Understanding PSD3: Anticipated Market Impact And Preparing for Changes

This article presents an in-depth exploration of PSD3, structured into key sections. If you're a Compliance Officer, Risk Manager, Product Manager, or involved in payment services at a financial institution or payment service provider, this article is essential reading to navigate the impact of PSD3 on your compliance, risk, and operations.

• Evolution of the Payment Service Directive: Tracing the evolutionary trajectory of PSD and highlighting the major outcomes of PSD1 and PSD2.
• The Rationale for PSD3 Implementation: The progression towards PSD3 is contextualized with a backdrop of technological advancements, changing consumer behaviors and the need for regulatory adaptation.
• Essential Components of PSD3: Outlining the core elements of the proposed PSD3, with a spotlight on Payment Services Regulation (PSR) and the approach to evolve its role in combatting fraud, streamlining regulations, facilitating open finance and safeguarding consumer interests.
• Implications and Challenges of PSD3: Examining the potential consequences, the article evaluates the implications of PSD3 for various stakeholders, including financial institutions, payment service providers, consumers, and regulatory bodies. The challenges of implementation, adherence, and balancing innovation with security are also addressed, shedding light on the intricate dynamics that lie ahead.
• The Expected Timeline of PSD3: Highlighting the expected roadmap for the transposition of PSD3 into national laws and adoption and implementation in the market.
• Preparing for PSD3: The concluding segment underscores the significance of proactive measures that stakeholders need to take in anticipation of PSD3's implementation. Recommendations for financial institutions, PSPs, and regulators are outlined to aid in navigating the evolving regulatory landscape effectively and first-mover advantages in implementing expected regulatory changes.

In summary, this article presents a comprehensive analysis of PSD3, encapsulating its evolution, key components, implications, and the roadmap ahead. By addressing a range of challenges and opportunities, PSD3 aims to reshape the payment landscape and establish a foundation for a more secure, competitive, and accessible financial ecosystem.

The Payment Services Directive (PSD) was adopted by the European Union (EU) in 2007 in response to a need to harmonize payment services operations within the EU. PSD established the first framework for regulating payments within the EU, with the main aim of removing the legislative and technical barriers that were holding back electronic payments between different European countries. PSD aimed to create a single market for payment services within the EU by introducing a harmonized regulatory framework. Before the implementation of PSD, each EU member state had its own set of rules and regulations for payment services, leading to fragmented markets and limited cross-border payment options.

PSD has made it possible to develop an integrated single market and has had a major impact on the world of payments, opening the door to new innovations and new payment providers. To underscore the magnitude of this transformation, the visual depiction below illuminates the projected market size of payment gateways across Europe for the year 2030, with a CAGR of 12%. This graphic serves as a snapshot, offering valuable insights into the distribution of digital payment infrastructure and shedding light on the anticipated trends that underscore the paramount importance of payment gateways within the European market and the need for clear regulatory guidance to foster this growth and innovation.

This regulation strengthened consumer rights by requiring payment service providers (PSPs) to comply with higher standards of consumer friendliness, data security and confidentiality, such as the ban on additional charges for card payments.

However, since the adoption of PSD, the payment sector has evolved considerably, in line with new technologies and new use cases (the rise of contactless payment, the development of e-commerce and m-commerce, the arrival of new entrants in the payment market, etc.).

While PSD1 led to the unification of credit transfers and direct debits, its evolution, PSD2, mainly concerns card, internet and mobile payments.

The objective of PSD2 was to stimulate competition and innovation in the field of mobile and online payments, by encouraging the arrival of new entrants and facilitating their access to certain information to reduce the cost of specific payment transactions.

