PSD3 Uncovered: Europe’s Next Generation Payments Framework

Photo by rupixen.com on Unsplash

PSD2

The 2nd Payment Services Directive (PSD2) has been a unanimously-loved piece of regulation resulting in a level playing field, consistent, simple to use and high quality bank-side APIs enabling innovation and competition. PSD2 closed all previous consumer security loopholes and created no new ones, and demonstrated to the wider world that the only way to drive an open finance transformation is through regulation.

OK… so there’s a chance I’m not being entirely serious here.

The vision for PSD2 was sensible enough: break the monopoly that the big banks have on their customers’ data and open up the global payments networks to new, consumer-friendly use cases.

In the main, PSD2 has been wildly successful and credit is due to legislators for having the vision and courage to execute such an ambitious programme. Without PSD2, it’s doubtful we’d have seen the rise of fintechs such as SumUp, Revolut, Starling and Klarna at the pace we have. And we certainly wouldn’t have seen Open Banking aggregators such as TrueLayer, Codat and Plaid enjoy such growth and market penetration across Europe.

PSD2 introduced a range of new acronyms and terms that are important to know because they are built upon in PSD3.

• Account Servicing and Payment Service Provider (ASPSP) – This refers to the banks, building societies and payment providers that hold financial accounts for their customers. In general, you can think of this group as “the banks”. The 9 largest banks in the UK were obligated to provide open banking APIs to the rest of the market, other financial institutions are implementing their own too in order to play in the open banking sand pit.

• Account Information Service Provider (AISP) – AISPs are organisations that specialise in processing financial information made available through Open Banking APIs for the purposes of providing guidance to consumers and businesses. A common feature provided by AISPs is a single dashboard view of all of your accounts across different ASPSPs. Some AISPs enrich the raw data from the banks with metadata allowing consumers and businesses to provide psuedo-audited accounts to lenders showing affordability information. Having worked in the industry previously, I would like to see more innovation around protecting gamblers from over-reaching when they can’t afford it.

• Payment Initiation Service Providers (PISP) – Despite sounding like you’re trying to attract a cat, PISPs are at the more exciting end of the PSD2 regulations, giving organisations the ability to trigger payments directly from a user’s bank account without having to go via an intermediary such as Paypal or Square. I’ve used this process to seamlessly transfer money from my current account into a savings account, it works very well.

In the UK, the Competition and Markets Authority (CMA) were tasked with implementing PSD2, and in 2021 expanded the implementation to introduce Variable Recurring Payments (VRP). VRPs are like direct debits, they instruct a bank to move a variable sum of money on a regular basis, but unlike direct debits, the bank account holder initiates the payment schedule. The initial design of VRP enables automated sweeping between accounts, with fintechs such as Plum using this approach to shift small amounts of money into low risk, short-term investment accounts. But VRP could, and will, be so much more.

VRP will be expanded to allow new consumer-oriented use cases such as subscription payments and finance repayments. This will remove the hassle of Direct Debit mandates, but will introduce new risk scenarios for merchants and financial institutions – specifically around redress if a consumer switches off the VRP in their banking app.

This is a scenario that PSD3 and the UK’s new payments framework specifically addresses. You can read about the UK’s new framework in my previous blog here.

PSD3 and PSR1

On 28th June 2023, the European Commission (EC) proposed a series of upgrades to PSD2. As refresher, EU ‘directives’ give member states some leeway in their interpretation and implementation. This has resulted in variation between member states’ and their banks’ implementations of PSD2.

The new framework intends to minimise variation across the EU by introducing a ‘regulation’, the instrument through which the EU sets standards and mandatory rules. In the same announcement as PSD3, the EC introduced the Payments Services Regulation (PSR, widely being referred to as PSR1 with a fair assumption that it will be updated or superseded later).

The goals of PSD3 and PSR1 are:

• Combat and mitigate payment fraud
  Through new information sharing practices, the new framework will strengthen customer authentication, consumer fraud awareness and add new refund rights for fraud victims. The new framework also introduces plans for a system to check IBAN numbers against account names for all credit transfers.
  
• Improving consumer rights
  Making payment processing statuses more transparent (“where is my money?”) and adding new requirements for making charges and fees more obvious.
  
