Discover how PSD2 and PSD3 are transforming Europe’s payments with enhanced security, open banking, and simpler cross-border transactions, promoting innovation and consumer protection.

From PSD2 to PSD3: The Only Guide You Need To Understand the Future of Payments

The European Union has introduced two key regulatory frameworks to reshape the payment services sector: the Payment Services Directive 2 (PSD2) and its proposed successor, the Payment Services Directive 3 (PSD3). Both aim to create a more integrated, secure, and competitive environment for financial services across Europe.

Understanding why these directives matter is essential for anyone navigating the modern financial landscape. PSD2 has already brought significant changes, such as stronger security measures and increased competition by allowing third-party providers into the market. PSD3 is set to build on this foundation, pushing innovation even further and preparing the industry for the future of payments in Europe.

These regulations impact a wide range of people and industries, from individual consumers to businesses and financial institutions. With enhanced security protocols, greater transparency, and a more level playing field, these directives are transforming the way we handle payments.

As the landscape evolves, understanding PSD2 and PSD3 will help consumers and businesses alike adapt to new opportunities and challenges in Europe's ever-changing financial system.

Table of Contents

  1. What are PSD2 and PSD3?
  2. Strong Customer Authentication (SCA)
  3. Open Banking
  4. Third-Party Providers (TPPs)
  5. Consumer Protection and Rights
  6. Impact on Different Stakeholders
  7. Cross-Border Payments

1. What are PSD2 and PSD3?

Payment Services Directive 2 (PSD2)

PSD2, introduced in 2018, updated the original 2007 Payment Services Directive. Its primary goals are to boost competition in the European payments industry, encourage innovation in financial services, and strengthen consumer protection and security.

Key features of PSD2 include:

  • Open Banking: Banks must allow approved third-party companies to access customer account information and initiate payments, with the customer's permission. This is done through secure communication channels called APIs (Application Programming Interfaces).
  • Strong Customer Authentication (SCA): This requires additional security checks for many online payments to reduce fraud.
  • Improved consumer rights: PSD2 gives customers more protection against unauthorized transactions and provides clearer information about payments.
  • Regulation of new services: It brings new types of financial services under official oversight, ensuring they meet safety and quality standards.

Payment Services Directive 3 (PSD3)

PSD3 is a proposed update to PSD2, introduced by the European Commission in June 2023. It aims to address limitations of PSD2 and further improve the payment services landscape. Key proposed changes include:

  1. Better fraud prevention through improved information sharing between payment providers
  2. Creating a more level playing field between traditional banks and newer financial technology companies
  3. Enhancing open banking functionality
  4. Improving access to cash services
  5. Creating more consistent rules across EU countries

Timeline of Implementation

The implementation timeline of the Payment Services Directives (PSD) spans nearly two decades, beginning with the original PSD1 in 2007. In 2013, the European Commission proposed PSD2 as a way to modernize the framework. PSD2 officially entered into force in January 2016, with EU countries required to incorporate it into their national laws by January 13, 2018.

To enhance security in online transactions, Strong Customer Authentication (SCA) was initially required to be implemented by September 14, 2019. However, the deadline was extended to December 31, 2020, giving financial institutions more time to comply with the new standards.

In June 2023, the European Commission proposed PSD3, marking the next step in the evolution of payment regulations. If approved, PSD3 is expected to be implemented by 2026, though this will depend on approval and national adoption across EU member states.

2. Strong Customer Authentication (SCA)

What is SCA?

Strong Customer Authentication (SCA) is a security measure introduced by PSD2 to make online payments safer and reduce fraud. It requires customers to prove their identity using at least two out of three possible methods when making electronic payments or accessing their accounts online.

Why is SCA Important?

Strong Customer Authentication (SCA) is crucial because it significantly reduces the risk of fraud in online transactions, builds consumer trust in digital payment systems, and helps banks and payment providers comply with regulations. It also creates a standard approach to security across Europe.

How SCA Works

SCA works by requiring you to provide two out of three types of authentication factor when making an online payment or logging into your bank account. A factor can be something you know, like a password (knowledge); something you have, like your phone (possession); or something you are, like your fingerprint (inherence). For example, you might enter a password and then use fingerprint recognition on your smartphone to complete a transaction.

Exemptions to SCA

There are some exemptions to SCA, such as low-risk transactions, payments under €30, fixed recurring payments, trusted beneficiaries you've approved, and corporate payments using business credit cards.
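
The two-of-three rule and the exemptions listed above can be expressed as a single authorization check. The following is an added example, not code from any regulation or payment provider: the method names, the `Payment` fields and the `authorize` function are hypothetical, and each exemption is treated as a simple flag exactly as this guide lists it.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed mapping from concrete methods to the three SCA categories
# (knowledge, possession, inherence). Method names are assumptions.
METHOD_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "phone_app": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face_scan": "inherence",
}

LOW_VALUE_LIMIT = Decimal("30")  # "payments under EUR 30" from the text


@dataclass
class Payment:
    amount_eur: Decimal
    payee: str
    fixed_recurring: bool = False
    corporate_card: bool = False
    low_risk: bool = False  # result of the provider's own risk analysis (assumed input)
    trusted_payees: frozenset = frozenset()  # beneficiaries the customer approved


def exemption(p):
    """Return the name of the first exemption that applies, or None."""
    if p.amount_eur < LOW_VALUE_LIMIT:
        return "low_value"
    if p.fixed_recurring:
        return "fixed_recurring"
    if p.payee in p.trusted_payees:
        return "trusted_beneficiary"
    if p.corporate_card:
        return "corporate_payment"
    if p.low_risk:
        return "low_risk"
    return None


def factor_categories(methods):
    """Collapse presented methods into distinct categories; reject unknown ones."""
    unknown = [m for m in methods if m not in METHOD_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised authentication method(s): {unknown}")
    return {METHOD_CATEGORY[m] for m in methods}


def authorize(p, methods):
    """Return (allowed, reason) for a payment and the methods the customer presented."""
    ex = exemption(p)
    if ex:
        return True, f"exempt:{ex}"
    cats = factor_categories(methods)
    if len(cats) >= 2:
        return True, "sca:" + "+".join(sorted(cats))
    got = ",".join(sorted(cats)) or "none"
    return False, f"sca_required: need two different categories, got {got}"
```

Note that a password plus a PIN fails the check: both are knowledge factors, so they count as one category rather than two.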

Impact on Consumers and Businesses

For consumers, SCA provides better security but may add extra steps when making payments. This could potentially lead to some customers abandoning their purchases if the process isn't smooth.

For businesses, implementing SCA can be challenging and may require updates to payment systems. However, it also offers benefits like reduced fraud and increased customer trust.

3. Open Banking

What is Open Banking?

Open Banking is a practice that allows approved third-party companies to access your banking information (with your permission) through secure channels called APIs. This enables these companies to offer new financial services and products based on your data.

How PSD2 Enables Open Banking

The Payment Services Directive 2 (PSD2) mandates that banks develop secure channels, known as APIs, that allow third-party providers to access customer account data and initiate payments with customer consent. This regulation effectively opens up the banking sector to new players, fostering innovation and competition in the financial industry.

Benefits for Consumers and Businesses

Open Banking presents a range of advantages for both consumers and businesses. Consumers gain greater control over their financial data, access to a wider array of financial services, and an enhanced user experience with integrated management tools. Additionally, the increased competition among financial institutions can lead to better rates and terms. For businesses, Open Banking creates opportunities to develop innovative financial products, access valuable customer data for personalized services (with consent), and streamline payment processes, potentially lowering transaction costs.

Potential Challenges and Concerns

Despite the many benefits, Open Banking also presents certain challenges. Data security and privacy are major concerns, as more parties handle sensitive financial information, demanding robust security protocols. Consumer trust can also be an issue, as some customers may be reluctant to share their banking data with third parties. Businesses must navigate complex data protection regulations to ensure compliance, while banks and third-party providers face technical challenges in developing and integrating secure APIs. Additionally, liability concerns may arise when multiple parties are involved in a transaction, raising questions about who is responsible if something goes wrong.

4. Third-Party Providers (TPPs)

What are Third-Party Providers?

Third-Party Providers (TPPs) are companies that use the open banking capabilities introduced by PSD2 to offer new financial services. They play a crucial role in the evolving payment ecosystem by accessing customer data held by traditional banks (with customer permission) to provide innovative services.

Types of TPPs

There are two main types of TPPs:

  1. Account Information Service Providers (AISPs):

    Account Information Service Providers (AISPs) are companies that access customer account data to provide consolidated information about one or more payment accounts. Examples include budgeting apps, financial management tools, and credit scoring applications. AISPs allow users to view all their financial information in one place, even if they have accounts across multiple banks.
  2. Payment Initiation Service Providers (PISPs):

    Payment Initiation Service Providers (PISPs) can initiate payments directly from a user's bank account on their behalf. They offer an alternative to traditional card payments for online transactions, providing a potentially faster and cheaper payment method compared to conventional options.

Role of TPPs in the Payment Ecosystem

TPPs are driving innovation in the financial sector by:

  • Offering new, user-friendly financial management tools
  • Providing alternative payment methods
  • Enhancing competition in the financial services market
  • Improving the overall customer experience in digital banking and payments

Regulations Governing TPPs

Under PSD2, TPPs must:

  • Obtain authorization from relevant national authorities
  • Comply with strong customer authentication (SCA) requirements
  • Adhere to data protection regulations (like GDPR in Europe)
  • Maintain secure communication standards with banks and other financial institutions

PSD3 is expected to further refine these regulations, potentially:

  • Expanding the scope of TPP services
  • Enhancing security requirements for TPPs
  • Improving the standardization of APIs across the EU

5. Consumer Protection and Rights

PSD2 and the proposed PSD3 place significant emphasis on enhancing consumer protection and rights in the digital payment landscape.

Enhanced Security Measures

  1. Strong Customer Authentication (SCA):
    PSD2 introduced SCA, requiring multi-factor authentication for many online transactions.
    PSD3 is expected to refine these requirements further to balance security and user experience.
     
  2. Fraud Prevention:
    PSD3 proposes to facilitate voluntary information sharing among payment service providers to combat fraud more effectively.
     
  3. Mandatory Verification Systems:
    PSD3 aims to introduce mandatory verification of payee account numbers (IBAN) with account names for all credit transfers to reduce fraud.

Improved Transparency in Transactions

  1. Clear Information:
    PSD3 aims to provide consumers with clearer information on account statements and ATM charges.
     
  2. Fee Transparency:
    Payment service providers will be required to furnish comprehensive and transparent transaction charge details.
     
  3. Contractual Clarity:
    PSD3 strives for greater uniformity and specificity in contractual obligations between payment service providers and their clients.
     

Dispute Resolution Processes

  1. Timely Resolution:
    PSD2 requires payment service providers to resolve payment-related complaints within 15 business days in most cases.
     
  2. Alternative Dispute Resolution (ADR):
    Consumers have the right to use ADR procedures for disputes with payment service providers.
     
  3. PSD3 Improvements:
    PSD3 may introduce further improvements to these processes, although specific details are not yet available.
     

Liability Shifts Under PSD2/PSD3

  1. Reduced Liability for Unauthorized Transactions:
    Consumers' liability for unauthorized payments is limited to €50 under PSD2, with potential for further reductions under PSD3.
     
  2. Shift in Liability to Payment Service Providers:
    In cases of fraud or unauthorized transactions, the burden of proof often shifts to the payment service provider to demonstrate that proper security measures were in place.
     
  3. Refund Rights:
    Consumers have the right to refunds for unauthorized or incorrectly executed payments, with PSD3 potentially strengthening these rights further.

6. Impact on Different Stakeholders

PSD2 and the proposed PSD3 have significant implications for various participants in the financial ecosystem:

Traditional Banks

Open Banking Requirements:
Under Open Banking regulations, traditional banks are required to provide secure APIs for third-party access to customer data and payment initiation. This demands significant technological investment and adaptation, pushing banks to modernize their systems to meet these requirements.

Increased Competition:
As Open Banking opens the doors to fintech companies and other financial service providers, traditional banks are now facing greater competition. This competitive pressure can lead to improved services and potentially lower costs for consumers as banks work to retain their market share.

Innovation Pressure:
To remain relevant and competitive, banks must innovate and improve their digital offerings. Many are developing their own fintech solutions or forming partnerships with tech companies to enhance their service offerings and keep pace with new entrants.

Compliance Costs:
Implementing the necessary security measures and developing APIs can be costly. Banks need to find a balance between managing these expenses and generating new revenue streams through innovative services that align with Open Banking.

Fintech Companies

New Opportunities:
Open Banking provides fintech companies with unprecedented access to customer banking data, enabling the development of innovative financial products and services. This opens the door to rapid growth and expansion within the fintech sector as they tap into new opportunities.

Regulatory Framework:
PSD2 provides a clear regulatory framework that legitimizes fintech operations, giving them more credibility. However, it also imposes compliance requirements that can be challenging, especially for smaller startups that may struggle to meet these demands.

Challenges in API Standardization:
The lack of uniform API standards across banks presents integration challenges for fintech companies. Fintechs may need to invest significant resources to adapt their systems to the varying API standards used by different banks.

Increased Competition:
As more fintechs enter the market, competition intensifies, which could eventually lead to consolidation in the sector as companies merge to remain competitive and scale their operations.

Merchants and Businesses

Alternative Payment Methods:
With access to new payment initiation services, businesses can reduce transaction costs. This can be particularly advantageous for companies that process large volumes of payments, leading to significant savings over time.

Improved Cash Flow:
Faster settlement times for transactions can help businesses, especially small and medium-sized enterprises (SMEs), improve their cash flow. Quicker payments can provide immediate access to funds, which is crucial for day-to-day operations.

Enhanced Customer Data:
With customer consent, businesses can access richer financial data, allowing them to offer more personalized services. This can result in improved customer experiences and more effective, targeted marketing efforts.

Compliance Requirements:
Merchants must ensure their payment systems are compliant with Strong Customer Authentication (SCA) and other PSD2 requirements. This could require updates to existing payment infrastructures to ensure compliance with the new standards.

Consumers

More Choice:
Open Banking provides consumers with access to a wider range of financial services and products. They can choose from more personalized financial solutions tailored to their specific needs.

Improved User Experience:
Consumers benefit from more integrated and user-friendly financial management tools, making it easier to compare financial products across providers and manage their finances more effectively.

Enhanced Security:
Stronger authentication measures are in place to protect against fraud, although this may also introduce additional steps in the payment process, which some consumers might find cumbersome.

Data Control:
Consumers now have more control over their financial data and how it is shared. However, they must remain vigilant about consent and privacy when sharing their information with third-party providers.

7. Cross-Border Payments

PSD2 and the upcoming PSD3 aim to simplify cross-border payments within the EU, making them as easy, efficient, and transparent as domestic transactions. This is a key step in promoting economic integration and facilitating trade across EU member states, ensuring smoother financial interactions between countries.

Changes in Cross-Border Transaction Regulations

Expanded Scope:
Under PSD2, payments are covered as long as at least one party is located in the EU or European Economic Area (EEA), even if the other party is outside these regions. This expansion ensures consistent protection for EU consumers and businesses engaging in international transactions, extending the scope of the regulations beyond EU borders.

Currency Neutrality:
The regulations apply regardless of the currency involved in the transaction. This ensures fairness and consistency across different types of cross-border payments, allowing users to enjoy the same level of protection and transparency, no matter the currency they use.

PSD3 Proposals:
The proposals for PSD3 aim to further harmonize payment rules across EU member states, which could simplify cross-border transactions even more. If enacted, this could lead to a more unified European payment market, making it easier for businesses and consumers to navigate cross-border financial exchanges.

 

Conclusion

The Payment Services Directive 2 (PSD2) and the proposed Payment Services Directive 3 (PSD3) represent significant milestones in the evolution of the European payment services landscape. These directives are reshaping the financial industry, aiming to create a more secure, innovative, and competitive environment for both consumers and payment service providers.

Key takeaways from this guide include:

  1. Enhanced Security: Strong Customer Authentication (SCA) and other measures are improving the safety of online transactions, reducing fraud, and building consumer trust.
  2. Open Banking Revolution: PSD2 has paved the way for Open Banking, fostering innovation and competition in the financial services sector. This has led to the emergence of new services and improved user experiences.
  3. Consumer Empowerment: Consumers are gaining more control over their financial data and access to a wider range of services, potentially leading to better financial management tools and more personalized offerings.
  4. Cross-Border Efficiency: Payments within the EU are becoming faster, cheaper, and more transparent, facilitating trade and economic integration.
  5. Continuous Evolution: PSD3 aims to address the limitations of PSD2 and further improve the payment ecosystem, adapting to new technologies and market realities.
     

As technology continues to evolve, introducing concepts like central bank digital currencies (CBDCs) and advanced AI-powered services, it's clear that the regulatory framework will need to remain flexible and responsive. PSD3 and potential future directives will likely continue to shape a payment landscape that balances innovation with security and consumer protection.

For businesses, consumers, and financial institutions operating in or with the EU, staying informed about these regulatory changes and their implications will be crucial. As we move towards an increasingly integrated and digital financial ecosystem, the principles established by PSD2 and expanded in PSD3 will undoubtedly play a pivotal role in defining the future of finance in Europe and beyond.