Dylan July 25, 2023 Europe, PSD3, Regulation A Brief Summary of PSD3 and the new Open Finance rules Payments Directive & Regulation Issues in the EU Payments Market Europe Moves towards Open Finance Notable changes What’s the timeline? On June 28, the European Commission (EC) published the much-awaited proposals for modernising the EU payments market and financial sector. The proposals include the revised Payment Services Directive (PSD3) combined with a new EU Payments Regulation (PSR), as well as a framework for accessing financial data beyond payments (FIDA). Payments Directive & Regulation The payments package is composed of two measures: The new Directive on Payment Services and Electronic Money Services (PSD3) covers how National Competent Authorities (NCAs) should authorise organisations to operate, which requirements to put in place (e.g. capital) and how they should interact with and supervise the market. To tackle the lack of consistency across Member States, the EC also proposes the Payment Services Regulation (PSR), which incorporates the rules governing the conduct of payment services in the EU. Once passed it will be applied to all EU Member States with little room for interpretation. Issues in the EU Payments Market Despite the achievements of PSD2, an impact assessment revealed the following landscape: end-users continue to be exposed to fraud risk and their choices of payment services are both limited and expensive; the open banking sector isn’t functioning correctly, thus providers face obstacles to offering basic OB services that also hinder innovation; non-bank PSPs are at a competitive disadvantage with banks and are uncertain about their obligations; economic inefficiencies and higher costs of commercial operations are negatively impacting EU competitiveness; the internal market for payments is fragmented. There are divergent implementations and guidelines due to different interpretations of the rules, encouraging regulatory arbitrage and triggering what could be called “forum shopping” – where service providers choose member states where the rules are more advantageous. This distorts competition in the EU. Considering the above issues, the Commission envisions four objectives, each accompanied by a handful of options to achieve them. Europe Moves towards Open Finance The Financial Data Access (FIDA) Regulation is a legislative proposal aimed at establishing a framework for sharing financial data beyond payments, essentially expanding the scope of Open Banking and setting the stage for Open Finance. The framework is in line with the EU’s 2020 Digital Finance strategy, which sets data-driven financial services as one of its priorities. Unlike PSD2 and PSD3, which only apply to banking institutions offering online-accessible accounts, FIDA extends its scope to include institutions across the entire industry, thereby promoting the advancement of Open Finance and the Open Data economy within Europe. These regulations provide the necessary guidelines and infrastructure for the sharing of open data, allowing individuals with accounts across different organisations to exercise their right to access their data. In particular, the regulation addresses the target data and institutions below. Notable changes Below are ten notable areas where the directive and these regulations will have an impact. Dedicated Interface Account Servicing Payment Services Providers (ASPSPs) will be required to offer a specialised interface for exchanging data with third-party providers (TPPs). Third parties that fall under the scope of this regulation are not allowed to access data via the customer interface, except in specific circumstances and with precise procedures outlined in the proposal; Permission Dashboard Users should be able to view and manage their open banking permissions conveniently. Thus, (ASPSPs) should launch permissions dashboards that allow users to manage their granted open banking access permissions; Strong Customer Authentication ASPSPs only have to apply SCA for the first data access. When this first authentication expires (after 180 days), AISPs are obligated to authenticate the user themselves. Additionally, PSPs must provide a variety of authentication methods suitable for individuals with disabilities and the elderly, ensuring they are not solely reliant on smartphones or digital channels. Release statistical data ASPSPs are required to regularly disclose quarterly data on the accessibility and efficiency of their dedicated interface through their official website. Financial data sharing schemes To promote data and interface standardisation, FIDA requires data holders, data users and consumer organisations to form financial data sharing schemes to decide, among other things, the standards, governance rules, and contractual frameworks governing access to specific datasets. Compensation for API Implementation: In order to establish a fair distribution of costs between data holders and data users, the European Commission (EC) enables data holders under FIDA to seek compensation from data users for implementing APIs that facilitate data access within the regulatory framework. The process for determining the appropriate compensation level is still to be established by the financial data-sharing schemes. IBAN Checks The PSR mandates that, before initiating any type of credit transfer, the PSP must be able to provide a service that verifies that the payee’s name and unique identifier (IBAN) align. Electronic Money Institution / Payment Institutions PSD3 further aligns the authorisation and supervisory regimes for EMIs and PIs. Existing PIs and EMIs will have to (partly) reapply for a licence under PSD3. Expanded supervisory powers NCAs will have expanded sanctioning and investigative powers, including the ability to impose measures that help end infringements. No Fallback Mechanism Maintaining a permanent fallback interface is no longer obligatory. Nonetheless, in the event that the aforementioned dedicated interfaces are unavailable, with authorisation from the relevant NCAs and following the correct procedures, TPPs will be allowed secure access to data through customer interfaces. What’s the timeline? All proposals enter into force twenty days after their publication in the Official Journal of the EU. PSD3 and PSR are likely to receive final approval and be published in the Open Journal of EU by the end of this year. FIDA is anticipated to take more time due to the need for synchronisation across various industry verticals. Keep your eyes peeled for our next summary, which will outline the main factors that regulators should consider. For a more specific and in-depth analysis, reach out to contact@tesobe.com and our experts will be happy to explain how the regulation impacts your organisation and what you can do to comply.