PSD3: Everything you need to know

If you’re running a business that accepts electronic payments, it’s important to gain an understanding of the regulations. Payment technology is evolving all the time, and the rules governing this sector are periodically updated. PSD3 is the third iteration of a key piece of European legislation. A draft proposal outlining plans for PSD3 was published in June 2023, alongside plans for a new Payments Services Regulation (PSR - not to be confused with the Payments Systems Regulator in the UK). This article will explain everything you need to know to be ready when this legislation goes into effect.

Key takeaways

• PSD3 and PSR are expected to take effect around 2026 or 2027

• Together, they aim to enhance innovation in payments technology, combat fraud, improve customer rights and improve trust in financial data sharing.

• The Strong Customer Authentication standards that businesses must implement when accepting payments are likely to be upgraded.

• Modern, global, technologically advanced payment providers (like Airwallex) can help ensure your business remains compliant even as legislation evolves, while optimising your risk strategy for success.

What is PSD3?

To explain what PSD3 is, it’s necessary first to describe how the first Payment Services Directive (PSD) came about. Introduced in 2007, PSD1 was a response to the explosion of innovation happening in payments technology. It ensured that electronic payments remained safe for consumers, while new types of products were developed to make paying online increasingly seamless.

PSD established a legal framework for payment service providers (PSPs) – the companies enabling businesses to accept electronic payments – and set out the rights and obligations of users and providers.

PSD2 was adopted in 2015 and made applicable in EU member states in 2018. It mandated Strong Customer Authentication (SCA) to make online transactions more secure and encouraged more collaboration between traditional banks and fintech firms. For example, third-party providers were granted the right to access bank account information with user consent.

PSD3 will be the third version of the Payment Services Directive, and is not expected to be implemented until 2026 or later. It addresses disparate issues that will be explained in more detail below. These include: stronger measures to combat fraud, improving open banking, merging the legislative frameworks governing card payments and e-wallet transactions, levelling the playing field between bank and non-bank PSPs and improving consumers’ access to cash.

What is PSR?

The draft proposal published by the European Commission in June 2023 didn’t just outline plans for PSD3. It also introduces the concept of the Payment Services Regulation (PSR), which will regulate all payment service provider (PSP) activities uniformly across all EU member states.

Together, PSR and PSD3 will replace the pre-existing Electronic Money Directive. While PSD3 is an EU Directive, which must be transposed into the national laws of EU Member states, PSR is an EU Regulation. This means that it will directly apply across all EU Member States, without having to be implemented in national laws. 

What is the purpose of PSD3 and PSR?

The intention of this updated legislation, according to the European Commission, is to protect customers as they make electronic payments in the EU, while providing a greater choice of payment service providers on the market. More specifically, here are some of the aims of PSD3 and PSR:

Innovation 

A key aim of the legislation is improving the functioning of open banking. This means improving the use of APIs to share financial data with third-party companies, who can use it to improve the quality and choice of financial services available to customers. PSPs also benefit from a more level playing field between themselves and legacy banks, which should make competition fairer.

Security

Payment fraud is becoming more and more sophisticated, with “authorised push payment” (APP) fraud, for example, becoming increasingly widespread. This takes place when victims are manipulated into sending money to fraudsters who are pretending to be someone else, such as an investment firm, bank or a partner in an online romance. Regulations relating to security need to be updated to keep pace with these new types of fraud.

Consumer protection

Consumers’ rights, privacy and personal information also need to be protected. Open banking involves the sharing of information, but PSR and PSD3 aim to ensure this is done in a way that protects consumers. The legislation also aims to ensure more transparency for consumers, and also to improve their access to cash in shops and via ATMs.

Enhance trust in data sharing 

By giving control to consumers in regards to who can use their financial data and how, and ensuring their data is well protected, the legislation aims to enhance trust in financial data sharing. This can have a beneficial effect on both businesses and consumers.

Consistent and clear implementation

Regulations included in the new PSR will apply directly and consistently across the EU. More clarity will be introduced about breaches to the rules and the sanctions that apply, and the way that financial services companies have been classified will be streamlined. 

What are the key changes to regulation?

The broad aims of the new legislation were outlined above; in this section we’ll dive deeper into the specific measures being put in place.

