Read also our previous blogs in this series!
Earlier, the European Commission unveiled its findings on the evaluation of the Second Payment Services Directive (PSD2), which hinted at an upcoming revision of this framework. On 28 June 2023, these revisions were formally proposed. The package contains a proposal for a new Directive, which will become known as the PSD3, a Payment Services Regulation (PSR), addressing the issue of financial data access – also known as Open Banking – and the issues of transaction authorization and customer authentication, and a Regulation concerning financial data access (FIDA). In this blogpost, we provide an initial overview of the expected changes coming in the PSD3. In the next blogposts, we will address the Payment Services Regulation and the Financial Data Access Regulation.
The review of the PSD2 was fairly positive about its accomplishment as an improvement over the PSD1. Nevertheless, four main shortcomings were identified:
A new regulatory initiative, this legislative package, would need to address those four concerns. In doing so, it was also decided to split the framework into a new Directive (PSD3), which mainly addresses the licensing and supervision of payment institutions, and a Regulation (PSR), which contains the more operational rules for payment institutions.
Another notable change is that the framework for electronic money, or e-money, is merged into the payment services framework. As a result, ‘payment services’ now means to include both payment services and e-money services. This should not be a surprise, given that the existing e-money framework, the Second E-Money Directive or EMD2, already refers to the payment services framework for a substantial part of its provisions – such as scope exemptions, licensing procedure and operational requirements. This is therefore a logical move, which has been a long time coming. PSD3 thus now regulates both payment institutions (PIs) and e-money institutions (EMIs).
Generally, the PSD3 maintains the definitions found in the PSD2. However, there are a few changes in the list of payment services, still found in Annex I. The services of cash placement and cash withdrawal (Services 1 and 2 for the PSD2 die-hards) have been merged. The same goes for the payment services of ‘Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider’ and ‘Execution of payment transactions where the funds are covered by a credit line for a payment service user’ (Services 3 and 4 PSD2). On the other hand, former service 5 has been split into two separate services, ‘issuing of payment instruments’ and ‘acquiring of payment transactions’. For those keeping count, that brings the tally to seven payment services under PSD3.
E-money services are listed in Annex II and include the issuance of electronic money, maintenance of payment accounts storing electronic money units and transfer of electronic money units.
Other changes to the definitions seem mainly aimed at further clarifying the concepts, without major changes.
As before, those offering payment services – including e-money services – require a prior authorization in their home Member State. The application procedure has remained largely the same. One notable change is that applicants must now also provide a wind-up plan, which outlines what happens in case of failure. The aim here is to protect customers and ensure continuity as much as possible.
The initial capital requirements have gone through some indexation. Under PSD2 and EMD2, the requirements were either EUR 20.000, EUR 50.000 or EUR 125.000, depending on the type of service provided, and EUR 350.000 for electronic money. Under PSD3, this becomes EUR 25.000, EUR 50.000 or EUR 150.000 for payment services and EUR 400.000 for e-money services. The calculation for own funds has, however, remained largely the same.
The requirements for safeguarding customers’ funds have been strengthened a bit. The rules on ancillary activities have been maintained, as are the rules on auditing and recordkeeping.
Also the rules regarding the use of agents, distributors, branches and outsourcing remain largely the same.
As before, Member States must designate their competent authorities, the supervisors. These provisions have been largely maintained.
As before, some entities may be exempted, for instance if the monthly average of the preceding 12 months’ total value of payment transactions does not exceed EUR 3 million, or if the average amount of outstanding e-money does not exceed EUR 5 million.
Account information service providers (AISPs) do not require an authorization, but must only register. There are, however, still a few requirements to be met under this registration duty. In practice, this will likely not differ too much from the lighter authorization procedure these entities already enjoyed under the PSD2.
If a retail store, selling goods or services as a regular occupation at its premises, provides cash services independent of any purchase, such service is exempted if the amount of cash provided does not exceed EUR 50 per withdrawal. Similarly, ATM deployers not servicing payment accounts are exempted for the cash withdrawal services they provide. However, they do need to register with the competent authority, which does come with a few requirements – as with AISPs.
The PSD3 will largely maintain the existing authorization/licensing schemes for payment service providers, now including the provision of e-money services.
It is, however, important to note that PIs and EMIs licensed under PSD2 or EMD2 will need to comply with this framework as well. Given that there are a few changes to the licensing procedure and requirements, they will either need to demonstrate their compliance with the new framework, or obtain a new license under PSD3. In any case, any licensed entity will need to be (re-)authorized under PSD3 within two years after the framework becomes applicable.
The same goes for EMIs, who now must be authorized as PIs providing e-money services under PSD3. They can either provide the necessary documentation to prove their compliance with the new framework within two years, or will need to obtain a new registration.
If you have more questions on PSD3 and payment services, please contact Timelex.