
News from Brussels: Regulatory disputes concerning PSD3 and PSR

The positions for the trilogue have been finalized

After a long wait, the Council of the EU has published its position on Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR). Now all three positions are on the table and the decisive negotiations can begin. For banks and payment service providers, this means it is high time to keep a close eye on the upcoming changes and prepare for the new requirements.

Preliminary remark

While the latest developments surrounding the FIDA regulation are providing plenty of talking points in the market, the Council of the EU has finally published its position on Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR) this summer after a long wait. Now all three positions are on the table and the decisive negotiations can begin.

For banks and payment service providers, this means it is high time to keep a close eye on the upcoming changes and prepare for the new requirements – especially since the requirements of PSD3 and PSR are expected to be implemented earlier than those of FIDA.

PSD3 and PSR – things are moving forward

It has now been a good two years since payment service providers and banks eagerly awaited the first drafts of the Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR). In June 2023, the Commission published its initial drafts for the revision of the second Payment Services Directive (PSD2) and the E-Money Directive (EMD2). This was followed in April 2024 by the Parliament’s draft amendments – after which, however, things went quiet in Brussels for a while.

Now, at last, things are moving forward: this summer, the Council of the EU published its own position on both legislative acts. This paves the way for the trilogue negotiations between the Commission, Parliament, and Council, which are now entering their decisive phase.

What are the different positions of the legislative bodies? Where is there consensus? And where could there still be points of contention in the trilogue? What has been the reaction from the industry so far? And what is the expected timeline?

In our blog post, we take a look at the key points that are now on the negotiating table and what requirements the industry can expect.

Where current regulation reaches its limits

Despite the successes of the Payment Services Directive, a review of the current PSD2 and E-Money Directive revealed four main problems in the payments market.

Due to the sharp increase in social engineering, consumers are increasingly exposed to the risk of fraud and therefore have little confidence in payments. At the same time, it is apparent that the open banking sector has not been functioning smoothly due to the high fragmentation of interfaces, which means that open banking providers are only able to offer their basic services to a limited extent. Added to this are unequal competitive conditions, which pose additional hurdles for market participants within Europe. Finally, the Commission sees differences in supervisory powers and obligations in the individual EU member states, which leads to payment service providers choosing the jurisdiction that is most favorable to them.

The Payment Services Directive 3 and Payment Services Regulation are intended to counteract precisely these problems by strengthening the protection of payment service users and improving access to payment systems and bank accounts for non-bank payment service providers. Another objective of the revised legal acts is to improve competitiveness in open banking services. Last but not least, the choice of different legal provisions in both replacement legal acts shows that the Commission is seeking to improve enforcement in the member states.

PSD3 remains a directive: authorization procedures and supervisory requirements must therefore continue to be transposed into national law by the individual member states. Civil law requirements, on the other hand, are being transferred to the new PSR – a regulation that applies directly in all EU countries and does not require additional implementation at the national level.

Who is affected by the new requirements?

PSD3 is primarily aimed at payment and e-money institutions. It specifies who is permitted to offer payment services in the EU and which regulatory requirements must be met. This particularly affects the authorization process, capital requirements, and ongoing supervision. Credit institutions – such as those subject to the German Banking Act (KWG) – do not require an additional license under PSD3, as they are already comprehensively regulated.

The PSR has a much broader scope. It applies to almost all payment service providers (PSPs) in the EU, including banks, payment and e-money institutions, postal check offices and, in certain cases, central banks.

In short: PSD3 primarily regulates market access and the supervision of payment and e-money institutions, while the PSR covers, with a few exceptions, all providers offering payment services in the EU.

The EU is changing the rules of the game

An overview of the key elements of Payment Services Directive 3 and Payment Services Regulation

With the initial drafts of PSD3 and PSR, the EU Commission aims to modernize the foundations of European payment transactions and remedy weaknesses in PSD2.

The proposed changes can be divided into six key elements. These include adjustments to regulatory requirements, improved transparency on fees and exchange rates, and extended liability for identity fraud. There is also a particular focus on fraud prevention through measures such as an extension of the IBAN name check (verification of payee), enhanced transaction monitoring mechanisms, and the mandatory exchange of fraud-related data among payment service providers. Similarly, strong customer authentication (SCA), which is already familiar from PSD2, is to be made barrier-free in order to give vulnerable groups improved access to payment services. In the context of open banking, account-holding payment service providers are also to provide a dashboard for better management of third-party access.

