PSD1, PSD2, PSD3: 15 years of EU legislation in a nutshell

Who, at the beginning of the 2000s, could offer payment services in the European Union?

At that time, it was extremely difficult to answer the question. Companies which provide payment services could fall under extremely different legal requirements from one Member State to another.

In some countries, one company needed to require authorisation. In others, the same activity would require to become a credit institution, obtain an electronic money institution (EMI) license, a dedicated license… or no authorisation at all.

In 2007, the EU ended this and harmonised the law across the continent with the first Payment Services Directive (PSD1).

The choice of a directive

In EU laws, two key terms often appear: "directives" and "regulations." These are important tools that the EU uses to make and enforce laws, but they work in slightly different ways.

Directives are like guidelines that the EU gives to its member countries. When the EU issues a directive, it tells each country what the end goal or result should be.

However, it leaves the specific details of how to achieve that goal up to each country’s own laws and government. So, member countries have some flexibility in implementing these rules, as long as they achieve the intended outcome.

On the other hand, regulations are more like strict, one-size-fits-all rules. When the EU passes a regulation, it becomes the law in every member country, and each country has to apply it exactly as written. There is less room for individual interpretation or adjustment.

One of the main advantages of the directive is that the European legislator does not have to think about every single payment institution that may be affected by the new text. Each country can adapt the legislation to its own specific payment landscape.

On the flip side, the lack of standardisation of the rules on the day-to-day retail payments scope can be challenging. We will come back to this below.

PSD1: the foundation for a single European retail payments market

PSD1, or the first Payment Services Directive, was introduced in 2007 and enforced in 2009 with the primary objective of laying the groundwork for a unified European retail payments market.

This legislative framework was designed to serve as the legal basis for establishing a single European payments market, enhancing the safety and innovation of payment services throughout the European Union. Its core aim was to make cross-border payments as seamless, efficient, and secure as domestic payments within any EU Member State.

Another significant aim of PSD1 was to foster competition and diversity in the payment services sector, thereby reducing the exclusivity of traditional banks in this domain. This directive opened the door for new players to enter the market and introduce price competitiveness, beyond the traditional world of banking institutions.

An important consequence of PSD1 was the introduction of electronic money institution licenses, which paved the way for non-traditional entities like Ayden to thrive in the European market. The landscape of payment service providers expanded as a result, with thousands of them settling in the EU.

PSD2: open banking and strong customer authentication for groundbreaking legal innovations

The Commission quickly proposed to revise PSD1 in July 2013. It was adopted in 2015.

PSD2 widened the scope of PSD1 by covering new services and players as well as by extending the scope of existing services, enabling their access to payment accounts.

Three major points were at play:

• extended geographical coverage of the directive

• the harmonisation of open banking on the continent

• strong customer authentication for electronic payments

Geographical coverage

While PSD1 had limited jurisdiction and only applied to payments occurring within the European Economic Area (EEA), it did not grasp payments involving third countries.

However, PSD2 brought about significant changes by including payments to and from third countries when one of the involved payment service providers operates within the EU. This extension of scope ensured that a broader range of international transactions is subject to EU regulations and information requirements, especially regarding information disclosure.

Open banking

Open banking allows individuals and businesses to securely share their banking data with third-party providers, such as fintech companies and other financial institutions.

This data gathered through open banking can include information about account balances, transaction history, and other financial details. The data comes through APIs, which enable the secure exchange of information between different financial service providers.

The revised PSD2 played a pivotal role in providing a stable regulatory framework for open banking in the EU. PSD2 constrained banks and financial institutions to open up secure access to their customer's account information to licensed third-party providers.

PSD2 also introduced specific strong customer authentication measures to enhance security and protect the privacy of individuals engaging in open banking payments.

By establishing these regulations, PSD2 encouraged the development of innovative financial services and improved customer choice by enabling new players to enter the market. In this way, PSD2 provided a stable and secure regulatory framework for open banking, benefiting both consumers and the financial industry as a whole.

