PSD2 is getting a makeover

The European Commission recently announced their plans to update the Payment Services Directive Two (PSD2) legislation. In their own words, this revision is in a bid “to bring payments and the wider financial sector into the digital age”. So we’re diving into what’s relevant now, and what the future under PSD3 might hold — read on to find out more.

What is PSD2?

PSD2 is a regulation for electronic payment services, designed to compel payment institutions — like open banking providers and fintechs — to improve the security of online payments. From Strong Customer Authentication (SCA) to more stringent regulation around third-party involvement, PSD2 is firmly part of the fabric of online payments.

Anyone that transacts with consumers inside the European Union and European Economic Area (EEA) are covered under the PSD2 regulations, regardless of their location, and it affects anyone dealing with digital financial services.

So what’s changing under PSD3?

There are a few big changes being considered under the draft PSD3 proposals. The regulation is being brought up to speed with the developments in — and demand for — online payments that have taken place since 2018 when PSD2 was first implemented.

One key point is that PSD2 — which became the PSR in the UK — addresses all rules incorporating payment service provider activities. This allows the standardisation of payments across the European Union. As the UK is not part of the EU, we aren’t obligated to follow the directive, but will likely do so, so fintechs and other payment service providers can maintain parity with Europe and continue to scale.

Since its implementation, not only has the payments sector significantly transformed, but demand and adoption has accelerated, especially since the COVID-19 pandemic when all we could do was shop online in between our Zoom calls and daily walks.

Whilst there has been a leap forward in tech standards, the fraudsters are never far behind and so the updates aim to mitigate payment fraud, improve customer rights and access to cash, narrow the divide between the traditional and neo banks, improve open banking functionalities, and strengthen current regulations.

Capital replaces insurance

The first change stings for insurance companies like ours. Under the proposals, payment institutions will have the option to hold €50,000 in initial capital instead of buying professional indemnity insurance. This type of cover can be costly, particularly as there are not many brokers that understand the nuances of the requirements under PSD2/PSD3, so having the option of holding €50,000 in capital may be more appealing for early stage fintechs that do not want that initial outlay.

It is worth noting that the European Commission have said that this is appropriate at the “licensing and registration stage only” and that the “licensing or registration stage should be without prejudice to the requirement for those providers to subscribe to a professional indemnity insurance without undue delay after their licence or registration has been obtained”.

This effectively means that once an Account Information Services Provider (AISP) or Payment Initiation Service Provider (PISP) is regulated, they will still need to take out the appropriate level of professional indemnity cover under the European Banking Authority (EBA) guidelines.

Safeguarding funds

Secondly, safeguarding rules look likely to be amended to allow payment institutions to hold funds at a Central Bank, rather than in a safeguarding account. The new PSD3 directive acknowledges that payment institutions find it difficult to open and maintain specific payment accounts with credit institutions and, therefore, have given the option to hold client funds at a Central Bank. There is still the need to segregate payment institutions' own funds from the payment service user funds, but payment institutions should find it easier to find appropriate bank accounts to do so.

Prevent fraud and protect data

The third change covers all payment institutions that are looking to become authorised. The application process now requires a detailed risk assessment, including an evaluation on the use of sensitive data and how firms can combat fraud. Business continuity plans should also now be compliant with regulation (EU) 2022/2554 and be provided as part of the authorisation process. Firms will also likely need to declare which jurisdictions they are applying to — or planning to apply to — for authorisation, if there is more than one jurisdiction. These changes are themselves not too significant, but the need for a full risk assessment to be done as part of the process may lengthen an already arduous process.

And if you think because you’re already authorised under PSD2 and the last change won’t affect you, think again. Already authorised payment institutions under PSD2 will have to reapply under PSD3.

How long do I have to make these changes?

These changes are currently just in draft form, and so there has been no roadmap for implementation. Whether PSD3 completely replaces PSD2 or if PSD2 just gets a revamp is yet to be fully seen.

Once these draft proposals have been fully hashed out, and approved, EU member states will then have 18 months to transfer the directive into their own national laws.

As we’re not at this stage, we’re looking at mid-2025 at the earliest for any major work to be completed by firms. It is, however, clear that the European Commission is aware of the issues facing payment institutions, and so we welcome the move for further regulation and standardisation of the payments space.

As further information is released, we’ll be sure to share this with you, but if you have any questions in the meantime, we are here to help — just get in touch with your account handler to chat.