In June 2023, the European Commission issued a legislative package aimed at modernizing and streamlining the EU’s retail payments framework. The package consists of two key legislative acts revising the second Payment Services Directive (Directive (EU) 2015/2366 - PSD2): 1) a Payment Services Regulation (PSR); and 2) a third Payment Services Directive (PSD3).
PSD3 will clarify and update provisions related to the authorization and supervision of payment institutions (PIs), incorporating electronic money institutions (EMIs) as a sub-category. Therefore, PSD3 will embed requirements from the second Electronic Money Directive (Directive 2009/110/EC - EMD2) and subsequently repeal this directive. The changes introduced by the draft proposal for PSD3 are discussed further here.
The PSR consolidates the harmonization of most payment rules concerning Payment Service Providers (PSPs) across EU Member States, through a directly applicable regulation. It primarily comprises provisions addressed to the credit institutions providing payment accounts but also includes measures impacting non-bank PSPs (i.e. payment institutions, electronic money institutions) and, to some extent, non-financial players such as technology and electronic communications service providers. As part of the new framework, the PSR introduces enhanced measures to combat and mitigate payment fraud, strengthens customer rights by increasing transparency, further levels the playing field between bank and non-bank PSPs, and enhances the functioning of open banking by removing remaining obstacles for market participants and improving customers’ control over their data access.
In addition, the PSR mandates the European Banking Authority (EBA) to draft a set of new Regulatory Technical Standards (RTS) and Guidelines, most likely replacing the existing ones. It should address the following areas:
- Authentication, communication, and transaction monitoring mechanisms.
- Reporting obligations related to access to accounts.
- Harmonized format and information to be included in the notification in case of onboarding refusal or offboarding of TPPs.
- Statistical data on fraud, building on and complementing guidelines on payment fraud reporting, risks, and trends.
Third-party providers’ (TPPs) access to payment data
Dedicated interfaces for TPPs
Except in authorized exceptional circumstances, PSPs offering payment accounts accessible online will be obliged to offer at least one dedicated interface (API) for data exchange with TPPs, and the option to permanently maintain a “fallback” interface is removed. Accordingly, new obligations are foreseen for dedicated interfaces regarding their performance and functionalities, along with strengthened measures to ensure data access parity between the dedicated access interface and the customer interface.
Consent dashboard
PSPs offering payment accounts accessible online will be required to develop a permission dashboard (referred to as “consent” under PSD2). This dashboard will allow Payment Service Users (PSUs) to monitor, in real time, which TPPs have been granted permission to access their data and to withdraw or re-grant that permission for any given TPP.
A key priority for the concerned PSPs will be to support PSUs in revoking and re-establishing their permissions while ensuring that TPPs are promptly informed of these actions. TPPs, in turn, should share information about PSUs’ permissions with PSPs to keep the permission dashboard continuously up to date. This requires account servicing PSPs (ASPSPs) and TPPs to cooperate to ensure that permission data remains accurate and synchronized.
Combating and mitigating payment fraud
To tackle evolving fraud trends (such as social engineering and “spoofing” scams), the PSR proposal imposes a revised set of anti-fraud measures.
Transaction monitoring and fraud data sharing
PSPs will need to reinforce the transaction monitoring mechanisms supporting the application of Strong Customer Authentication (SCA), with the aim of enhancing the prevention and detection of fraudulent transactions. These mechanisms should rely on the analysis of past payment transactions and online access to payment accounts, by tracking typical elements of the PSU, including environmental and behavioral patterns linked to the payment user’s habits. For transaction monitoring purposes, PSPs may establish information-sharing arrangements to enable the exchange of a payee’s unique identifier with other PSPs where fraudulent payment transactions are suspected.
Liability for employee impersonation fraud (“spoofing”)
The PSR proposal introduces a new provision extending the liability of PSPs in the event of authorized fraudulent transactions initiated by PSUs manipulated by a third party pretending to be an employee of the PSP, by unlawfully using the PSP’s name, e-mail address or telephone number. In such scenarios, the PSP will be obligated to refund the consumer the amount of the fraudulent authorized payment transaction within 10 business days, unless it is able to prove that the consumer acted fraudulently or with gross negligence.
The Parliament proposed to significantly extend the liability of PSPs to also cover authorized fraudulent transactions resulting from impersonation by “any other relevant entity of a public or private nature”. The trilogue negotiations will determine the extent to which the liability will be retained in the final PSR.
Electronic communications service providers (ECSPs) (such as mobile network operators, internet platform providers, etc.) will also be obliged to cooperate closely with PSPs and act promptly to ensure that appropriate organizational and technical measures are implemented to protect the security and confidentiality of communications. The Parliament suggested that ECSPs failing to cooperate will be held jointly responsible in the event of such fraud if they fail to remove fraudulent or illegal content after being informed of it. The Council’s position does not provide for such liability of ECSPs but rather emphasizes cross-sectoral cooperation between ECSPs and PSPs with the objective of preventing and detecting fraud.
