At the end of June 2023, the EU presented a comprehensive package to modernize payments: the new Payment Services Directive (PSD3) and the complementary Payment Services Regulation (PSR). The goal is greater security, innovation, and fair competition. Banks, fintechs, and consumers must prepare for profound changes. Implementation will take years, but the first steps are needed now.
PSD2 is no longer sufficient
With the second Payment Services Directive (PSD2), the EU created the legal framework for digital payments in 2015. It brought significant progress: consumers were better protected, new players such as FinTechs were able to gain a foothold in the market, and “Strong Customer Authentication” (SCA) established a high security standard. Since its full implementation in 2019, however, it has become clear that reality is more complex than legislators assumed at the time.
On the one hand, the payments market has become significantly more dynamic: digital payments and e-commerce are booming, while cash is declining in importance. At the same time, new fraud schemes are emerging, such as social engineering attacks, which cannot be prevented by technical security measures alone. The implementation of PSD2 was also uneven across member states, leading to regulatory fragmentation. Ultimately, it became apparent that although Open Banking had taken off, it was slowed down by technical hurdles and inconsistent interfaces.
Against this backdrop, the European Commission presented a new package on June 28, 2023, to replace and further develop PSD2: PSD3 and the accompanying PSR.
Two building blocks for the future: PSD3 and PSR
The reform is based on a two-pronged structure.
- PSD3 as a directive: It focuses on issues relating to the authorization, supervisi-on, and organization of payment institutions and e-money institutions. It defines who may provide payment services, the conditions under which this occurs, and how supervision works.
- PSR as a regulation: It establishes directly applicable rules for business relati-onships, consumer rights, and transparency. Since a regulation applies directly in all member states, differences in implementation should be avoided in the future.
With this combination, the EU aims to create a more uniform framework while maintai-ning sufficient flexibility for national supervisory structures.
The objectives are clearly formulated (see figure 1): to reduce payment fraud, strengthen consumer rights, ensure fair competition between banks and non-banks, make open banking more practical, and secure the supply of cash in Europe.
The most important innovations in detail
The Commission’s proposals contain a whole series of measures that, taken together, represent a significant change for the industry.
A first major step is the integration of the e-money regime. Until now, a separate e-money directive existed alongside PSD2. This led to duplicate rules, different authoriza-tion procedures, and the coexistence of two regimes. PSD3 is intended to eliminate this parallel structure: e-money institutions will in future be treated like payment instituti-ons, although separate regulations will remain in place for certain specific features of e-money.
Another innovation concerns open banking. Under PSD2, banks had the choice of providing third-party providers with either their own interface (API) or – in cases of doubt – access via existing online banking channels. In practice, this led to considerable friction. PSD3 and PSR now clarify that banks must provide dedicated APIs that are free of artificial hurdles. At the same time, a dashboard for consumers is required, through which they can manage their consent and revoke data sharing.
Fighting payment fraud is also a key focus. A key element is the verification of the recipi-ent’s name and IBAN before each transfer. This measure, previously only intended for instant payments, is now to be made mandatory for all transfers across the EU. It will also allow payment service providers to exchange data on fraud cases in order to iden-tify patterns at an early stage. Finally, strong customer authentication will be moder-nized and expanded to make it not only secure but also accessible to all user groups.
Non-banks will also be empowered. In the future, payment institutions will be granted secure access to payment systems that were previously often reserved only for banks. They will also have the right to a bank account, thus curbing so-called “de-risking” – the practice of banks preemptively denying FinTechs access to accounts.
Last but not least, the reform also addresses the issue of cash. Merchants will in future be allowed to offer cash withdrawals without obligation to purchase, i.e., “cashback” at the supermarket checkout, even if the customer does not purchase anything. At the same time, clear transparency requirements are being introduced for independent ATM operators: customers must be able to see what fees apply before each withdrawal.
Impact on Banks, FinTechs, and Consumers
The reform will affect all players in the payment sector – albeit in different ways.
