EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
In June 2023, the European Commission issued a legislative package aimed at modernizing and streamlining the EU’s retail payments framework. The package consists of two key legislative acts revising the second Directive on payment services (PSD2): a Payment Services Regulation (PSR) and a third Payment Services Directive (PSD3). As part of the ongoing legislative process, the European Parliament adopted, in April 2024, amendments on both proposals. The Council’s position is now awaited in the coming months ahead of trilogue negotiations.
PSR supports the further development of open banking and consolidates all rules concerning Payment Service Providers (PSPs). It also introduces enhanced measures to combat payment fraud and strengthens customer rights by increasing transparency. As a directly applicable regulation, not requiring transposition in local laws, it will also promote greater harmonization by ensuring a more consistent application of rules across EU Member States.
PSD3 will clarify and update provisions relating to the authorization and supervision of payment institutions (PIs), incorporating electronic money institutions (EMIs) as a sub-category. Therefore, PSD3 will embed requirements from the second Electronic Money Directive (Directive 2009/110/EC - EMD2) and subsequently repeal this Directive. Furthermore, it includes rules on cash withdrawal services offered by retailers without purchase or by independent ATM deployers.
This article outlines the key changes introduced by the PSD3 legislative proposal, including new authorization requirements for payment and e-money institutions, adjustments to initial capital requirements, updates to own funds calculations and modifications to safeguarding measures. This proposal is part of the payment services package issued in June 2023 and aimed at modernizing the EU's retail payment framework.
1. Authorization requirements
While the PSD3 proposal requires authorized PIs and EMIs under PSD2 and EMD2 to obtain a ‘new authorization’ in order to continue their activities, amendments from the European Parliament rather mention a ‘simplified process’ for authorized PIs and EMIs. The application procedures for authorization and control of shareholding remain mostly unchanged compared to PSD2, with the exception of new requirements for the submission of a winding-up plan as part of the application process. Additionally, PIs are required to demonstrate compliance with additional ICT, data sharing and passporting arrangements.
In particular, PIs and EMIs will be required to demonstrate compliance with the following requirements as part of their new/updated authorization:
Winding-up plan
As part of their application, the PSD3 proposal requires PIs providing payment or electronic money services to submit a detailed winding-up plan. Such a plan must define suitable measures to be undertaken in the case of failure of the institution so as to ensure an orderly wind-up of activities in accordance with applicable national legislation, including continuity and recovery of any critical activities performed by the outsourced service providers, agents or distributors. The winding-up plan should be proportionate to the size and business model of the payment institution.
Business continuity
PIs are required to describe their business continuity arrangements including the procedures to test and review their adequacy and efficiency in accordance with Regulation (EU) 2022/2554 on digital operational resilience (DORA).
Security
PIs willing to enter information-sharing arrangements to exchange data related to payment fraud, as provided for under the draft PSR, should present in their security policy document:
- the conclusion of the data protection impact assessment; and
- where applicable, the conclusions of the relevant National Competent Authorities (NCA) on the dedicated data access interfaces.
Passporting
The PSD3 proposal requires PIs to provide an overview of the EU jurisdictions where they have submitted or intend to apply for authorization to operate as a PI.
2. Initial capital requirements
The initial capital requirements for the different categories of payment services have been adjusted to reflect inflation over the last few years. These new requirements are as follows:
* The PSD3 proposal introduces the option for Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) to hold initial capital instead of having a professional indemnity insurance. This possibility has been introduced to overcome the difficulties faced by PIs in obtaining a professional indemnity insurance at the authorization stage.
3. Own funds calculation
PIs’ own funds must currently be calculated according to one of the three methods (A, B or C) provided for in PSD2 whereas, under EMD2, method D prevails for EMIs. PSD3 does not change the methods for calculating own funds. However, method B is promoted to the ‘default’ method for PIs providing payment services, while the use of methods A and C is limited to those whose business models result in low volume but high value transactions and is subject to validation by the NCA. The criteria for such business models are expected to be further detailed in dedicated Regulatory Technical Standards (RTS) from the European Banking Authority (EBA).
4. Safeguarding
Although safeguarding requirements remain largely unchanged compared to PSD2, PSD3 introduces following measures to mitigate the concentration risks related to safeguarded funds:
- PSD3 provides PIs with a new option to safeguard their customers’ funds directly in an account held with a central bank, at the discretion of that central bank. Compared to the European Commission’s proposal, the amendments of the European Parliament are stricter and require central banks to duly justify any refusal to open a safeguarding account for a PI.
- PIs are required to diversify their safeguarding methods by ensuring that the same safeguarding method is not used for the totality of their customer funds. For example, by safeguarding their consumers’ funds in several credit institutions.
- PIs must also inform their NCA in advance in case of material change to the safeguarding measures applied to funds related to payment or electronic money services.
Finally, the EBA is mandated to develop RTS dedicated to safeguarding requirements for PIs, including detailed provisions on the safeguarding risk management frameworks they should implement to ensure protection of their customers’ funds.
5. Other changes
Cross-border provision of services
Rules pertaining to the cross-border provision of services remain mostly unchanged in the PSD3 proposal. However, specific clarifications are provided (e.g. passport notifications) for specific cases involving three Member States, such as scenarios where a PI offers payment services in a Member State other than its home Member State through an agent, distributor or branch located in a third Member State.
Cash withdrawals
Under PSD3, retail stores remain exempt from obtaining a PI authorization to offer cash withdrawals to customers that don’t purchase anything from the retailer. However, this exemption only applies if the cash withdrawal is below EUR 50 (EUR 100 in the European Parliament proposal) and on the condition that the withdrawal takes place within the retail store premises. Under the PSD3 proposal of the European Commission, independent ATM deployers (i.e. not servicing payment accounts) are also excluded from authorization obligations. However, the European Parliament proposed to modify this exemption by introducing a lighter registration process for such entities.
Next steps
While the official adoption timeline remains uncertain, the market expects a final version of PSD3 to be adopted and published by the end of 2025. As from then, Member States will have 18 months to transpose PSD3 into national law.
Under the new authorization regime introduced by the PSD3 proposal, authorizations already granted to PIs and EMIs will remain valid for 24 months from the entry into force of PSD3. However, PIs and EMIs will have to submit a new application to their NCA to allow them to assess their compliance with the new PSD3 requirements. According to the explanatory memorandum, the validity period could be extended to 30 months, on condition that application for a license (authorization) is made at the latest 24 months after PSD3 entry into force.
Based on PSD2 experience, the market could expect NCAs to publish grandfathering measures and require PIs and EMIs to submit the necessary information by a formal deadline.
If the final PSD3 text opts for the European Parliament’ s proposal for a lighter instead of a full authorization process, PIs and EMIs will rather be required to submit supplementary information necessary for the NCA to assess compliance with the new requirements and to determine whether the authorization should be maintained or withdrawn. If a PI or EMI meets all PSD3 requirements, the NCA must grant automatic authorization. However, if a PI does not comply with new requirements by the end of the transitional period, its authorization will be suspended until the necessary information is provided. In such cases, the NCA must inform the PI of any obstacles to the obtention of the authorization, and proceed accordingly with their removal without undue delay.
Preparing for the future
To prepare for the changes that PSD3 will bring, conducting a regulatory impact assessment is a practical first step for existing PIs and EMIs. This process will help identify gaps in the current framework compared to PSD3’s new obligations and lay the groundwork for timely compliance. By acting early and taking a strategic approach, institutions can not only ensure alignment with regulatory expectations but also position themselves to navigate challenges and seize emerging opportunities in the evolving payments landscape.