PSD2 therefore introduced, in January 2018, several key measures to strengthen the security of online payments and improve consumer protection, such as:

• Strong Customer Authentication (SCA): mandatory for online payments to reduce online payment fraud.
• Creation of new players: payment initiation service providers (PISPs) and account information service providers (AISPs), intermediaries who, with the customer's consent, can present and execute payment transactions with their bank.
• Third-party access to accounts (TPP - Third-Party Providers): providers are required to obtain a special license in order to operate legally. Subject to customer consent, FinTechs can now access customer data via secure API interfaces and offer additional services in this way.
• Reinforcement of consumer rights: capping interchange fees and prohibiting merchants from overcharging for small-value card payments.

Overall, PSD2 has been a transformative directive that has modernized the payment services industry in the EU. Its introduction of Open Banking enhanced security measures, and support for innovative TPPs have led to increased competition, improved consumer experiences, and the development of innovative financial products and services. As a result, PSD2 has had a profound impact on shaping the future of digital payments and fostering a dynamic and consumer-centric financial ecosystem within the EU.

The payments landscape has rapidly evolved into a diverse and complex industry in recent years since PSD2. The introduction of PSD2 brought about significant changes, prompting the European Commission (EC) to propose updates in the form of PSD3 and a new PSR. This move is fueled by technological developments, new entrants, and the pursuit of streamlined payment solutions. As digital innovation continues to reshape financial services, PSD3 emerges as a crucial step to enhance customer protection and create a level playing field for non-bank payment suppliers, aligning the sector with ongoing digital transformations and their associated risks and opportunities.

The shifting payments landscape was accelerated by the rise of digital payment methods and new players, with the COVID-19 pandemic highlighting the importance of secure digital payment systems. The Commission's Retail Payments Strategy initiated a review of PSD2's impact, leading to the proposal of PSD3. The European Banking Authority (EBA) identified issues in the current landscape, including uneven rule implementation across member states and an unlevel playing field between incumbent and new providers, hindering open banking's development.

The proposed legislative acts aim to strengthen user protection, boost open banking competitiveness, improve enforcement, and provide better access for non-bank PSPs. However, these changes also pose challenges, particularly in adapting to new authorization and supervision requirements, making PSD3 a strategic, operational, and technological undertaking. Successfully navigating these challenges requires a defined strategy, operational changes, risk assessment, and meticulous execution.

In the realm of financial regulation, PSD3 emerges as a pivotal framework that reshapes the landscape of payment services, further advancing the foundational groundwork laid by its predecessor, PSD2.  PSD3 introduces a comprehensive set of provisions and objectives that collectively strive to foster a more secure, transparent, and efficient payment ecosystem.

At its core, PSD3 seeks to adapt to the evolving financial landscape by accommodating innovative players such as TPPs and fintech companies. This inclusion paves the way for enhanced competition and innovation, while also establishing stringent regulatory guidelines to ensure consumer protection and data security. The directive's split into the PSR and the revised PSD3 provides a refined structure that addresses varying aspects of payment services, offering a more nuanced approach to regulation, as visualized in Figure 4.

The PSR and PSD3 proposals can be summarized into a few core topics addressing fraud mitigation, simplification and standardization of the regulatory framework, open banking improvements, creating a level playing field between banks and non-banking PSPs and facilitating the availability of cash.

One of the most pressing concerns addressed by PSD3 and PSR is the triad of cybersecurity, data protection, and operational resilience. Recognizing the digital nature of modern transactions, the directive emphasizes the establishment of robust cybersecurity measures, safeguarding sensitive data and fortifying the ecosystem against potential threats. Additionally, data protection regulations are bolstered to enhance consumer trust and privacy, while measures are put in place to ensure operational continuity even in the face of disruptions.

In summary, PSD3 signifies a paradigm shift in the payment services landscape, building upon the foundation set by PSD2. Its provisions and objectives reflect an ambition to create a secure, competitive, and consumer-centric realm. As it embraces emerging players, addresses cybersecurity concerns, and pioneers enhanced authentication, PSD3 propels the financial sector toward a future where innovation harmoniously coexists with the highest standards of safety and user experience.

