Since the introduction of the Payment Services Directive 2 (PSD2) in 2015, the payments industry has seen rapid progress, accompanied by the emergence of innovative payment solutions and increasingly sophisticated fraud techniques. In response to these developments, the European Commission has proposed targeted changes and updates to the existing regulatory framework for payment services and electronic money. This legislative package includes proposals for a Payment Services Directive 3 with its annexes (PSD3) and a Payment Services Regulation with its annexes (PSR) and a Financial Data Access Regulation (FIDA).
These proposals aim to enhance security, strengthen harmonisation and improve access to payment systems and financial data. The key elements of the PSD3/PSR and Open Finance package include the following 10 points:
- Regulatory Structure: The new PSD3 will unify the licensing and supervision of payment institutions (“PIs”) and electronic money institutions (“EMIs”) into a single regime. EMIs will be incorporated as a sub-category of PIs. The PSR sets out rules for the provision of payment services. The transposition period for PSD3 into national law is 18 months from its publication in the Official Journal of the EU, and the PSR will become directly applicable in each EU Member State.
- PSD3, PSR, and FIDA Objectives:These include enhancing user protection, strengthening open banking, improving the harmonisation of payment services regulation, and supporting the digital transformation of financial services. For example, user protection and trust in payment services will be bolstered through adjustments to the functioning of Strong Customer Authentication (SCA) and improved access to payment systems and bank accounts for non-bank payment service providers.
- Adaptation of Existing PIs and EMIs to the New Rules:The proposal appears to envisage a process similar to the adaptation required under PSD2, as implemented in the transitional provisions of Act No 370/2017 Coll., on Payments. Domestic PIs and EMIs will have 24 months to submit all necessary information and supporting documents to the Czech National Bank (CNB) to demonstrate compliance with the new PSD3/PSR requirements.
- Scope and Exemptions:The proposals maintain the current scope of regulated payment services and update the exemptions. New features include, for example, an exemption for cashback without purchase, and clarification of the “merchant agent” or “limited network” exemptions. The latter exemption will likely continue to apply only to funds used for goods or services at physical premises operated by the issuer, meaning online commerce would not fall within the scope of “premises used by the issuer.”
- Access to Payment Systems and Competition:The PSR tightens the rules on access to payment systems, granting non-bank payment service providers access. Any denial of access must be justified.
- Authorisation and Monitoring of Transactions:A uniform requirement for confirmation of payee details for all payments is introduced. Security standards for indirect payment orders are also tightened.
- Role of Technical Service Providers (TSPs):TSPs will face new requirements and liabilities, particularly regarding failures in providing SCA. PIs and EMIs must enter into an outsourcing agreement with TSPs.
- Liability:The PSR tightens rules on liability for unauthorised payment transactions, limiting the ability of payment service providers to refuse refunds for unauthorised transactions only to cases where there is reasonable suspicion of fraud on the part of the payer.
- Other Changes Under the PSD3 and PSR Proposals:These include extensions of user information, alternative dispute resolution mechanisms, and a ban on payment service providers increasing spending limits agreed with the user for transactions made using a specific payment instrument (Article 51 PSR).
- Open Finance and Data-Driven Financial Services: The FIDA proposal enhances control over consumers’ financial data and introduces regulations for financial data sharing. It establishes a new category of licensed entity—a Financial Information Service Provider (FISP)—which will have access to personal and non-personal consumer data held by regulated financial institutions (such as banks, PIs, investment firms or insurance/reinsurance companies) for the purpose of providing financial products and services to consumers in the EU. FISPs must comply with requirements similar to those for Account Information Service Providers (AISPs).
Although these proposals are not expected to take effect until after 2025, payment service providers should begin preparing for the upcoming changes. This includes analysing the requirements, conducting a gap analysis, and closely monitoring the legislative process. Adapting to these developments will ensure compliance with industry standards for PSPs, enhance user confidence, and foster innovation across the EU.
