JANUARY 21, 2024
%22%3E%3Cpath%20d=%22M12%206.18945C12%205.99054%2011.921%205.79978%2011.7803%205.65912%2011.6397%205.51847%2011.4489%205.43945%2011.25%205.43945S10.8603%205.51847%2010.7197%205.65912C10.579%205.79978%2010.5%205.99054%2010.5%206.18945V14.4395C10.5%2014.5717%2010.535%2014.7015%2010.6014%2014.8158S10.7632%2015.0249%2010.878%2015.0905l5.25%203C16.3003%2018.1836%2016.5022%2018.2056%2016.6905%2018.1518%2016.8788%2018.0981%2017.0386%2017.9728%2017.1358%2017.8028%2017.2329%2017.6327%2017.2597%2017.4314%2017.2104%2017.2419%2017.1612%2017.0523%2017.0397%2016.8896%2016.872%2016.7885L12%2014.0045V6.18945z%22%20fill=%22%23111%22/%3E%3Cpath%20d=%22M12%2024.9395c3.1826.0%206.2348-1.2643%208.4853-3.5148C22.7357%2019.1743%2024%2016.1221%2024%2012.9395c0-3.18264-1.2643-6.23489-3.5147-8.48533C18.2348%202.20374%2015.1826.939453%2012%20.939453S5.76516%202.20374%203.51472%204.45417C1.26428%206.70461.0%209.75686.0%2012.9395c0%203.1826%201.26428%206.2348%203.51472%208.4852C5.76516%2023.6752%208.8174%2024.9395%2012%2024.9395zm10.5-12c0%202.7847-1.1062%205.4554-3.0754%207.4246-1.9691%201.9691-4.6398%203.0754-7.4246%203.0754-2.78477.0-5.45549-1.1063-7.42462-3.0754C2.60625%2018.3949%201.5%2015.7242%201.5%2012.9395c0-2.7848%201.10625-5.45554%203.07538-7.42467S9.21523%202.43945%2012%202.43945c2.7848.0%205.4555%201.10625%207.4246%203.07538C21.3938%207.48396%2022.5%2010.1547%2022.5%2012.9395z%22%20fill=%22%23111%22/%3E%3C/g%3E%3Cdefs%3E%3CclipPath%20id=%22clip0_1107_2521%22%3E%3Crect%20width=%2224%22%20height=%2224%22%20fill=%22%23fff%22%20transform=%22translate(0%200.939453)%22/%3E%3C/clipPath%3E%3C/defs%3E%3C/svg%3E){kind=small}
8 min read
Proposed back in 2015, PSD2 established ground rules for the payments industry. It introduced open banking and enabled third-party providers to collaborate effectively with traditional financial institutions.
Nowadays, Most everyday transaction processing, provision ‘of banking services, and operation of fintech businesses in the EU and beyond it boards rely upon the provided PSD2 concepts. However, in 2023, the European Commission was presented with a third payment services directive. Therefore, now businesses have to adapt to changes in the directive that will likely translate into actual laws in the near future.
In this article, you’ll discover more about the key changes of the newest payment directive, PSD3, compared to PSD. You’ll also discover what to expect, as a banking or a non-bank business, from the upcoming legislation and what innovations to implement in the future to achieve PSD3 compliance.
What Is the PSD3 EU Directive?
PSD3 is a proposed update to the second European Union’s Payment Services Directive (PSD2) that provides rules for the authorization and supervision of non-bank payment service providers (PSPs) in the EU.
The PSD3 aims to protect consumers’ rights and personal information while fostering healthy competitiveness in the digital payments sector. It’s expected to empower consumers to share their data and contribute to the development and distribution of financial products and services. Since PSD3 is a directive, not the regulation itself, the PSD3 rules need to be transposed into the national laws of the EU Member States, i.e., countries belonging to the European Union.
The list of key parties affected by the PSD3 proposal is shown in the infographic below:
As a banking or a non-banking business, you will be provided with additional opportunities as well as responsibilities and obligations before legislation as well as your panthers and your customers. Change, modifications, and impacts that will potentially be brought upon PSD3 translation into laws are provided in the following sections:
PSD3 vs PSD2: Key Changes, Updates, and Impacts Expected
While PSD2 essentially transformed open banking, its implementation raised a number of issues. These include an inflexible open banking approach and a lack of regulation in customer data handling. Besides, traditional banks tended not to meet requirements to a full extent, often interfering with providing their banking services within third-party applications in an intended format or just not providing third party access and refusing to participate in open banking operations.
PSD will cover a more extensive scope than PSD regulation. It aims to address issues with uneven rule implementation and encourage regulatory arbitrage. In general, PSD3 will concern all parties listed above and will be applicable to:
- Transparency in the financial industry.
- Liability of all parties involved in interactions within the payment landscape.
- Open banking.
- Strong Customer Authentication (SCA).
- Operation of payment system and data handling within them.
- Handling of account information.
Upon translation of PSD3 provisions on actual laws of every European country separately, it can derive into varying requirements that will be set to all parties involved.
PSD3 Directive in the Context of Open Banking
Open banking regulation, which emerged from PSD2 regulation back, is expected to be modified by changes introduced by PSD3.
You can discover more about the open banking integrations from another our blog post.
The major changes to open banking Europe regulation proposed by PSD3 include:
- Removed obstacles to providing open banking services and increased uptime for banking and financial services.
- Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will have the authorization to create personalized interfaces for connections with banking service providers.
- Banks and other e money institutions will be obligated to share more information about API performance by providing quarterly updates.
- In case of financial institution downtime, banks need to allow PISPs and AISPs to use their own banking interfaces to prevent downtime.
