You’ve likely heard about it: PSD3, the third version of the Directive on Payment Services, is on the horizon following the new policy project shared by the European Central Bank at the end of June 2023.
Contrary to what one might think due to its acronym, PSD3 is not just a directive that EU member states must comply with; it also offers numerous prospects in terms of Open Banking and Open Finance.
Understanding the main points of the upcoming PSD3 is a key issue for all businesses, especially for merchants offering subscriptions. So, let’s start by looking back a bit to give you a clear vision of the previous versions.
Long before PSD3, two directives laid the foundation of payment standardization in Europe and then extended it, and both had their limitations.
PSD1: Contributions and Limitations
The Directive on Payment Services in its first version, which came into force in Europe in 2009, marked a significant turning point in the standardization of payment methods in Europe, particularly SEPA transfers and SEPA direct debits, by creating a more competitive unified space among different players.
Before this directive, the market was fragmented, with regulatory constraints set at the national level and varying from one state to another.
Three key points of this first directive should be remembered:
→ Develop innovation and encourage competition by opening market access to new payment service providers (PSPs);
→ Reduce transaction fees by standardizing networks to process transfers and direct debits at the SEPA level;
→ Strengthen security in payments with new cross-border standards.
PSD1, the starting point of unified payments in Europe, also opened strong prospects for further development, as the number of innovative actors in the field grew and regulation was updated.
Indeed, with technological evolution, various innovations, and new challenges, the European Union, through the European Central Bank (ECB), recognized the need to adjust its regulations so that this sector remains at the forefront of innovation.
For you as a merchant, this regulation is what allows you today to sell subscriptions via direct debit across the European Union.
For other companies, it allows them to make SEPA transfers without paying cross-border transaction fees.
PSD2, Evolution of the First Directive: Contributions and Limitations
It is in this context that the second directive was created and came into force in 2018, marking the beginning of a new era, especially for payment companies.
These companies differ from traditional banks and gained increased legitimacy through roles and statuses defined by the Prudential Control and Resolution Authority (ACPR):
👉 payment institution,
👉 electronic money institution,
👉 credit institution.
Not to mention one of PSD2's major contributions: laying the groundwork for Open Banking, which among other things requires traditional banking institutions to open up and share their clients’ account data with PSPs, subject to strong authentication, a point we will return to later in this article to present its contours and evolutions.
Thanks to PSD2, PSPs, as is the case with SlimPay, are now authorized to be:
– providers of account information services (AISPs),
– or payment initiation service providers (PISPs).
However, PSD2 has reached its limits, and many use cases have highlighted this:
- Prospects too often abandon a subscription because the customer journeys are neither simple nor intuitive, and are perceived as insecure because of recurring requests for strong authentication.
- The APIs that allow the exchange of information between payment providers and traditional banks (and vice versa) are not considered to perform well enough.
- The lack of provision for future evolutions is notable, for example in information sharing.
Thus, while PSD1 established the regulatory foundations, PSD2 represents a real leap forward for new actors in the payment field, with strong growth potential in this constantly evolving sector.
To overcome the limitations of the latter, discussions have been under way for several years, accelerated by the health crisis.
Digital payments have developed considerably in the meantime, leading the European Commission to launch a proposal for a new directive.
To address all these limitations, on June 28, 2023, the European Commission presented a new policy project for a revision of the latest texts, called PSD3.
You may not have realized it, but without this directive, you would not have as many choices in terms of providers for managing payments related to your subscriptions.
It should be noted that, of course, these providers must comply with the regulatory standards imposed on them.
PSD3: Scope and Stakeholders
As its name suggests, it is a logical continuation of the two previous versions, aiming to address the weaknesses of PSD2 by reducing the friction encountered in customer journeys while strengthening the principles of Open Banking and the development of Open Finance.
It should be noted that the impacts of the PSD3 proposal are much broader, with provisions affecting cardholders and SEPA transfers so that the regulatory framework is consistent across the different payment methods.
PSD3 is structured around two founding texts:
→ A directive (PSD) on payment services and electronic money, containing various proposals whose scope and field of application are national.
→ A regulation (RSP) that aims to harmonize the rules for payment services and electronic money within the European Union (EU).
This regulation will apply directly in all EU member states once it comes into force.
It does not require specific adaptation by the member states and contributes to the standardization and coherence of payment methods in the area.
