What do PSD3 and PSR mean for your business?

Today, the payment landscape is far from that of 2015 – there are new players, new payment methods, and new expectations to meet. As it stands, PSD2 is simply not fit for purpose. And it’s not just industry players who say so – the European EC’s (EC) review of PSD2 acknowledges these shortcomings and looks to address them.

The result is the proposed Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR), outlined in a proposal released on June 28. Its aim? To “bring payments and the wider financial sector into the digital age”.

But what does this actually mean for merchants and payment service providers (PSPs)? In this article, we’ll outline what this new regulatory framework hopes to achieve, as well as consider the impact and limitations of PSD2.

We’ll also advise on what merchants and PSPs might want to do next.

From PSD2 to PSR/PSD3

PSD2 has undeniably had a positive impact on the fight against fraud, specifically through the introduction of Strong Customer Authentication (SCA). In fact, SCA-authenticated payments reportedly are 70–80% less fraudulent than those without, according to the European Banking Authority.

In its evaluation, the EC also recognized that PSD2 has been successful in increasing the efficiency, transparency and choice of payment instruments for consumers. This helped enable and safeguard new ways to pay that have gained popularity in recent years, including digital wallets and BNPL schemes.

We can’t ignore these achievements, but it is clear that existing legislation needs to evolve to meet us where we are now. Electronic payments have shot up over the past few years, making weaknesses in the existing framework more pronounced, while a host of new players have entered the industry.

So, what is the EC actually proposing?

Shedding light on PSD3 and PSR

The proposed changes have been described by the European Commission as an “evolution not a revolution”. In other words, the proposal isn’t looking to tear down what’s already been built; it aims to modernize and harmonize the existing payments regulatory framework, in light of accelerating innovation and digitization. The end goal is sustainable infrastructure. Let’s look at them in more detail.

What is PSR?

According to the proposal, the Payment Services Regulation – in short, PSR – seeks to provide the opportunity for EU payments and open banking to evolve in a way that is streamlined across EU countries. It contains detailed rules that all PSPs, including banks must follow in order to provide payment services.

It’s important to note PSR is a Regulation, while PSD3 is a Directive. Unlike Directives, EU Regulations have to be enforced as-is. This means the PSR will not be open to interpretation, and ensures more consistent application across each country – without needing to be transposed into the legislation of each member-state individual, like PSD2 and PSD3.

Its first incarnation, the PSR1, includes specific proposals on API performance, streamlined authentication rules, risk-based fraud prevention and more. Some of these have been adopted from PSD2. It also clearly defines supervisory powers to address enforcement issues across the EU.

The hope is that PSR1 will lead to a more harmonized payments market with fewer inequalities between member states, and establish a baseline of compliance.

What is PSD3?

Similar to its predecessor, PSD3 is an EU directive that looks to make digital payments and the delivery of financial services faster and safer by laying out regulations for their conduct. It focuses heavily on the licensing and authorization of payment and e-money institutions.

A key area of PSD3 is PSPs. There are new rules for the authorization and supervision of non-bank PSPs, as well as specific new anti-fraud requirements for PSPs. This update essentially makes sure that important players in the payment ecosystem aren't left out.

Tackling payment fraud and protecting consumers is massively important here also. PSD3 will go beyond the efforts of PSD2 in ensuring wide adoption of the highest security standards.

For instance, the proposal highlights an emerging trend for spoofing attacks, where fraudsters pose as employees of a PSP and approach the consumer to obtain consent for access to accounts and funds. The customer, thinking they are speaking to a legitimate member of a licensed organization, is often tricked into granting this. PSD3 addresses these gray areas of customer consent and clarifies what PSPs ought to put in place to prevent it.

What are the goals of PSD3/PSR?

Taking into consideration the identified shortcomings of PSD2, the proposal looks to address four key areas that have been identified by the EC:

1. Strengthen user protection and confidence in payments (and reduce fraud)

2. Improve the competitiveness of open banking services

3. Level the playing field between banks and non-bank PSPs

4. Improve enforcement and implementation in EU Member States

1. Be tougher on fraud and protect consumers better

The reality is that we are seeing more sophisticated styles of fraud that are putting customers at risk that PSD2 and SCA simply don't address. This includes trends like spoofing (impersonation) fraud and a significant increase in social engineering attacks of diverse nature.

PSD3/PSR1 hope to better protect customers and reduce payment fraud by introducing measures such as:

• Strengthening customer authentication (SCA) rules

• Enabling the safe exchange of fraud-related information between PSPs

• Introducing IBAN/name matching

• Improving consumer rights, including extending rights to refunds in cases of fraud

• Requiring PSPs to educate and increase awareness of payments fraud among their customers and staff

2. Further unlock the value of open banking

PSD2 gave open banking a stable regulatory framework, but its success has been mixed. In response to this, PSR1/PSD3 aim to remove any obstacles to providing open banking services and customers better control over their payment data.

The hope is that this will allow new, innovative services to enter the market. Payments industry insiders have already started to speculate on the opportunities and potential complications this approach will bring – inclusive of how it may reallocate responsibility and liability for fraud and how it seeks to address the question of digital exclusion.