- Banks are required to provide customers with a permission dashboard to monitor and manage permissions granted to AISPs.
- Non-bank PSPs will have access to all EU payment systems while implementing necessary safeguards and ensuring their right to hold bank accounts.
- Granting consumers more control over their financial data access permissions.
- Empowering national competent authorities with more robust enforcement powers and facilitating the implementation of clarified rules.
In essence, PSD3 is intended to make it easier for businesses aiming to integrate open banking to request, provide, and maintain related innovative services. It is also expected to grant customers more control over the data handleв by parties involved.
PSD3’s Impact on the Strong Customer Authentication (SCA) Requirements
#1 Enhanced data sharing for monitoring
Businesses using open banking and banking APIs will be obligated to share additional data with API issues, i.e., payment institutions they partner with. Data types includes:
- User location.
- Transaction time.
- Devices used.
- Spending habits.
- Transaction history.
- Session data.
- Device IP.
The information will be used for regular and cross border payments fraud prevention and better determining which transactions to approve and which to decline. This will result in the need to technologically and procedurally modify the flow of collaboration of businesses with financial institutions.
#2 Payment fraud liability shift
As per PSD3, schemes, and technical third party providers, such as companies offering digital wallets or digital infrastructure, will now be liable for fraud if they fail to apply SCA.
Additionally, issuers will also be liable for payment fraud in cases where a criminal utilizes a bank’s employee to force a user to authenticate a payment or acts fraudulently in any other way.
#3 Flexible authentication categories
While PSD2 required two of three authentication factors to be used, knowledge, possession, or inheritance, PSD3 allows the use of two of the same categories. For example, now users can have two passwords for two-step authentication instead of being obligated to have a password and undergo either biometric, email, or phone number authentication.
#4 Exemptions from SCA
Merchant-initiated transactions (MITs) and card-based mail orders and telephone orders also called MOTO transactions, are now exempt from SCA. It means that only the first transaction of, for example, merchant-initiated subscriptions, will have to be SCA authenticated, easing the procedure for authenticating recurring digital payments.
#5 SCA accessibility enhancement
SCA methods must now include authentication ways for vulnerable customers such as the elderly or people with disabilities who don’t rely solely on smartphone access.
Basically, new SCA provisions are focused on reducing the boundaries and inflexibilities that are now experienced by users committing purchases online. They also focused on open banking PSD compliance and embedded finance facilitation. Allowing customer to utilize the modified authentication methods will require additional mobile app development update.
Summing Up: PSD2 vs PSD3 Key Legislation Changes Applicable to Businesses
To banking service providers, changes introduced by PSD3 compared to PSD2 results in the following:
- Liability to receive additional customer data from non-banking businesses in your API network in a secure way to enhance transaction processing by improving approval rates and minimizing fraud.
- Liability to provide PISPs and AISPs in your API network with means to create their custom API data access interfaces to rely on in case of your API downtime.
- Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
- Liability to tightened access to payment systems and account information.
- Fraud liability if your employees or other resources and mechanisms are used to force a user to authenticate a payment.
In their turn, to startups and non-finance organizations, changes introduced by PSD3 compared to PSD2 results in the following:
- Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
- Possibility and the right to create your custom open banking API and banking API interfaces.
- Liability to maintain your custom API interface and use it in case of your banking service provider’s API interface downtime.
- Required provision of customer financial data to your banking service provider.
- When setting up recurring methods like subscriptions, you now have to authenticate only the first transaction.
These are the key changes as of 2024, which will likely take effect in one form or another in two to three years. To be able to respond to these changes, both banking and non-banking businesses, as well as startups and providers of digital infrastructure, will need to make software updates to their digital products and modify procedures and protocols.
When Will PSD3 Become a Law and What to Expect In 2024 and Beyond?
To be able to respond to the changes listed above, banking and non-banking businesses, as well as startups and providers of digital infrastructure, will need to make software updates to their digital products and modify procedures and protocols.
Considering that it took PSD2 three years to become active as a law back in 2018, after its proposal in 2015, we can expect PSD3, proposed in June 2023, to be released approximately in 2026. Basically, it means that companies have about two years to prepare to comply with EU laws that emerged from PSD3.
Quick reminder: penalties for non-compliance with PSD2 regulations can amount to up to 4% of annual returns. The same probably will apply to PSD3 non-compliance cases.
Aside from the technical and procedural modifications detailed above, changes in the regulatory landscape that businesses should expect upon transferring PSD3 to actual legislation are:
- Stricter data security regulations and requirements toward more open sharing of banking information.
- Stricter requirements for authentication technologies in place.
- Tighter collaboration of electronic money institutions with fintech companies and other providers aiming to adopt banking services in their software solutions.
- Enhancement of cross-border payment partnerships and related efficient payment processes.
- Additional security measures focused on financial fraud detection and prevention.
One of the key ways to prepare for PSD3 is to start strategizing for the development of fintech software or updating your existing digital product so it will meet upcoming regulatory standards and requirements.
Final Take
Basically, PSD3 came out as an extension to PSD2. It broadens the rights of customers to control their data sharing and authenticate in their preferred ways, empowers businesses to create and use their custom API interfaces, and obligates banks to use additional information about customers to provide them with better banking services. Besides, PSD3 introduced stricter provisions about customer data security and authentication protocols to make the digital environment safer for end users.
If you strategize for future PSD3 compliance, you’ll need a fintech service provider to back you up from the technical perspective. Don’t hesitate to contact expert business analysts and engineers from DashDevs. We are ready, willing, and able to help you meet ever-evolving demands in the payment services industry.
Share article