Before detailing the impacts, we need to identify the companies concerned, which fall into several categories:
- Traditional banks: as with its two predecessors (PSD1 and PSD2), these financial institutions will have strong obligations, particularly in terms of information sharing;
- Payment service providers (PSPs): new actors who have been highlighted with the previous versions, including fintechs;
- In France, the Prudential Control and Resolution Authority (ACPR) will be the main competent authority for its application.
It will have a supervisory role that can lead to significant sanctions for actors that do not comply with the new directive.
PSD3: Genesis of Innovations in the World of Payments?
Of course, PSD3 will bring many new features for all actors in the payment value chain, revolving around the following objectives:
→ Increased protection of end consumers,
→ An increase in data exploitation in connection with the expansion of Open Banking,
→ Reflection on open finance topics and the future of payments.
Let’s detail each of these objectives with concrete use cases so that you can project yourself into future evolutions.
Protection of Consumers
👉 Protection of End Customers
PSD3 plans to strengthen control and user rights over their personal and financial data.
It will require PSPs to obtain explicit consent from clients before sharing their information with third parties.
Moreover, it will allow clients to revoke this consent at any time via a dashboard for managing access authorizations to their financial data.
👉 Numerous Modifications to Strong Customer Authentication Policy
If you offer subscriptions through automatic debits, this update should interest you.
Indeed, the scope of operations exempt from Strong Customer Authentication (SCA) has been reviewed, and several exemptions are confirmed with the following updates:
- the required period before repeating strong authentication is extended to 180 days;
- strong authentication every 180 days is not necessary for recurring payments (SEPA direct debits) not requiring an intermediary. Only the first operation may require an SCA.
For SEPA direct debits, when the mandate is given by the payer to the payee through a PSP, strong authentication will be required, which remains a guarantee of security for your operations.
In practice, it is therefore crucial to manage your subscriptions by choosing a secure solution to ensure that this obligation on strong authentication is respected.
👉 Fees Must Be Clearly Displayed for Greater Transparency
You will be able to cancel a contract without fees, except for contracts that started less than six months ago.
In this case, the payment provider you have chosen may apply fees, but these fees must be mentioned beforehand in the contract.
The impact for you as a merchant is that the payment service provider must maintain a high level of security to provide you with guarantees and avoid fraud, and must disclose its termination fee rates.
Beyond user protection, data exploitation is a key issue of this new directive.
Increase in Data Exploitation in Connection with the Expansion of Open Banking
Data, a key issue for many years, is indeed a notable element of PSD3, which plans to increase its use along several axes.
👉 Provision of a Dashboard
A major evolution introduced by PSD3 through its regulation (RSP) is the obligation for institutions to provide their clients with a clear dashboard containing the following elements:
- the detail of each ongoing direct debit authorization with data such as the name of the initiator, the validity duration of the authorization, the client account…;
- an option allowing the user to delete rights for data access;
- an option to reactivate the authorization for data access rights if deleted;
- the recording of data access authorizations for a period of two years.
The objective of this dashboard is to be able to monitor and manage the different authorizations that the PSP has granted on multiple or recurring payments.
Updating this data between a traditional bank and a PSP means that modified information is shared between the two actors (in both directions), protected by strong authentication.
👉 Data Exploitation to Prevent Fraud
New payment sector companies, including SlimPay (PSP), will be authorized to use personal data to prevent fraud, within the framework of the data protection regulation (GDPR).
This information will be shared in both directions between traditional financial institutions and new payment actors.
Finally, PSD2 gave birth to the sharing of data between traditional banks and new third-party companies via the establishment of dedicated interfaces called APIs (Application Programming Interfaces), which, over time, have not met performance requirements.
👉 Obligation of Performance for Banking APIs
Following the adoption of PSD2, Open Banking made it mandatory for financial institutions to share their clients’ data via dedicated interfaces called APIs.
These interfaces require strong user authentication and allow PSPs to access client data through dedicated APIs.
What About the Next Steps After PSD3?
Far from being a simple regulatory update, PSD3 promises significant innovations for companies active in the payment value chain, especially in the use of data.
Once it is definitively voted on, the impacted institutions will have around 18 months to comply with it.
Thus, PSD3 should remedy the shortcomings of the previous directives while guaranteeing the security of transactions, consumer protection, and the development of innovation through a new use of data. One to watch, then, because with the development of open finance, we are certain that PSD3 has a bright future ahead of it.