What Does PSD3 Mean for the Payments Industry?
The European Commission recently published a draft of the third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (EU PSR).
These are not mere updates, but revolutionary steps aimed at integrating and expanding upon the frameworks established by the second Payment Services Directive (PSD2) and the second Electronic Money Directive (EMD2). Today, we'll take a closer look at some of these proposed changes.
What is PSD3?
The new regulations are intended to increase consumer protection in payments, advance the functionality of open banking services, and create a more level playing field between traditional banks and emerging non-bank payment service providers (PSPs).
In this article, we’ll discuss the changes likely to have the largest impact on the payments industry. Further information on the proposed changes can be found on the European Commission website.
Access Requirements for Non-Bank PSPs
One of the main cornerstones of PSD3 is ensuring that non-bank PSPs have equitable access to payment systems. Though PSD2 introduced similar provisions, it fell short in providing comprehensive coverage, especially concerning systems under the EU Settlement Finality Directive.
The EU PSR steps in to bridge this gap, extending non-discriminatory access requirements. This extension aims at establishing a more vibrant, diverse, and inclusive financial ecosystem.
Strong Customer Authentication (SCA) Accessibility Requirements
In today's digital age, it is imperative for PSPs to consider all customers. This includes often-overlooked populations like the elderly, those living with disabilities, and individuals with “low digital skills.”
The directive requires PSPs to create avenues for these demographics, ensuring that SCA methods are accessible to all customers. PSPs will no longer be able to rely on a single authentication tool such as a smartphone.
Fraud Prevention Measures
The proposed regulations include a number of measures intended to combat the growing threat of payments fraud. For merchants, this will likely serve as a boon to their own fraud prevention efforts. For PSPs, however, the new requirements could represent an additional burden.
The EU PSR mandates that, when asked by the payer’s PSP, the payee’s PSP must verify that the payee’s information matches the information given by the payer. The results of this verification must then be communicated to the payer’s PSP.
If there's a mismatch in the details, the payer’s PSP must inform the payer about it before they finalize the payment and the credit transfer takes place. However, the payer can still choose to go forward with the transaction despite the warning.
Additionally, account statements must clearly identify each payee. This may require use of a company’s trade name rather than its legal name. As a result, PSPs might have to obtain more details from the payee’s PSP.
The new requirements mandate that PSPs implement robust mechanisms capable of detecting fraudulent activities by analyzing patterns, previous transactions, and online payment account access. The technical requirements for these fraud detection measures will be developed by the European Banking Authority (EBA).
Data Collection & Sharing
While data protection remains paramount, the revised guidelines permit PSPs to process certain personal data, such as biometric information, to enhance payment services and ensure compliance. This is, of course, with the prerequisite that stringent safeguards are in place.
This data sharing is intended to allow collaborative efforts to identify bad actors across the payments ecosystem. Note that both these uses of identifying information are still subject to the requirements of the GDPR.
Educating Customers and Staff About Fraud
Keeping customers informed about potential fraud risks and training staff to spot and handle them are vital cogs in the wheel of financial security. The EU PSR mandates that PSPs maintain open channels of communication and continuously update their customers when new forms of fraud emerge. Employees must receive training on payments fraud annually.
In addition to the fraud prevention efforts described above, some aspects of PSD3 aim to protect consumers more directly by imposing new requirements and restrictions on PSPs.
Disclosing Currency Exchange Markups
Financial decisions should be made with clarity. The new regulations require PSPs to clearly disclose any charges related to currency conversions as a percentage mark-up over the most recent exchange rate issued by the applicable central bank. While providing additional clarity for customers, this may create additional challenges for some PSPs.
Stricter Requirements for Reimbursing Unauthorized Transactions
Under PSD3, PSPs can only refuse to reimburse a customer for an unauthorized transaction if there is reason to believe the customer is attempting to commit fraud. The PSP has 10 business days to investigate any possible fraud before it must reimburse the customer.
PSPs are also explicitly required to refund customers who fall victim to a fraud scheme involving impersonation of the PSP by a third party. This applies only if the customer reported the fraud to the PSP and to law enforcement.
The introduction of PSD3 and EU PSR is not just a regulatory move but is emblematic of the evolving financial landscape in the European Union.
As a larger portion of commerce moves online, fraud prevention is taking center stage, and new initiatives are paving the way for innovation and competition in the payments space.
As PSPs navigate this new terrain, adaptation and compliance will be paramount, setting the stage for a new era of financial interactions in the European Union.