Amidst the current era of digital transformation, global financial systems are undergoing unprecedented changes, with a growing focus on security and transparency. In the context of these developments, several themes are attracting the attention of regulators, financial institutions, and the public at large. The upcoming discussion touches upon the stakeholder landscape, market innovation, compliance costs and harmonization within the EU as well as the impact on global companies, encompassing the implications and challenges.

Shaping Stakeholder Landscape

As the effects of PSD3 spread far and wide, various stakeholders experience a significant transformation. This includes PSPs, TPPs, merchants, and consumers, all of whom are directly impacted by the directive. For PSPs, it marks a crucial moment, requiring them to adapt to heightened security measures while also presenting chances to offer innovative services. TPPs are in a similar position, balancing compliance requirements with the potential of exploring new opportunities in a broader market environment. As for merchants, who benefit from more efficient payment processes and consumer empowerment, they must now adjust their systems to align with the updated regulatory landscape.

Market Competition and Innovation: Advancing Transparency and Empowering Customers

The landscape of market competition and innovation is set to shift as PSD3 unfolds. The directive ushers forth both opportunities and challenges in this realm. Financial transparency, a fundamental pillar for a healthy and efficient financial system, is gaining prominence. Consumers and investors are increasingly seeking clear and accessible information concerning financial transactions, fees, and institutional policies. To bolster trust and promote transparency, PSD3 is taking proactive measures in critical areas. In the event of an account freeze, Financial Institutions (FIs) are committed to providing clear and detailed explanations to customers, ensuring they fully understand the reasons behind such actions. Additionally, transparent bank statements with comprehensible breakdowns of transactions empower customers to monitor and manage their finances more effectively. Moreover, enhancing transparency in the realm of ATM expenses guarantees that customers have a complete view of the associated costs, enabling them to make informed decisions when utilizing these services. By embracing transparency in these pivotal scenarios, PSD3 moves the financial industry towards fostering a more level playing field and empowering customers. When transparency is enhanced, it leads to increased information availability and allows consumers and businesses to make more informed decisions. Greater transparency also encourages healthy competition among financial institutions, and players are motivated to improve their products, services, and pricing to attract and retain clients. This competition in turn can drive innovation and efficiency.

Electronic Money Institutions (EMI), steadily gaining prominence in the dynamic financial landscape, further contribute to the evolution of market competition and innovation. To tap into the potential of EMIs and streamline regulatory oversight, PSD3 is actively exploring the incorporation of EMIs as a distinct subcategory within the payment institution framework. This strategic move aims to foster innovation while maintaining robust security standards and consumer protection.

In this evolving scenario, heightened transparency, access to enriched consumer data, and the influx of new entrants promise heightened market competition and catalyzed innovation. Yet, amid this surge, the imperative of upholding security and compliance may potentially temper the pace of groundbreaking advancements. Striking the delicate balance between encouraging innovation, ensuring competition, and maintaining security remains a central challenge for all stakeholders navigating the complexities of PSD3's impact on market dynamics.

Taming Compliance Costs and Market Fragmentation

Amid the ongoing digital evolution, the imperative of security and fraud prevention stands paramount. The escalating digitization of financial transactions has exposed vulnerabilities to cyberattacks and financial fraud, compelling regulators, and financial institutions to collaborate within the framework of PSD3. The directive ushers in a more robust security approach that better shields customers' sensitive data and mitigates the risks of financial fraud.

However, the surge in online fraud and cyber-attack techniques to extract personal information (i.e., Passwords, PIN), combined with outdated processes, accentuates the urgency for proactive measures. The global cost of online payment fraud is expected to reach €194 billion by 2025, up from €122 billion in 2020, according to Juniper Research. In response, PSD3 seeks to implement innovative solutions. These range from the adoption of IBAN verification to ensure secure transactions (Name/IBAN), to mandating PSPs to provide education plans that empower customers with insights into potential risks and best practices. Furthermore, PSD3 takes a decisive step by banning obsolete processes, such as Booking without a Card, that could expose customers to fraud. Simultaneously, the directive mandates the enhancement of new, secure methods like "Link to Pay," streamlining payment procedures while upholding stringent security standards.

