The European Commission introduced a proposed financial data access and payments package on 28 June 2023. The package includes revisions to the regulatory framework on payment services, currently captured by the second Payment Services Directive (PSD2). Besides the proposed revisions to PSD2, which will become PSD3, the Commission intends to introduce a Payment Services Regulation (PSR), a framework regulation for financial data access, and changes to the Settlement Finality Directive (SFD).
The proposal follows a review the Commission carried out under the EU's 2020 Retail Payments and Digital Finance Strategies. In its findings, the Commission concluded that there are still factors hindering the development of a full-fledged level playing field between banks and other payment service providers such as account information service providers (AISPs) and payment initiation service providers (PISPs). As the regulatory framework is aimed at protecting consumer rights and safety, as well as encouraging innovation and technical developments in the European payments sector, the proposal also contains elements aimed at strengthening user protection, including on data-sharing permissions and enhanced authorisation requirements.
The Commission's proposal will now be reviewed by both the European Parliament and the European Council in order to agree on the final text. The timeline for the adoption and subsequent entry into force of PSD3 and the PSR is still uncertain. In light of the legislative process, the revised framework's entry into force is not expected before 2026.
Impact on authorisation regime for payment service providers and licensing requirements
The authorisation procedure for payment institutions and e-money institutions will be updated and aligned. These institutions will have to obtain a new licence under the PSD3, even if they have an existing licence. For the latter group, a transitional regime will apply for 30 months after the PSD3's entry into force.
The authorisation process is also expected to become more stringent. An important reason for these amendments is the need to standardise rules across the different EU member states to avoid regulatory arbitrage due to divergent PSD2 implementation.
Where not already required by national implementing legislation, payment institutions and e-money institutions will be required to provide a winding-up plan supporting their application. This plan will need to address the continuity of critical functions, as well as when these functions are outsourced to third parties. PSD3 will also make reference to the Digital Operational Resilience Act (DORA), for example in relation to ICT business continuity and response and recovery plans. In addition, the initial requirements for payment institutions will be adjusted to account for inflation since they were introduced in 2007.
In relation to capital and liquidity information provided as part of the authorisation application, the method for calculating own funds requirements will be maintained, but Method B (based on payment value) will be designated as the "default" calculation method. Based on the business model of the relevant institution, specifically where it carries out a "small number of transactions", the relevant national competent authorities (NCAs) may, on a case-by-case basis, decide that Method A or Method C should be applied. A best efforts obligation will be introduced to avoid capital concentration risk by "ensuring that the same safeguarding method is not used for the totality of their safeguarded customer funds".
In the new authorisation process, governance plans submitted as part of the application will receive additional attention. The NCAs are specifically asked to monitor the adequacy of the institution’s internal governance arrangements and to look into whether a sound risk culture is applied at all levels. To this end, the EBA is to develop guidelines on internal governance arrangements, taking the business models used by payment institutions into account.
To ensure EU-wide consistency of the application process, the EBA will be mandated to develop draft regulatory technical standards on authorisation, including on the information to be provided to NCAs, a common assessment methodology and requirements regarding professional indemnity insurance for payment institutions.
PSD2 and the current E-Money Directive will be combined to ensure a better level playing field between payment institutions and e-money institutions, although distinctive requirements will be maintained: the Commission notes in the proposal that certain licence requirements, such as those on own funds and initial capital, and basic concepts governing the e-money business, including the issuance of electronic money, electronic money distribution and redeemability, are distinct from those provided by payment institutions. Under the combined framework, these distinctive requirements will, therefore, be maintained.
Further measures to level the playing field between banks and e-money/payment institutions
The Commission identified that payment institutions still encounter market entry hindrances, for example in accessing bank accounts and payment systems, which, in turn, hamper the further development of technological innovations by these players. The proposed set of rules, therefore, aims to eliminate current obstacles as much as possible. This will be done by requiring that:
(1) banks may not refuse to open a payment account for a payment institution and its agents, except in specific cases such as there being serious grounds to suspect defective money-laundering and terrorist-financing controls; and
(2) payment institutions and their agents are granted direct access to payment systems (such as TARGET2) through an update of the SFD, and offered the possibility to hold user funds in an account with one of the EU's central banks at the discretion of that central bank.
Apart from these measures, the Commission intends to introduce various amendments to promote "open banking" at a more general level by facilitating access to and the exchange of data between different players in the payment services chain. Importantly, account servicing payment service providers (ASPSPs) must provide a dedicated, separate interface to PISPs and AISPs in order for these parties to gain access to payment accounts and related data. In case of a disruption of the dedicated interface, PISPs and AISPs should be allowed to request from their NCAs that they be permitted to make use of the dedicated customer interface of the ASPSP until the dedicated interface is available again. To enable access, PISPs and AISPs should be provided with details of the technical specifications underlying the interface, as well as opportunities to test the interface. Furthermore, ASPSPs will need to offer a "permissions dashboard" to users to allow them to easily track to whom they have given permission to access their data. Through this dashboard it should also be possible to withdraw permissions.
For further reading, see this recent article on De Brauw's website.