However, the picture is not fully bright. Open banking implies that a third-party provider (TPP) will connect to a bank through APIs. But all APIs are not the same and of the same quality.

Hence, the absence of uniformity in the PSD2 APIs offered by various banks presents a significant hurdle for TPPs. It is impractical and demands substantial resources to integrate with a distinct API for every bank.

This fragmentation of APIs can result in unintended consequences. To streamline their operations, TPPs may opt to exclusively work with the APIs of the largest banks, potentially neglecting customers of smaller banks. This approach allows them to reach a maximum number of potential clients with minimal development efforts.

In response to API fragmentation, some aggregators came into play over the past few years in order to answer the need to uniformise API for TPPs.

Strong customer authentication

Under PSD2, all payment service providers, including banks, were mandated to adopt robust security measures.

A key requirement was the implementation of strong customer authentication (SCA) for electronic payments– with some exceptions – ensuring heightened security.

This measure aimed to strengthen the security of electronic payments and, consequently, provide greater protection for consumers.

SCA existed before PSD2, but PSD2 certainly enhanced electronic payment security for customers and harmonised these dispositions across the continent.

PSD3: “an evolution, not a revolution” of retail payments

In June 2023, the European Commission suggested new evolutions for the directive, after a year of consultations. The idea of a third directive, PSD3, is set.

The amendments suggested by the European Commission aim to represent “an evolution, not a revolution” of the EU payments framework. The amendments are meant to improve the functioning of EU payment markets and to solve some issues that were raised after PSD2 came into force, for instance, about open banking and technical implementation aspects of the directive.

A few objectives, though, particularly stand out as they did not appear in previous iterations:

• strengthening measures to combat payment fraud

• allowing non-bank payment service providers (PSPs) access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account

• further improving consumer information and rights

IBAN-name check to combat payment fraud

The European Commission has pushed forward a proposal for instant payments, introducing a service that identifies and alerts the payer about any discrepancies between the name and unique identifier of the payee before a euro-denominated instant credit transfer is finalised.

In an effort to create a consistent framework for all credit transfers within the EU, PSD3 aims to extend this service to cover all credit transfers. Importantly, this service must be offered to consumers without any additional charges.

Under this proposal, the payment service provider of the payee will have to, upon request from the PSP of the payer, verify whether the unique identifier (IBAN number) and the payee's name, as provided by the payer, are in alignment. This measure aims to enhance security, thus consumer confidence, in credit transfers across the EU.

Redefine how PSPs access bank account services

Regulations governing bank account services provided to non-bank PSPs are set to become significantly stricter. Banks will face more severe obligations if they wish to refuse PSPs access to their services.

Banks are key to non-bank PSPs. They ultimately hold customer funds. They allow PSPs to access EU payment systems.

Hence, banks will be asked to provide extensive explanations detailing why they are preventing a PSP from this access. This could include compelling reasons to suspect illegal activities conducted by or through the PSP or concerns about the PSP's business model and risk profile posing substantial threats to the credit institution.

Refund rights and GDPR to protect consumers

The European Commission's proposed directive introduces two key refund rights for consumers:

1. Incorrect IBAN-name chack: this provision offers protection to consumers who have suffered financial losses due to the failure of the IBAN-name verification service to detect a mismatch between the payee's name and IBAN. In such cases, affected consumers are entitled to refunds.

2. "Spoofing" Fraud: the directive addresses situations where consumers fall into "spoofing" fraud traps, where scammers impersonate bank employees and deceive consumers into taking actions that lead to financial harm. Victims of such fraud will be eligible for refunds, too.

Here again, in line with the will to harmonise several pieces of EU laws, the proposal also emphasises alignment with the General Data Protection Regulation (GDPR) to safeguard consumer data and privacy. It introduces clarifications and adjustments aimed at ensuring consistency with GDPR regulations, further enhancing consumer protection and data security.