PSD3 - New Payment Services Directive

The second Payment Services Directive (PSD2) was published on 23 December 2015. The deadline for national implementation of this so-called second Payment Services Directive was 13 January 2018.

The aim of this Directive is to bring a wider range of payment services under regulation, while at the same time bringing the regulation of payment services in line with market developments.

In Finland, the PSD2 Directive was implemented nationally in two parts. The Payment Services Act was amended by Act 898/2017 and the Act on Payment Institutions  was amended by Act 890/2017. Amendments came into force mainly on 13^th of January 2018.

PDS2 extended the scope of the Payment Services Act by bringing Third-Party Payment Service Providers (TPPs) under regulation and supervision.

The new payment service providers were:

• Payment Initiation Service Providers (PISPs)

• Account Information Service Providers (AISPs)

Account-holding banks must allow these third-party service providers to access customers' accounts based on their explicit consent. The payment initiation service provider and the account information service provider shall be entitled to use the strong authentication procedures provided to the customer by the bank holding the payment account.

With PSD2, the issuance of Card Based Payment Instrument Issuer (CBPII) was also regulated.

Also new was the requirement for strong customer authentication for electronic payment transactions such as internet payments and online access to payment accounts.

The need for legislative reform has re-emerged following the rapidly changing operating environment. Since the entry into force of PSD2, the EU e-payments market and the volume of e-payments have grown significantly. The need for change is driven by, inter alia, accelerated digitalisation of the financial sector, the expansion and clarification of data protection rules and the increase of the amount of cryptocurrencies.

In May 2022, the European Commission published a four-month consultation period to assess the need for changes to the Directive. During this period, the aim was to assess whether the current legislation is still fully appropriate and what needs to be changed in the light of the changing environment.

On 28 June 2023, the European Commission presented proposals for a Third Payment Services Directive (PSD3) and a new Payment Services Regulation (PSR), the main aim of which is to strengthen the foundations laid by the previous Payment Services Directives. Most of PSD2 will be incorporated into the PSR, which will contribute to regulatory consistency across Member States due to its direct applicability.

PSD2 brought with it a strong customer authentication and a requirement for banks to carry out additional checks to verify consumer transactions. Despite this, users of payment services are still vulnerable to fraud risks, even though, according to the Finnish Financial Services Industry Association, with PSD2, Finnish banks managed to prevent tens of millions of euros in transfers of funds to fraudsters in 2023. However, the losses caused by cybercrime remain high.

Through PSD3 and PSR, the European Commission aims to strengthen security against new threats, improve consumer protection and enhance competition in electronic payments.

The Third Payment Services Directive (PSD3) would, like the previous directive, include provisions on strong authentication and open banking standards. The new regulation aims to speed up payments and improve security.

A key element of the legislative reform has been the Open Banking (OBP) functions made possible by PSD2. This refers to practices whereby banks share financial information and access to banking services with third parties on the basis of customer consent through open interfaces, and customers authorize payments from their bank accounts.

For consumers, the changes will mean, among other things, the confirmation of the payee's account for every SEPA payment made within the EEA, stronger protection of consumer rights and personal data, and the possibility for customers to see all the consents they have given in open banking. The reforms will also increase competition in the financial sector, enabling new and better products to be offered.

From the banks' perspective, the reforms mean, among other things, strengthening open banking and enabling the provision of new banking services. PSD3 will also impose stricter obligations on banks, for example in terms of developing technical solutions, and sanctions. The reforms will further harmonize national differences within the European Union.

The new regulation may also lead to the modification, deletion or addition of new exceptions to PSD2. Furthermore, the capital adequacy requirements for payment institutions and e-money issuers will be clarified by harmonizing the capital requirements for AISPs and PISPs and introducing additional capital requirements for lending payment institutions.

PSD3 also brings extensions to new unregulated areas. These extensions include payment transactions using cryptocurrencies, "buy now pay later" services and digital wallet services.

Overall, PSD3 is effectively an updated version of PSD2, providing new rules to make online payments and financial services in the EU more efficient and secure, while promoting competition and new innovation. PSD3 strengthens identification obligations and access to payment systems and account information. One of the key objectives of the changes is to protect consumer rights and personal data.

PSD3 and PSR are expected to enter into force in 2026.