Open finance: The contributions of PSD2 and the upcoming PSD3
The PSD2 regulation has profoundly changed the world of banking and payments. Policy expert Dr. Dirk Haubrich, Head of Conduct, Payments and Consumers at the European Banking Authority, gives us his feedback on the successes of PSD2 as well as the improvements to be made, and sheds light on the EBA's recommendations for the PSD3 directive in preparation.
What is your assessment of PSD2 and its impact?
The PSD2 has been a paradigm shift for the regulation of payment services. It introduced for the first time in EU law detailed security requirements, in particular the requirement to apply two-factor strong customer authentication (SCA) for the initiation of electronic payment transactions and for accessing payment accounts online. It also laid the foundations for the concept of open payments and open banking, by bringing into the scope of regulation two new payment services that are based on access by third party providers to customer data held primarily by credit institutions, namely payment initiation services (PIS) and account information services (AIS). The Directive also had an explicit competition-enhancing objective by regulating services that are provided by legal entities that operate as competitors to incumbent credit institutions. And then there are PSD2 objectives such as facilitating innovation, further enhancing a single EU market for retail payments, and enhancing customer convenience.
This directive has therefore been uniquely ambitious and, thus, also challenging for a supervisory authority like the EBA, because some of these objectives are mutually contradictory and require regulatory requirements to make difficult trade-offs between these competing demands.
However, we are satisfied that many objectives have materialized in a significant way. For example, the requirements on strong customer authentication (SCA) are having the desired effect of significantly reducing fraud. This is evidenced in particular by our preliminary analysis of payment fraud data and the assessment of the SCA migration data for e-commerce card-based payment transactions, which suggests that fraud rates are 40-60% lower for payment transactions where SCA is applied compared to those where SCA is not applied. We are expecting these figures to improve further once we have completed our analysis more comprehensively later in 2023. In addition, data from the EBA’s central register under PSD2 reveals that more than 2700 PIs and EMIs, including 400 non-bank third party providers (TPPs), have been authorized or registered in the EU, thus contributing to the competition-enhancing objective of the Directive.
Nevertheless, we are also of the view that there are some issues. The most important one is the continued obstacles that some AIS and PIS providers face when accessing payment accounts at some banks, and the often cumbersome journeys customers have to endure using the interfaces provided by those banks. This remains a priority for us to address in 2023, jointly with our national competent authorities as direct supervisors of those banks. We would want to see this issue addressed and also not repeated when the concept of open payments may be extended in EU law to other banking products or financial services more generally (open banking / open finance).
What is the objective of the PSD3 regulation and when will it come into effect?
It is not for the EBA to define the objectives of the PSD3, or of any other EU directive or EU regulation for that matter. It is a prerogative of the EU Commission to propose ‘Level-1’ law and then for the EU Council and EU parliament as co-legislators to approve and enact it. The EBA, therefore, is not in a position to answer this question.
However, should there indeed be a PSD3, the EBA might be requested to support the implementation of the directive, by developing technical standards and/or guidelines that set out more detailed requirements on how the objectives of, and provisions in, the directive are to be fulfilled. And the EBA would stand ready to fulfil this role. We would do so by developing the PSD3 mandates in a similar way as we developed, between 2016 and 2018, the mandates under PSD2: we will carefully analyze the scope of the mandates, develop draft requirements and their underlying rationale, publish those draft requirements for consultation, and we will then thoroughly assess the consultation responses we will receive, to decide whether or not we need to make amendments to the final requirements before publishing them.
We will accompany this final publication with an extensive ‘feedback table’, in which we list every comment or concern raised by respondents, set out our assessment of the arguments presented therein, and explain whether, and if so how, we have decided to amend the requirement. This process is elaborate and intensive for us but also a key element of the EBA’s policy development approach, as we aim for utmost transparency on how we arrive at our decisions.
What should PSD3 change?
We have recently provided advice to the EU Commission on what issues a potential future PSD3 should address. More specifically, we made more than 200 detailed recommendations. The proposed amendments include the merging of the PSD2 and the Electronic Money Directive; clarifying the application of strong customer authentication (SCA) and the precise transactions that are in scope; addressing new security risks for customers such as social engineering fraud where customers are tricked into initiating a payment transaction; and addressing concerns about particular authentication approaches chosen by banks (e.g. based on smartphones) that have led to exclusion of certain groups of society from using payment services online.
We have also recommended addressing underlying issues and obstacles to the provision of PIS and AIS services, including the proposals for AIS providers to apply their own SCA with their customers instead of relying on the authentication procedures by banks, to empower customers to remain in control of their data, and to support the development of high-quality interfaces across the EU. We have also recommended addressing the enforcement shortcomings in relation to the implementation and application of SCA for e-commerce card-based transactions and the removal of obstacles to the provision of AIS and PIS services, addressing unwarranted de-risking practices by banks affecting payment and e-money institutions, and adjusting the prudential requirements, in particular in relation to initial capital, own funds, the use of professional indemnity insurance, the proposal for recovery and wind-down for significant payment institutions, and possible consolidation group supervision.
As I said earlier, the EBA stands ready to assist the EU Commission and co-legislators with the implementation of a potential PSD3.