For the PSR, these include insertion of an explicit Recital reference to joint responsibility of payment service providers and electronic communications services providers in the event of fraud where the latter fails to cooperate, and additional provisions around technological safeguards. Also in the context of fraud prevention, there would be an extension of PSPs’ obligations in relation to payment instruments to include provision of a free of charge telephone line allowing for 'personal human support' for payment service users. Now is the time for firms to grapple with the detail, with a view to potentially helping to shape the finalised legislation.
On 16 November 2023, the European Parliament's Economic and Monetary Affairs Committee (ECON) published draft reports on PSD3 and the PSR (both dated 13 November 2023) setting out proposed amendments to the Commission's June texts. This article explores some of the key proposed changes in the draft ECON reports. For an overview of the whole June 2023 legislative package, take a look at our previous article 'Evolution not revolution: European Commission publishes financial data access and payments package' which also links to a full form briefing.
PSD3 – Draft ECON report proposals
Existing payments and e-money firms: clarification of re-authorisation and grandfathering requirements
One area of particular concern for existing payments and e-money firms that arose from the June 2023 proposals was the merging of the e-money and payment services regimes - so that electronic money institution (EMI) status will be folded into payment institution (PI) status - and the consequent administrative and costs burdens involved in having to reapply for a licence under the new regime (with potential wider business implications in the event of delayed reauthorisation).
Firms should therefore be relieved to see that the draft ECON report on PSD3 clarifies that PIs already authorised under the current Payment Services Directive ((EU) 2015/2366) (PSD2) will not have to go through a full authorisation process. Instead, they will only have to provide their competent authority with the extra elements provided under the updated rules (eg a winding-up plan), following which the competent authority will make a decision on the continued authorisation of the PI. Similar changes are proposed in relation to EMIs already authorised under the second Electronic Money Directive (2009/110/EC) (EMD). However, unlike for existing PIs the proposed provision allowing for automatic authorisation under PSD3 where the competent authorities have evidence that an existing EMI already complies with PSD3 has not been amended to make such automatic authorisation a requirement for Member States. It remains an optional provision in the draft report.
Access of PIs to designated payment systems: accelerating implementation of Settlement Finality Directive changes
The Commission's June text proposed amending the Settlement Finality Directive (98/26/EC) (SFD) to include PIs as possible participants in designated payment systems, helping to level the playing field with credit institutions. The ECON report highlights that this amendment has also been proposed under the Regulation on instant credit transfers in euro (2022/0341(COD)), which is currently being finalised. As access to settlement for payment institutions is seen as a priority for the Parliament - and pending finalisation of the Regulation - the draft report re-emphasises this by shortening the period for Member States to transpose the relevant changes to the Settlement Finality Directive from 6 to 3 months after the entry into force of PSD3.
Streamlining central contact points
The ECON draft report explains that under PSD2, Member States were given the option to request that PIs established in another Member State set up central contact point(s) (CCPs) in the host Member State in order to report periodically to the host Member State on activities within that Member State for information or statistical purposes. However, there have been divergent applications of this provision across the Single Market and the report queries whether CCPs should be done away with. The suggested first step is to streamline the provisions to ensure that PIs send all relevant information to one contact point, which would then communicate the relevant information to the national competent authority of the Member State.
Emphasising the importance of access to cash
Both the PSD3 and PSR proposals emphasise the importance of access to cash through various provisions, but the draft report goes further, for example by increasing the amount that retailers are permitted to give customers in the form of cashback without a purchase from EUR 50 to EUR 100.
As under the PSR proposal (see 'Enhancing transparency measures' below), ATM fee transparency – here, specifically in relation to independent ATMs - is another focus. The draft report suggests the insertion of a new provision requiring independent ATM providers to comply with the requirements on transparency of fees and charges in the proposed PSR, with a particular obligation to ensure the display of those fees and charges as soon as a card is recognised by an ATM at the very beginning of the transaction.
Opening of accounts by payment institutions: further reinforcement against de-risking
With the objective of avoiding unwarranted de-risking, the draft report includes a new Recital which provides that, where a credit institution refuses to open, or decides to terminate, a PI's account, the credit institution should be required to provide the PI with a 'duly justified response and reasoning'. There is also a suggested expansion of the scope of related regulatory technical standards (RTS) which the EBA is mandated to develop to specify the situations in which a credit institution is able to refuse to open or is able to close a payment account for a PI, its agents or distributors or for an applicant for a licence as a PI.
PSR – Draft ECON report proposals
Ensuring better anti-fraud protection for consumers
The proposed PSR's anti-fraud provisions show a clear liability shift in favour of consumers, and the provisions include an obligation on electronic communications services providers (ECSPs) - such as mobile network operators and internet platforms - to cooperate with payment service providers (which includes the newly expanded definition of PIs as well as banks) (PSPs) in the fight against fraud. The ECON draft report goes a step further by proposing an explicit Recital reference to joint responsibility of the PSP and the ECSP in the event of fraud where the latter fails to cooperate.
