On 28 June 2023, the EU Commission presented proposals for a Payment Services Directive 3 (“PSD3“) and a Payment Services Regulation (“PSR“). Whilst we have already positioned PSD3 and PSR within the existing regulatory framework in our article “The new EU payment service regulation – Kick-off of our PSD3 series” of 3 July 2023, we will now provide a brief overview of the main content of PSD3 and PSR as well as major innovations compared to PSD2 and the E-Money Directive.
Scope of application of PSD3 and PSR
PSD3 regulates the granting of authorisation and the supervisory requirements for payment institutions. In the future, the term “payment institutions” will also include institutions that conduct e-money business, whilst the category of “e-money institution” will no longer exist.
PSR regulates the transparency and information obligations for all categories of payment service providers (in particular credit institutions and payment institutions) as well as the rights and obligations of all categories of payment service providers on the one hand and payment service users on the other when providing payment services and e-money services. In this respect, the subject matter of PSR consists in particular of rules on pre-contractual information obligations of payment service providers, rules on the conclusion, content, amendment and termination of payment service contracts, liability rules, as well as of provisions on combating fraud and on strong customer authentication.
Catalogue of payment services
The catalogue of payment services that are subject to authorisation will probably remain unchanged.
In future, payment services will also include the provision of e-money services.
Account information services will continue to be subject to the legal framework of PSD3 and PSR and will not be subject to the Financial Data Access Regulation.
Credit and Buy Now Pay Later
According to the wording of PSD3, credit may only be granted by payment institutions in connection with the execution of credit transfers, direct debits and card payments. In contrast to the previous legal situation, the authority to grant credit is missing for the issuing of payment instruments and for acquiring. This is somewhat at odds with recital (35) of PSD3, which explicitly allows the issuance of credit cards. Appropriate clarifications should be made here in the further legislative process.
In this context, the statement in the recitals of PSD3 that Buy Now Pay Later products do not constitute payment services and would fall under the scope of the new consumer credit directive should also be emphasised. It remains to be examined for which products on the market this statement applies and what effects this will have on corresponding products (e.g., requirement of a banking licence for the offer of (certain) Buy Now Pay Later products that may currently still be offered under a payment services licence?)
Authorisation requirement and grandfathering
Companies that want to provide payment services or e-money services also require the authorisation of the national supervisory authority under the application of PSD3.
For institutions that have been granted an authorisation to provide payment services or to conduct e-money business before the deadline for the transposition of PSD3 into national law, transitional provisions apply with regard to obtaining an authorisation under PSD3 and compliance with the requirements of PSD3 (so-called grandfathering).
Exemptions
Art. 3 of PSD2 currently contains a catalogue of services that do not fall under the scope of PSD2 and may therefore be provided without authorisation. There are likely to be some changes here that will have a significant impact on certain business models.
First of all, it is noteworthy that the different exemptions will be regulated in PSR in the future. Due to the direct applicability of PSR in the EU member states, this should lead to a significant reduction of the discrepancies in the interpretation of the exemptions by the supervisory authorities in the EU member states.
The practice-relevant commercial agent exemption is to be further restricted. The relevant text now explicitly requires – in line with BaFin’s already very restrictive administrative practice – that the commercial agent has a real margin or autonomy to negotiate or to conclude the sale or purchase of goods when concluding contracts for the purchase of goods/services. This is likely to have implications for internet marketplaces, petrol stations selling fuel as agents and retail outlets acting as agents for goods (e.g., travel agents, ticket sellers). The question of how the explicit reference to the Commercial Agents Directive contained in the PSR will affect the central regulator (Zentralregulierer), which has been privileged by the German legislator up to now, also needs to be analysed.
The exemption for cash-in-transit companies (CITs) and cash management companies (CMCs) is no longer provided for. The question therefore arises whether these companies will need an authorisation for their business activities in the future.
The cashback exemption is to be extended. Under certain conditions, retailers are to be able to issue cash at the shop checkout in future even if the customer has not made a purchase of goods.
The newly formulated group exemption, according to which payment transactions between group companies do not require an authorisation, could be understood in such a way that the centralisation of group-wide payment transactions to a group company is to be permitted without a licence. This takes up the interpretation on payment factories agreed between BaFin and the industry associations in recent years. However, the other conditions that BaFin has attached to the admissibility of payment factories (in particular the establishment of processes to prevent money laundering and terrorist financing) have not found their way into the legal text.
According to a first analysis, the wording of the practice-relevant limited network/limited range exemption does not provide for any decisive changes compared to the previous wording of this exception. The EBA will also issue Guidelines with interpretation notes on this exemption. Further developments on this point therefore remain to be seen.
