The financial world is in constant state of change, driven in particular by technological advances and regulatory adjustments. The current regulatory initiatives of the European Commission, PSD3 (Payment Service Directive 3) and PSR (Payment Service Regulation), will be further steps in this development. According to the European Commission, they aim to harmonize payment transactions within the European Economic Area, increase the security of payment transactions, and promote competition in the payment market. These new regulations present a number of challenges, but also opportunities for banks and payment service providers.
In this blog article, we look at the key points of PSD3 and PSR and their potential impact on banks and payment service providers. We highlight the measures that need to be taken to efficiently and timely implement the regulatory requirements.
What are PSD3 and PSR?
PSD3 builds on previous regulations, particularly PSD2, and clarifies existing regulations. It includes, among other things, an extended liability for banks and sets new IT and risk standards. A key focus is on strong customer authentication and transparent payment transactions.
The PSR (Payment Service Regulation) complements the Payment Service Directive and leads to directly applicable law in all EU states. Its goal is to harmonize regulatory standards within the EU and ensure uniform regulation in European payment services.
The objectives of PSD3 and PSR:
Where do PSD3 and PSR stand now?
In June 2023, the drafts for PSD3 and PSR were published as proposals to revise PSD2. The European Parliament approved this proposal on April 23, 2024, with some amendments, including regulations on strong customer authentication and liability rules. Currently, the European Parliament and the European Council are negotiating the final statutory text. The final version of the statutory texts is expected by the end of 2024. Given these developments, we expect the new regulations to come into effect in 2026.
PSD3 implementation schedule (2023-2026)
What does this mean for banks and payment service providers?
Adapting to the new PSD3 requirements is essential for banks and payment service providers to ensure compliance with the regulations and seize opportunities. This results in the following impacts requiring action:
Strong Customer Authentication (SCA): PSD3 and PSR foresee the introduction of stricter requirements for customer authentication and an expansion of authentication options for people with low digital affinity and vulnerable groups. Additionally, in April 2024, the European Parliament proposed expanding the inherence factor to include environmental and behavioral characteristics. This means that banks and payment service providers must invest in the development and implementation of more robust and innovative security mechanisms. This can increase the security of payment transactions but is associated with implementation costs and additional complexity in adapting systems and processes.
Extended liability for payment institutions: With the tightening of liability rules in fraud cases, banks, payment service providers, and providers of electronic communication services are held more accountable. Issuers will have to prove that, for example, a fraudulent transaction is unequivocally due to customer misconduct to avoid liability. Additionally, payment service providers are obliged to immediately block a payment instrument if there are objective risks or suspicions of fraudulent use. This will be difficult to demonstrate in many cases and may not be in the interest of the relationship with the customer in question. Investments in customer communication, prevention, and handling of fraudulent transactions are to be expected, as well as the challenge of maintaining an efficient balance between transaction conversion and fraud prevention. Furthermore, the reversal of the burden of proof could have a massive impact on customer behavior. The issue of fraud will gain significant momentum. This is already evident in the UK, where the mere sharing of liability risk has led to a significant increase in damages. The issue of fraud should be a major priority for payment institutions in the coming years.
Transaction monitoring and exchange of fraud-related data: To effectively combat fraud, banks and payment service providers must monitor transactions and exchange fraud-related data among themselves to detect early warning signs and respond appropriately.
IBAN-name-check: Implementing the IBAN-Name-Check requires verifying the entered IBAN and the associated account holder’s name to reduce fraud cases and increase transaction security. This may result in additional costs for banks as they will need to adapt their existing systems and processes to integrate this new measure.
Prohibition of fees for certain payment services: PSD2 introduced the surcharge ban, which prohibits providers from charging customers extra fees for certain payment methods. The new draft of the PSR expands this ban. Providers should not be allowed to charge fees for payments, although discounts or special offers that steer the selection of a particular payment method are not excluded. Banks and payment service providers should now identify alternative revenue sources and develop new service offerings to remain competitive.
The impact of PSD3 on banks and payment service providers at a glance:
What are the next steps for a smooth implementation of PSD3 and PSR?
Given these new regulations, it is crucial for banks and payment service providers to act proactively to ensure early compliance with the regulations and secure the competitiveness and profitability of their offerings.
The following measures should be taken to meet and successfully implement the new regulations:
Optimization of security mechanisms:
- Advanced authentication technologies that are both secure and user-friendly should be introduced to meet the requirements of PSD3
Strengthening fraud detection and prevention:
- Fraud detection and risk management systems should be integrated to detect and prevent fraudulent activity early on
- Staff should be trained to identify suspicious transactions to raise awareness of fraud prevention
- Decision-makers should exchange information on fraud issues to learn from each other and create synergies
Integration of the IBAN-name-check:
- Automated solutions for the IBAN-name-check should be introduced to meet the requirements. It remains to be seen to what extent efficiency and security of payment transactions will be improved
Development of alternative revenue streams:
- New service offerings and payment solutions that provide additional value for customers, such as innovative financial services or personalized offers, should be introduced
- The business model should be diversified by exploring new markets or partnerships to tap into additional revenue sources and remain competitive
With our long-standing expertise in the areas of payment transactions and regulation, we navigate our clients through the complex requirements of the payment market, in particular PSD3 and PSR. Our team of experts supports you in leveraging market developments, developing tailored solutions, and making your business models future-proof. From analysing business processes, identifying and tapping into new revenue sources to selecting and implementing technology solutions – together, we can strengthen your company’s position in the payment market. Please feel free to contact us.
What impact does PS3 and PSR have on your company?
PSD3 and PSR are part of our new workshop “NextGen Payments: Revolution or evolution by 2030?”. In a customised workshop, we discuss with you how the future drivers of digitalisation, regulation and cyber security will affect your business models and we will work together to develop individual solutions. You can find more information here.
Further regulatory requirements – DORA
Alongside PSD3 and PSR, other regulatory requirements such as DORA are influencing payment transactions. Learn more in this blog article.
Jens Hegeler
Hauke Peters
