Payment services regulation (PSR) and 3rd Payment services directive (PSD3) – drafts
In June 2023, the European Commission unveiled a draft Regulation on payment services in the Internal Market ("PSR") and a draft Directive on payment services and electronic money services in the Internal Market ("PSD3"). Together, the two acts are the successors to the Second Payment Services Directive ("PSD2").
Electronic money institutions are being abolished. Bigtechs engaged in strong customer authentication must accept outsourcing. Account providers must create a common IBAN database and check the compatibility of the payee and IBAN before accepting a transfer order.
Key takeaways
- Electronic money institutions will be abolished.
- Payment institutions will be allowed to issue electronic money and participate in ELIXIR-type systems.
- ATM operators must be licensed.
- Bigtechs must enter into outsourcing agreements with payment service providers if they participate in a strong authentication service.
- Account providers must create a common IBAN database and check the match between the payee and IBAN before accepting a transfer order.
- Providers and telecom operators are responsible for spoofing.
- In the event of an unauthorized transaction, evidence of authorization is required.
- In open banking, a dedicated interface and consent panel are mandatory.
- The PIS provider is to receive the account holder’s name even if it is not in the user interface.
Timeline
2023.06.29 Announcement of draft PSR and PSD3
2024.04.23 Adoption of draft PSR by the European Parliament.
The Polish Payment Services Act (PSA) will be mostly repealed. The exceptions will be the provisions on the licensing process of payment institutions, the ongoing supervision by the Financial Supervision Commission, access to payment systems, and accounts of non-banks with banks. Existing provisions of the PSA implementing the Payment Accounts Directive (basic account, etc.) and national solutions (for example, the obligation to accept cash payments) will stay.
Non-bank licensing
PSD3 both removes some existing licenses (e-money) and introduces licensing of more business models (ATM operators). It also introduces and modifies exemptions from licensing payment service providers.
E-money institutions
PSD3 abolishes e-money institutions (EMI). The existing EMIs become payment institutions. These institutions will be able to issue e-money as a separate service. The e-money directive is repealed.
Payment institutions
PSD3 allows payment institutions to expand their authorization to include electronic money activities. Due to the changes in the list of the payment services, the structure of services in individual authorizations will be adapted to the new regulations.
As in the case of PSD2, there will be so-called re-authorization, that is, verification of the compliance of payment institutions’ activities with the new requirements. The new requirements include, among other things, compliance with DORA and a liquidation plan.
In terms of own funds, the so-called B method is mandatory in each country.
Operators of ATMs
Independent ATM operators must obtain a license in order to continue operating. Licensing is accomplished through a registration along the lines of the registration for providers of so-called AISPOs, which are providers of account information access services only.
An operator enrolled in the registry benefits from a so-called European passport, meaning it can provide services in any European Economic Area country after a notification procedure in its home supervisory area.
Exemptions
Retail outlets may offer a cash withdrawal service of up to EUR 50 even if the withdrawer does not make purchases at the establishment.
Strong customer authentication
The design of strong authentication (SCA) does not change significantly. The PSR clarifies some SCA issues, including translating into binding legislation the solutions of SCA introduced by the EBA in their FAQ to the PSD2.
SCA elements
A fundamental change to the SCA is being discussed in the legislative process, that is, allowing both elements of the SCA to fall into one category.
The payer's provider is required to provide SCA mechanisms that are accessible without a smartphone and to people with functional or competency limitations.
For electronic transactions at POS terminals or analogs, SCA with dynamic linking is required (under PSD2, dynamic linking is only required for remote transactions). The alternative is to introduce a mechanism equivalent to SCA.
Subscriptions
In subscriptions, SCA is required only when the payment instrument is registered. However, this applies only when the subject is goods and services (i.e., it does not apply, for example, to donations to NGOs) and when registration is made with the recipient's clearing agent service.
SCA for a specific payment under a subscription is not required if the payer does not have to take any action that initiates the payment.
