Payment Services Directive 3: What to expect ?

Why revise DSP2 ?

For over 15 years, various DSPs have helped shape the payments industry as it exists today. However, a new review is necessary to adapt the regulatory framework to rapid market developments.

Progress and contributions from previous Payment Services Directives

Adopted in 2007 and transposed into French law in 2009, the first version of the directive (DSP1) established the regulatory foundations of the ecosystem, with a specific objective: to harmonize the European financial market. Initial measures have enabled the standardization of payment methods in the European Union (SEPA credit transfers and direct debits), the distinction between banks and payment institutions (creation of the statuses “payment service provider”, “electronic money institution” and “credit institution”), as well as the introduction of the financial innovation and competition pair.

Faced with the rise of online payments, a second version of the directive (PSD2)
was adopted in 2018. Focusing on “data sharing” and “security,” the Payment Services Directive 2 was a real turning point. New payment service providers were introduced: third-party PSPs (Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)), strong authentication (SCA) was generalized for all online transactions, and the development of the Open Banking concept was accelerated thanks to the mandatory sharing of payment data between banks and fintechs via APIs.

Limitations of the current model

Five years after the adoption of DSP2, the European Commission presents its revision project aimed at correcting certain identified shortcomings:

• Needs to supervise market developments (Open Finance, electronic money, fraud, etc.)
• Addressing underperforming information exchange and initiation APIs
• Desire to make payment journeys more frictionless for payers

Alongside the announcement of the DSP3 project, the same European body presented a draft publication of an Open Finance Directive (FIDA) as well as a Payment Services Regulation (PSR), clearly displaying its desire to update and align all financial regulations within the Union.

What are the objectives of the Payment Services Directive 3 ?

This revision will strengthen the European Union’s guiding principle on the security and performance of payment tools. With a broader scope, the Payment Services Directive 3 will cover and address market challenges, focusing on three priority areas :

• Better protect consumers in the sharing and processing of financial data
• Boost competition between market players (banks and fintechs)
• Stimulating innovation to help expand the range of financial services

Protection of European consumers

The proposed PSD3 text suggests standardized, stricter, and more secure mechanisms to harmonize the identification, tracking, and control tools and procedures used by financial institutions (banks, payment service providers, and PSP agents) to effectively combat fraud and money laundering. Particular attention will also be paid to protecting European consumers’ financial data by tightening measures for processing and sharing such data by third parties. These new obligations will create a more transparent and secure environment, where consumers will be in control of the data they wish to share or not.

Reflection on Open Finance

By expanding the concept of Open Finance, PSD3 will provide new impetus for the development of a more integrated, collaborative, and innovative European financial environment. Through the broader sharing of financial data between banks and other market players, the Payment Services Directive 3 aims to further stimulate the creation of new tools and solutions to compete with major powers that are pioneers in open finance (the USA, Brazil, India, etc.).

Same playing field

Harmonizing rules for all market players, whether banks or payment institutions, will encourage healthy and dynamic competition, while also encouraging the entry of new, innovative players. PSD3 aims to create an ecosystem where competition is measured in terms of the quality of services offered, not unfair regulatory advantages.

What measures will be included in the DSP3 project ?

The proposal for a Payment Services Directive 3, presented last June, included a first draft of (non-final) measures, of which here is a non-exhaustive list :

Modernizing payment services to protect consumers

• Before sharing their customers’ data with third parties, establishments must obtain their explicit consent and put in place means allowing them to revoke these authorizations.
• All financial data collected must be accessible at all times by the end consumer.
• Two factors from the same group (knowledge, possession, inherent attribute) can be used in the strong authentication process, for example two passwords or facial and voice recognition.
• For recurring payments, only an SCA will be required, upon the first obligation.
• All transaction fees must be displayed clearly and unambiguously.

Open Finance: Strengthening the openness of financial services data

• Banks and fintechs will have an obligation to deliver results regarding the performance of their APIs.
• In order to limit the risk of fraud and strengthen their identity verification rules (KYC / KYB), establishments will be able to share security-related information with each other (fraud attempts, suspicious customers, etc.).
• In the event of failures (breakdown, malfunction, etc.), banking establishments must grant third-party payment service providers the right to use their platforms and interfaces.

“Same playing field” between banks and payment institutions

• Banks will be required to facilitate PSP access to their systems (API) as well as the opening of bank accounts, with appropriate guarantees.
• Banking establishments will be required to share quarterly quantified reports on the performance and availability of their tools (APIs, interfaces, platforms, etc.).

What impact does this have on merchants ?

Payment Services Directive 3 will have an impact on any entity receiving payments into accounts (e-retailers, businesses, marketplaces, merchant networks, etc.), to varying degrees, of course.

• Companies that collect for equity will be impacted to a lesser extent, because most of the changes imposed by DSP3 will be directly handled by their payment service provider (security and verification rules, regulatory requirements and procedures, etc.)

• Companies that collect payments on behalf of third parties and process payments through payment accounts will be subject to mandatory compliance. Like PSPs, these activities that “provide payment services” to third parties (marketplaces, publishers, etc.) will have to take care of all necessary adjustments (customer data management, enhanced identity verification, data sharing measures, etc.).

NB: To maintain their compliance, platforms that collect on behalf of third parties can choose to obtain approval from the ACPR (a complex, long and costly process) or rely on the technical, regulatory and commercial expertise of a payment institution such as CentralPay, which will enable it to integrate and distribute regulated payment services.

We advise all traders to keep informed in order to anticipate, prepare for and best understand the new obligations created by DSP3.

How will the implementation of DSP3 take place ?

In September 2020, the European Commission declared that “ By 2024, the European Union should have in place a framework for open finance […]. This framework will be coordinated with the review of the Payment Services Directive (PSD2) “. Since then, several working groups and commissions have been mobilized to draw lessons from the previous directive and propose areas for development.

Announced six months ago, the Payment Services Directive 3 project has already generated a lot of buzz.

Consultations and contributions from sector stakeholders

With this new text, the Commission aims to correct the errors of previous directives in order to better define the obligations of each party. Holistic yet precise, the PSD3 project concerns and impacts banks, payment service providers, merchants, and end consumers alike. The Payment Services Directive 3 represents a real opportunity for all parties to work together with the regulator to create a sustainable, secure, and competitive framework.

Provisional timetable for the Payment Services Directive 3

Attention is now turning to the upcoming deadlines for PSD3. To date, no clear timeline has been established. Numerous initiatives have been launched to work concretely on the text, which should result in a finalized version by early 2024. The final texts should then be voted on in spring 2024 with a view to entering into force within the following 18 months, i.e., by early 2026.

Although PSD3 promises significant changes, its full and effective implementation remains dependent on a complex and evolving regulatory process. Payment institution CentralPay is working with the regulator and will keep you informed of developments and deadlines as the review of the text progresses.

¹ ABE, « Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2) », (23/06/2022)