In Europe, the Payments Services Directive is getting a makeover.
To that end, as announced on Wednesday (June 28), the European Commission has proposed a series of what it says would be “upgrades” to PSD2.
And as has been widely reported, the changes will help usher the transformation of PSD2 to PSD3.
At a high level, the European Commission said, the rules will “bring payments and the wider financial sector into the digital age … [and] will further improve consumer protection and competition in electronic payments.” The changes come about, said the EC, where electronic payments in the region have reached 240 trillion euros as of 2022, surging from 184 trillion euros in 2017.
The commission took note that an evaluation of PSD2 found that though strides have been made in protecting stakeholders, “there remains an unlevel playing field between payment service providers, due partly to the lack of direct access by non-bank Payment Service Providers (PSPs) to certain key systems that are necessary to finalize payments.” There has been “mixed success” in the uptake of open banking, particularly with non-bank providers.
“More sophisticated types of fraud have also emerged, putting consumers at risk and affecting trust,” wrote the EC. The new regulations strive to bolster fraud defenses and protect consumers and enterprises in an age when social engineering is on the rise.
Moving forward, payment service providers (PSPs) will be able to more fully share fraud-related information between themselves. The EC has proposed an extension to all credit transfers of IBAN/name matching verification services — and, particularly, for instant payments conducted in euros.
There’s also a mandate for PSPs to carry out education actions to increase awareness of payments fraud among their customers and staff, while broadening refund rights. The refunds would be granted in the event of a failure of the IBAN/name verification service to detect a mismatch between the name and IBAN of the payee, and for consumers falling prey to “spoofing” fraud. “Victims of ‘spoofing’ fraud can be entitled to claim damages from their PSP for the full amount of the fraudulent transaction, subject to conditions including filing a police report and notification to their PSP without undue delay,” the EC wrote.
The new rules also streamline authentication efforts. The application of strong customer authentication (SCA) in respect of payment account information services will only apply SCA for the first access to payment account data by open banking account information service providers, as the proposals state, “unless there are reasonable grounds to suspect fraud.” Thereafter, account information service providers will then be responsible for SCA for subsequent data access.
The move to PSD3 also seeks to foster “more transparency” for credit transfers and money remittances from the European Union to third countries. Specifically, for credit transfers and money remittances from the EU to third countries, payment service users would have to be informed about the estimated charges for currency conversion. The charges would conceivably be expressed as a percentage mark-up over the “latest available euro foreign exchange reference rates” that are in turn issued by the European Central Bank.
Non-bank payment providers will be allowed to access to all EU payment systems. And there will be more cash availability in brick-and-mortar settings and via ATMs, by allowing retailers “to provide cash services to customers without requiring a purchase and clarifying the rules for independent ATM operators.”
Elsewhere, the European Commission seeks to establish “clear rights and obligations” when it comes to data sharing beyond the confines of payment accounts: Customers will be enabled to share their data with FinTechs and FIs in secure machine-readable format “to receive new, cheaper and better data-driven financial and information products and services.”