PSD3 – Top 10 Industry Impacts

The draft PSD3 has appeared on the horizon for Europe’s merchant and PSP community and has created barely a ripple. This is in strong contrast to the storm of angst created by the PSD2, which introduced groundbreaking legal constructs such as Open Banking and Strong Customer Authentication; PSD3 is more of a tidying-up exercise. PSE has carried out reviews for a number of PSPs and merchants with pan-European presence and has identified 10 key issues which are worthy of note even at this early stage of the drafting process.

Before diving into the detail, it is worth noting that the PSD2 is being split into two parts: 

  • The PSD3, as a Directive, will be transposed into national law by each EU member state, which will slow its adoption. It now only covers the authorisation and supervision of non-bank payment service providers. Providers who are regulated under PSD2 will need to be re-authorised under PSD3, but non-regulated entities (including most merchants) will not be impacted. The remainder of the topics covered by PSD2 will be moved into the new payment regulation.
  • The Payment Services Regulation (PSR). As a Regulation rather than a Directive, this will apply verbatim to all member states. The objective is to remove or reduce the inconsistent application and enforcement of PSD2 across the EU, which currently leaves scope for regulatory arbitrage.

Within this new PSR there are 10 noteworthy differences from the PSD2:

1. An 8-week right of unconditional refunds on merchant-initiated transactions (MIT), to level the playing field between MITs and Direct Debits

2. Technical Service Providers (TSPs) are being brought under the regulatory umbrella, making them liable for losses resulting from failure of their platforms 

3. Where a payer’s PSP relies on authentication carried out by a TSP such as a mobile wallet provider, they must now enter into an explicit outsourcing contract 

4. Mail Order/Telephone Order (MOTO) transactions are explicitly exempt from strong customer authentication (SCA), but do require some other means of authentication 

5. Standardisation of Open Banking interface requirements, and measures to prevent unavailability and underperformance 

6. Banning of IBAN discrimination (where payment services do not provide uniform services to IBANs from all EU countries, hence undermining the intent of SEPA) 

7. Obligatory Confirmation of Payee on credit transfers 

Merchants, issuers and acquirers should also be aware of two interesting proposals under discussion, which might not make it into the final text: 

8. Within Strong Customer Authentication it may be possible to use two factors of the same type (e.g. two knowledge factors) as long as they are independent 

9. Also within Strong Customer Authentication, transaction history might be allowed as an inherence factor (like a biometric)

10. Online platforms may be made financially liable for fraud resulting from disinformation on their platform which they have been informed of but failed to remove 

This list is just an initial perspective on some of the key impacts of the PSD3/PSR. Every organisation will be affected differently, so it will be important to keep your eye on developments of the Directive/Regulation. If there is one thing that the industry has learned from the PSD2, it is that it is better to understand and explain unwanted impacts from regulation in advance than to deal with the mess they produce once sealed into the rule book!

 