• Divesting more control and power from banks to non-banks
  Continuing the fintech innovation explosion we’ve seen in recent years, PSD3 and PSR1 will allow non-bank payment service providers with access to all EU payment systems and enshrining these providers’ rights to a bank account
  
• Improving the quality of open banking-based services
  In a similar vein to the UK’s new payments regime (see previous blog), PSD3 and PSR1 sets new non-functional requirements for open finance APIs. This means providers must meet certain performance and availability thresholds.
  
• Make cash more available
  Counter-intuitively, the new framework aims to increase the amount of cash flowing around the system, with new obligations for retailers to offer ATM services without purchasing anything first, and clarifying rules for ATM operators.
  
• Standardisation
  The introduction of a Regulation (capital R), means member states will be obliged to implement payment rules in prescriptive way, with penalties being levied if this is not done. This will cause some controversy as Eurosceptics will highlight this as an example of further federalisation and top-down bureaucracy, meanwhile anyone who has worked in regulated industries, and FS in particular, will welcome clear guidelines on how the new framework should be operationalised.

FIDA

FIDA is the somewhat-awkward acronym for “Financial Data Access”.

Awkward abbreviating aside, FIDA represents a raft of new opportunities for consumers and fintechs:

• Allowing customers to securely share more of their financial data
  With the aim of allowing businesses to offer more appropriate, applicable and affordable products and services, FIDA sets out provisions for standard data sharing formats, standardising and harmonising integrations with large legacy financial institutions (FIs). FIs will be obligated (fraud controls aside) to share this data where their customers permit it to be shared.
  Standardising the data format and sharing processes will be overseen by a new scheme of which data holders and data users will need to become members.
  

• Data sharing dashboard
  Data holders (e.g. banks) are obliged to provide transparency around who data has been shared with and for which purposes. Data holders are also obliged to provide mechanisms for customers to control and change access to their data. This is being referred to as a “dedicated permissions dashboard” in the regulations.

• Clarity around liability and disputes
  As mentioned above, PSD2 introduced a number of new fraud vectors. Taking control and decision-making from banks with their robust and heavyweight risk management machines and putting it into the hands of consumers reduces friction but also reduces security in some cases.
  Overall, PSD2’s Strong Customer Authentication (SCA) provisions has, to quote the EC’s factsheet, reduced the average value of fraudulent transactions by almost 50% for card payments.
  However, Authorised Push Payment (APP) fraud is largely new and enabled by PSD2 payment initiation features. APP costs over £500m in the UK alone and the trend is for this to continue rising. Like the UK’s new payments regime, PSD3 and PSR1 aims to improve customer authentication and also rights for compensation and redress in the event of fraud. One specific goal of PSD3 is to improve SCA journeys for disabled people and others with difficulties.

• Charging for Data Services
  The Proposal also shows an illustration of charges and fees that the Commission believes to be equitable and fair, while encouraging new entrants and smaller service providers into the market. Small service providers will be able to take advantage of data sharing services from FIs at cost, while larger integrators will be charged “reasonable” fees for access to data.
  It is interesting to compare this to the UK’s new framework which specifically calls out a structure for ASPSPs to add “Premium Services” to their APIs.

The Opportunity: Beating the PSD3 Rush

EU regulation takes a long time to implement – it’s one of the major criticisms of the Ever Closer Union project. However, just because the regulation itself will move slowly doesn’t mean that banks and fintechs need to wait around.

There is a huge opportunity for early-movers to begin capitalising on the benefits PSD3 brings. The US and Canada have shown that market-driven open finance can be enormously successful (you’ve heard of Plaid, right?) and the same is true in Europe. This really is one of those build-it-and-they-will-come moments, anything you build today based on the PSD3 proposals will only improve in value and application as more EU FIs implement the changes.

The Digital Euro

Announced at the same time as PSD3/PSR1, the Digital Euro package, a proposal (yet to be approved by either the EuroParl or Council) for a digital version of the Euro providing the following benefits:

The proposed implementation is clever with interesting technical aspects (particularly around the Offline Digital Euro) which I’ll cover in another blog very soon. Stay tuned!