Wondering what the new Payment Services 3 (PSD3) regulations will contain? In this article, we’ll look at how it’s a revision of the PSD2’s regulations, and how this will impact the payments industry.
What is PSD3?
Payment services directive 3 (PSD3) is a response to technological changes for the digital payments industry since the PSD2 was introduced to the EU and the EEA from 2019/2020 onwards. This payment services framework was designed to regulate electronic payments, standardize compliance across all EU banks, increase security and security, and to reduce payment fraud via the enforced use of Strong Customer Authentication requirements (SCA) by third party providers.
Thanks to the PSD2, customers can make quicker, safer payments, while granting regulated third parties the permission to access a customer’s payment account information legally. This has in part led to a boom in the e-Commerce and online services industry.
These new regulations provided in the PSD3 are considered to be a required update on the previous Payment Services Directive regulations. There are some areas that regulators believe need improving to increase customer safety, consumer rights and service value. Below, we’ll explore how the online payments industry has changed since PSD2 was first introduced, and what the revised Payment Services Directive might include.
What has changed since PSD2
With PSD2 came huge shifts in the online payments and financial landscape. FinTech companies took center stage, and so have Buy Now, Pay Later (BNPL) solutions, digital wallets and contactless payments. This is thanks to the more flexible payment and open banking possibilities offered by PSD2 regulations for TPPs. We’ve also seen the rise of cryptocurrency, which has started a new conversation about the deregulation of virtual currencies.
Open banking has allowed customers to take out loans and mortgages without the kind of extensive KYC checks that can increase friction in their experience. Modern banks have therefore improved the customer’s journey by making processes like these much, much faster.
Therefore, consultations have been useful in considering the above changes, and whether current regulations need to adapt around them.
What are the effects of these consultations?
Consultations were held with stakeholders in 2022 to find out whether PSD2 had been achieving what was required of it. They also set out to figure out what was potentially missing from the current legislation. The PSD3 consultations in general, however, were open to the public in August 2022. This included opinions and suggestions from citizens, public authorities and business associations alike. They also carried out targeted consultation requiring PSD2’s technicalities, and finally a consultation addressing open finance/open banking.
Questions that were asked include whether it’s achieved the successful prevention of most forms of payment fraud, whether it successfully increased consumer rights, whether it’s still relevant following changes to technology and whether/how PSD3 is a necessary replacement of the original regulations.
Now that consultations have been concluded, bodies handling PSD3 regulations will review the answers to these questions, using them to aid any changes that they think might be needed.
Why may things be changing from the consultations?
The EU found via consultations that PSD2 was mostly successful in preventing fraud payments thanks to the introduction of SCA. Since PSD2 was first introduced, online payments have grown ever popular and with them, online payment fraud. While PSD2 did help to prevent many instances of payment fraud by requiring third parties to use Strong Customer Authentication.
This does, however, continue to exist as fraudsters find their way around open banking’s authentication systems. This can be done via phishing or SIM swapping techniques – although it’s much harder than it used to be before PSD2.
The new regulations are set to answer questions around whether it’s possible to either strengthen pre-existing SCA, or whether it needs to be replaced by a new form of authentication to combat these new types of online fraud that are emerging.
Some other ideas for PSD3 include whether there should be any limits on contactless card payments (and the security surrounding that), or whether the SCA period needs to be extended from 90 to 180 days to reduce the friction that customers experience when purchasing an item. Another big question is whether cryptocurrencies can be left unregulated.
It might be that no changes are required or currently possible for the PSD2. In which case, the PSD2 won’t be updated. However, it’s looking increasingly likely that at least some changes will happen to the PSD2, since the huge changes in consumer needs, behavior and technology that have emerged since the legislation was introduced.
How might PSD3 affect the payments industry?
If PSD3 changes do come into force by 2026, you can expect them to change the payments industry landscape. But how exactly it will change is not certain yet, and depends very much on what parts of the current legislation is updated or left as is. With a key focus of PSD3 consultations being customer safety, it’s likely that consumers and organizations will have further protections that either go beyond or reinforce SCA. Not only that, it’s likely to provide additional safety for national and local economies too.
PSD3 might also standardize application programming interfaces (APIs) as suggested by the European Banking Authority, providing an EU standard which has to be complied with. The idea is that this will reduce the number of barriers faced by FinTech companies looking to access customer account data from banks and other financial institutions. That’s because as there are no standardized bank APIs, it can be difficult for them to connect to them all without considerable effort.
The European Banking Authority also recommended that some payment services need to be more clearly distinguished from others, such as in the case of the money remittance business.
Like with PSD2, there will be penalties for not complying with the new PSD3 regulations once they’re made mandatory. This is more of a concern for payment processors than the merchants that rely on them.
At the end of the day, PSD3 compliance will be mandatory for all payment processors in around three years after the EU law comes into play. It’s worth considering working out how this will affect your business as soon as it is possible to do so, as it probably won’t be easy to quickly adapt to changes if there are any. It’ll probably take five years for the implementation deadline, if the PSD2’s timeline is anything to go on.