The upcoming Payment Services Directive (PSD3), Payment Services Regulation (PSR) and Financial Data Access (Fida) framework are major building blocks in the European Union’s regulatory framework, said Andrei Costica, senior associate at Allen & Overy, during an event held by the law firm and open banking platform in Kirchberg on 18 April 2024.
PSD3 will cover licensing requirements for payment service providers (PSPs), internal governance rules and supervision of payment institutions, while the PSR will focus on transparency requirements, rights and obligations of PSPs and payment service users.
Tackling fraud
A key element in the PSR, noted Costica, is anti-fraud measures. These include verification of payee, new post-transaction information requirements, additional transaction monitoring mechanisms, data exchanges between providers, and customer warnings and staff training.
“The idea is to allow customers who make a transfer to see--on their account statements--to whom exactly they made the transfer,” he said, offering an example of the post-transaction information requirements. Sometimes, when you make a payment--let’s say, for a newspaper or gym subscription--the name on your bank statement “doesn’t ring a bell.” This is because the “commercial name of the payee” may have nothing to do with the business.
“The [European] Commission said that’s an issue, because customers cannot really identify to whom they make payments,” said Costica. “So from now on, there will be an obligation by PSPs to help customers unambiguously identify their payees.”
When it comes to exchanging data about fraud, “the commission said, ‘Well, one problem that we have at EU level is that whenever there is fraud, PSPs do not communicate with one another,’” which makes monitoring more difficult, he continued. “If we manage to connect PSPs and oblige them to share information--for example, whenever there is a fraud,” that will help prevent future fraud.
PSPs will also have to issue customer warnings--like a pop-up message--telling users they may be subject to a phishing or social engineering scheme, said Costica, offering another example of regulatory requirements.
Three changes on liability
The new payments package also brings three key changes related to liability. “One is stricter liability requirements for PSPs,” said Costica. This is not in terms of increasing the liability amounts, but rather obliging PSPs to--for example--investigate and report back to a customer who says that a certain transaction was unauthorised on a “pretty strict timeline.”
Change number two concerns “impersonation fraud” or “spoofing.” The scope is fairly broad and “basically covers all situations where the payer is tricked by someone who pretends to act on behalf of an entity--public or private--by using fraudulent email addresses” or other information. Under the new requirements, PSPs will be forced to reimburse clients, though in principle, these cases of spoofing could be captured by the verification of payee process, noted Costica.
The third point covers the liability of technical service providers. “The commission also noted that very often PSPs rely heavily on technical service providers, especially for SCA [strong customer authentication] purposes.” The new regime would make technical service providers liable towards the PSP in case there’s a failure that leads to losses.
Opportunities in Fida
Finally, although open finance doesn’t cover only payments, it’s important to consider as well, as it’s moving at “more or less” the same pace as the PSD2 review, said Anne-Sophie Morvan, Luxhub’s chief commercial officer. The Financial Data Access (Fida) framework and open finance have a far broader scope than open banking, with a wide range of financial institutions--banks, insurance companies, electronic money institutions, crypto providers, etc.--included.
The types of data to be shared will also be much broader, she added, such as insurance data, investment data, mortgage data or securities data, just to name a few. And “there will be a potential compensation for the data holder.”
Many people who are in the entities obliged to share data are “not happy,” because they’re thinking mostly about the obligations. But “what we try to make our customers and partners understand is not only the obligation part--it’s also a fantastic opportunity,” said Morvan. “Open finance is an opportunity to retrieve more data--of course, with your customers’ permission--but to retrieve more data and understand better and build some use cases and eventually new products based on this data.”
The topic, moreover, is quite timely, as the European Parliament’s committee of economic affairs was due to vote on Fida the morning of 18 April, noted Morvan.
A press release published later in the day announced that economic and monetary affairs MEPs had adopted the Fida proposal, with 43 votes in favour, 1 vote against and 5 abstentions. The press release emphasised customers’ control over their data as well as the exclusion of data related to sickness, health and “confidential business data and undisclosed know-how.”
“The European Banking Authority should establish a register of authorised financial information service providers,” noted the communiqué, adding that large digital platforms like Amazon, Apple, Bytedance, Meta and Microsoft (designated as “gatekeepers” under the EU’s Digital Markets Act) will not be eligible to become financial information service providers.
Following the European elections on 6-9 June 2024, the new European Parliament will follow up with the Fida file.