
Shedding light on PSD3/PSR

Unlocking the code for change through enhanced customer protection and inclusion

The payments landscape has evolved significantly since the European Commission’s (EC) Revised Payments Services Directive (PSD2) was enforced in 2016. Recognizing the limitations of PSD2 and the shifts in the traditional bank-led industry, the EC proposed amendments to the Payments Services Directive for a second time (PSD3) and introduced a new Payments Services Regulation (PSR) in June 2023.

This PSD3 and PSR package aims to foster a more innovative, competitive, and secure European payment market. PSD3 addresses regulatory aspects and licensing of payments, while PSR focuses on specific use cases and provides comprehensive insights into the responsibilities of various stakeholders involved in the delivery of payment services within Europe.

What are the main changes introduced by PSD3/PSR?

 

In 2016, PSD2 paved the way for the emergence of Open Banking. To foster improvements, the EC divided the new regulation into two parts:

PSD3: A directive focusing on licensing and operations of payment service providers, implemented through domestic legislation.

PSR: A regulation covering banks' obligations, which takes effect immediately across all EU Member States.

Fraud has always been a major risk in the payment sector and PSD2 grasped the nettle with the introduction of Strong Customer Identification (SCA) [1], reducing fraud by 70-80%. However, the current regulation lacks measures to tackle increasingly sophisticated fraud methods (e.g., authorized push payment, spoofing, etc.). The EC intends to strengthen the rules for customer protection by:

  • Clarifying SCA rules and monitoring: New Regulatory Technical Standards from the EBA will update transaction monitoring requirements and SCA exemptions (e.g., for merchant-initiated and Mail Order Telephone Order transactions).
  • Extending the Verification of Payee: The mandatory Verification of Payee service (IBAN) which was introduced in 2022 will now cover all credit transfers within the EU and must be offered to consumers at no cost. This service alerts payers to discrepancies between the payee’s name and unique identifier before payment completion.

Payment Institutions (PIs) and Electronic Money Institutions (EMIs) were governed by outdated regulations, including EMD2 for EMIs. PSD3 intends to streamline and harmonize these various rules by granting PIs and EMIs access to payment systems, such as TARGET2 and other central bank clearing and settlement mechanisms (CSMs), a privilege previously reserved for banks.

To cite an example, EMIs and PIs were initially excluded from the Instant Payments regulatory framework adopted by the EC on April 8th 2024. However, upon reassessment by the EC, their definitions outlined in Directive 98/26/EC [2] were updated, and both EMIs and PIs were introduced into the regulatory framework. EMIs and PIs must now comply with Instant Payments by April 2027.

Open banking allows customers to share financial data with other service providers, allowing them to benefit from innovative financial services. However, many hurdles remain to unlock the value of open banking.

PSD3 and PSR intend to foster open banking services by clarifying the regulated baseline, removing obstacles, improving the performance of data interfaces, and allowing customers to control their payment data through a Permission Dashboard. The Permission Dashboard provides a clear view of the entities customers have authorized to access their financial data.

EMIs and PIs have operated under distinct legal frameworks, each with specific licensing requirements. This has caused practical difficulties for supervisory authorities in clearly delineating the two frameworks and in distinguishing between the products and services offered by EMIs and the payment services offered by PIs. To address this, the new legislation will merge these frameworks, aiming for harmonization, simplification and consistency of legal requirements for both PIs and EMIs.

This will create a more streamlined payments industry with uniform application across institutions. The EC’s PSR proposal ensures that all EU Member States will harmoniously enforce and comply with these regulations, including penalty provisions.

PSD3 and PSR are steps forward for financial systems, but challenges remain:

  • Virtual IBAN rules: Uncertainties persist regarding virtual IBAN rules. It remains unclear whether these will be clarified under future Anti-Money Laundering Directives or a revised PSD. 
  • IBAN discrimination: “IBAN discrimination” occurs when a person is not able to make or receive a Single Euro Payments Area (SEPA) credit transfer, or pay via a SEPA direct debit from her/his bank account located in another Member State. This issue is not addressed by PSD3/PSR and remains unresolved.
  • Interplay between fraud and gross negligence: The boundary between fraud and gross negligence, and the associated responsibility, is not clearly outlined under the new regulations.
  • Delays in cash segregation: EMIs are currently required to segregate client funds from their own operational funds within 5 days, but this will reduce to 24 hours under the new regulation and the fusion of the EMD and the PSD. Without adequate systems, money transfers between the settlement and safeguarding accounts could potentially take too long.

These gaps indicate the complexities and nuances of financial systems, and future revisions of the directives may seek to clarify these points for a more cohesive financial payments system across the EU.

PSD3 and PSR timeline

The PSD3 and PSR proposals are currently under review by the European Parliament and Council. The specific timelines for their enforcement are not yet known, but drawing on the standard legislative procedure, it's likely that the finalized versions may become available by the end of 2024 or in early 2025.

With an expected 18-month transition period, EU Member States should be ready for the implementation of the PSD3 and PSR by around 2026. This timeline showcases a proactive and strategic move toward a technologically advanced financial regulatory environment, and allows Member States to align their systems with the new regulations.


Is this related to FIDA?

The proposal for PSD3/PSR and the proposal for the Financial Data Access (FIDA) are “different but complementary” [3] in the sense that they stem from different backgrounds: FIDA is a shift toward the emerging market of Open Finance and is based on financial services that are not covered by PSD3.


What are the next steps?

There is no definite timeline for PSD3 implementation but finalized versions may become available by late 2024. Member States are granted a two-year period to incorporate the new regulation, leading to the enforcement of PSD3 and PSR by 2026.


How Deloitte can help

Deloitte can help ensure regulatory compliance and leverage the opportunities arising from these upcoming regulations and changes. Our expert teams can provide support in areas including, but not limited to, the following:

  • Awareness and business impacts
  • Regulatory and compliance
  • Risk management
  • IT solutions design and implementation

Contact us for more information on PSD3/PSR implications, support on regulatory compliance and to identify new revenue opportunities.
 