By merging this new security and fraud prevention framework with proactive measures, PSD3 sets forth the objective of creating an environment that's safer and more resilient. This approach aligns with the overarching aim of nurturing customer trust and safeguarding their interests within the ever-evolving digital financial landscape.

However, while aiming high with these important goals, the significant impacts of PSD3 also touch on the issue of compliance costs, which affects everyone involved. Adapting to the rules of the directive requires investing a lot in technology, setting up strong security measures, and creating clear routes to follow the rules. But that's not the only challenge to think about. There's also the possibility that different countries in the EU might interpret the rules in their own ways, which could lead to a divided market. This divide might introduce complexities that could hinder seamless operations for individuals and businesses alike.

Treading the Path of Harmonization

This is where the pivotal role of the EBA comes in harmonizing regulations and overseeing financial operations throughout the EU. With PSD3, the EBA's authority receives a significant boost, enhancing its capacity to safeguard the stability and security of the European financial landscape. The EBA's expanded powers include the ability to temporarily ban specific products or services associated with potential risks. By wielding this authority judiciously, the EBA aims to proactively mitigate emerging threats and protect consumers from harmful financial practices. Through these measures, the EBA reinforces its role as a guardian of financial well-being, fostering confidence and resilience within the European financial ecosystem.

At the core of PSD3's vision lies the pursuit of harmonization. Striving for consistent implementation and uniform interpretation of the directive's mandates across all EU member states is pivotal. This harmonious approach to regulation eliminates disparities that could hinder cross-border transactions and dilute the directive's overarching objectives. By facilitating a cohesive and efficient European financial framework, harmonization underscores the commitment to creating a harmonious environment that benefits both consumers and the financial industry.

Global Reach, Non-EU Companies

The domain of PSD3 extends its reach beyond EU borders. Non-EU entities operating within the European market confront a dual challenge: understanding and complying with PSD3's intricacies while navigating their own home regulatory landscape. As cross-border transactions and collaborations burgeon, these entities must navigate the cascading effects of the directive on their operations and strategic trajectories.

It's worth noting that even though the UK has incorporated PSD2 into its domestic laws, it has now reclaimed its autonomy from formal adherence to future EU directives like PSD3. However, the payments industry operates on a global stage by its very nature, and the pervasive influence of pan-European banks, payment service providers, and major card schemes within the UK is poised to exert significant pressure. This pressure may lead the UK to independently revisit its regulatory framework to address the same challenges that PSD3 seeks to resolve.

The implementation of PSD3 is expected to follow a structured timeline, like previous directives. The European Commission will publish the final text of PSD3, specifying its provisions and requirements. Following this, EU member states will have a set period to transpose the directive into their national legislation. The timeline for transposition can vary, but it typically ranges from one to two years after the publication of the final text. During this period, each member state will need to adapt its existing laws and regulations to align with PSD3's provisions, ensuring uniformity and consistency across the EU.

The process of transposing PSD3 into national legislation is a crucial step in ensuring its effective implementation. It involves the relevant government bodies of each member state taking the necessary legislative actions to incorporate PSD3's requirements into their domestic legal frameworks. This process may require amendments to existing laws or the introduction of new legislation to fully align with the directive's provisions. National authorities will also need to engage in consultations with relevant stakeholders, including PSPs, consumer associations, and other industry players, to address any specific concerns and ensure a smooth transition.

A definite timeline for the implementation of PSD3 and PSR has not yet emerged. It is anticipated that the finalized versions may become available by late 2024. Typically, member states are granted an 18-month transition period, implying that PSD3 and PSR might come into effect around 2026 and will see a transition period for stakeholders to become compliant.

As for sanctions, the ECB could impose putative penalties on significant banks that breach directly applicable European Union (EU) law or ECB decisions or regulations. Penalties can go up to 10% of a bank’s total annual turnover in the preceding business year, or twice the amount of profits gained or losses avoided because of the breach, where those can be determined.

