PSD3/PSR, DORA, and more – what comes with the next wave of payment regulations?
Between the dynamic poles of regulation, cyber security, and digitalisation, future drivers are having a major impact on today’s payment industry. This article, the second in a three-part series, takes a closer look at current and planned regulatory adjustments. The first article presented the current initiatives shaping payment digitalisation in Europe – the digital euro.
The payment industry is continuously evolving, driven primarily by technological advancements and regulatory changes such as PSD3/PSR, FiDA, Instant Payment, and DORA. These developments present significant opportunities but also pose substantial challenges that require thorough preparation. What impact will these new directives and regulations have on the payment industry, and what do they mean for banks and payment service providers?
Triangle of digitalization, regulation and cyber security in the payment industry
PSD3/PSR – Strengthening consumer protection and enhancing security in payment
With the currently discussed PSD3 (Payment Service Directive 3) and PSR (Payment Service Regulation), the European Commission sets out a specific vision for harmonised and secure payment transactions and fair competition within the European Economic Area.
The upcoming directive PSD3 builds on the previous directive PSD2. Its main focus is on Strong Customer Authentication and the transparent organisation of payment transactions. PSR supplements PSD3 and, as a regulation, is directly applicable law in all EU member states.
The drafts for PSD3 and PSR were published in 2023 and have been under review since then. Both are expected to take effect in the second half of 2025.
Banks have the chance to offer new services by integrating innovative technologies and partnering with different Fintechs. By digitalising and automating processes, banks can reduce their operating costs and increase efficiency. Beyond that, banks have the opportunity to increase customer trust and loyalty through improved security measures and innovative services.
For payment service providers, PSD3 and PSR encourage competition and allow them to enter the market more easily. They have the chance to develop new technologies and services while meeting customer needs and gaining the trust of business partners. For e-money institutions, PSD3 and PSR mean that they are required to obtain a licence under the Payment Services Supervision Act (ZAG) and therefore fall under stricter regulation. In addition, the shifting of fraud losses from customers to banks increases the risk and poses a challenge for fraud management.
For end users, the PSD3 and PSR directives enhance security through improved authentication processes. They benefit from increased transparency about fees and other costs, leading to better decision-making when choosing banks and payment providers.
Schedule of PSD3/PSR implementation until 2026
DORA – Ensuring digital resilience and cyber security for Europe’s financial sector
The Digital Operational Resilience Act (DORA) is considered a highly influential EU regulation and aims to strengthen the digital resilience of the financial sector. DORA sets IT security standards, particularly in the areas of risk management for information and communication technology (ICT), the reporting of ICT incidents, and the monitoring of risks posed by third-party ICT service providers.
The DORA regulation came into force on January 17, 2023, but will not be fully applied until January 17, 2025. In this 24-month transition period, banks and other financial institutions have time to prepare their businesses for the actual DORA enforcement by January 2025.
Banks and payment service providers can improve the resilience of their systems and processes against cyber-attacks and other digital threats. By ensuring compliance with DORA regulations, banks and payment service providers can strengthen the trust of their customers and position themselves as trustworthy and reliable partners in the market. Improved risk management and emergency plans help banks to minimise potential financial damage.
End users can rely on more secure and reliable financial services. Beyond that, they can expect less downtime and fewer interruptions, allowing them to access their financial services continuously.
Management of third-party ICT risks with DORA
FiDA decoded – the path to seamless financial data sharing
The Financial Data Access Regulation (FiDA) aims to create a unified ‘Open Finance’ space across Europe. By giving authorised third-party providers access to financial data and offering innovative, customised financial products and services, the aim is to increase transparency, promote competition and give consumers more control over their financial data. The decision to implement FiDA is scheduled for the beginning of 2025.
FiDA offers great opportunities for banks and payment service providers to strengthen their customer relationships by developing personalised products and services. Increased transparency will improve fraud management and claims processing. In addition, FiDA aims to promote cooperation between traditional financial institutions and new fintech companies to improve the service offering and reach new customer segments through strategic partnerships.
