View German language version here
The third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR) are due to be launched in the EU by late 2024 or early 2025. This will have substantial impact on market participants while bringing new opportunities to serve customers better. Key changes are expected across eight areas, with changes in fraud prevention having the largest financial impact.
Key changes
Continuing the legacy of PSD2, the overarching goals of PSD3 and PSR are to reinforce consumer rights and safety, while improving open banking and competition.1
The regulation introduces major changes in eight key areas. Fraud prevention will see some of the largest impacts, as a significant proportion of the financial burden is shifted from the consumer to banks and payment providers.
The new regulation expands fraud that banks and payment institutions are liable for to include social engineering and unauthorized and unwanted payments. Banks now need to urgently start drawing up plans for additional fraud mitigation.
Improved fraud prevention is also an opportunity for banks to enhance a key competitive edge – the customer trust. In addition, the regulation introduces cost-cutting potential through API simplification that allows, for instance, the possibility to retire backup interfaces for communication with third-party providers.
Moreover, data sharing is extended by the upcoming FIDA, which also covers other areas of financial services.
PSD3 and PSR - key areas of impact
Communication with third-party providers will also undergo significant change. One of the key changes is that customers will be able to manage which third-parties their data is shared with. This will require banks to exchange two-way real-time consent information with third-parties (vs providing consent information as a response to a third-party request as it is currently done).
Moreover, banks will need to offer a consent management panel, where end-users can manage access to their data by each third-party. This service may be provided by the bank itself, a third-party or through a solution by a government agency, like the Consumer Data Right platform in Australia. In addition to the consent management panel, PSD3 and PSR will require banks to implement considerable technical changes to enable the verification of payee (VoP), API standardization and strong customer authentication.
Deadlines and next steps
The implementation deadlines are approaching fast: 18 months for the directive (PSD3) and 21 months for the regulation (PSR), excluding payee verification, from the finalization of the regulation. Given that the regulation is likely to be finalized in the coming months, the earliest deadlines are likely to be in 2026.
To avoid missing deadlines and incurring regulatory fines, banks and payment institutions should immediately start mapping the gaps and identifying solutions to the technical changes the regulations will impose. One of the most challenging tasks is to implement the verification of payee requirements. The VoP was introduced by the Instant Payments regulation earlier in 2024 and will be extended for non-instant credit transfers by PSD3 and PSR.
Although the forthcoming list of compliance requirements is long, PSD3 and PSR promote open banking introduced by PSD2 and banks may finally see some of its benefits starting to materialize. Open banking did not live up to aspirations after PSD2 and was faced with multiple barriers. PSD3 and PSR are removing many of these obstacles through, for example, improving customer trust in data sharing with third-parties by providing customers full control, or by standardizing APIs to allow easier access to customers’ data.2
Conclusion
Although the implementation requirements are substantial, PSD3 and PSR also represent opportunities for banks and payments institutions to serve their customers safer and with greater, open-banking inspired offerings in the future.
Immediate improvement opportunities after implementation include, for instance, easier credit applications with prefilled data from other organizations, improved credit scoring with data from multiple organizations, more comprehensive and automated personal finance management applications.
Banks and payments institutions should revisit their open banking strategies, as PSD3 and PSR will bring the EU a step closer to a unified and competitive payments market. As an urgent step, institutions need to start work on their PSD3 and PSR strategy and implementation roadmap to ensure the best and timely outcomes.
How Capco can help
Our consulting teams are at the forefront of PSD3 and PSR, already providing clients with advisory and implementation support to navigate the evolving payments landscape confidently and in full compliance.
Contact us to discuss how we can help you prepare for the forthcoming changes, making the most of the opportunities available.
For more information on the Verification of Payee, see our earlier article Verification of Payee: What EU banks need to know.
References
• Texts adopted - Payment services in the internal market and amending Regulation (EU) No 1093/2010 - Tuesday, 23 April 2024
• Texts adopted - Payment services and electronic money services in the internal market - Tuesday, 23 April 2024
• https://www.cdr.gov.au/
• https://www.europeanpaymentscouncil.eu/what-we-do/other-schemes/verification-payee
• https://finance.ec.europa.eu/digital-finance/framework-financial-data-access_en
1 PSD3 is a directive, updating and repealing the second Electronic Money Directive from 2009 that included mostly licensing requirements for payment institutions and further refining the work of PSD2. As a directive, PSD3 leaves the legal implementation to member countries but its goals are binding.
PSR is a regulation and, as such, does not need to be transposed into national law. PSR contains rules for payment services providers’ activities, including authentication, communication and banking authority guidelines.
2 Moreover, data sharing is extended by the upcoming FIDA, which also covers other areas of financial services.
