Nicole Green, VP Product Strategy, Operations & Policy at Yapily, dives into the details of the latest release of the PSD3 directive.
The TL;DR
In 2016 PSD2 entered into force in the EU, opening payments accounts data to new players in order to create innovation and competition in the retail payments market. Now, after a lengthy consultation, PSD3 has arrived. This new legislative package takes important learnings from the last six-plus years, strengthening the commitment to making open banking truly competitive in the payments marketplace. The revisions to the rules on payment services have been split into a Directive (PSD3) and a Regulation (PSR) and have four main objectives:
- Strengthen user protection and confidence in payments
- Improve the competitiveness of open banking services
- Improve enforcement and implementation in Member States
- Improve access to payment systems and bank accounts for non-bank PSPs
On the directive level, the proposal merges Payment Institutions (PIs) and Electronic Money Institutions (EMI) into an updated licensing regime, which will require participants to go through re-authorisation. This is designed to create coherence across member states for licensing and supervision, clarifying standards for enforcement. With this comes enhanced access rights to central banks and payment systems via the Settlement Finality Directive (SFD).
The Payment Service Regulation (PSR) complements PSD3 and focuses on consumer confidence in payments and open banking competitiveness. Proposals to improve confidence in payments include enhancing Strong Customer Authentication (SCA), adding measures for fraud prevention such as IBAN verification, and clarifying liability if something goes wrong. Measures to improve open banking competitiveness include improving consumer control of data sharing permissions and creating more detailed minimum requirements for open banking APIs.
Building on open banking, the Financial Data Access Regulation (FIDA) creates a framework for how open finance will work in the EU, with the goal of creating innovation to offer customers increased choice and personalisation in their financial products. The regulation opens the aperture for data sharing beyond payments accounts to include other financial products, such as savings, investments, mortgages and pensions.
Creating a better customer experience
One of the main objectives of the PSD3/PSRs is to improve the competitiveness of open banking. Key to this is improving API performance and removing friction in user flows, which will drive up conversion and lead to greater adoption of open banking services. The way the regulations are addressing these challenges can be divided into three buckets.
First, they are creating minimum standards for open banking APIs. The regulation mandates that all banks provide a “dedicated interface” (aka API) and makes this the primary obligation, although it doesn’t get rid of screen scraping completely. It also establishes minimum standards for availability and performance for open banking APIs, along with requirements for banks to report their performance on a quarterly basis. Finally, they have added requirements for improved payment status and error messaging. All this should mean that open banking “just works.”
Second, the regulation adds requirements which should lead to less friction and abandonment in the open banking user journey. This includes a list of “prohibited obstacles” that banks cannot implement to ensure that the open banking user journey is at least as good as other journeys that a bank offers its customers. Ultimately this should lead to higher conversion and repeat usage.
Finally, the regulation is looking to help customers feel in control with open banking powered products and services. They’ve mandated that banks create consent dashboards for their customers, where they can see and manage all their open banking authorisations and permissions.
What to watch: With all of these requirements, the devil will be in the details. More clarity is needed across the board, but particularly in areas such as how status messaging should be improved between banks and TPPs. The legislation leaves much of this detailed work to the European Banking Authority (EBA), which will be updating the Regulatory Technical Standards (RTS) to support these objectives.
Steps towards consistency across Member States
A shortcoming often cited about PSD2 was that the roll-out wasn’t coordinated and consequently led to the fragmentation of implementation across individual EU member states. This, in turn, hampered the performance of open banking across the region. But, rather than requiring banks to move to a single API standard, which would be costly and unpopular, the package looks to create more harmony through the introduction of minimum standards.
In particular, a Payment Account has been clearly defined as an account that is used to send or receive funds with third parties. This means current and credit card accounts are in scope, whereas savings accounts are not. We hope that this will not lead to a loss of service in some jurisdictions, such as Italy, where savings accounts are available via open banking APIs.
The regulations also clarify which payment types should be supported via open banking APIs. These include standing orders, single payments, future-dated payments, and bulk payments. This means that fintechs should be able to offer the same payment services across the EU.
What to watch: While the proposals go a long way towards clearly defining the scope of open banking as mandated by law, there are still references to “parity”, which is the requirement for open banking APIs to meet, at a minimum, the standard in the bank’s customer interface. This is referenced in particular in relation to availability and performance levels and the data available in AIS. This creates inconsistency at the individual bank level in what can be offered to end users, making it harder for fintechs to innovate and meaning that inevitably some consumers will lose out. As this legislation evolves we hope to see a more explicit baseline, helping to drive consistency and a clear delineation between the regulated and therefore “free” space and the commercial space.
Innovation will be in the commercial space
PSD3 maintains the prohibition of contracts, but clearly spells out that innovation will be left to the market. With initiatives such as the EPC’s SEPA Payment Account Access (SPAA) scheme we will hopefully see developments such as Dynamic Recurring Payments (VRP to those of you in the UK). The EPC has published version 1.1 of the rulebook, which defines the minimum viable product (MVP), but the commercials still need to be agreed.
The Financial Data Access (FIDA) proposal builds on this concept of schemes for the development of open finance. These “Financial Data Sharing Schemes” will be expected to create common standards and contractual frameworks, and determine compensation for data holders. It’s great to see as part of this a concerted effort to create harmonisation across member states, and also clarification on what data can be accessed, including pensions, investments, mortgages, certain types of insurance and data for credit worthiness.
What to watch: For TPPs to participate in Financial Data Sharing Schemes they will need to be authorised as Financial Information Service Providers (FISPs). FISPs will be required to conform to the Digital Operational Resilience Act (DORA) and cybersecurity standards, among other things, and should be at least equivalent to the requirements for Account Information Service Providers (AISPs). Indeed, the Commission envisions migrating AISPs from PSD3 to FIDA at some point in the future (at least four years post implementation). However, this is problematic as it implies that open finance is being seen as a “read-only” capability. We should be learning from our open banking experience, and the experiences of similar open finance and open data implementations across the globe, that combining write access with read access, such as the ability to make payments or open and close accounts, is key to innovation and adoption.
Final thoughts
All together these three proposals are nearly 250 pages and there’s a lot to unpack. There was much that, in this brief blog post, we couldn’t address, including the details of the changes to licensing and supervisory regimes, changes to enforcement and the strengthening of fraud protections, all important issues that need to be agreed.
The deadline for this package becoming law is April next year, as Parliament will be dissolved in advance of the European elections in June 2024. Now is when the work starts towards promoting a better future for open banking and open finance, with a more consistent experience across the EU and strong incentives for innovation - powering better experiences for financial services, which ultimately benefits consumers and businesses across the EU.