in order to rely on 'grandfathering provisions' allowing firms' existing licenses to remain valid for 30 months after PSD3 enters into force. Affected firms will want to engage proactively with their professional advisors to forward-plan that project, as both the world of payments and financial services regulation generally have changed considerably since 2015 and merely updating application materials as submitted previously will not be sufficient.
In addition, among some further reforms in the legislative proposals are a new requirement for PSP (re-)applicants to submit a winding-up plan as part of the licensing procedure. This is in keeping with practice and supervisory expectations that have long existed in other parts of regulated financial services and applicants seeking authorisation. The same is true in the new requirement that PSPs need to provide an overview of the EU jurisdictions where they are submitting or planning to submit an application for an authorisation.
Equally, business continuity plans of PSPs must comply with Regulation (EU) 2022/2554 (DORA) - see our standalone coverage on this. As part of this greater focus on (digital) operational resilience, PSP (re-)applicants also need to submit a detailed risk assessment, including the risk of fraud and illegal use of sensitive and personal data, accompanied with details of other measures set out in the PSR on the sharing of fraud-related data.
Moreover, safeguarding rules for payment institutions remain largely unchanged under the proposal, with two exceptions: the possibility of safeguarding in an account of a central bank - at the discretion of the latter - in order to extend the options for PSPs to that end, and the introduction of a requirement that payment institutions must endeavour to avoid concentration risk in safeguarded funds. To this end, the EBA is tasked with developing RTS on risk management of safeguarded funds as well as guidelines on more detailed provisions regarding internal governance of payment institutions. The EBA will also receive product intervention powers.
The role of the EBA is also enhanced proportionally to the digital leap endeavoured in the proposals in that it will continue to maintain, alongside the Member States, a register of authorised payment institutions as well as to develop a list of machine-readable payment initiation services providers and account information service providers. Specific provisions for the clarification of the cooperation between NCAs are also detailed in the proposals. Notably, NCAs are permitted to request assistance of EBA in solving possible disagreements between NCAs to this extent. It is also conceivable that the EBA will make greater use of common supervisory actions through coordinating NCAs' thematic reviews and on-site inspections of persons in-scope of the new EU Payment Services Package.
Importantly, under the (current) PSD3 proposal, PSPs which only carry out account information services are subject only to a registration requirement as opposed to full-fledged authorisation. In the context of supervision of PSPs, the proposals acknowledge that payment initiation service providers and account information service providers may hold initial capital (EUR 50,000) instead of maintaining professional indemnity insurance coverage, considering that the requirement to hold a professional indemnity insurance at the licensing stage may indeed prove difficult to fulfil when taking into account previous experience. On a similar note, possible methods for own funds calculation remain unchanged, either for payment institutions covered by PSD2 or for former electronic money institutions.
Finally, a further clarification is set out for de minimis transactions. In as much as the availability of cash is enhanced under the proposal, operators of retail stores are exempted from the requirement for a payment institution license when they offer cash withdrawal services without a purchase on their premises (on a voluntary basis), where the amount of cash distributed does not exceed EUR 50, in line with the need to avoid unfair competition with ATM deployers. Likewise benefitting from this exemption are distributors of cash via ATMs who do not service payment accounts - so-called "independent ATM deployers" - and only have to fulfil a registration requirement which must be accompanied by certain documentation.
Focusing on FIDAR
As for the legislative proposal setting out a financial data access framework, the FIDAR proposal aims to establish clear rights and obligations to manage the sharing of customer data in the financial sector beyond payment accounts, notably extending to:
- mortgages, loans and accounts (other than payment accounts in scope of the PSR);
- savings products, financial instrument investments, crypto-assets, real estate and related investments;
- occupational and personal pension products;
- non-life insurance products (excluding sickness and health insurance); and
- data forming part of a creditworthiness assessment.
