Payments – a zoom on key upcoming regulatory challenges

The European Commission (EC) has been continuing its efforts to reach the ambitions of the Digital Finance Strategy and the Retail Payments Strategy, in terms of Open Banking, Open Finance, Instant Credit Transfers and Crypto-Assets.

In addition, new innovations, such as Buy Now Pay Later have emerged in the last few years across the payment industry, often triggering the need for legal and regulatory revisions.

As developments come with new challenges for Payments Services Providers (PSPs), they should waste no time and start assessing the impact but also the opportunities these developments bring to their business. 

1. PSD3 is coming!

When?

The publication of the revision of the second Payment Service Directive (PSD2), is expected on the 28th of June 2023.

What are the main expected changes?

• Scope: merge of PSD2 with the Electronic Money Directive (EMD2), clarifications of key concepts (like payment account), definitions and exclusions in PSD2, review of the list of payment services;
• Prudential requirements: changes in the minimum initial capital requirements, appointment of  the volume-based method as the default method for calculation of own funds, clarifications on safeguarding requirements, introduction of additional own funds requirements for granting credits related to the provision of payment services, introduction of a recovery and wind-down framework for significant PIs and Electronic Money Institutions (EMIs) – the significance of these institutions being determined based on specific criteria to be defined by the EBA;
• Rights & obligations: review of the liability regime between Third Party Providers (TPPs) and Account Servicing Payment Service Providers (ASPSPs) and issuing and acquiring PSPs in case of Strong Customer Authentication (SCA) exemption;
• Access to accounts: development of a common API standard across the EU, removal of requirements on the fallback mechanism, requirements for Account Information Service Providers (AISPs) to apply their own SCA;
• SCA: clarification related to reliance on third party technology, delegation to TPPs and to technical providers for conducting SCA, clarification on the optional or mandatory nature of SCA exemptions as well as the introduction of authentication methods for more vulnerable groups of the society;
• Social engineering fraud risk: incentives for more efficient transaction monitoring mechanisms, educational & awareness campaigns, exchange of information between PSPs on known fraud cases.

2. Open Finance Framework (OFF)

When?

OFF answers to the EC’s ambition to broaden the PSD2 scope of ‘Open Banking’ to an ‘Open Finance’ framework. This is why the EC conducted its legislative developments regarding PSD3 and OFF in parallel. Similarly to PSD3 the publication of the draft OFF is expected by the end of June 2023.

What are the main changes PSPs should expect?

The objective of the Open Finance Framework is to “allow customer data beyond the scope of PSD2 to be shared and re-used by financial service providers for creating new and improved services”.

PSPs should expect OFF to bring new requirements, such as :

• Scope : expansion from access to payment accounts data towards access to other types of financial data such as savings, investments and insurance data, inclusion in OFF of Account Information Services requirements previously included in PSD2;
• Access to accounts : development by the industry of a common API standard across the EU, possibility to decide on the appropriate compensation for the use of these APIs by third parties, use of consent dashboards and easy way to revoke consent;
• SCA: extension of requirements on SCA under PSD2 to access to other types of account data under the OFF;
• Security & fraud risk: inclusion of adequate security requirements to ensure the safety of customers’ data and reduce the risk of fraud and scams.

The implementation of the OFF is expected to be phased; opening access to non-payment accounts and banking products first and, as a second phase, extending the access to other financial products.

3. Instant payments as the ‘new normal’

When?

On October 26th, 2022, the EC published a legislative proposal focused on instant payments in EUR. This proposal will amend the Single Euro Payments Area (SEPA) regulation and the Cross-Border Payments Regulation.

The next steps and adoption by the Council of the EU could still take a few months before publication of the final act in the Official Journal.

What are the main impacts PSPs should expect?

