After much anticipation, the European Commission (EC) has published its proposed revisions to EU payment services legislation, as well as a proposal on Open Finance/data access in the financial services sector beyond Open Banking/payment accounts in the form of a new Open Finance framework called “FIDA”.
The following article is excerpts of a paper written by Bird & Bird LLP which can be found here.
The proposals are available here along with other various documents, including Impact Assessments, etc.
This is now the beginning of the EU legislative process in relation to those texts. It isn’t clear how long this legislative process will take, but it is possible that they would not be adopted in final form before at least Q2 2025.
Following their adoption in final form (which may differ quite substantially from the drafts published by the EC) and their publication in the Official Journal of the EU, the texts will “enter into force” 20 days later. Then it is proposed that:
- Member States would have 18 months to implement PSD3 into their national legal order;
- Market participants would have 18 months to comply with the PSR (no need for the PSR to be implemented into national laws since it is a Regulation and therefore is directly applicable), with the exception of the rules on confirmation of payee/”matching service” in relation to which payment service providers (PSPs) would be given 24 months to comply.
Since the proposed revisions its has been possible to review the proposals and provide initial thoughts on the proposed PSD3 and PSR.
PSD3 and PSR
Essentially, the EC is proposing that PSD2 would be split into two different instruments:
A third Payment Services Directive (PSD3) that would deal in particular with the authorisation process for payment institutions (PIs) (which now also includes electronic money institutions (EMIs)) and the prudential regime. Of course, a directive remains the most appropriate instrument since licensing and supervision of PIs remains a national competence of EU Member States.
A separate Payment Services Regulation (PSR) that would deal essentially with rules (and related penalties) for PSPs and users. The EBA, in its Opinion on PSD2 (published in June 2022), identified differences in Member States’ approaches to applying PSD2, and an EBA Peer Review (published in January 2023) concluded that deficiencies in approaches led to different supervisory expectations for PIs and EMIs.
A regulation (rather than a directive) is meant to enhance harmonisation of the rules and enforcement across the various EU Member States.
In addition, the EC proposed to merge the EU E-Money Directive (EMD2) with the proposed PSD3 and PSR texts, so as to have one coherent regime for both payment services and e-money services, and thereby ensure a level-playing field between PIs and EMIs.
Currently, EMD2 contains requirements in terms of authorisation and supervision for EMIs, whereas PSD2 does the same for PIs, but also sets out the rule of conduct that apply to various categories of PSPs (which also apply to EMIs).
This means that there is already a lot of similarities between the two legal frameworks (at least when payment transactions involve e-money) and there are only a few specificities when it comes to e-money, and therefore it appears sensible for PSD3/PSR to regulate both PIs and EMIs.
PSD3 also amends the Settlement Finality Directive (SFD) in order to allow non-bank PSPs (e.g. PIs and EMIs) to participate directly in SFD-designated payment systems.
That way, those non-bank PSPs would no longer need to rely on banks in order to execute payment transactions (especially in a context where some banks may have adopted a de-risking strategy).
The EBA is given once again a number of mandates under PSD3 and the PSR to prepare draft regulatory technical standards (RTS) and draft implementing technical standards (ITS), ultimately to be adopted by the EC, as well as guidelines, and to continue maintaining the register.
PSD3: the EBA is given a number of mandates to prepare draft RTS and draft ITS, e.g. on cooperation and information exchange between national competent authorities (NCAs) of the Home Member State and of the Host Member State, on a common assessment methodology to be provided to NCAs in the application for the authorisation of PIs and on the circumstances in which the appointment of a central contact point is appropriate, etc.
PSR: the EBA is given a number of mandates to prepare draft RTS and draft ITS, e.g. on the criteria on the basis of which an Account Servicing PSP (ASPSP) may be exempted from the obligation to have in place a dedicated interface exposed to TPPs, on the exclusions from the scope of the PSR, fraud reporting requirements, authentication, communication and transaction monitoring mechanisms, etc.
The PSR would be followed by a review, five years after the date of application, focusing in particular on open banking rules, fees and charges for payment services and combating fraudulent transactions.
The PSD3 will also be reviewed for its effectiveness and efficiency in achieving its objectives.
The whole directive will be considered, however there will be some topics of focus; these will include the scope and safeguarding of PIs’ funds which may be affected by new rules on deposit guarantee schemes which were adopted on 18 April 2023 (which can be found here), as well as the possibility to include other technical service providers (TSPs) such as payment system operators, payment processors or gateways under the under the scope of PSD3.
Five years is usually the period after which a review would take place, however the review specific to the extension of scope to TSPs will likely take place three years after the application date in consideration of Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) which only applies to financial entities regulated/supervised under EU legislations.
The full B&B paper can be found HERE