On 28 June 2023, the EU Commission presented proposals for a Payment Services Directive 3 (“PSD3“) and a Payment Services Regulation (“PSR“). We have already placed the PSD3 and the PSR in the existing regulatory framework in our article “The new EU payment services regulation – the start of our PSD3 & Co. series” from 3 July 2023.
In the following, we provide a brief overview of the main contents and consequences of the transitional provisions, specifically Art. 44, 45 PSD3. A first classification of Art. 45 PSD3 – transitional provision – for e-money institutions authorised under Directive 2009/110/EC (“EMD2“) – has already been made in our article “The regulation of e-money under PSD3 and PSR” of 7 September 2023.
The following applies to the overall temporal context of the transitional provisions: According to the proposed Directive, the German legislator must transpose and apply the PSD3 requirements into national law within 18 months of the entry into force of PSD3 (Art. 49 (1) and (2) PSD3) – and thus already half a year before the central 24-month transitional periods within which payment institutions can continue to operate under the PSD2 authorisation expire.
The proposed PSD3 Directive updates and regulates the authorisation and prudential requirements for access to the activity of providing payment services and e-money services by payment institutions. In doing so, the PSD3 is largely based on Title II of Directive (EU) 2015/2366 (Payment Services Directive 2 – “PSD2″) on “Payment Service Providers – (“PSPs“) and integrates the former Electronic Money Institutions (“EMIs“) as a sub-category of payment institutions (and consequently repeals the second E-Money Directive 2009/110/EC). The term payment institutions will therefore in future also include institutions that conduct electronic money business. The category of “electronic money institution” is no longer applicable.
Overview of the transitional provisions
Art. 44 and Art. 45 of the PSD3 proposal regulate the transitional provisions to be adopted by the member states to implement the PSD3 directive proposal for the respective supervised payment and e-money institutions.
For institutions that received a licence to provide payment services or to operate e-money business before the deadline for transposing PSD3 into national law (i.e. still under the authorisation regime according to PSD2), this licence, as well as the provisions under PSD2 (for the time being), continue to apply with regard to the continuation of the business (so-called grandfathering). Accordingly:
- Pursuant to Art. 44 (1) PSD3, payment institutions that have already commenced their activities as payment institutions prior to the entry into force of PSD3 (and up to 18 months thereafter) may continue to do so for a period of 24 months after the entry into force of PSD3 without having to apply for an authorisation under Article 3 of PSD3 or to comply with any other provisions under Title II of PSD3 (applies mutatis mutandis to payment institutions conducting e-money business pursuant to Art. 45 (1) PSD3). After the expiry of the aforementioned period, the payment institutions must provide the supervisory authorities with all information relating to compliance with the provisions of PSD3, in particular under Title II of the Directive (after transposition, the provisions of national law), so that the competent authorities can assess whether these payment institutions comply with the requirements set out in Title II. If this is not the case, the measures to be taken to ensure compliance or whether withdrawal of authorisation is appropriate shall be communicated. This shall apply mutatis mutandis to payment institutions conducting the electronic money business – i.e. former “electronic money institutions”.
- 44 (2) PSD3 allows Member States to automatically authorise already authorised payment institutions as payment institutions under PSD3 and to enter them in the register under Art. 17 PSD3, if the competent authorities have evidence that the payment institutions comply with the requirements of PSD3 (applies mutatis mutandis to payment institutions conducting e-money business under Art. 45 (3) PSD3). Art. 44 (2) PSD3 extends the scope of application of Art. 44 (1) PSD3 and enables institutions to proactively prove in advance to the competent authorities that they already comply with the provisions of PSD3.
- Pursuant to Art. 44 (3) PSD3, an exemption from the above paragraphs applies to payment institutions that have made use of an exemption pursuant to Art. 32 PSD2 (exemption from supervision if the total value of payment transactions executed by the person concerned, including agents for whom he has unlimited liability, does not exceed, on a monthly average over the preceding 12 months, the limit set by the Member State, but in any case not more than EUR 3 million) and have executed payment services up to 18 months after the entry into force of PSD3. This addresses payment institutions that have so far only provided payment transactions in certain capped aggregate amounts and that have been (optionally) exempted from supervision under national law (applies mutatis mutandis to payment institutions conducting e-money business pursuant to Art. 45 (4) PSD3 with reference to Art. 9 of EMD2).
Note: The German legislator has not yet transposed Art. 32 PSD2 and Art. 9 EMD2 into national law (“the member states may”), so that the exceptions do not apply in German law.
Member States shall now allow such institutions to continue to provide payment services for a period of 24 months after the entry into force of the PSD3 without having to apply for an authorisation under Article 3 of the PSD3 or an exemption under Article 34 of the PSD3 or to comply with any other provisions under Title II of the PSD3.
However, if no authorisation or exemption is granted within 24 months after the entry into force of PSD3 in accordance with the exemption pursuant to Art. 34 PSD3, the payment institution may no longer provide payment services.
