"The world will not be inherited by the strongest, it will be inherited by those most able to change." ~ Charles Darwin
The European Commission describes the proposed Third Payment Services Directive (PSD3) as an evolution to the incumbent PSD2. But will this evolution have revolutionary impacts on the provision of payments in Europe?
According to The Global Treasurer’s latest Transaction Banking Survey, sponsored by CGI, payments and cash management services remain key differentiators for corporations, placing significant pressure on payment service providers to deliver access to real-time rails, improve payments visibility, and minimize friction on complex transactions.
This blog looks at the catalysts for the new PSD3 and accompanying Payment Services Regulation (PSR1). I’ll provide a bite-size summary of the changes and discuss key considerations in putting your organization on the right compliance path. I’ll also describe the main compliance challenges and opportunities, and, of course, offer some help.
What are the catalysts for the evolution of PSD2?
PSD2 has done a lot to shape the payments landscape of Europe and the UK. It’s regarded as largely successful, but the European Commission concluded there is more to be done. The main areas for consideration are familiar:
- Fraud changes but never goes away. Despite the success of strong customer authentication, as payment systems evolve, fraud evolves alongside them. Consumers remain at risk of rising fraud in areas such as authorized push payments (APP) and identity fraud. To maintain consumer confidence, the response to fraud needs to continue to evolve.
- Open banking has made an impact but not as great as was expected. This is, in part, due to obstacles that still exist such as data access and the reliability of banking APIs.
- Inconsistency in the market is another area to be addressed. The European payments market is fragmented due to varying interpretations and implementations of the PSD2 directive in European Union (EU) member states. This has led to what is referred to as “forum shopping” with payment service providers (PSPs) shopping around for the most favorable implementation of the PSD2 directive.
- Finally, because of uncertainty and regulatory inconsistency, an uneven playing field continues to exist between bank and non-bank PSPs.
So how does PSD3 respond to these challenges?
PSD3 remains an EU directive focused on defining licensing and rules for payment institutions. As a result, it will need to be adopted into EU national law. By contrast, the newly introduced PSR1 is an EU regulation that applies directly to EU member states, without the need for national implementation.
There are many points to note about each, including the following:
- Moving from a directive to a regulation: PSD2 will become a regulation (PSR1), ensuring consistent implementation across domestic markets.
- Better APIs: PSR1 (section 54 onward) contains new rules on the minimum functionality and performance PSP APIs must support. The regulation also allows for “premium” APIs, with a possible charge to access these. This presents an opportunity, and it will be interesting to see how banks respond.
- Better user authentication (especially for open banking customers): User authentication journeys will be streamlined under PSR1. The regulation provides examples of prohibited obstacles. For example, one such obstacle is account-holding PSPs requiring payment initiation service providers to limit payment only to those payees that are on the payer’s beneficiaries list or to domestic beneficiaries. There are many others.
- Direct access to payment systems for non-account holding PSPs: As part of the PSD3 proposal released last summer, the European Commission has included an amendment to the Settlement Finality Directive (SFD), which gives payment and e-money institutions the right to directly access settlement infrastructure (assuming, of course, they can meet payment system requirements in relation to risk, etc.).
- Strengthening measures to combat payment fraud: PRS1 will extend international bank account number (IBAN) and name check requirements (to be introduced by the Instant Payments Regulation) to all forms of credit transfers. It also clarifies that payment providers are responsible for ensuring that payee account details provided by the payer match those on the receiving account.
- Merging e-money and payment institutions: PSD3 proposes integrating the licensing regimes for payment institutions and equal monthly instalments (EMIs). This will result in a large-scale reduction in differences between the regimes (with some residual differences remaining).
Publication of PSD3 is expected in late 2024, after which member states have an 18-month transition period to bring the directive into law in each member country. This means that PSD3/PSR1 will likely come into effect in 2026.
European payments: Evolution or revolution?
I am going to predict evolution over revolution, as PSD3 extends the same objectives put forward in PSD2. However, that doesn’t mean that there will not be winners and losers.
While banks, as payment account providers, must comply with the new PSD3/PSR1 requirements, there are opportunities for those flexible enough to take advantage of them. For example, in complying with new fraud and account verification requirements, banks can take advantage of artificial intelligence, creating significant differentiation in the areas of customer experience and internal cost reduction.
The need remains for flexible payment systems built on architectures that enable changes to discrete parts, such as a microservices and API-led architecture, avoiding risk and disruption to the whole. Further, PSPs should consider reviewing their overall payment strategies to ensure they are not simply reacting to the new legislation but taking advantage of it. They also should seek opportunities for adopting new technologies such as AI or moving to cloud computing.
What about the UK? Although the UK is not formally bound by PSD3, payments is an international business and so there will undoubtably be requirements to assess how the UK’s (slightly different approach) aligns to that of Europe. This, in part, may be played out through the development of a new payments architecture in the UK.
For financial institutions that are not formally bound by PSD3, it is worth considering that payments is an international business and is always in a state of transformation. Regulatory initiatives in other financial jurisdictions—such as the UK’s New Payments Architecture—will likely be measured against, if not mirrored by, PSD3 and PSR1.
At CGI, we have been at the heart of payments technology and consulting for decades, working with many of the largest banks in Europe and the UK, as well as top banks across the globe. If the above is of interest, we would welcome a conversation. Do feel free to give me a call or look out for us at EBA day and other conferences this year.