EU introduced revised rules for payment services and will reshape the existing payment market
On 28 June the European Commission introduced new regulatory proposals for payment services in order to bring payments sector further into the digital age. Therefore, the PSD2 shall be replaced by the following regulations:
- Directive on Payment Services and Electronic Money Services (PSD3) which shall focus on the authorisation and supervision of the payment institutions (PIs) and e-money issuers EMIs);
- Payment Services Regulation (PSR) which shall cover the conduct of payment services with the focus to improve the provisions of open banking type of services.
The PSD3 has largely taken over the regulation in the PSD2 in regard to the authorisaton and supervision. However, the PSD3 shall bring the following most notable changes:
- EMIs within the scope of PSD3. The PSD3 shall embed the current E-Money Directive (Directive 2009/110/EC) bringing the EMIs also under the same regulatory umbrella with the PIs. EMIs are referred to in the PSD3 as PIs if no specific exception is done to EMIs.
- New or amended definitions. The PSD3 is still in the proposal format due to which it shall most likely be subject to number of changes, however, it can be noted that the PSD3 introduces several changes to the existing definitions, e.g., “payment account”, “payment initiation service”, “account information service”, and some new ones, e.g., “technical service provider”.
- Scope of payment services. Under the PSD3 the scope of regulated payment services has remained largely the same though instead of eight services under PSD2, the PSD3 lists seven services.
- One of the main changes to the scope of payment services is that the service of enabling cash to be placed or withdrawn from a payment account is dissociated from the activity of servicing the payment account as the providers of cash placement or withdrawal services may not service payment accounts. At the same time, the services of enabling cash to be placed and to be withdrawn are under PSD3 in the same clause (PSD 3 Annex I clause 1).
- The services of execution of payment transactions (PSD2 Annex I clause 3) and execution of payment transactions where the funds are covered by a credit line (PSD2 Annex I clause 4) are listed together under PSD3.
- The services of issuing payment instruments and acquiring payment transactions which were listed together under PSD2 (clause 5 of the Annex I) are now separated under the PSD3.
It is vague under the PSD3 what would be consequences to the existing licenses where the PI has a right to provide one service which under PSD3 is under same point with a one PI has no previous license.
- Additional requirements to the authorisation. The PSD3 shall foresee that the undertakings who submit the authorisation application should also submit most importantly the following information and documents compared to PSD2:
- a description that the applicant’s governance arrangements and internal control mechanisms are in compliance with Regulation (EU) 2022/2554 (DORA) (Articles 6 and 7);
- a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints in accordance with Chapter III of the DORA;
- a description of the business continuity plan in accordance with Article 11 (6) of the DORA;
- a security policy, including risk assessment related to the provision of payment and electronic money services, a description of security control and mitigation measures to adequately protect payment service users against the risks identified, etc;
- more specific overview of structure (agents, outsourcing), operating as a PI;
- winding-up plan.
- Requirements to initial capital. Adjusted requirements to the initial capital of the PIs and EMIs:
- money remittance (PSD3 Annex I clause 5) EUR 25 000;
- payment initiation service (PSD3 Annex I clause 6) EUR 50 000;
- other payment services according to PSD3 Annex I, except account information service, EUR 150 000;
- electronic money services (PSD 3 Annex II) EUR 400 000.
Account information service providers (AISPs) are not subject to initial capital requirements.
- Requirements to own funds. In addition to the existing own funds calculation methods the PSD3 foresees additional own funds calculation methods for PIs.
- Registration of the AISPs. Natural or legal persons intending to provide only account information service are not subject to the authorisation under the PSD3 but for registration. Requirements to their registration are less complex than for authorisation of the Pis.
- Professional indemnity insurance. The PSD3 foresees that due to the difficulties the AISPs and payment initiation service providers (PISPs) have faced with the professional indemnity insurance they may choose to hold initial capital of EUR 50 000 as an alternative during the licensing / registration stage. The text of the PSD3 is still vague in this matter as the text in the recitals and main text does not coincide.
- Main part of business. PSD3 clarifies that the PIs may carry out in its home state only part of its activity and not a majority, thereby contributing to cross-border provision of services.
- The existing PIs and EMIs already operating must undergo a reapplication process. The PIs and EMIs currently operating must reapply for a license within 24 months of PSD3 coming into force. If the PI / EMI demonstrates its compliance with the new requirements the authorisation shall be granted. The existing licenses are valid for 30 months as of PSD3 entering into force if the aforementioned application has been made.
- Payment services exemption reapplication. Natural or legal persons benefitting from any of the exemptions under the PSD2 (Article 32) must obtain a new exemption under the PSD3.
The PIs and EMIs should analyse the impact of the PSD3 on their activities and be prepared for the reapplication process. The same applies to those natural and legal persons operating under exemptions.
PSR has taken over the regulation in PSD3. However, the PSR has clarified and extended the current regulation under PSD2. Also, considering that the PSR is on a regulation level it is directly applicable to the service providers. We have listed here only the most notable changes:
- Update of “commercial agent exclusion” and other exclusions. PSR has updated the definition of commercial agent exclusion introducing limitations such as ‘the commercial agent should be a self-employed intermediary within the meaning of Directive 86/653/EEC’ and ‘giving the payee or payer a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods and services’. This will most likely limit the possibilities where the market places can rely on the specific exclusion.
The PSR also introduces some other clarifications on exclusions, such as an exclusion for technical service providers (TSPs), etc.
- Changes to the access to payment systems and accounts. The PSR extends the access to payment system requirement to payment system designated under the EU Settlement Finality Directive. The PSR shall further require that where a credit institution is required to motivate its decision to either refuse to open or to close a payment account then such decision can not be generic in the nature but must be specific to the risks posed by the activity or planned activity of the PI or its agents or distributors. Thus, it expands the requirement to motivate the decision to both opening and closing the payment accounts as well as PIs still undergoing licensing.
- Changes to open banking. The PSR introduces several new requirements regarding the open banking which should allow AISPs and PISPs to provide their services more easily.For example, the PSR foresees that the account servicing payment service providers (ASPSP) offering payment accounts that are accessible online are now required to provide at least one dedicated interface (API) and there is no longer a choice between dedicated interface and modified customer interface (with exceptions). ASPSPs are also required to disclose detailed technical information to AISPs and PISPs and should inform AISPs and PISPs of changes to their dedicated interface immediately and not less than 3 months before the change. ASPSPs are required to make available testing facility, disclose to the public information about the availability and performance of their dedicated interface, etc.
- Changes to Strong Customer Authentication (SCA). The PSR introduces several new requirements regarding the SCA.For example, AISPs need to perform SCA of the payment service user every 180 days after the first access. Also, the PIs should establish an outsourcing agreement with the TSPs if the TSP offers SCA.
- New requirements to tackle fraud. The PSR requires the PIs to share data on fraud with other PIs, report on fraud to the competent authorities more heavily, inform the payment service users and employees on forms and trends of fraud, etc.
The natural and legal persons should analyse whether their activities still fall within any of the exclusions, especially under the commercial agent exclusion as this has been unclear for a long time. Also, the existing PIs should analyse the impact of the changes the PSR introduces and prepare plans and forecasts to implement the changes in a timely manner.