In 2022, the European Commission evaluated the application and impact of the second payment services directive1 (“PSD II”), the conclusions of which resulted in the publication on 28 June 2023 of a new legislative package, including proposals for a new directive on payment services and electronic money services in the internal market2 (“PSD III”), a regulation on payment services in the internal market3 (“PSR”), and a regulation on a framework for financial data access4 (“FiDA”).
The evaluation of PSD II showed that a number of initial objectives had been achieved. However, it also showed the necessity for a new set of rules to take account of the developments in the payment services space, without changing the fundamentals as the industry needs stability.
Against that backdrop, the European Commission proposes to replace PSD II by PSD III, which would be designed to outline the rules regarding the access to the activity of providing payment and electronic money services within the EU and the supervision thereof, and to adopt PSR, which would regulate the provision of payment and electronic money services themselves. Since it would be a regulation, it would be directly enforceable in the entire EU, thereby reducing the risk of misinterpretation or variations in interpretation among the Member States.
In addition, the European Commission proposed to establish FiDA, which would regulate the access, sharing and use of certain categories of customer financial data and would set out rules concerning the authorisation and operation of financial information service providers (“FISP”).
II. Proposed key changes of PSD III and PSR
Amongst the contemplated changes to, and improvements from, PSD II, the following can be highlighted:
A. Merging the legal and regulatory frameworks applicable to payment services and electronic money services
Currently, the regulatory regime applicable to payment services providers (“PSPs”) is set out in PSD II, while the activity of electronic money institutions is subject to the electronic money directive5 (the “E-Money Directive”). Both regimes have been transposed in Luxembourg into the Law of 10 November 2009 on payment services, on the activity of electronic money institution and settlement finality in payment and securities settlement systems, as amended.
Given that both legal frameworks are reasonably consistent and compoundable, it is proposed to merge them into a single piece of legislation6 . Under the new regime, there would be only PSPs which would be allowed to provide e-money services, in addition to the payment services they provide. This would guarantee a greater level of harmonisation and would allow uniformity in the enforcement and supervision by national competent authorities of the legal requirements for payment institutions and former electronic money institutions within the European Union.
B. Improving the operation of open banking services
The open banking services were introduced with PSD II, but some obstacles to the provision of such services remained. Therefore, the purpose of PSR is to focus on the improvement of the functioning of open banking services, while avoiding radical changes, which might destabilise the market or could generate significant implementation costs. PSR would notably introduce the imposition of a dedicated interface for data access for account servicing payment services providers (subject to an exemption depending on their business model), open banking access management capabilities for users through permissions dashboards and a new liability regime for PSPs (for unauthorised transactions or failure to verify the matching of transactions), for technical service providers (for failure to support the application of SCA) and for payers (for unauthorised payment transactions).
C. Strengthening the protection of payment services users against fraud
In light of the ongoing issue of fraud and bearing in mind that PSD II is not appropriate to tackle certain specific types of fraud, the European Commission suggested additional measures to combat fraud, encompassing both prevention and redress.
The newly proposed measures would consist in:
- Strengthening the customers’ authentication rules;
- Expanding the IBAN/name matching verification services to cover all credit transfers;
- Establishing a legal framework that would enable PSPs to share fraud-related information among themselves, while fully adhering to the GDPR7 ;
- Strengthening the transaction monitoring;
- Mandating PSPs to conduct educational campaigns aimed at raising awareness of payment fraud among their customers and staff; and
- Extending consumer refund rights in specific situations.
D. Reducing the imbalance between banks and non-bank PSPs
• Enabling effective access of non-bank PSPs to bank accounts
Non-bank PSPs typically encountered difficulties in opening and maintaining accounts with banks because certain banks simply refused to open accounts for these institutions or closed existing bank accounts for concerns over matters such as anti-money laundering controls.
PSR would reinforce the existing requirements for banks in order to grant non-bank PSPs non-discriminatory access to bank accounts. Banks would thus be obliged to explain access refusal, the justification of which should stem from the unique circumstances of the non-bank PSP, encompassing serious grounds to suspect illegal activities being pursued by or via the non-bank PSP, or a business model or risk profile, which would cause serious risks for the bank. Moreover, non-bank PSPs would have the possibility to appeal to a national competent authority against a decision of a bank not to open or to close an account.
Apart from commercial banks, central banks would also have the possibility to offer account services to non-bank PSPs, at their discretion.
• Enabling effective access of non-bank PSPs to payment systems
The European Commission observed that non-bank PSPs also struggled to access payment systems, directly or indirectly. In this regard, PSR would guarantee the direct participation of non-bank PSPs in all payment systems, including those designated by the Member States in accordance with the settlement finality directive8 , to which the requirement to have proportionate, objective and non-discriminatory access rules in place would be extended. The only grounds for refusal would be if the PSP was unable to comply with the payment system rules or if the PSP poses a high level of risk deemed unacceptable for the payment system operator.
Payment system operators would carry out a risk assessment of a PSP, which would apply for direct participation; the PSP would in return have to provide evidence that its internal arrangements are robust enough against relevant risks, including settlement, operational, credit, liquidity or business risks.
III. Key features of the new framework for financial data access
To complete the proposed regulatory framework applicable to payment services, the European Commission intends to create a legal framework regarding the access and sharing of the financial data of customers of the financial sector, including on a cross-border basis, meant to boost financial innovation in terms of products and services available to customers.
Essentially, this new framework would provide, among other things, for the possibility for customers of the financial sector to share their financial data with certain data users, amongst which PSPs and FISPs – a new category of professionals subject to authorisation by national competent authorities, and to decide who can access such data and for what purpose. In addition, FiDA would put in place a detailed liability framework in the case of data breach on part of the financial data users as well as dispute resolution mechanisms meant to encourage customers to share their financial data by securing their trust in this respect.
The payment services and financial data access package is expected to be adopted in the course of 2025 and would apply 18 months afterwards. The Council is currently reviewing the proposals of the European Commission.
1Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 23.12.2015, p. 35).
2Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the internal market, amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC [COM(2023) 366 final].
3Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 [COM(2023) 367 final].
4Proposal for a Regulation of the European Parliament and of the Council on a framework for financial data access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 [COM(2023) 360 final].
5Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions, amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267 10.10.2009, p. 7).
6The proposal for a directive on payment services and electronic money services in the internal market foresees the repeal of the E-Money Directive.
7Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 4.5.2016, p. 1).
8Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems (OJ L 166 11.6.1998, p. 45).