By Herodotos Michael
Senior Manager, Authorisations and Regulatory Business Development
The European Union (EU) has proposed a transformative directive to modernize the regulatory framework for payment services and electronic money within its Internal Market. This directive, which amends Directive 98/26/EC and repeals Directives 2015/2366/EU and 2009/110/EC, is a response to the dynamic changes in digital payments, aiming to bolster consumer protection, enhance market efficiency, and streamline regulatory coherence.
Background and Objectives of PSD3
1. Evolution since PSD2
Implemented in 2015, the second Payment Services Directive (PSD2) significantly reshaped the retail payment services market by fostering innovation, increasing security, and enhancing consumer protection. However, the rapid adoption of digital payment methods, including credit and debit cards, digital wallets, and contactless payments, has created new challenges. The COVID-19 pandemic further accelerated this digital shift, underscoring the need for secure and efficient digital payment systems.
Despite its achievements, PSD2’s implementation highlighted several gaps, particularly inconsistencies in its application and enforcement across member states. These discrepancies led to regulatory arbitrage, which undermined the directive’s intent to create a level playing field. PSD3 aims to address these shortcomings by establishing a more harmonized and comprehensive regulatory framework.
2. Key Provisions
a) Harmonization and Enhanced Supervision
A core goal of PSD3 is to ensure the uniform application of payment service regulations throughout the EU, thereby eliminating ‘forum shopping,’ the practice where institutions choose jurisdictions with more favorable regulations. This will be achieved by differentiating the rules governing the conduct of payment services, which will be incorporated into a new regulation (the Payment Services Regulation, or PSR), from those related to the authorization and supervision of payment institutions, which will remain under the new directive.
Existing payment institutions will not be required to reapply for licenses under the new framework. This decision ensures continuity and market stability and allows these institutions to adapt to the new regulatory requirements without undergoing a renewed licensing process. Enhanced cooperation between national supervisory authorities will be crucial to maintaining this harmonized regulatory approach, ensuring consistent application and enforcement across the EU.
To summarise, PSR is set to replace PSD2. This new regulation will centralize and standardize all rules governing the activities of Payment Service Providers (PSPs) across the EU. Unlike directives, regulations like PSR are directly applicable in all EU member states without needing national transposition. This direct applicability ensures a more uniform implementation of the legislation, minimizing discrepancies and ensuring a consistent regulatory framework throughout the EU.
The proposed PSR encompasses several critical requirements, including stringent authentication protocols, enhanced API performance standards, and sophisticated risk-based fraud prevention measures, among others. These measures aim to address the evolving needs of the digital payments landscape and ensure robust security and efficiency in payment services.
PSD3 complements PSR by focusing specifically on the licensing and authorization processes for payment institutions. While PSR sets out the core definitions and operational rules for PSPs, PSD3 is designed to oversee their regulatory supervision. As a directive, PSD3 requires each EU member state to incorporate its provisions into their national laws. This allows for some flexibility in how the directive’s rules are implemented across different jurisdictions, catering to local legal and market conditions, while maintaining overall regulatory coherence within the EU.
b) Enhancing Consumer Protection
Consumer protection remains a fundamental aspect of the new directive. Key measures include:
- Restriction on Deposits: Payment institutions offering electronic money services are prohibited from accepting deposits from users. This ensures that funds held by these institutions are solely dedicated to payment services and not used for other purposes, safeguarding consumer funds.
- Usage of Payment Accounts: Payment accounts must be used exclusively for executing payment transactions, minimizing the risk of fund misuse and enhancing the security of digital payment services. This measure is designed to boost consumer confidence in digital payment systems and encourage broader adoption.
c) Authorization Requirements for Existing Institutions
For payment institutions already authorized under PSD2, the new directive offers a seamless transition. These institutions will not need to reapply for authorization under the updated framework. Instead, they can continue operations under their existing licenses, provided they comply with the new directive’s requirements. This approach minimizes administrative burdens and disruption, allowing institutions to focus on aligning their practices with the updated regulations.
Supervisory authorities will oversee this transition, ensuring that existing institutions meet the new operational and consumer protection standards, including the specified initial capital requirements.
d) Short-term Credit and ‘Buy Now Pay Later’ Services
The directive allows payment institutions to offer short-term credit services, such as issuing credit lines and credit cards, as long as these services facilitate payment transactions and the credit terms do not exceed 12 months. This provision acknowledges the role of short-term credit in supporting consumer spending and economic activity, while ensuring that such credit remains manageable and does not lead to excessive consumer debt.
However, ‘Buy Now Pay Later’ (BNPL) services, which enable consumers to defer payments or pay in instalments, will not be classified as payment services under this directive. Instead, BNPL services will be regulated under the new Directive on Consumer Credits. This distinction ensures that BNPL services are subject to appropriate consumer protection measures specific to lending activities, reflecting their primary nature as credit products.
e) Record-Keeping and Data Protection
To ensure compliance with regulatory obligations, the directive requires payment institutions to maintain comprehensive records for at least five years. This facilitates regulatory oversight and enforcement by providing a clear audit trail of activities and compliance.
Additionally, the directive includes strong data protection provisions. Personal data must not be retained longer than necessary, and data related to the withdrawal of authorization must be deleted no later than five years post-withdrawal. These provisions balance the need for compliance documentation with the rights of individuals to data privacy, ensuring that personal data is protected throughout its lifecycle.
Transitional Provisions
To facilitate a smooth transition to the new regulatory framework, the directive includes provisions that provide clear timelines and guidelines for existing payment institutions. These provisions are designed to minimize market disruptions and give institutions sufficient time to adapt to the new requirements. The transitional period will help ensure the practical and efficient implementation of the directive’s provisions, maintaining stability and continuity in the market.
Alignment with Other EU Policies
PSD3 is closely aligned with several overarching EU policies and strategies, reinforcing the EU’s commitment to a cohesive and secure digital economy. It supports the Retail Payments Strategy for the EU, which aims to foster a more integrated and efficient payments market, and its Digital Finance Strategy, which seeks to leverage digital technologies to enhance financial services.
Additionally, the directive complements other legislative initiatives such as the Settlement Finality Directive, which ensures the finality of payment and securities settlement, and the Markets in Crypto-Assets Regulation (MiCA), which provides legal clarity and investor protection in the crypto-assets market. Furthermore, it aligns with the Digital Operational Resilience Act (DORA), which ensures that financial institutions can withstand and recover from ICT-related disruptions and threats.
Conclusion
The new directive on payment services and electronic money services represents a significant advancement in the EU’s regulatory framework for digital payments. By addressing the limitations of PSD2 and introducing robust measures for consumer protection and market harmonization, the directive aims to foster a more competitive, secure, and efficient environment for digital financial services. This will enhance consumer confidence and drive the adoption of digital payment methods, supporting the broader objectives of the EU’s digital and financial integration strategies. The streamlined authorization process for existing institutions and the detailed capital requirements laid out by PSD3 underscore the EU’s commitment to stability and growth in the evolving digital economy.
MAP S.Platis can provide comprehensive advisory support to Payment & Electronic Money Institutions. Please contact us for more information on our related services.