Independent ATM operators
Independent ATM operators are to be exempt from the authorisation requirement if certain conditions are met. An exemption for independent ATM operators already exists at present under PSD2. Currently, BaFin applies this exemption on the basis of a restrictive interpretation to only purely manual service activities in connection with the operation of ATMs. However, independent ATM operators must – similar to account information service providers – go through a registration procedure and in this context submit certain information and documents to the national supervisory authority.
Safeguarding of customer funds
Payment institutions are to have the right to safeguard customer funds directly with a national central bank as well. In contrast to the current legal situation, they are therefore no longer obliged to open a trust account with a credit institution.
Newly introduced is the obligation for payment institutions to avoid concentration risks when safeguarding client funds by not using the same safeguarding method for all customer funds. In particular, they may not keep all customer funds at a single credit institution. This could be a reaction of the legislator to the increased number of bank failures in the recent past.
Strengthening the rights of payment institutions to access the payment processing infrastructure
The rights of payment institutions to access the payment processing infrastructure are strengthened. This will make them less dependent on credit institutions. In this context, particular reference should be made to the following regulations:
Payment institutions are to be included in the Settlement Finality Directive. This will allow payment institutions direct access to participate in payment systems (such as SEPA payments, Target2).
Payment system operators may only prohibit payment institutions from accessing payment systems to the extent necessary to protect the respective payment system from certain risks (e.g., operational risks, liquidity risks).
Credit institutions may only refuse to open a payment account for a payment institution if they have serious reasons for doing so (e.g., suspicion of insufficient money laundering controls of the payment institution, suspicion of illegal activities of the payment institution or its customers, reasons related to the risk profile of the payment institution’s business model). The right to a payment account is also to be granted to agents of a payment institution as well as to companies applying for a payment institution authorisation.
Open Banking under PSD3 and PSR
There are also some innovations in the area of Open Banking, i.e., access to payment accounts for account information service providers and payment initiation service providers.
First of all, it should be noted that a revised definition of the term “payment accounts” is introduced. The definition and its interpretation will determine which accounts are accessible under Open Banking. It is not clear from the definition of the term whether an account that can only be used to send funds or only to receive funds qualifies as a “payment account” This question is relevant for credit card accounts, for example.
Account servicing payment service providers must in principle provide dedicated interfaces (APIs) for data exchange with account information service providers and payment initiation service providers. The obligation to provide a permanent contingency mechanism does no more apply. PSR does not contain any requirements for the technical design of the interfaces. In this respect, it only stipulates that the interfaces must comply with European or international standards.
The account servicing payment service provider must provide the account holder with a so-called “permissions dashboard” through which the account holder can monitor and manage the authorisations he has granted to account information service providers and payment initiation service providers.
The account servicing payment service provider may also in the future neither charge the account holder nor the payment initiation service provider or the account information service provider for access to the account holder’s payment account.
The account information service provider shall apply strong customer authentication (SCA) only for the first access to payment account data by the account holder and thereafter only for 180 days after the last customer authentication.
Digital wallets, NFC
The provision of digital wallets, such as ApplePay and GooglePay, is also considered a technical service under PSD3, which is not subject to the authorisation requirement. This is to be assessed differently if the wallet itself becomes a payment instrument due to its design. However, digital wallet providers that provide or check elements of strong customer authentication must conclude an outsourcing agreement with the payers’ institutions.
It is also clarified that Near-Field Communication (NFC) is not a payment instrument in itself and therefore does not qualify as a payment service.
Surcharging
Under PSD2, the prohibition of surcharging for the use of credit transfers and direct debits is limited to payments in euros. The prohibition of surcharging is to be extended to credit transfers and direct debits in all EU currencies.
Strengthening the protection of payment service users against payment fraud
The PSD3 and PSR proposals strengthen the protection of payment service users against payment fraud in particular in the following respects:
The EU Commission’s proposal for an Instant Payment Regulation published on 26 October 2022 stipulates that payment service providers offering instant payments in euro must offer payers the IBAN-name check. PSR extends this requirement to payment service providers offering credit transfers in an EU currency.
A liability of payment service providers in the case of so-called “spoofing” is to be newly introduced. If a payment service user who is a consumer has been deceived by a third party pretending to be an employee of the payment service provider misusing the name, e-mail address or telephone number of the payment service provider and if this deception has led to a fraudulent payment transaction, the payment service provider shall in principle be liable for this.
Payment service providers will be required to implement enhanced transaction monitoring mechanisms to ensure strong customer authentication and improve the prevention and detection of fraudulent transactions.
Protection of vulnerable payment service users
Without prejudice to the requirements of the EU Directive on accessibility requirements for products and services, payment service providers shall provide alternative means of strong customer authentication to customers with disabilities, elderly customers, customers with low digital literacy and customers who do not have access to digital channels. In particular, strong customer authentication must not be made dependent on the possession of a smartphone.
In the following articles of our series, we will look at the listed topics in more detail. Stay tuned.
