The European Commission has unveiled proposals for the Payment Services Directive III (PSD III) and a new Payment Services Regulation (PSR) as part of its plans to modernize payment systems and expand open banking services. This infosheet explores the background, key objectives, and significant changes introduced by PSD III and PSR to address critical issues in the European payment market and promote a level playing field, while also improving user protection and data sharing practices.
Banking & Finance
As part of the plans to modernize payments and further expansion of open banking services, the European Commission has published proposals for a renewed payment service directive (PSD III) and a new Payment Services Regulation (PSR).
In 2022 a review was undertaken of PSD II which led to the proposals of PSD III and PSR to amend PSD II and improve functioning of the payment markets. The review highlighted four key problems in the EU payment market that PSD II has not been able to resolve. These four key problems are the following ones:
Addressing and improving these key problems is the main objective of the newly proposed PSD III and PSR.
The most fundamental change from PSD II is the new split between the new PSD III directive and the PSR. PSD III will need to be transposed to national law in each member state and covers the payment service licence and the main supervisory rules. The PSR shall apply immediately in each member state after adoption and after it has been entered into force. It covers for the most part the conduct obligations of payment institutions, information and transparency requirements, access to payment systems and the open banking sector improvements.
Besides the new split between a directive and a regulation, one of the most notable changes of PSD III is that it will integrate the current regulatory regime for e-money institutions after which the PSD III/PSR regime will be applicable to both payment institutions
and e-money institutions.
However, the proposal for PSD III contains different requirements for e-money institutions regarding initial capital, own funds and several governance requirements which are in line with the current regulatory e-money regime.
Another noteworthy change is the connection with MiCA (the EU regulation which aims to regulate crypto). Under the MiCA regime, most e-money tokens (crypto’s which refer to an official currency) will qualify as e-money unless an exception under MiCA exists. As a consequence, e-money tokens also fall in the scope of PSD III as e- money. Issuers of e-money tokens can thus be subject to two regulatory regimes: (i) as issuers of e-money under PSD III, and (ii) as issuers of crypto-assets under MiCA.
The PSR also includes some changes to the existing commercial agent exclusion of the licensing regime. In the current proposal of the PSR, the exclusion will become more limited and will only be applicable if the following three conditions are met:
The first condition refers to the definition of a commercial agent in the EU commercial agent Directive. This is a new reference that was not included in PSD II. It also implies that the relevant clauses and protection measures as included in that Directive will apply to the users of the commercial agent exemption under the revised PSD-regime. This Directive (as implemented in the Dutch Civil Code in the Netherlands) contains a number of mandatory clauses which cannot be deviated from (at the expense of the commercial agent), which cover for example: termination grounds, termination period, non-compete, indemnification and compensation for the agent. In summary, the exemption will be less flexible and provide more protection measures for the commercial agent.
Within one year after entry into force of the PSR, EBA will issue guidelines to clarify the changes to the commercial agent exclusion.
PSD III requires authorised payment institutions and e-money institutions to re-apply for a licence under PSD III. The current licences will be grandfathered (prolonged in validity) for 18 months after PSD III will enter into force. Payment institutions and e-money institutions which are licensed under PSD II and wish to acquire a PSD III licence must submit their application within 24 months after PSD III has entered into force.
The scope and content of the regulated payment services as included in PSD III do not differ from the payment services as included in PSD II, but are numbered differently in PSD III.
Several other noteworthy changes to the payment regime are:
The new payment regime includes several measures to improve user protection and to address payment fraud. Among these measures is the new requirement of IBAN name/number verification for all credit transfers (whether or not instant credit transfers and including all currencies). A mandatory alert must be sent to the user if there is a discrepancy found in the name/number verification in line with the proposed amendment to the SEPA regulation. This IBAN verification is already common practice in the Netherlands. As a result of the addition in PSD III if it fails to send this alert, the payment institution will be liable for the amount of the credit transfer. Also, additional clarification is provided about liability of payment institutions in case of fraud and in case a consumer has been manipulated into authorizing a payment transaction by a third party who pretends to be an employee of that payment institution.
Also, several measures are taken to strengthen the implementation of strong customer authorisation and to improve prevention and detection of fraud by payment institutions by for example (i) transaction monitoring mechanisms and analysing whether this is a typical use of the user, (ii) sharing (on a voluntary basis) certain data with other payment institutions and (iii) narrowing the scope of exemptions for using strong customer authorisation.
As to the payment system landscape itself, PSD III aims to tackle the current unlevel playing field between banks and non-banks. Significant in this regard is the proposal to require that all payment institutions have direct access to payments systems, unless restriction is necessary to safeguard a specific risk. A second important change in this regard is that credit institutions may now only in exceptional circumstances refuse to open a payment account for a payment institution or its agent and distributor. In this regards, the fact that payment institutions may now also safeguard their funds with the central bank as mentioned above will improve the aim of a level playing field.
Building on the open banking measures taken in PSD III and PSR, the European Commission has also published a regulation on a framework for financial data access to further govern access and the use of user data. The legislative proposal has incorporated safeguards to limit and prevent conflicts with the GDPR.
All new proposals will be reviewed by the European Council and the European Parliament. The implementation deadline for PSD III and the entry into force of PSR is unclear as of now, but it is not expected to be before the end of 2026. We will provide new updates when there is more visibility of the next steps.