SEPTEMBER 23, 2024
Payment Services Directive (PSD2) marked a significant milestone in the payments industry in 2015. It established open banking principles and fostered collaboration between traditional financial institutions and third-party providers.
Building upon this foundation, the European Commission introduced the Payment Services Directive 3 (PSD3) in 2023. This iteration aims to modernize the payments landscape further, addressing emerging challenges and enhancing consumer protection. Now, as PSD3 moves from a directive to binding national legislation, businesses must adapt to its evolving requirements to remain compliant.
In this article, I discuss in more detail the key changes of the newest payment directive, PSD3, compared to PSD2. I believe it will be useful for businesses in both banking and non-banking industries, as the upcoming legislation might influence the whole fintech segment. So, without further ado, let’s see which innovations to implement in order to achieve PSD3 regulatory compliance.
What Is the PSD3 EU Directive?
PSD3 is a proposed update to the European Union’s second Payment Services Directive (PSD2), which provides rules for the authorization and supervision of non-bank payment service providers (PSPs) in the EU.
PSD3 aims to protect consumers’ rights and personal information while fostering healthy competition in the digital payments sector. It is expected to empower consumers to share their data and to contribute to the development and distribution of financial products and services. Since PSD3 is a directive rather than a regulation, its rules need to be transposed into the national laws of the EU Member States, i.e., the countries belonging to the European Union.
The list of key parties affected by the payment services directive 3 proposal is shown in the infographic below:
As a banking or a non-banking business, you will be given additional opportunities as well as responsibilities and obligations toward legislators, your partners, and your customers. The changes, modifications, and impacts that the transposition of the Payment Services Directive 3 into national law may bring are described in the following sections:
PSD3 vs PSD2: Key Changes, Updates, and Impacts Expected
While PSD2 essentially transformed open banking, its implementation raised a number of issues. These include an inflexible open banking approach and a lack of regulation in customer data handling. In addition, traditional banks often did not meet the requirements in full: they obstructed the delivery of their banking services within third-party applications in the intended format, or simply withheld third-party access and refused to participate in open banking operations.
PSD3 will cover a more extensive scope than PSD2. It aims to address uneven implementation of the rules and the resulting regulatory arbitrage. In general, the Payment Services Directive 3 will concern all parties listed above and will apply to:
- Transparency in the financial industry.
- Liability of all parties involved in interactions within the payment landscape.
- Open banking.
- Strong Customer Authentication (SCA).
- Operation of payment systems and data handling within them.
- Handling of account information.
Because PSD3 provisions are transposed into the national law of each EU country separately, the resulting requirements set for the parties involved may vary from country to country.
PSD3 Directive in the Context of Open Banking
Open banking regulation, which originally emerged from PSD2, is expected to be modified by the changes introduced by the PSD3 directive.
You can discover more about open banking integrations in another of our blog posts.
The major changes to open banking regulation in Europe proposed by PSD3 compared to PSD2 include:
- Removed obstacles to providing open banking services and increased uptime for banking and financial services.
- Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will have the authorization to create personalized interfaces for connections with banking service providers.
- Banks and other e-money institutions will be obligated to share more information about API performance by providing quarterly updates.
- In case of downtime at a financial institution, banks must allow PISPs and AISPs to use their own interfaces so that service is not interrupted.
- Banks are required to provide customers with a permission dashboard to monitor and manage permissions granted to AISPs.
- Non-bank PSPs will have access to all EU payment systems while implementing necessary safeguards and ensuring their right to hold bank accounts.
- Granting consumers more control over their financial data access permissions.
- Empowering national competent authorities with more robust enforcement powers and facilitating the implementation of clarified rules.
In essence, PSD3 is intended to make it easier for businesses aiming to integrate open banking to request, provide, and maintain related innovative services. It is also expected to grant customers more control over the data handled by the parties involved.
PSD3’s Impact on the Strong Customer Authentication (SCA) Requirements
#1 Enhanced data sharing for monitoring
Businesses using open banking and banking APIs will be obligated to share additional data with API issuers, i.e., the payment institutions they partner with. Data types include:
- User location.
- Transaction time.
- Devices used.
- Spending habits.
- Transaction history.
- Session data.
- Device IP.
The information will be used for fraud prevention in regular and cross-border payments and for better determining which transactions to approve and which to decline. This will require businesses to modify, both technologically and procedurally, the way they collaborate with financial institutions.
#2 Payment fraud liability shift
Under PSD3, schemes and technical third-party providers, such as companies offering digital wallets or digital infrastructure, will now be liable for fraud if they fail to apply SCA.
Additionally, issuers will also be liable for payment fraud in cases where a criminal uses a bank’s employee to force a user to authenticate a payment, or acts fraudulently in any other way.
#3 Flexible authentication categories
While PSD2 required two of the three authentication factor categories to be used (knowledge, possession, or inherence), PSD3 allows two factors from the same category. For example, users can now have two passwords for two-step authentication instead of being obligated to have a password and additionally undergo biometric, email, or phone number authentication.
#4 Exemptions from SCA
Merchant-initiated transactions (MITs) and card-based mail orders and telephone orders, also called MOTO transactions, are now exempt from SCA. This means that only the first transaction of, for example, a merchant-initiated subscription will have to be SCA-authenticated, easing the procedure for authenticating recurring digital payments.
#5 SCA accessibility enhancement
SCA methods must now include authentication methods for vulnerable customers, such as the elderly or people with disabilities, who do not rely solely on smartphone access.
Basically, the new SCA provisions are focused on reducing the barriers and inflexibility currently experienced by users making purchases online. They are also focused on open banking PSD compliance and on facilitating embedded finance. Allowing customers to use the modified authentication methods will require additional mobile app development updates.
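As an added example (not code from the article or from DashDevs), this Python policy model encodes the SCA rules described in #3 and #4 above: the PSD2 requirement that the two elements come from different categories versus the PSD3 relaxation that accepts two from the same category, and the MIT/MOTO exemptions. The transaction kinds, function names and the `regime` flag are assumed labels for illustration, not regulatory terms.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three SCA element categories named in the article."""
    KNOWLEDGE = "knowledge"    # something the user knows: password, PIN
    POSSESSION = "possession"  # something the user has: phone, card, token
    INHERENCE = "inherence"    # something the user is: fingerprint, face


@dataclass
class Transaction:
    # kind is a constructed label: "customer_initiated", "merchant_initiated" or "moto"
    kind: str
    first_in_series: bool = True                 # only meaningful for merchant-initiated series
    factors: list = field(default_factory=list)  # Factor values the payer presented


def factors_meet_sca(factors, regime="psd3"):
    """Both regimes need at least two elements. PSD2 additionally required the two
    elements to come from different categories; PSD3, as the article describes it,
    accepts two elements of the same category (e.g. two passwords)."""
    if len(factors) < 2:
        return False
    if regime == "psd2":
        return len(set(factors)) >= 2
    return True


def sca_required(txn):
    """Exemptions described in the article: MOTO transactions are exempt, and in a
    merchant-initiated series only the first transaction must be SCA-authenticated."""
    if txn.kind == "moto":
        return False
    if txn.kind == "merchant_initiated":
        return txn.first_in_series
    return True


def authorise(txn, regime="psd3"):
    """Return the decision an issuer-side SCA policy check would take."""
    if not sca_required(txn):
        return "approve_exempt"
    if factors_meet_sca(txn.factors, regime):
        return "approve"
    return "decline_sca_failed"
```

Switching `regime` between `"psd2"` and `"psd3"` on the same transaction shows exactly which payments the relaxed factor rule newly admits, which is the set an issuer's fraud monitoring should watch most closely.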
Summing Up: PSD3 vs PSD2 Key Legislation Changes Applicable to Businesses
For banking service providers, the changes introduced by PSD3 compared to PSD2 result in the following:
- Obligation to receive additional customer data from the non-banking businesses in your API network in a secure way, to enhance transaction processing by improving approval rates and minimizing fraud.
- Obligation to provide PISPs and AISPs in your API network with the means to create their own custom API data access interfaces to rely on in case of your API downtime.
- Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
- Obligations under the tightened rules on access to payment systems and account information.
- Fraud liability if your employees or other resources and mechanisms are used to force a user to authenticate a payment.
In turn, for startups and non-finance organizations, the changes introduced by PSD3 compared to PSD2 result in the following:
- Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
- Possibility and the right to create your custom open banking API and banking API interfaces.
- Obligation to maintain your custom API interface and use it in case of your banking service provider’s API interface downtime.
- Required provision of customer financial data to your banking service provider.
- When setting up recurring methods like subscriptions, you now have to authenticate only the first transaction.
These are the key changes as of 2024, which will likely take effect in one form or another in two to three years. To be able to respond to these changes, both banking and non-banking businesses, as well as startups and providers of digital infrastructure, will need to make software updates to their digital products and modify procedures and protocols.
When Will PSD3 Become a Law and What to Expect In 2024 and Beyond?
Considering that it took PSD2 three years, from its proposal in 2015 to 2018, to become active as a law, we can expect PSD3, proposed in June 2023, to come into force around 2026. This means that companies have about two years to prepare to comply with the EU laws that emerge from PSD3.
Quick reminder: penalties for non-compliance with PSD2 regulations can amount to up to 4% of annual returns. The same will probably apply to PSD3 non-compliance cases.
Aside from the technical and procedural modifications detailed above, the changes in the regulatory landscape that businesses should expect once PSD3 is transposed into actual legislation are:
- Stricter data security regulations and requirements toward more open sharing of banking information.
- Stricter requirements for authentication technologies in place.
- Tighter collaboration of electronic money institutions with fintech companies and other providers aiming to adopt banking services in their software solutions.
- Enhancement of cross-border payment partnerships and related efficient payment processes.
- Additional security measures focused on financial fraud detection and prevention.
One of the key ways to prepare for the PSD3 directive is to start planning the development of fintech software, or the update of your existing digital product, so that it will meet the upcoming regulatory standards and requirements.
Final Take
PSD3 came to light as an extension of PSD2 that broadens customers’ right to control how their data is shared. This new legislation allows users to authenticate in their preferred ways and empowers businesses to create and use their own custom API interfaces. Moreover, it obligates banks to use additional information about customers to improve the banking services those customers are receiving.
Compliance is crucial for every new fintech business, and achieving PSD3 compliance requires a strategic approach and technical expertise. DashDevs’ fintech experts are equipped to guide you through the complexities of the new directive. Our business analysts and engineers can provide tailored solutions to help your business meet the evolving demands of the payments industry and ensure a seamless transition from PSD2 to PSD3 compliance.