Unauthorized and manipulated transactions
The PSR maintains the basic construct of liability for unauthorized transactions. However, it extends the liability of the payer’s provider to authorized transactions in which the payer has been manipulated (known as spoofing).
Unauthorized transactions
The main change introduced by the PSR to the existing PSD2 solutions is in the evidence required from the payer's provider. If the payer disputes a transaction, the payer's provider will have to demonstrate not authentication, but authorization.
Manipulated transactions
If the payer has ordered a transaction as a result of a third party impersonating a person representing the payer's provider in telephone or email contact, the payer's provider shall reimburse the amount of such transaction at the payer's request.
The condition is that the payer reports the incident to law enforcement authorities and that the payer does not act negligently. Unlike in unauthorized transactions, the obligation of the payer's provider to refund the transaction to the payer is excluded not only by gross, but also by ordinary negligence.
If the telecommunications operator contributed to the transaction, the payer’s provider has recourse to the operator. Telecommunications operators thus receive obligations to the financial market under PSD3/PSR parallel to their obligations under DORA.
Verification of payee
The PSR introduces an obligation to verify IBAN and payee similar to the solution already in place for instant payments in euros in the so-called IPR regulation.
After the payer enters the transfer data, the payer's provider contacts, in real time, the payee's provider indicated in the transfer order. For this purpose, providers in the European Economic Area must create a common database of account numbers or an API-type solution (cf. the solution in place in Italy that checks the IBAN against the tax number). The payee's provider responds in real time to the payer's provider as to whether the IBAN and the name of the payee provided match.
The payer's provider informs the payer whether the IBAN and the name of the payee match, or of the degree of inconsistency. On this basis, the payer decides whether to send the transfer to the indicated IBAN despite the warning about the discrepancy, or not to order the transfer. If the payer orders the transfer, the payer's provider is not responsible for making the transfer to another person.
For instant payments covered by the IPR, if the name of the payee given by the payer in the transfer order and the name of the payee in the payee's account agreement with the provider differ slightly, the payee's provider informs the payer explicitly that the difference is minor (e.g., Kris instead of Chris) and transmits the name of the payee appearing in the account agreement (disclosure of bank or other secrets). For transfers covered by the PSR, the payee's provider is not authorized to do so.
The obligation to verify the recipient in the PSR extends to all channels of transfer ordering. In the case of instant payments, this applies only to electronic channels.
Recipient verification is free of charge for the payer.
Access of non-bank providers to designated payment schemes
National payment institutions may participate in designated payment schemes. The provisions of the PSR and PSD3 complement the provisions of the IPR in this regard. The IPR provisions lead to an amendment of the Law on Settlement Finality and the Law on Payment Services, unlocking the possibility for national payment institutions to participate in these systems. Entities operating these systems may refuse to accept a domestic payment institution into the circle of participants only for the reasons indicated in the regulations, primarily because of excessive risk.
The regulations do not require the National Bank of Poland to maintain accounts for national payment institutions.
Access to accounts in credit institutions of non-bank payment providers
The PSR and PSD3 clarify the rules for opening and maintaining bank accounts by credit institutions (banks).
During legislative work, an appeal of a credit institution’s refusal to the supervisory authority was considered.
Open banking
Questions and answers
Does a bank with a network of ATMs have to obtain a registration with the FSA?
No. The obligation applies only to providers that do not provide other payment services to ATM users.
Is an authorized payment institution obliged to join a designated payment scheme?
No. Participation in any such scheme is optional for any authorized payment institution.
What specific SCA mechanisms other than smartphone-based must be ensured by the payer's provider?
The regulations do not impose any specific requirements in this regard. Best practices in 2FA (2-factor authentication) or MFA (multi-factor authentication) envisage methods that do not require a smartphone. This includes one-time passwords provided by automated calling devices (phone passwords) and USB memory sticks or similar, which must be inserted into a computer and remain there for the duration of operations requiring authentication.