On 28 June 2023, the European Commission (the Commission) announced its proposal for modernizing payment services and opening financial services data (the Proposal). The Proposal aims to bring payments and the larger financial sector into ‘the digital age’ whilst keeping consumer protection, competition, security, and trust at the core.
The Proposal consists of two distinct measures: 1) a revision of the Payment Services Directive; and 2) a legislative proposal for a framework for Financial Data Access. The Proposal seeks to ensure the EU’s financial sector is fit for purpose and capable of adapting to the risks and opportunities the ongoing digital transformation presents, particularly for consumers. In line with this, the Commission has also put forward its proposal for a legislative framework to support the establishing of the digital euro.
Background
In the 2020 Digital Finance Strategy, the Commission identified the promotion of data-driven finance as a key priority and announced it intended to put forward a legislative proposal on a framework for financial data access. The Proposal also shows a key commitment to the Commission’s 2020 Retail Payments Strategy which emphasises that effective and efficient retail payment systems are key for the smooth running of the EU economy and for private economic operations between individuals.
The Proposal builds on Directive (EU) 2015/2366 on Payment Services (the revised Payment Services Directive) (PSD2). PSD2 was intended to enable the sharing of financial data between banks and third-party service providers ( so-called open banking albeit different in scale and extent to the UK Open Banking initiative), address barriers to new types of payment services, and improve the level of consumer protection and security.
As stated by Executive Vice-President Dombrovskis in a speech of 28 June 2023, the Proposal is not advocating for major change, and should be seen as representing an evolution not a revolution of the EU payments framework.
Evaluation of PSD2
The Commission undertook an evaluation of the PSD2 last year. The evaluation concluded that PSD2 has had varying degrees of success. It viewed its successes as including the introduction of Strong Customer Authentication (SCA), and increasing the efficiency, transparency, and choice of payment instruments for payment service users.
The evaluation found that PSD2 fell short in achieving a level playing field between banks and non-bank Payment Service Providers (PSP), and that issues remain relating to data access interfaces for open banking service providers in the EU.
The proposed legislative amendments to PSD2 deal with four identified issues:
- EU consumers are at risk of fraud and lack of confidence in payments;
- The EU open banking framework functions imperfectly;
- EU supervisors have inconsistent powers and obligations; and
- banks and non-bank PSP discrepancies in the EU.
Proposal’s measures
PSD3 – Revising the Payment Services Directive.
PSD3 looks to amend and modernise the current PSD2, addressing the gaps identified in the 2022 evaluation. The Proposal will repeal PSD2 to become PSD3 and establish a Payment Services Regulation (the PSR1) which would have direct effect in member states (to address current discrepancies in implementation and enforcement approaches).
The PSD3 Proposal puts forward the following objectives:
- Further combat and mitigate payment fraud by strengthening existing protections. The Commission is looking to build on SCA’s anti-fraud goals. New types of fraud have emerged since the implementation of PSD2 for which PSD2 is not equipped. PSD3 will therefore go further and address these new types of fraud, such as impersonation for which SCA has so far been thought insufficient to address.
- Improve consumer rights. The Proposal aims to improve transparency, such as on account statements and ATM charges, and ensure consumers can continue to make electronic payments and transactions safely and securely in the EU, domestically or cross-border, in euro and non-euro. This includes proposals to directly legislate for how long blocked funds may be held (e.g. in relation to petrol station or hotel transactions) and how much a PSP could be permitted to block.
- Further level the playing field between banks and non-banks. The measure will allow non-bank payment service providers access to all EU payment systems, with appropriate safeguards.
- Improve the functioning of open banking. The PSD3 Proposal aims to improve the performance of data interfaces, remove obstacles to open banking services, and achieve better consumer control over data access permissions.
- Improve the availability of cash. Currently an EU retailer may provide cash to a customer without being licenced and supervised as a PSP if the customer makes a purchase (‘cashback’). The measure will allow retailers, without the need to obtain a licence or be an agent of a Payment Institution, to offer up to 50 euros in the absence of a purchase. The measure also proposes to further allow certain ATM operators to operate ATMs without licences. A transparency requirement to disclose any possible fees is attached to both shops and ATM provisions.
- Strengthen harmonisation and enforcement. The measure looks at enacting most payment rules in a directly applicable regulation, and reinforcing provisions on implementation and penalties.
Financial Data Access - Legislative proposal for a framework for Financial Data Access.
The Financial Data Access measure looks to establish clear rights and obligations on managing customer financial data sharing in the financial sector beyond payments, and facilitate widespread access to data-driven financial services and products for customers. The measure will establish a framework for Financial Data Access and builds on the open banking regime set up in PSD2 and creates a new data access right for sets of data not previously covered by EU legislative frameworks.
The 2022 evaluation pointed to public concern over the sharing of their financial data, highlighting a lack of trust over privacy and digital security, and a general sense of not being in control of how their data is used. Professional stakeholders were found overall to be more inclined to favourdata sharing and cited such benefits as increased competition and innovation for financial products and services.
This measure includes the following objectives:
- The possibility (but not obligation) for customers to share their financial data with data users such as financial institutions or fintech firms;
- The obligation for customer data holders, such as financial institutions, to make this data available to data users;
- The obligation on data holders to put in place necessary technical infrastructure to allow financial data to be made available to data users, subject to customer permission;
- Full control by customers over who accesses their data and for what purpose, aiming to enhance trust in data sharing. This is to be facilitated by a requirement for dedicated permission dashboards and fortified protections for customers' personal data in line with the General Data Protection Regulation ;
- Clear liability regimes for data breaches and dispute resolution mechanisms to ensure liability risks do not act as a disincentive for data holders to make data available; and
- Additional incentives for data holders to put in place high-quality interfaces for data users in the form of reasonable compensation from data users in line with the general principles of business-to-business data sharing under the Data Act proposal.
Implications
The Proposal is designed with the aspiration of encouraging more innovation in financial products and services for users, and to stimulate competition in the financial sector. The Commission intends that it will enhance access to better-quality financial services, offering personalised and more user-centric services, and improve the overall price-quality relationship.
The Commission hopes that previously burdensome processes such as comparison services or switching to a new product should become smoother and cheaper, . It is hoped that if creditworthiness data would be more accessible, customers would be able to access a wider, more competitive range of financial services and products.
Brexit
The UK is outside the scope of the Proposals. The UK’s existing Open Banking framework and existing infrastructure seeks to address some of the market and user protection issues flagged here. Similar themes emerge in the current UK proposals for the future of Open Banking.
Next steps
Business should analyse the commercial impacts of these proposed changes to understand how it may affect their business. Those doing business in the UK and EU should consider gap analysis exercises in order to measure how and where any divergences may emerge. Whilst neither the UK nor EU proposals are final it is important to identify the potential impact and plan how to engage with them.
Implementation
There isn’t yet a clear timetable to implementation. For PSD2, European countries had two years to transpose the agreed form of PSD2 into national law, and companies had a further three years (having been extended from two years) to ensure full compliance with the PSD2.
For more information regarding the Payment Services Directive and how this Proposal will affect your business, contact Sophie Lessar.