What are PSD3 and PSR?
Since the implementation of PSD2, the EU payment services market has undergone significant changes due to the rise of electronic payments and new open banking providers. In response to these developments, the European Commission proposed updates on June 28 to modernize PSD2, leading to the creation of PSD3 and the introduction of a new Payment Services Regulation (PSR).
- Payment Services Directive 3 (PSD3) is an updated iteration of Payment Services Directive 2 (PSD2), providing regulations to enhance the efficiency and security of electronic and digital payments as well as financial services within the EU. Its goal is to boost competition and spur innovation in the financial sector. PSD3 provides rules for the authorization and supervision of non-bank payment service providers (PSPs) in the EU.
- PSD3 introduces more comprehensive Strong Customer Authentication (SCA) requirements and enforces stricter regulations on access to payment systems and account information.
- PSD3 seeks to safeguard consumers' rights and personal data while fostering greater competition in the payments industry.
- The new proposals also include a Payment Services Regulation (PSR) aimed at enhancing consumer protection, which will be directly applicable across EU member states.
- Timeline: The exact timeline for implementing PSD3 and PSR remains unclear. The final versions might be available by late 2024, with member states typically granted an 18-month transition period, indicating that PSD3 and PSR could become effective around 2026.
What is the main difference between PSD2 and PSD3?
PSD3 modernises the previous Payment Services Directive (PSD2) and introduces various changes.
PSD2 vs. PSD3
PSD3 will encompass a broader scope than PSD2, making it better suited to the current state of the payments industry and addressing the uneven implementation of rules that may lead to regulatory arbitrage. It retains key elements of PSD2, such as transparency, liability, and open banking, but introduces more comprehensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payment systems and account information. These enhancements are crucial for protecting payment transactions and combating payments fraud.
The impact of PSD3 and PSR on the payments industry
Strong Customer Authentication (SCA)
The PSD3 changes regarding Strong Customer Authentication (SCA) will create safer buying experiences with new rules on data sharing, fraud prevention, authentication, transactions, and accessibility. Businesses will share more data with issuers, enhancing transaction approval accuracy, and under GDPR, PSPs can process personal data for fraud prevention without explicit consent. Liability for fraud will shift to payment schemes, service providers, and gateways if SCA is not applied, with issuers also liable for spoofing fraud. PSD3 allows SCA factors from the same category and considers SCA delegation as outsourcing, requiring compliance with outsourcing rules. Exemptions from SCA include merchant-initiated transactions after the first payment and card-based mail orders and telephone orders, benefiting sectors like travel. Tokenized transactions only need SCA if initiated by the cardholder. Additionally, SCA must be accessible to vulnerable customers, including the elderly, people with disabilities, and non-digitally savvy consumers, by providing non-smartphone-dependent authentication methods.
Access to account information and payment systems
The PSR will revamp the Open Banking framework, streamlining open banking services and enhancing uptime for financial services. Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) can now develop custom interfaces connecting to banks. Banks must disclose API performance quarterly, fostering transparency for businesses to make informed partner choices. During bank downtime, AISPs and PISPs can utilize their interfaces, expediting digital payment processes. Additionally, banks must offer customers a permission dashboard for convenient management of AISP permissions, with businesses retaining the right to claim damages for losses incurred under civil law.