REGULATION (EU) ON PAYMENT SERVICES IN THE INTERNAL MARKET AND AMENDING REGULATION (EU) NO 1093/2010

• The draft Payment Services Regulation (“PSR“) is one of the elements of a package of draft acts, concerning the regulation of the market for payment services and access to financial data (open finance), published by the European Commission in June 2023. The Commission’s objective is to revise the existing rules under Directive 2015/2366 on payment services in the internal market (“PSD2“) and raise the level of secure payments in the EU.
• The object of the Draft PSR is to lay down rules defining its subject matter and scope and the rights and obligations of payment service providers and users, respectively, in relation to the provision of payment services, i.e. transparency of conditions and information requirements for payment services, and rights and obligations in relation to the provision and use of payment services.
• The PSR imposes new obligations on PSPs to ensure better protection of users (e.g. a new matching verification service). See also the draft regulation in relation to instant transfer orders in euro (“IPR”), which also provides for the introduction of such a service (Draft IPR Regulation).
• The PSR also provides for additional powers for non-bank payment service providers (e.g. facilitating access to payment systems).
• The regulatory package announced by the Commission also includes the draft payment and e-money services directive (“PSD3”), which is intended to replace PSD2 and its scope primarily covers the “licensing” of payment service providers (see: Draft PSD3), and the draft financial data access framework regulation (“FIDAR“), which aims to provide clear rights and obligations in the context of the management of shared customer data in the financial sector.

Highlights of the PSR

1. Defines the personal and material scope of application of the Regulation.
2. Provides for a list of exemptions from the application of the Regulation.
3. Establishes harmonised information requirements for users.
4. Defines the rights and obligations of payment service providers and users.
5. Enhances the rights of non-bank payment service providers to access bank accounts and to access payment systems.
6. Introduces an obligation for account payment service providers to provide the user with a panel integrated into the user interface to monitor and manage the authorisations the user has given for account information services or payment initiation services involving multiple or recurring payments.
7. Introduces the obligation for providers to offer a service for verifying a match between the unique identifier and the name or name of the payee provided by the payer when making a credit transfer (verification service). In addition, the PSR regulates the liability of providers for the provision of this service.
8. Regulates the liability of a PSP for unlawful impersonation (i.e. if a consumer has been manipulated by a third party posing as an employee of the consumer’s PSP, unlawfully using the name or email address or telephone number of that PSP, and the manipulation subsequently results in illegal authorised payment transactions).
9. Expands the provisions governing unauthorised payment transactions.
10. Expands provisions governing the obligation to use strong customer authentication (SCA) and governing liability for failure to use SCA.
11. Provides for the development of Regulatory Technical Standards (RTS) relating to, i.a.:
    • defining the conditions for the application of the limited network exemption;
    • definition of criteria for exemption of a payment service provider from the obligation to implement a dedicated interface;
    • the specification of the data to be communicated to the competent authorities as well as the method and frequency of such reporting;
    • fraud reporting;
    • authentication, communication and transaction monitoring mechanisms.
12. Provides for the development of Implementing Technical Standards (ITS) for the establishment of standard forms and templates for the submission of payment fraud data to the EBA by competent authorities.

The PSR will enter into force 20 days after publication and will be applicable 18 months after entry into force.