In the dynamic landscape shaped by PSD3, practical guidance becomes a compass for businesses and organizations navigating its implications. PSD3, much like any regulatory evolution, demands necessary adjustments across various company facets, whether they are established PSPs or innovative TPPs.

How can organizations prepare for the regulatory changes of PSD3?

1. Stay informed: monitor the regulatory developments and announcements in the period leading up to expected implementation.
2. Conduct impact assessments: understand how PSD3 will impact your organization. Identify areas of your business that will be affected to size the work to be done. Sia Partners identifies four key drivers that define the impact:
   1. Type of organization (e.g., traditional bank, PSPs, TPPs)
   2. Service model
   3. Life cycle (start-up, growth stage, maturity stage etc.)
   4. Size of the company
3. Compliance training: ensure your compliance experts are up to date on the expected regulations and host training and awareness sessions within your organization.
4. Review existing processes and policies: review policies to meet expected changes in areas like customer authentication, fraud prevention, data protection and risk management.

Considering the critical domains PSD3 impacts, and Sia Partners’ experience with implementing PSD2 for clients, an effort has been made to describe possible changes to the way each company is organized, as illustrated in the figure below.

This introspective evaluation, spanning operations, infrastructure, and systems, is not only a regulatory requirement but a strategic opportunity to ensure compliance readiness while proactively preparing for the shifting landscape. Amid these adjustments, collaboration emerges as a fundamental tenet. Establishing a unified front among stakeholders – businesses, regulators, and industry players – fosters an environment ripe for cooperative adaptation, knowledge exchange, and the seamless realization of the regulatory transition. Engaging with regulators serves as an instrument for open dialogue, ensuring alignment with expectations and facilitating timely adjustments, thereby contributing to a harmonious and successful transition process.

Companies that proactively prepare for PSD3 before the mandatory deadline will gain a competitive advantage, building trust with customers by showcasing their commitment to security and compliance. They reduce the risk of fines, improve their security infrastructure, and can offer innovative, seamless payment experiences. Early preparation facilitates partnerships with banks and fintech firms, enables data monetization, ensures regulatory alignment, and provides valuable market insights. Moreover, it allows for cost-efficient compliance, positioning first-mover companies at the forefront of the evolving European payments industry.

Drawing from their extensive experience, Sia Partners' expert team is well-equipped to guide businesses in proactively preparing for PSD3 with effective and strategic measures. Different possible intervention strategies depend on the level of maturity of the bank/company to prepare for the implementation of PSD3. Interventions can include an audit of the existing, impact study, a compliance plan or optimization of the product offering.

As we explore PSD3, Sia Partners delved into its multifaceted implications for stakeholders across the financial spectrum. From PSPs to consumers, merchants to regulators, each entity is impacted by the changes of PSD3. As the payments landscape evolves at an unprecedented pace, PSD3 emerges as a compass guiding the path toward a safer, more competitive, and innovative future.

PSD3's impact is far-reaching, emphasizing the importance of consumer protection while paving the way for groundbreaking innovations. As financial systems embrace digitization, the directive's provisions aim to fortify security against evolving risks like cyberattacks and fraud. Simultaneously, the directive fosters transparency, empowers consumers, and supports the rise of EMIs, ushering in a new era of accessible and agile financial services.

The potential for market competition and innovation is immense, as PSD3 encourages new entrants and innovative solutions. While challenges exist, such as compliance costs and the need for harmonization, these are hurdles that can be overcome through strategic planning and collaboration.

To all stakeholders, be prepared for the winds of change that PSD3 brings. Stay informed, engage with developments, and anticipate the shifts ahead. As we anticipate the changes to come, Sia Partners stands ready to help navigate the changes PSD3 is expected to bring to the payment landscape from a Regulatory, Product and Service Offering as well as Internal Organization perspective.