New provisions are proposed regarding the PSP’s liability for impersonation fraud, including an obligation on ECSPs and PSPs to ensure that all required technological safeguards, particularly those relating to the security of the communication between PSPs and payment service users, are in place and provided free of charge. In addition, ECSPs would be required to have in place certain technical safeguards in order to prevent fraudulent activities, including verifying the legitimacy of all calls and messages that are routed through telecommunication networks, preventing the use of a specific telephone number in violation of its attribution, authorisation, or allocation, and preventing the creation of fraudulent websites and preventing internet search engines from displaying those websites in their list of results. Failure to establish the technical safeguards would mean that the ECSP would be financially liable towards the payer’s PSP for the amount that the PSP has refunded to the customer.
In relation to transaction monitoring mechanisms and fraud data sharing, it is proposed that exchange of information on fraudulent unique identifiers should become an obligation rather than just an option. A new provision requiring the EBA to set up a dedicated IT platform to allow PSPs to exchange information on fraudulent unique identifiers with other PSPs is also inserted, along with another new provision stating that where a PSP fails to block a unique identifier which was reported to it as fraudulent or involved in fraudulent transactions, the payment service user shall not bear any resulting financial losses.
The obligations of PSPs in relation to payment instruments would be extended to include provision of a free of charge telephone line allowing for 'personal human support' for payment service users to, among other things, notify a fraudulent transaction and receive feedback when they suspect fraud.
The draft report also proposes new provisions on fraud education which would require Member States to allocate 'substantial means' to invest in education on payment-related fraud, either in the form of a media campaign or lessons at schools. PSPs and ECSPs would be required to co-operate in those educational activities free of charge.
Enhancing transparency measures
The June 2023 proposal did not contain any significant changes concerning transparency requirements. However, as experience with PSD2 showed, apparently small amendments can turn out to be very complicated to implement from an IT perspective in particular.
With regard to credit transfers and money remittances from the EU to a non-EU country, the June proposal introduced an obligation for PSPs to provide payment service users with certain information, in particular: (i) the estimated time for the funds to be received by the PSP of the payee located outside the EU and (ii) (in an effective extension of the revised Cross-Border Payments Regulation to this type of transaction) the estimated currency conversion charges must be expressed, for comparability purposes, as a percentage mark-up over the latest available ECB euro foreign exchange reference rates. Here, the ECON draft report proposes further changes aimed at providing better information, for example to stipulate that estimated currency conversion charges should be disclosed transparently in a monetary value as a mark-up over the latest available applicable foreign exchange reference rates issued by the relevant central bank.
Another evolution in the PSR proposal is that fee information will have to cover any charges to be debited for domestic ATM withdrawals. This proposed new obligation is the result of concerns from the EBA and the Commission over the fee that can be debited for a domestic ATM withdrawal operation. For example, in France some banks currently debit fees if a consumer makes a cash withdrawal from an ATM at a different bank. The ECON draft report suggests widening the new obligation to remove the reference to domestic ATMs, although this change is only shown in the related Recital where there is also clarification that 'more transparency' of ATM charges also means 'better information' from the PSP as regards currency exchange.
Strengthening the EBA's role
The draft report advocates for the role of the EBA to be strengthened in recognition of the very technical nature of the subject matter and the constantly changing payments landscape. In particular, the report suggests mandating the EBA to develop various additional RTS or guidelines including:
- in relation to the new anti-fraud provisions, guidelines on how the concept of 'gross negligence' is to be interpreted for the purpose of the PSR, taking into account that the term is interpreted in very different ways across the EU;
- draft RTS setting out a standardised list of data categories of information to be disclosed on the dashboard that banks and other account servicing payment service providers will be required to offer to their Open Banking customers to allow them to see at a glance what data access rights they have granted and to whom and to cancel TPP access to their data (this is also relevant to enhancing transparency); and
- draft RTS setting out an exhaustive list of the methods that can be used as a unique identifier (taking into account relevant market practices), which will be relevant to the proposed new IBAN/name verification service to tackle payments fraud. The draft ECON report proposes that the verification carried out by PSPs should not focus solely on the IBAN number but also encompass other proxies defined by the EBA. Again, these proposed amendments are also relevant to enhancing transparency.
What's the timeline for the PSR and PSD3?
There are a number of elements to take into account here, not least the EU legislative process to reach agreement between the Council of the EU and the Parliament on final texts and the effect of the 2024 European elections on this process. In addition, the EBA is mandated to develop several RTS and implementing technical standards (ITS) and guidelines under the proposals – a list that, as outlined above, the draft ECON report on the PSR suggests should be increased.
Even when finalised, for the PSR there will be an 18-month implementation period and in relation to PSD3 there will be grandfathering of the licensing process which means 24 months for implementation and re-authorisation (albeit hopefully not such an onerous process for the latter in relation to existing payments and e-money firms in light of the ECON draft report's proposed clarifications).
Given the European elections and the European Commission having to be sworn in before trilogues can start again, our current view is that the PSR could take effect in H2 2026, with PSD3 taking full effect in early 2027.
Looking for more insight into the proposals?
We recently ran a series of three webinars where members of our Financial Services Regulatory practice took each of the PSD3, PSR and FIDA proposals in turn and considered their potential implications for new and existing PSPs. You can access recordings of the webinars via the following links:
If you have any questions arising from this article or the other topics discussed in the webinars, please get in touch with any of the listed people or your usual Hogan Lovells contact.
Authored by Eimear O'Brien and Virginia Montgomery.
Hogan Lovells (Luxembourg) LLP is registered with the Luxembourg bar.