For banks, the PSD3/PSR reform initially means significant investments. They must develop powerful APIs, introduce customer dashboards, and upgrade their systems for new fraud controls. Compliance burdens will increase as transparency and infor-mation requirements are tightened. At the same time, competition will increase as non-banks gain better access to infrastructure. On the positive side, however, banks will benefit from a more uniform legal framework that facilitates cross-border business and reduces regulatory uncertainty.
For FinTechs and payment institutions, the changes are ambivalent. On the one hand, market access and expansion will be facilitated, as many rules will apply uniformly across Europe in the future. Secured access to payment systems and the right to bank accounts will eliminate significant hurdles that previously hampered business. On the other hand, the requirements will increase: safeguarding customer funds, SCA imple-mentation, and enhanced fraud prevention require additional resources and invest-ments. In the long term, however, this should be worthwhile, as a more strictly regula-ted environment creates greater trust among customers and investors.
Finally, PSD3 and PSR promise tangible improvements for consumers. They gain greater security through mandatory name-IBAN matching, more rights in cases of fraud – even if payments were authorized through social engineering – and greater transparency regarding fees. They retain control over their data via the Open Banking dashboard and can easily revoke consent. The option to withdraw cash at the supermarket also ex-pands their everyday options. Overall, consumers should have more choice, security, and control in payment transactions.
The Commission also plans to strengthen the role of the European Banking Authority (EBA). It will not only develop technical standards but also coordinate the exchange between national supervisory authorities. This should ensure more uniform enforce-ment of the regulations.
Despite clear objectives, many questions remain unanswered. These include, in particu-lar, liability rules in cases of fraud, the precise design of API standards, and how natio-nal special approaches (e.g., regarding the use of cash or sanctions) can be avoided. The practical implementation of the SCA exceptions could also still lead to discussions.
Expected Timeline
At this point, only a rough outline of the plan can be provided. Political deliberations in the Parliament and the Council are expected to begin in the second half of 2023 and extend well into 2024. This will then likely be followed by trilogue negotiations between the EU institutions, which are expected to be concluded in 2024 or 2025.
If this timeline is adhered to, the final text could be adopted starting in 2025. After that, transitional periods will apply: The regulation (PSR) will likely not be applicable until 18 to 21 months after entry into force, and the directive (PSD3) must be implemented by the member states within the same period. It is therefore realistic that the new rules will become noticeable in the market in 2026/27.
- June 28, 2023: Publication by the European Commission
- H2 2023 – H1 2024: Consultations in the EU Parliament and the Council
- H2 2024 – H1 2025: Trilogue negotiations and conclusion of a compromise
- From 2025: Formal adoption and publication in the Official Journal
- After 18–21 months: Application of the PSR and implementation of PSD3 into natio-nal law
- From 2026/27: First practical effect of the new rules on the market
To-Dos for Market Participants
Even though the actual negotiations are just beginning, one thing is clear for banks, FinTechs, and payment service providers: The direction has been set. Initial preparati-ons should be made now to avoid running out of time later. These include:
- Banks should develop roadmaps now for how they can set up APIs, fraud checks, and dashboards.
- FinTechs are well advised to review their compliance readiness and plan possible adjustments to their licensing strategy early on.
- Providers with direct customer contact should consider how they will clearly com-municate future changes to payment processes or information requirements.
- Managers at all institutions should already plan budgets and project structures to be able to act quickly when the rules come into force.
Conclusion
PSD3 and PSR are not a revolution, but a logical development. They combine consumer protection with the promotion of innovation and competition. Those who adapt to the changes early on can not only avoid risks but also take advantage of opportunities for new business models and customer relationships.
Sources
- European Commission, „Financial Data Access and Payments Package: Questions and Answers“, June 28, 2023, Link
- European Commission, „Payment services: Commission proposes new rules to enhance protection of consumers and competition in electronic payments“, June 28, 2023, Link
- European Banking Authority (EBA), „EBA welcomes the European Commission’s proposal on the revision of PSD2“, June 28, 2023, Link
- BaFin, „PSD3 und PSR: EU-Kommission legt Entwurf für neue Zahlungsdienste-Regeln vor“, July 2023, Link
Comment