On 28 June 2023, the European Commission published a Proposal for a Directive on payment services and electronic money services in the internal market (the “Draft PSD3”) and a Proposal for a Regulation on payment services in the internal market (the “Draft PSR”).
The Draft PSD3 and the Draft PSR aim to adapt the legislation to new providers of payment services or electronic money services (the “Services”) in an open-banking context, while enhancing consumer protection through new requirements on strong customer authentication.
We will briefly set out hereunder the changes under the Draft PSD3 as well as the new content of the Draft PSR.
1. The proposal for a Directive (the Draft PSD3)
One of the main changes under the Draft PSD3 is the integration of the licensing regimes for payment institutions and electronic money institutions.
Pursuant to the Draft PSD3, an undertaking which intends to provide the Services is required to seek an authorisation from the competent authorities of its home Member State for the provision of the Services. Instead of having parallel requirements, the Draft PSD3 has harmonised the authorisation requirements for the provision of both types of Services.
Apart from the authorisation requirement as a payment institution, the Draft PSD3 imposes registration requirements on natural or legal persons providing only the account information service and on natural or legal persons providing cash withdrawal services offered by ATM deployers not servicing payment.
However, natural or legal persons providing cash in retail stores independently of any purchase may be exempted from the Draft PSD3 if (i) the service is offered at its premises by a natural or legal person selling goods or services as a regular occupation, and (ii) the amount of cash provided does not exceed EUR 50 per withdrawal.
In addition to branches or agents, payment institutions that provide electronic money services may distribute and redeem electronic money through distributors.
Finally, Directive 2009/110/EC is repealed. Kindly note that the Draft PSD3 is at an early stage of the legislative process and may be amended.
2. The proposal for a Regulation (the Draft PSR)
The Draft PSR lays down uniform requirements on the provision of the Services, as regards (i) the transparency of conditions and information requirements for the Services; (ii) the respective rights and obligations of payment and electronic money service users (the “PSUs”), and of payment and electronic money service providers (the “PSPs”) in relation to the provision of the Services.
The Draft PSR applies to payment services provided within the Union by (i) credit institutions, including branches thereof where such branches are located in the European Union (the “EU”), whether the head offices of those branches are located within or outside the EU; (ii) post office giro institutions which are entitled under national law to provide payment services; (iii) payment institutions; (iv) the European Central Bank, national central banks, Member States and their regional or local authorities or other public authorities when not acting in their capacity as monetary authority or as public authorities. The Draft PSR also provides a list of entities excluded from its scope and, under certain circumstances, allows the parties to certain transactions and contracts to exclude certain rules set out in the Draft PSR in whole or in part where the PSU is not a consumer.
The Draft PSR sets out a list of new definitions, such as instant credit transfer, payment system operator and remote initiation of a payment transaction. These new definitions notably take into account the evolution of the manner in which services are provided today.
The Draft PSR also introduces new provisions on data access interfaces for account information services and payment initiation services and thus describes (i) the requirements incumbent on account servicing PSPs that offer to a payer a payment account that is accessible online, notably regarding dedicated data access interfaces, (ii) the data access parity between the dedicated access interface and the customer interface, (iii) the contingency measures for an unavailable dedicated interface and (iv) the derogation from having a dedicated interface for data access.
More broadly, the account servicing PSP informs and communicates on (i) payment initiation services, (ii) account information services and (iii) the restriction of access to payment accounts. It also provides the PSU with a dashboard integrated into its user interface to monitor and manage the permissions regarding the payment service, and it ensures that its dedicated interface does not create obstacles to the provision of payment initiation and account information services. Account information service providers and payment initiation service providers are subject to specific obligations provided for by the Draft PSR; for instance, they may access payment account data exclusively via the dedicated interface.
A new liability regime is provided for by the Draft PSR: (i) liability regime of the PSP for unauthorised transactions, incorrect application of the matching verification service, impersonation fraud, (ii) liability of technical service providers and of operators of payment schemes for failure to support the application of strong customer authentication (SCA), (iii) payer’s liability for unauthorised payment transactions. In certain cases, the payer may request from the PSP a refund of payment transactions initiated by or through a payee. As far as execution of payment transactions is concerned, refusal, charges and revocation of payment orders and amount transferred are strictly regulated. The liability for incorrect unique identifiers provided by the payment initiation service provider lies with the PSP.
PSPs establish a framework with appropriate mitigation measures and control mechanisms to (i) manage operational and security risks relating to the payment services they provide, (ii) prevent and detect potentially fraudulent payment transactions, including transactions involving payment initiation services, and (iii) alert their customers. PSPs organise at least annually training programmes on payment fraud risks and trends for their employees.
A PSP applies SCA where the payer (i) accesses its payment account online; (ii) accesses payment account information; (iii) places a payment order for an electronic payment transaction; (iv) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. An exemption from SCA pertains to payment transactions that are initiated by the payee under very specific conditions. Account servicing PSPs allow payment initiation service providers and account information service providers to rely on the authentication procedures provided by the account servicing PSP to the payment service user. The account servicing PSP only applies SCA for the first access to payment account data by a given account information service provider unless it has reasonable grounds to suspect fraud.
A payer PSP may enter into an outsourcing agreement with its technical service provider in case the latter is providing and verifying the elements of SCA, but the full liability for the SCA remains with the payer PSP. PSPs ensure that all their customers, including persons with disabilities, older persons, persons with low digital skills and those who do not have access to digital channels or payment instruments, have at their disposal at least one means, adapted to their specific situation, which enables them to perform SCA.
Severe administrative fines, public statement, order to cease unlawful conduct and a temporary ban preventing a member of the management body of the legal person from exercising managing functions and periodic penalty payments may be applied by the relevant competent authority in case of breach of applicable provisions.
Kindly note that the Draft PSR is at an early stage of the legislative process and may be amended.