Fraud reporting
As in PSD2 and the related guidelines, PSPs will be required to provide, at least annually, statistical data on payments fraud to their National Competent Authority (NCA). It remains unclear whether this reporting will complement the current Payment Statistics Reporting or replace it. The EBA is expected to draft Regulatory and Implementing Technical Standards to provide clarity on this matter.
Payment fraud awareness
A new requirement is introduced, requiring PSPs to conduct proper customer awareness initiatives on new forms of payment fraud, helping customers identify fraudulent activity and take appropriate actions and precautions. Regarding their own employees, PSPs will need to organize, at least annually, training programs dedicated to payment fraud risks and trends to ensure they are properly equipped to carry out their responsibilities and effectively prevent and manage payment fraud, in line with guidelines to be issued by the EBA.
Verification of Payee Service
The draft PSR also requires the payer’s PSP to verify, free of charge, the consistency between the name and unique identifier of a payee before the initiation of credit transfers. These requirements extend the scope of the “IBAN name checks” (also known as “Verification of Payee”, VoP) originally introduced by the Instant Payment Regulation (Regulation (EU) 2024/886 - IPR) for instant credit transfers in euro and recently extended to all intra-EEA credit transfers, including non-instant and non-euro credit transfers.
PSPs will already need to comply with VoP requirements by October 2025 for instant and non-instant SEPA Credit Transfers in euro, as required by the IPR.
Key changes to Strong Customer Authentication (SCA)
Key provisions from the existing Regulatory Technical Standard (RTS) on SCA and Common Secure Communication (CSC) are now embedded in the PSR proposal, which also introduces new measures to strengthen payment security and enhance customer protection.
Accessibility requirements
The accessibility requirements under the proposal aim to ensure the inclusion of customers with low digital skills or disabilities. All customers must have access to at least one method of performing SCA that does not depend on the use of a smartphone (such as a card reader or similar device). PSPs will be required to offer a range of solutions for the application of SCA to accommodate different customer needs.
Technical Service Providers
PSPs will be required to conclude outsourcing agreements with technical service providers offering or verifying SCA elements such as wallet providers (e.g. Google Pay, Apple Pay), including provisions for auditing and controlling security measures. However, this requirement is challenged by the Parliament, which removed the requirement for an outsourcing agreement and instead refers to new RTS to be issued on this matter.
SCA flexibility
The PSR proposal no longer requires SCA elements to belong to different categories (knowledge, possession, inherence) as long as their independence is fully preserved.
Access for Account Information Service Providers (AISPs) is permitted for 180 days following the initial SCA performed by the bank (as already modified in 2023 by a change in the RTS). The responsibility for performing subsequent SCA on the PSU will lie with the AISP, but the bank will have the option to require SCA again in case of fraud suspicion.
Non-bank PSPs’ access to payment systems and bank accounts
While Payment Institutions (PIs) and Electronic Money Institutions (EMIs) were already granted access to payment systems, the PSR requires payment system operators to implement non-discriminatory, transparent and proportionate rules regarding such access. A payment system operator may refuse the participation of an applicant only if it poses risks to the system and must inform the PSP in writing of its decision, providing full reasons for any refusal.
The rules obliging credit institutions to grant banking services, including payment accounts, to non-bank PSPs are also strengthened under the new framework to tackle “AML de-risking” practices. The grounds on which access may be refused or withdrawn are limited to specific cases, including serious grounds for suspecting illegal activities or inadequate AML controls, breach of contract, an excessively high-risk profile of the applicant, or disproportionately high compliance costs for the credit institution. The Council’s position added a deadline of one month for credit institutions to notify PSPs of any decision to open an account and a notice of three months for the closure of an account.
Next steps
The recent adoption by the Council of its negotiating mandates and the launch of the trilogue represent a significant milestone, providing more clarity regarding the upcoming adoption of the PSR. The market may now expect the final version of the text to be adopted and published by the beginning of 2026.
Under the Commission’s proposal, in-scope market participants would have 18 months from the publication of the PSR to comply with its provisions. The Council proposed extending the entry into force deadline to 24 months.
Preparing for the future
The PSR will undoubtedly require developments that must be incorporated into strategic plans and budget forecasts in anticipation of its upcoming adoption. Therefore, PSPs should assess the impact of these changes on their organization right now, rather than waiting for the final text of the PSR.
To ensure timely compliance with the PSR, PSPs should undertake the following steps:
- Identify the functions impacted by the PSR changes, such as credit transfers and card payment flows, fraud departments, legal teams handling contracts, liability and terms & conditions, IT & security departments, etc.
- Assess the impact of the PSR on each affected function to determine the necessary process changes and developments, as well as the required budget and capabilities.
- Incorporate the impacts into the strategic planning of the organization.
- Roll out changes to ensure timely compliance.
Just like any important change impacting multiple functions within an organization, it is crucial to ensure that adequate governance is defined to follow up on the planned changes. As PSPs progress in implementing these changes, it is important to monitor compliance to ensure it is achieved by the regulatory deadline.