3. Better access for non-bank PSPs

Another key aim of PSD3 is to level the playing field between bank and non-bank PSPs, where there are still imbalances. This has had a negative impact on competition and innovation in the payment market.

New providers may have entered the market, but they haven’t really been taken into account by the old directive. This is believed to be down to uncertainty and inequality in regulatory obligation from PSD2 and national legislation.

In response, PSR/PSD3 looks to allow non-bank PSPs access to EU payment systems with appropriate safeguards, giving them a right to have a bank account. Under PSD2, banks have been known to not allow PSPs to operate bank accounts, or even to shut down their bank accounts due to money laundering concerns (or, at the very least, concerns that such an account might breach anti-money laundering regulations).

The proposal has been welcomed by payment institutions and e-money institutions previously facing obstacles that hindered their innovation.

4. Improved enforcement and accountability

As we saw above, the shift from PSD2 to PSR means that, once the implementation period is up, regulations will have to be applied directly and consistently across the EU. Moreover, each Member State is required to designate National Competent Authorities (NCA), who will both oversee implementation and enforcement and provide authorizations and licensing where appropriate.

The proposal also suggests reinforcing penalty provisions and getting rid of the e-money directive (EMD). For the sake of clarity, e-money institutions (EMIs) will become a subcategory of payment institutions (PIs).

How do PSD3 and PSR1 affect 3DS?

In addition to making some of PSD2’s requirements into regulations through PSR1, PSD3 also introduces some changes related to SCA measures such as 3DS.

PSD3 aims to simplify and set in stone SCA measures, to be applied across countries via PSR1. There are also new liability provisions and clarifications specific to SCA. They include:

• New clarifications regarding the implementation of SCA:

  • For merchant-initiated transactions (MITs), initial setup requires SCA, but not subsequent payments.

  • Regarding the enrollment of payment instruments into digital wallets, this is clarified to require SCA at the time of enrollment of a new token or replacement of a token.

  • For mail order and telephone orders (MOTOs), only the initiation of a payment needs to be non-digital for the payment to be exempt from SCA.

  • For MOTOs, an exemption from SCA payment still needs to be subject to fraud checks, transaction risk analysis (TRA), and other security controls, to avoid abuse.

  • The SCA exemption for direct debits has been narrowed.

  • New SCA obligation for direct debits placed on a channel with the direct involvement of a PSP.

• New accessibility requirements for the 3DS or other SCA step – for example for persons with disabilities as well as those with “low digital skills” and those with no physical access to smartphones.

  • PSPs are required to provide customers with SCA methods that “are adapted to their needs and situations” rather than depend on a single device or technology.

It’s worth noting that in their review of PSD2, the European Commission “concluded that strong customer authentication has already been highly successful in reducing fraud” and thus is looking to further strengthen this approach with the new Directive and Regulation.

What should merchants and PSPs do next?

As a merchant or PSP looking into the developments around this new EU legislation, there are a number of takeaways to keep in mind.

Step 1: Compliance is a long-term goal

Nothing is set in stone, yet. The 128-page documentation released by the EU on June 28, 2023 is a proposal and is thus not enforceable. It will be voted on in late 2024/early 2025, followed by an implementation period that typically lasts over a year.

So although it certainly helps to be prepared, keep in mind that this is a longer-term project for your organization rather than something that can be addressed and resolved right away.

Step 2: Identify its relevance to you

Merchants and PSPs will want to be proactive in identifying which of the proposed updates and additions affect their operations, and what would need to be done on an organizational basis to support them. In some cases, this would entail one-off projects such as a new application, while in others there could be a need for new processes or staff training.

For example, PSPs may need to require new authorization from the National Competent Authority (NCA) of their home country. What’s more, PSPs are required to respond to new types of fraudulent activity.

There are also potential new TRA requirements, refund rights and staff training to further raise awareness of payment fraud internally.

Step 3: Consider your locale

Keep in mind that the upcoming regulation and directive apply not just to those merchants and PSPs based in the EEA but anyone operating in the EU market.

As of the time of writing, there is no official information from the UK Government on whether PSD3 will be adopted or matched in UK legislation. However, organizations active in both locales need to be prepared to handle things differently for the UK and EEA markets. On a practical level, automated decisioning is expected to be of great help to this end.

Step 4: Consult with experts

At this stage, it is a good idea to speak with industry experts and your payments partners to better understand how the proposed legislation applies to your operations. These can be providers of transaction risk analysis solutions as well as SCA.

Consulting with a 3DS and risk prevention partner will help shed light on which parts of your workflow may need adjustment and where you can be proactive and prepare. Putting in place transaction optimization will give you recommendations on what route or exemption to take based on what will have the highest chance of overall transaction success – taking into account the legal framework and data points linked to each customer’s behavior and known patterns. Then, when PSD3/PSR1 are fully decided and enforceable, the different routes to authorization can be updated to comply with the new frameworks.

In the case of Ravelin’s 3DS offering, there is a 3DS authentication server as well as transaction optimization available separately. The solution can, for example, utilize SCA exemptions, including TRA, in order to minimize customer friction while remaining compliant with legislation requirements, all in full alignment with your risk appetite.

Reach out to the Ravelin team of payments experts to book a friendly chat in order to discuss your needs.