FIDAR applies to both (i) financial information services providers (FISPs) authorised under FIDAR (standards and requirements are similar to those applicable to account information service providers under PSD3 as well as DORA compliance) and (ii) regulated firms providing in-scope financial services and products, both where they act as data holders or data users.
As such, this regime includes:
- Possibility but no obligation for customers to share their data with data users, e.g., financial institutions or fintech firms, in secure machine-readable format to receive new, cheaper and better data-driven financial and information products and services. Example: financial product comparison tools and personalised online advice.
- Obligation for customer data holders (i.e., financial institutions) to make this data available to data users (i.e., other financial institutions or fintech firms) by putting in place the required technical infrastructure and subject to customer permission.
- Full control by customers over who accesses their data and for what purpose.
- Standardisation of customer data and the required technical interfaces as part of financial data sharing schemes, of which both data holders and data users must become members.
- Clear liability regimes for data breaches and dispute resolution mechanisms as part of financial data sharing schemes, so that liability risks do not act as a disincentive for data holders to make data available.
- Additional incentives for data holders to put in place high-quality interfaces for data users through reasonable compensation from data users in line with the general principles of business-to-business (B2B) data sharing laid down in the FIDAR proposal (smaller firms will only have to pay compensation at cost).
FIDAR, as such, will be applicable to various entities, including credit institutions, payment institutions, investment firms and insurance undertakings, thereby capturing an extensive scope of customer data related to a variety of financial products. Accordingly, counterparty-facing as well as client-facing documentation will need to be amended and/or introduced, in addition to a flurry of firm-specific policies, procedures, systems and controls.
Outlook and next steps
The proposed payment services legislative overhaul reflects a thorough assessment of the current needs and trends, but most importantly deficiencies, of the current payments landscape and will undoubtedly nudge further changes in the open banking and overall payments ecosystem. In practice, these legislative changes lay down the necessary guideposts to foster development for more innovative financial products and services for users and will foster more competition in the financial sector. PSPs were however also warned, as assessed in our standalone coverage, to also improve on identified weaknesses on their anti-financial crime prevention efforts.
With the move from PSD2 and EMD2 to PSD3 and the PSR, PSPs but also the market participants they deal with will need to step up their compliance with new rules, take advantage of new means of doing business, but equally meet stricter supervisory expectations.
The PSD3, PSR and FIDAR proposals are just on their first step in the EU legislative process. The European Parliamentary elections scheduled for 6 to 9 June 2024, along with complications around the rotating presidency of the Council of the EU (a co-legislator with the European Parliament), may delay the final acceptance of the combined Payment Services Package. The hope remains that political agreement during trialogue negotiations can at least be reached as swiftly as possible so that the package of proposals could be finalised by the end of 2024 or at worst during the first half of 2025. If a delay happens, then the projected start of new requirements in 2025 could slip further.
Ultimately, at such point when the final legislative texts are published in the Official Journal of the EU and thus adopted with entry into force, Member States will have 18 months to implement PSD3 into national law and the PSR will apply directly in all EU Member States 18 months after its entry into force. That date however then defines the 24-month reapplication and 30-month grandfathering timelines. As is the case with all EU legislation, much of the devil will also be in the detail of further rulemaking accompanied in various Level 2 "technical standards".
While all of these timelines may arguably seem a long way away, given all the opportunity and change this package of proposals promises, affected PSPs and other relevant firms will want to conduct gap and readiness analyses and, more broadly, consider earlier preparatory action on immediate short-term business model and compliance changes as well as client-facing and internal documentation changes, along with scoping out the much longer-term strategic priorities and commercial opportunities as early as possible.
Alongside the above and the introduction of legislative proposals for the roll out of the 'digital euro', as well as CESOP covered by our EU RegCORE Team in a separate Client Alert, market participants are well advised to reflect on their current business models so as to be optimally positioned in this dynamically developing ecosystem. Further updates to the discussion in this Client Alert will be published by our EU RegCORE Team in subsequent standalone Client Alerts as the Payment Services Package progresses along the legislative path from proposal to practical application.