Assessment of the transition process
For payment institutions already operating under PSD2 and affected by the transitional regulations, the question arises as to how the transition process from PSD2 to PSD3 authorisation, which ends at the latest upon expiry of the transitional period of 24 months (after the entry into force of PSD3), will proceed in terms of content and in detail.
Art. 44 (1) PSD3 (or Art. 45 (2) PSD3 for former “e-money institutions”) only imposes a general obligation on Member States to require payment institutions previously operating under a PSD2 authorisation to provide the competent authority with the information needed to verify compliance with the provisions in Title II PSD3.
The PSD3 does not provide any more detailed specifications in this regard, and is silent, for example, on which documents are “required”. Does this mean only information that relates to innovations brought about by PSD3? Or is all the information needed for a complete [new] authorisation application under PSD3 to be submitted? In terms of time, the only provision is that the documents are to be submitted in such a way that the official review can take place within 24 months after the entry into force of PSD3 – i.e. in parallel with the end of the transition period.
As outlined above, the German legislator is required to transpose and apply the aforementioned requirements into national law within 18 months of the entry into force of PSD3 (Art. 49 (1) and (2) PSD3) – i.e. already half a year before the 24-month transitional period during which payment institutions can continue to operate under the PSD2 authorisation expires.
The legislative procedure for the transition from Directive 2007/64/EC (Payment Service Directive – “PSD1“) to PSD2 provides orientation for the expected German implementation practice. PSD2 already contains a transitional provision in Art. 109, which largely corresponds to Art. 44 PSD3 (similarly, Art. 18 EMD2, which is similar to Art. 44 PSD3). The German legislator has implemented the transitional provisions of PSD2 in sec. 66 ff. ZAG and outlined the time frame of the transition process at that time as follows:
Sec. 66 (2) and 67 (2) ZAG stipulated for the transition from PSD1 to PSD2 that already authorised institutions wishing to operate beyond the transitional period applicable under PSD2 had to notify BaFin of this intention no later than two weeks after the entry into force of the (revised) ZAG (= 24 months after the entry into force of PSD2) and had to submit the documents required for the examination of the amended requirements no later than four weeks after the entry into force of the (revised) ZAG – i.e. already at that time no later than five and a half resp. five months before the end of the 30-month transitional period to be granted under Art. 109 (1) PSD2.
The empirical values show: Payment institutions could only comply with the German legislator’s tightened timetable if they had already initiated the preparations for submitting the required documents before the transitional provisions transposed into national law came into force. There is much to suggest that the German legislator will make corresponding provisions for the transition to PSD3. In addition, the overall time frame for the transition from PSD2 to PSD3 in the PSD3 draft (24 months transition period for institutions, 18 months implementation period for national legislators) is already tighter than for the transition from PSD1 to PSD2 (30 months transition period for institutions, 24 months implementation period for national legislators).
With regard to the documents to be submitted, however, the experience with the legislative procedure gives reason for hope: Sec. 66 para. 2 sent. 2 and sec. 67 para. 2 sent. 2 ZAG did not require the submission of all documents required for a [new] licence application, but limited themselves to selected documents: In essence, the description of individual security strategies/monitoring measures pursuant to sec. 10 para. 2 no. 6-10 ZAG had to be submitted, i.e. such information that was specified precisely by the provisions of PSD2. In particular, an elaborate description of the business model as well as the business plan including budget planning did not have to be submitted again – these were already available to BaFin and had not regularly changed. The ZAG legislator was able to link this in particular to the welcome clarification in Art. 109 para. 1 subpara. 2 PSD2 (also Art. 18 para. 1 subpara. 1 EMD2) that only “relevant” information is to be submitted. Such an explicit restriction to relevance is missing in Art. 44 para. 1 and 45 para. 1 PSD3. However, the information mentioned in the draft directive, which is “required” for checking compliance with the PSD3 standards, is likely to address precisely this relevance criterion. It remains to be seen whether the further legislative process will result in a corresponding tightening of the wording.
The following interim conclusion can be drawn on the design of the transition process:
According to the current status, the keyboard of requirements under PSD3 is not expected to change significantly; in particular, the requirements for authorisation and supervision will remain largely the same as under PSD2. Whether the transition process will actually result in a particularly increased administrative burden is not yet foreseeable at this point in time. However, with the existing empirical values (transition PSD1 to PSD2, sec. 66 ff. ZAG), there are good reasons to assume that this will not be the case.
The Commission’s draft will next go through the ordinary legislative procedure of the European Parliament and the European Council. There is no time limit for the first reading of the draft in the European Parliament. For the second reading, the institutions have three months. Taking into account a normal procedure (approx. 19 months) and reaching an agreement, the final version could be available by the end of 2024. Taking into account the transitional provision of 18 months, the PSD3 could enter into force in the course of 2026.