
PSD3: The Next Phase in Europe’s Payment Services Regulation

With the successful rollout of PSD2, the European Union (EU) continues to advance innovation in the payments domain through the anticipated introduction of the Payment Services Directive 3 (PSD3). On June 28, 2023, the European Commission published a draft proposal for PSD3 and the Payment Services Regulation (PSR). The finalized versions of this directive and associated regulation are expected to be available by late 2024, although some predictions suggest a more likely timeline of Q2 or Q3 2025. Given that member states are typically granted an 18-month transition period, PSD3 is expected to come into effect sometime in 2026. Notably, the Commission has introduced a regulation (PSR) alongside the PSD3 directive, ensuring more harmonization across member states as regulations are immediately effective and do not require national implementation, unlike directives.

PSD3 shares the same objectives as PSD2, i.e. increasing competition in the payments landscape and enhancing consumer protection. However, PSD3 aims to deepen these efforts with a focus on enhancing security, fraud prevention and inclusivity, broadening open banking, further leveling the playing field for competition and innovation, and enhancing consumer rights:

  • Enhanced Security, Fraud Prevention, and Inclusivity: PSD3 focuses on strengthening the security of electronic payments. As technology advances, so do fraud tactics, such as "spoofing". To combat these, PSD3 is expected to implement several improvements:

    • More rigorous Strong Customer Authentication (SCA) requirements, including clearer criteria for SCA exemptions and mandatory SCA for mobile wallet enrolment.

    • Integration of biometrics and potentially machine learning algorithms to enhance security without compromising user convenience. This includes strengthened transaction monitoring measures that use extensive data about payments to assess risk, such as user location, transaction times, devices used, spending habits, and device IP addresses.

    • Accessibility-focused SCA methods, so that complex multi-factor authentication flows offer alternatives that maximize inclusivity for elderly users or people with disabilities. The Commission proposes to drop the PSD2 requirement that MFA factors must belong to two different categories (knowledge, possession, and inherence), which may, however, lead to a serious reduction in security.

    • Verification of Payee (VOP): Mandatory payee validation checks for all credit transfers, aligning with the "Instant Payment Directive", which also mandates this for all instant payments.

    • A legal framework to facilitate the sharing of fraud-related information between banks.

  • Broadening of Open Banking: Building on the open banking concept introduced by PSD2, PSD3 is set to expand this framework, enhancing user-friendliness. Despite expectations, unfortunately PSD3 does not propose standardization of all data streams. However, it does introduce several elements to make open banking more appealing:

    • A (permission) dashboard for customers to monitor and manage all consents given to third parties, with the ability to withdraw data access at any time.

    • An obligation for banks to provide an alternative interface in case of outages.

    • Mandatory quarterly publication of statistics on API interface availability and performance.

    • A list of prohibited obstacles to data access, such as restricting payment initiation via a Payment Initiation Service Provider (PISP) to payees on the payer’s approved list.

    • At the same time as the PSD3 and PSR proposals, the European Commission also published a proposal for FIDA (Financial Data Access) or FiDAR (Financial Data Access Regulation). This additional regulation offers a legal framework for sharing customer data between different entities active in the financial services sector. The FiDAR regulation reuses the consent management concept of PSD2, but can also be used to share other types of financial data, such as credit, securities or insurance data.

  • Fair Competition and Market Integration: PSD3 seeks to ensure that non-bank financial entities have equal access to banking infrastructure, potentially reshaping the competitive landscape and fostering innovative financial services:

    • Inclusion of new types of financial services and technologies not previously covered, such as cryptocurrencies, digital wallets, and peer-to-peer payment platforms.

    • A prohibition on banks refusing a bank account to non-bank PSPs without substantive reasons, such as suspicion of illegal activities.

    • More stringent restrictions on the use of the eMoney exemptions, such as the use of the commercial agent exemption by platforms and marketplaces.

  • Enhancing Consumer Rights: PSD3 aims to increase transparency and protection in currency conversion charges and payment transactions:

    • Greater transparency on currency conversion and ATM charges.

    • Clear identification of payees on account statements.

    • Limitations on the duration and amount of pre-authorizations (held funds).

    • A framework for cash withdrawal services, such as allowing retailers to offer cash withdrawals or exempting certain ATM operators from licensing.

As the details of PSD3 are still under development, much discussion about its content remains speculative. Nevertheless, the directive is expected to significantly evolve the EU’s payments landscape, with an emphasis on security, consumer protection, and market integration. It is advisable for banks and PSPs to begin preparing in the outlined domains to ensure readiness once the regulation takes effect.
