The European Commission’s new package on digital payments and financial data access (Part I): Payments Services
- September 2023
On the 28th of June, the European Commission has rolled-out an ambitious set of legislative proposals in financial data and digital payments sector:
While the proposal on digital euro will leave wide discretionary powers to European Central Banks, National Banks and and Member States, the other draft legislative acts will be mostly decided at European level, falling within internal market shared competences of the European Union (Article 114TFUE), with a pivotal impact on companies and businesses active in the digital financial and smart payments services.
In this first article (1/2), we will focus only on the set of proposals for digital payments services in Europe, namely the revision of the current Payment Services Directive (PSD2) and the new Payment Services Regulation (PSR1). With these initiatives, the Commission aims at amending and modernising the current regulatory framework - which did not succeed in harmonizing rules across the Member States – as well as creating a level playing field for new companies and start-ups doing businesses in payments and digital payments services sector in the European Single Market. A second article (2/2) will then analyse the Commission’s proposal for a Regulation on Financial Data Access (FIDA) designed with the purpose to establish new rights and obligations for financial data and better enable data sharing between the financial sector and other ones.
Introducing the direct effect of European legislation will tackle European payment services system with relevant impacts on competition and consumers
Due to several issues related to the inconsistent application of the previous PSD2 across the EU, the Commission decided to make of use if its powers to put forward a regulation aimed at setting common and equal rules for all the Member States. The EU wants to tackle the unlevel playing field between banks and non-banks by improving access to payment systems and bank accounts for non-banks, also boosting competitiveness of different Payment Service Providers (PSPs) and other open banking services. The update of the PSD3 is certainly essential for a new regulatory framework, but eyes will be mainly on the second proposal for the first Payment Services Regulation (PSR1) which will incorporate most of the existing rules and obligations.
Opportunities of the new Payment Services framework
The Payment Services Directive proposal (PSD3) will introduce more compliance requirements for safeguarding customer funds and limits to cashback services; moreover, the updated directive will amend the Settlement Finality Directive (SFD) adding payment institutions, such as companies which provides only digital or smart payments services to the list of firms in the SFD, which may participate directly in payments systems. This answers to request of many payment institutions that cannot directly participate in payment systems, relying on potential bank competitors to gain indirect access. This proposal is likely to raise concerns among banking services providers, particularly worried about scams and fraud in an increasingly complex environment. However, at this stage, the PSD3 does not extend access to securities settlement systems, but changes might occur at later stage during the political negotiations.
Regarding the new Payment Services Regulation (PSR1), a key legislation of the package, the Commission intends to move rules on strong customer authentication (SCA), currently in regulatory technical standards, into this new regulation. Potential benefits for consumers and open banking services providers are expected to come from this proposal. On one hand, the PSR1 would improve consumer rights and transparency on their account statements, providing also more transparent information on ATM charges. On the other hand, the new regulation would boost the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers' control over their payment data. This could enable new businesses and start-ups to launch new innovative services to enter the European Single market and force large, established banks to be more competitive with smaller and newer banks, ideally resulting in lower costs, better technology, and better customer service.
Finally, the PSR1 will extend the matching verification system of the payee’s name against their IBAN, now foreseen only for instant payments, to all intra-EEA credit transfers and to instant credit transfers which are not made in euros; moreover, the payer’s PSP will be held liable where it fails to flag a discrepancy. Consumers are likely to be better off from these new rules as well.
Challenges of the new Payment Services framework
However, this would not happen without costs, especially in IT and digital tools (such as dashboard to manage data access) which are likely to increase for banks and other account servicing payments service providers. The smaller actors, in particular smaller and local banks, might be affected in terms of potential costs related to the obligation of a transaction monitoring mechanism and refund guarantee for payment fraud. According to the proposal, Payment Service Providers will be obliged to compensate customers where they are tricked into making a payment by someone pretending to be an employee of the PSP. This would mean that PSPs could be considered liable of failing to monitor costumers’ transactions and to counter cyber-attacks or malicious threats due to potential pitfalls in their cybersecurity systems.
Digital payments and open banking services are not without security risks and it could pose threats to financial privacy and the security of consumers' finances, as well as resulting liabilities to financial institutions. For this reason, the compliance of banks, financial institutions, PSPs and start-ups to this new set of rules is crucial to build security and trust around a sector which could benefit both consumers and new businesses by increasing competition as described above. But this could also have the reverse effect and increase consumer costs and fear if it leads to consolidation in financial and banking services, due to the natural economies of scale from big data and network effects or to a widespread of data breaches due to poor security, hacking, or insider threats of certain players in the single market.
Questions also remain regarding the interplay between this regulation and the protection of personal data (e.g., GDPR), especially regarding processing of certain personal data where necessary to provide payment services, open banking services and regarding compliance and monitoring costs that banks and other payments institutions might sustain.
These proposals will be debated during two different parliamentary terms making particularly difficult at this stage to foresee potential outcome from the political negotiations. Although, the ordinary EU legislative process could take up to 18 months, it will be strategic to constantly monitor the political discussion, especially within the European Parliament which will be renewed after its elections on 6-9 of June 2024. After the summer break, MEP Marek Belka has been appointed rapporteur of the PSR file for the Socialists and Democrats political group (S&D), while MEP Lidia Pereira has been designated shadow rapporteur for the European People’s Party (EPP).
Regarding the PSD3, it would be necessary to implement the Directive into national legislation within a timeframe to be determined by the EU legislator. Two reviews are already scheduled. The first is due within three years after PSD3 enters into force and it will focus on the Directive’s scope and specifically whether it should be extended to cover payment systems, payment schemes and technical service providers. The second review is due two years later and will involve a wide-ranging consideration of the appropriateness of the regime. At this stage, the European Parliament has not assigned rapporteurs to the legislative file yet, but it will likely publish designated MEPs shortly.
The new PSR1 Regulation will be instead directly applicable in Member States when the Council and the European Parliament will agree upon and adopt a final text, most likely end of 2024 beginning of 2025. After a specific transitional period for the rules of the PSR, the regulation should start applying. Further levelling the playing field between banks and non-banks, in particular by allowing non-bank payment service providers access to all EU payment systems, is strategically important to make digital European enterprises to grow and thrive in the single market and globally. Nevertheless, appropriate cybersecurity and privacy safeguards, and securing those providers' rights to a bank account shall be fundamental to create a trustful business environment for all European consumers.
A call for feedback on these three pieces of legislation is open until end of October 2023. Lighthouse will take a deep-dive in these proposals on payment services and closely follow the legislative process. If you have any questions about the potential impact of financial data and payment services package on the digital payments sector or interest in advocating your position with European policymakers, our team is ready to help you!
As a public affairs firm based in Paris and Brussels, Lighthouse Europe supports its clients in the analysis of European mechanisms as well as National and European political priorities, particularly in the digital and environmental sectors. The EC package will create new opportunities for innovative digital companies and start-ups active in the financial and payment services sector and beyond. Lighthouse Europe seeks to bring valuable and diverse voices to the attention of regulators from more than 10 years. If you want a better understanding of the European regulatory framework in relation to your activity and make your voice to be heard, please do not hesitate to contact us: email@example.com.
By Filippo Guidi