The most important points of both legal acts are clearly summarized in the following chart.

Figure 1: Overview of the core elements of PSD3 and PSR

An overview of the negotiating positions of the central bodies

Although the positions of the Commission, Parliament, and Council are close on many points, there are key issues on which the legislators differ. The following section highlights some of the main points of contention.

E-money and the risk of double regulation

One sensitive issue is the regulation of e-money and e-money tokens (EMTs). Within PSD3, the Commission proposes to combine payment institutions and e-money institutions into a single licensing regime in the future. This means that there would only be one license for providers offering payment services and e-money services. At the same time, PSD3 refers to the MiCA Regulation ((EU) 2023/1114), which legally classifies EMTs as traditional e-money.

This raises a legitimate question for providers that issue EMTs: Am I potentially subject to double regulation – on the one hand under MiCA as an e-money issuer, and on the other hand under PSD3 as a payment institution?

While the Parliament shares the Commission’s view, the Council recognizes the risk of double regulation and lists isolated exceptions where e-money token providers are not subject to double regulation. However, there is still no clear answer from the legislator in the current versions.

Definition of authorized payments

The question of when a payment is considered authorized is particularly sensitive, even though this aspect is already enshrined in PSD2. The Commission, supported by Parliament, makes it clear that simply entering a PIN or using SCA elements is not generally sufficient to consider a payment authorized. The Council remains closer to the current legal situation and considers a transaction to be authorized if it has been carried out correctly from a technical point of view and with the required security features.

Implicitly, this means that, according to the Commission and Parliament’s line, banks and payment service providers could also be liable if a fraudster initiates a transaction with the correct access data. The Council wants to limit this liability risk and essentially maintain the status quo.

Liability for identity fraud

Opinions differ widely on the subject of liability for identity fraud. In the Commission’s view, the payment service provider must reimburse the consumer in full if the consumer has been deceived by a third party—for example, by someone pretending to be a bank employee—and has authorized a payment as a result. If a payment service provider informs the communications service provider of the consumer concerned about a case of fraud, the latter must cooperate immediately with the payment service provider and implement appropriate security measures to prevent, for example, phone number and email spoofing.

If the consumer has acted with gross negligence, the PSP is generally exempt from liability, but the burden of proof lies with the payment service provider. The Commission also does not provide a specific definition of gross negligence.

The Parliament, on the other hand, is calling for a clear definition of gross negligence by the EBA. In addition, the liability obligation is to be significantly extended. According to this, communication service providers should also be held more accountable for such forms of fraud. The Parliament stipulates that providers who have not removed reported fraudulent means of communication are themselves liable and must reimburse the payment service provider for the damage caused by the authorized fraud.

The Council generally follows the Commission’s position, but would like to limit the liability of the payment service provider to cases where the fraudster has used the payment service provider’s communication channels.

Strong customer authentication (SCA) & accessibility

The Commission calls for accessible SCA methods so that vulnerable or less tech-savvy payment service users are also able to perform them. The SCA methods must not require the possession of a smartphone. If the authentication is carried out by a third party, appropriate outsourcing agreements must be concluded with that party.

Parliament rejects outsourcing agreements across the board, but requires that all SCA means be provided free of charge.

The Council proposes a more flexible solution: it also sees the need for outsourcing agreements in the case of delegated authentication. However, the SCA requirements should be compatible with the business model of the respective PSP.

Open banking

Account-holding payment service providers should provide their customers with a dashboard for managing data access. However, the Commission only specifies non-functional requirements for the dashboard.

While the Council calls for reactive deactivation of access in addition to other non-functional requirements, the Parliament wants to include a supplementary opt-out option for all accesses – both existing and future – as a requirement for the dashboard.

Both Parliament and the Council go one step further. Both institutions also call for the dashboard to be compatible with the FIDA Regulation. Technically, this means that banks and other account institutions must provide interfaces in such a way that users can manage their data sharing from both sets of regulations (PSR and FIDA) via a single dashboard.

In practice, this entails a certain degree of complexity: the data to be exchanged, formats, and specific rules are primarily determined by the market in FIDA, as stakeholders must organize themselves into so-called data-sharing schemes. Banks must therefore provide flexible interfaces that are compatible with these dynamically emerging standards.