The legislative proposal will require all PSPs who offer credit transfers in EUR to their customers in the EU to :

• Provide Instant Payments, 24/7, 365 days a year, at no extra cost compared to traditional non-instant credit transfers in EUR;
• Perform IBAN checks and notify and inform the payer on the risks of authorizing this transaction in case of mismatch between the IBAN and the name of the beneficiary;
• Perform sanction screening on their customers, at least on a daily basis and not during the execution of an Instant Payment.

For more information about instant payments and how PSPs should prepare, consult our previous EY article How to prepare for instant payments?

4. MiCA, the MiFID of crypto-assets

When?

Early June 2023, Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) was published in the Official Journal of the EU. The MiCA Regulation will apply from the 30th of December 2024.

What should Crypto-Asset Service Providers (CASPs) expect?

Among other things, the Regulation will cover rules about:

• Authorization, supervision and operation of CASPs, issuers of asset-referenced tokens and issuers of electronic money tokens;
• Protection of holders of crypto-assets in terms of issuance, offering and admission to trading;
• Consumer protection against risks related to the investment in crypto-assets, tackling various topics such as liability regime, money laundering, terrorist financing, insider dealing, market manipulation, suitability assessment to be performed by CASPs providing advice on crypto-assets, etc.;
• Environmental footprint of crypto-assets : further information is awaited from the European Securities and Markets Authority (ESMA) who should draft regulatory technical standards in this matter.

5. Buy Now Pay Later’ (BNPL) soon to be regulated?

When?

A proposal for a Directive on Consumer Credit (CCD) was published in June 2021 and should replace the existing Directive 2008/48/EC on credit agreements for consumers. The Parliament is expected to provide a decision on the proposed Directive in September 2023.

What to expect?

This proposal is in line with the EU’s objective to further protect consumers in the digital transition against over-indebtedness and will include in its scope, among other things, the credit agreements provided by BNPL schemes, the so-called short-term high-cost loans usually with amounts lower than the EUR 200. The proposed directive will include measures to increase transparency and enhance consumer protection.

How should payment actors prepare ?

The priority for PSPs is to embed the applicable elements in strategic roadmaps and to:

• Identify concerned functions: the scope of the regulatory developments will most probably require the involvement of all functions within the organization (Business, Legal, Risk, Compliance, Finance,…);
• Conduct impact assessments: identify and size the changes in existing processes, IT developments, security testing, business opportunities, review of customer journeys  etc.;
• Prioritize and plan developments to include these in the current strategic planning of the organization;
• Assess budget and capabilities required for roll-out and change.

These regulations will also require PSPs to strengthen the IT and security risk management measures related to payment flows. In this matter, PSPs should ensure they dispose of an end-to-end view of all their payment flows, by comprehensively documenting their technical architecture, dependencies between IT assets, but also the underlying business and technical rules, security controls and protocols used.

Finally, PSPs should keep in mind that compliance with regulatory requirements will be evolving through time and at the pace of PSPs’ business developments. This is why, it cannot be seen as a one-off exercise. Instead, PSPs should implement adequate measures to have a 360° view on their compliance, and to remain in control in this domain. This should be achieved through: 

• Continuous compliance monitoring : compliance monitoring activities should capture each business initiative before its launch, to assess the impact it might have on the PSP’s compliance with regulatory requirements;
• Regular enterprise-wide compliance assessment and reporting : as most regulatory challenges will impact several departments, it is key to ensure these are conducted at the level of the organization, and not in silos, to capture all dependencies. Also, regular compliance assessments should enable the organization to maintain a 360° view and to report to the executive management and Board at least on a yearly basis;
• Adequate governance: compliance monitoring and assessment can only be achieved when supported by adequate governance measures, where roles and responsibilities are clearly identified throughout the organization and where compliance by design is embedded in the business targets and objectives.

Upcoming regulatory developments will continue to shake the payment industry in the European Union. It is urgent for banks and other PSPs to assess the challenges and opportunities that PSD3, Open Finance Framework, Instant Payments, MiCA and Buy Now Pay Later will represent for their organization.

Do not hesitate to contact us, should you wish to discuss the detailed requirements or seek any assistance in this respect.