On June 28, 2023, the European Commission unveiled its draft for an updated European Payment Services Directive, known as the Payment Services Directive 3 (PSD 3). The aim of PSD 3 is to further streamline the laws across member states, while also addressing the evolving landscape of the payment services market and the shifting needs of both payment service users and providers. The provisions of PSD 3 are complemented by the provisions of the Payment Services Regulation (PSR).
Both PSD 3 and PSR are still navigating the European legislative process. Their enforcement is anticipated approximately 18 months after the finalization of the decision.
National law: the first step for PSD 3 implementation
While PSD 3 is a directive and PSR is a regulation, the stipulations of PSD 3 are not directly applicable to all payment service providers (particularly banks and payment institutions) within individual member states. These will only come into effect once they have been incorporated into national law. Considering the potential significant impact on business operations here, it is advisable to review and adjust existing processes as necessary in light of the proposed changes.
Key elements of PSD 3 and PSR
PSD 3 outlines the authorization process and ongoing supervision for payment institutions. PSR supplements this with rules on transparency, information obligations, general requirements for payment contracts, liability, fraud prevention and robust customer authentication.
The competent Member State for permit issuance
Under the proposed new regulation, the Member State responsible for granting authorization will be the state where the applicant was established, has its principal place of business and provides at least some of its payment services. This aims to prevent companies from exploiting the authorization procedure in the Member State with the most lenient authorization conditions (forum shopping). Moreover, the competent authority must make a decision on completed authorization applications within three months.
Transition from e-money institutions to payment institutions
In the future, issuing e-money will be regulated as a payment service. The designation as an e-money institution will be phased out, and there will no longer be a separate e-money regulation.
The role of the Market in Cryptoasset (MiCA) Regulation
PSD 3 and PSR are linked to the already adopted MiCA regulation. Going forward, e-money tokens will fall under the regulations of the newly defined payment service, ‘issuance of e-money.’ It would be beneficial to update the PSR during the legislative process to include regulations concerning the requirements for robust customer authentication in instances where machines compensate each other for services (‘machine-to-machine payments’).
The Commission’s proposals on the new regulations concerning exceptions to authorization-required payment services have significant implications for implementation:
Cash supply/Issuing services without account management/Cashback
To ensure widespread access to cash for the public, the future plan is to exempt cash dispensing without account management from the authorization requirement. This means that cash can be dispensed at the checkout even if the customer has not made any purchases.
Sales agent exception/Customer negotiation scope
The exemption from the licensing requirement for commercial agents will hinge on whether there is scope for negotiation for the customer. This change could significantly affect trading if the trader acts as an agent or intermediary, accepting money from the customer to forward to the operation manager.
If this proposal is implemented as planned, there will be a pressing need for action, particularly for online platforms, petrol stations, ticket sellers and travel agencies, to adapt their business model to the new regulation.
Account information services
In the future, the necessity for stringent authentication will be confined to the initial login to an account information service provider. As a counterbalance, the payment service providers holding the accounts must provide a consent management dashboard. This gives the customer a space from which they can oversee the permissions they have granted to third-party service providers.
ApplePay, GooglePay, SamsungPay
Should wallet operators supply and authenticate one or more elements of robust customer verification for institutions, these will be deemed as outsourcing entities. Such entities must meet stringent qualifications and are held accountable by the institutions they represent.
Protection of Vulnerable Groups
Payment service providers are obligated to ensure that robust customer authentication is not exclusively reliant on smartphone ownership. They must extend suitable alternatives to accommodate individuals with disabilities, the elderly and individuals without smartphones.
Our consultants are available to assist you with any inquiries related to PSD 3 and PSR. Please contact us at any time!