Transaction monitoring & fraud data exchange

All three institutions require payment service providers to set up mandatory monitoring for fraud prevention and to exchange fraud-related data with each other. According to the Commission and the Council, a unique identifier, such as the IBAN, should be transmitted for this purpose. The Parliament extends the exchange to a broader range of data, including personal information such as names and email addresses that can be attributed to a fraudster. In addition, the Parliament holds PSPs liable if they have not blocked fraudulent IBANs identified through the exchange.

Information requirements on fees, exchange rates, and transaction duration

Further negotiations are needed on the issue of transparency and fees for currency conversions. The Commission is calling for a detailed breakdown of the fees that the payment service user has to pay to the payment service provider. This also includes currency conversion fees, which are calculated as a percentage surcharge on the current reference exchange rate of the relevant central bank. In addition, the payment process is to be made more transparent by providing customers with information on the estimated maximum execution times for cross-border payments.

Parliament is taking a different approach to the disclosure of currency conversion fees and is demanding that these be disclosed both as a total amount and as a percentage surcharge in order to ensure better comparability. This information should be clearly visible at the latest before the final execution of the transaction. A reference exchange rate in accordance with the EU Reference Rate Regulation should be used as the basis for the calculation. The Council, on the other hand, would like to use an aggregated mid-market exchange rate as the basis.

Regardless of the positions taken, a key challenge lies in the technical implementation of fee disclosure. On the one hand, fee structures are individual and dynamic, consisting of various components depending on the system landscape. On the other hand, essential fee information must be provided in real time at or even before the authorization of the payment transaction.

Differences in the implementation period

The legal acts are expected to be finalized and published by the end of 2025. However, there are significant differences between the legislative institutions in the subsequent implementation periods.

With regard to PSD3, the Commission and Parliament are of the opinion that the directive must be transposed into national law within 18 months. The Council, on the other hand, is calling for a longer period of 24 months.

As a regulation, the PSR will automatically enter into force on the 20th day after its publication in the Official Journal of the EU. However, its application will be delayed by transitional provisions: the Commission envisages 18 months, the Parliament 21 months, and the Council 24 months.

This means that, depending on the final outcome of the negotiations, PSD3 would be transposed into national law in mid-2027 at the earliest and by the end of 2027 at the latest. Depending on the deadline, the PSR could be directly applicable in mid-2027 at the earliest and by the beginning of 2028 at the latest.

Figure 2: Expected timeline for PSD3 and PSR

First reactions from the market

At the beginning of September, the German Banking Industry Committee (DK) critically assessed the draft amendments and highlighted key points.

The proposed liability rules for identity fraud are seen as particularly controversial, as they result in a shift in risk that banks cannot control. Furthermore, this gives payment service providers’ customers incentives that could lead to an “all-risk insurance” mentality.

On the other hand, the Council’s proposal to limit liability for identity fraud and the call for stronger options for blocking suspicious payments are viewed positively. The associations see challenges in transparency requirements and fees, as these create disproportionate effort and offer little added value for customers.

In the area of open banking and SCA, the DK advocates for more flexibility, for example through risk-based application of SCA instead of rigid rules. The removal of the reactivation function for data access is welcomed.

Overall, implementation is considered to be very complex, as numerous delegated acts create uncertainty. The banking industry is therefore calling for an implementation period of at least 24 months.

Between clarity and open questions

The positions of the Commission, Parliament, and Council now allow for a detailed look at the issues being negotiated behind the scenes in the ongoing trilogue negotiations. It is considered certain that a comprehensive update of European payment law will ultimately be achieved. Controversial issues such as liability for identity fraud, the specific design of strong customer authentication, and transparency requirements for fees will set the tone for negotiations in the coming months.

One thing is clear: almost all of the proposed changes will be implemented in some form—some in a watered-down version, others possibly even more stringent. The broad framework has been established, and the details will now be negotiated in the trilogue.

For payment service providers and banks, this means that they should prepare for extensive adjustments at an early stage, even if individual regulations are still being fine-tuned.

Feel free to contact us. We can support you in analyzing and implementing the new requirements from PSD3 and PSR.

Michael Schuster is an economist and advises credit institutions and payment service providers in the area of payments at msg for banking.