End customers benefit from greater transparency, easier financial management, and personalised financial products such as embedded finance solutions.
The implementation of FiDA presents a challenging task, particularly for banks and payment service providers. The preparation includes developing scalable and resilient interfaces for data transmission and creating a consent management dashboard. The potential entry of big tech into financial services adds competition to the market.
Instant Payments Regulation – accelerating the shift to real-time transactions
The Instant Payment Regulation (IPR) aims for real-time payments within the Single Euro Payments Area (SEPA). Adopted on March 13, 2024, the IPR requires that payment service providers facilitate instant payments by 2025, ensuring transactions are processed within seconds, 24/7, every day of the year. The regulation aligns with the European Commission’s objective to enhance the efficiency, speed, and security of the payment system.
For banks, instant payments offer the opportunity to work with real-time cash flow transparency and rely less on outdated forecasting methods. Corporates benefit from a better overview of funds, which can lead to more accurate decision-making and lower operating costs.
The shift to real-time payments also comes with significant challenges. The speed of instant payments leaves little room for error or recovery, which makes fraudulent transactions and data fraud harder to prevent or reverse. Processing transactions 24/7 demands significant investment in upgrades, including cloud-based solutions for scalability and sophisticated fraud detection mechanisms.
Beyond that, payment service providers must comply with real-time sanctions screening and transaction monitoring. Meeting regulatory standards requires integrating advanced monitoring tools into payment systems.
End users gain immediate access to funds, making financial management more flexible and convenient.
Advice on handling the realisation of regulatory adjustments in payment
How can banks and payment service providers take advantage of the opportunities presented by these regulatory changes? Here is some key advice.
Security mechanisms and fraud prevention
- Advanced authentication: Implement secure and user-friendly authentication technologies;
- Fraud detection: Integrate fraud detection and risk management systems, and train staff to identify suspicious transactions;
- ICT governance: Adapt internal policies and processes for continuous risk assessment and management.
Technology and infrastructure
- Technology investment: Upgrade IT infrastructure and develop secure, real-time data sharing APIs;
- Scalable IT infrastructure: Invest in scalable cloud solutions and advanced IT systems to handle high transaction volumes for instant payments.
Resilience and incident management
- Digital resilience testing: Conduct annual baseline tests and threat-led penetration tests (TLPT);
- Incident management: Develop an internal reporting system for ICT incidents and synchronise all ICT systems with a reliable reference time.
Third-party management and collaboration
- Fintech partnerships: Form partnerships with fintech companies to expand service offerings and facilitate the transition to instant payments;
- Third-party risk management: Review and update outsourcing policies and contracts, and conduct regular due diligence.
Development of new revenue sources
- Alternative revenue: Introduce new service offerings and payment solutions, and diversify the business model by entering new markets or forming partnerships.
Banks and payment service providers need to act now to keep up with current trends and remain competitive in the payment market. This includes analysing current business processes and identifying gaps in terms of regulatory requirements and new customer expectations in order to shape existing business models effectively for the future. Moreover, banks and payment service providers should incorporate regulatory aspects into their business strategy and consider the selection and implementation of new technology solutions and suitable third-party providers.
In the next article of this three-part series, we will take a closer look at the increasing importance of cyber security in the payment industry. Why is it important to include a sophisticated cyber security strategy and what are the possible consequences of disregarding cyber risks in today’s world?
This article was first published on ‘The Paypers’.
What impact do the regulatory changes have on your company?
Discover in our exclusive workshop “NextGen Payments: Revolution or Evolution by 2030?” how PSD3 / PSR, DORA, FiDA and the future drivers of digitalization and cyber security will affect your business models and how you can make your company future-proof.
We look forward to hearing from you and will be happy to answer any questions you may have.
Dr. Carlos Nasher