Anti-fraud measures

• Enabling payment service providers to safely share fraud-related information between themselves, while remaining compliant with GDPR.

• Clarifying and reinforcing Strong Customer Authentication (SCA).

• Extending refund rights of consumers who fall victim to fraud. This includes new types of fraud like ‘spoofing’, which involves fraudsters tricking consumers into authorising payments, blurring the distinction between unauthorised and authorised transactions.

• To this end, making it mandatory to check that recipient’s IBANs align with their account names for all credit transfers. Initially this had only been proposed for instant payments.

• Strengthening transaction monitoring.

• Requiring PSPs to educate customers and staff about payments fraud.

Spurring innovation and fair competition

• Allowing but not requiring customers to share their data with data users (such as fintech firms) in order to have access to better services, like personalised online advice.

• Requiring financial institutions to create the necessary infrastructure for third parties, such as fintech firms, to access and use customers’ financial data, with appropriate safeguards in place.

• Giving non-bank PSPs the right to have a commercial bank account. Currently this can be denied to them by banks.

Improving customer rights and experience

• Enabling consumers to have more control over their data access permissions.

• Improving consumer information. For example, for credit transfers and money remittances from the EU to third countries, the Commission is proposing an obligation to inform the payment service user about the estimated charges for currency conversion. More transparency is also proposed for payment account statements and ATM charges.

• Making Strong Customer Authentication (SCA) more accessible to disabled persons and others with difficulties.

• Making it easier to access cash, including allowing customers to withdraw cash in stores without making a purchase, and making things easier for independent ATM providers.

Streamlining rules and implementation

• Reinforcing the enforcement powers of national authorities, facilitating implementation of the rules and clarifying various elements.

• Merging the legal frameworks applicable to electronic money and to payment services. Rather than talking about “e-money institutions,” the legislation now refers to “payment institutions,” which can be authorised to offer e-money services.

Who is affected by PSD3 and PSR?

Businesses that operate in the European Union (EU) will need to comply with PSD3 by implementing the changes to Strong Customer Authentication (SCA) regulations for customers paying online from within the European Economic Area (EEA). Although the UK is no longer formally bound to follow the new PSD3, the international nature of the payment industry means that it is likely the UK will be under pressure to review its own rules and align with the PSD3 requirements.

Because PSR will give businesses access to more detailed information on payment systems, they will be able to make better informed decisions about who to partner with for their payment processing needs.

The other types of entity that are affected by PSD3 and PSR are:

• Customers, i.e. the people making electronic transactions, either for business or personal purposes.

• Legacy or ‘traditional’ banks, which allow customers to deposit and borrow money.

• Third-party financial service providers, sometimes referred to as fintech companies or firms. In the context of open banking and the EU regulatory framework, these can be divided into the following categories:

• Account Information Service Providers (AISPs): These are authorised to view bank account information but cannot move money on behalf of their users. For example, companies that check credit scores or provide advice on managing money.

• Payment initiation service providers (PISPs): These can connect to a customer's bank account and initiate payments directly from that bank account on their behalf, without the need for a credit or debit card.

When will PSD3 take effect?

The draft proposal for PSD3 and PSR was published by the European Commission on 28 June 2023 and a meeting was held to start pushing things forward the following month. It is not yet clear when these new rules will be enforced, and estimates vary, but it has been credibly suggested that PSR could take effect in 2026 and PSD3 in 2027.

After PSD3 is passed, each EU or EEA country will be provided with a deadline to transpose it into their national law. PSR, on the other hand, will be directly applicable within 18 months from its publication, without the need for transposition by Member States at national level.

How can your business remain compliant with regulations?

Businesses that accept electronic payments can ensure they remain compliant with new regulations by working with a reliable, modern, state-of-the-art payments platform, like Airwallex.

Airwallex is a global financial platform designed to help businesses grow and safeguard their global revenue by offering payments services and Global Accounts. Businesses of all shapes and sizes – from eCommerce stores and subscription businesses to online marketplaces and platforms – use Airwallex to reach new global customers, eliminate unnecessary currency fees, and protect against fraud, while staying compliant with regulations all over the world.

3D Secure authentication with Airwallex

Balancing compliance with a frictionless user experience is important to optimise conversions and grow as a business. Airwallex ensures this balance is always maintained through its advanced 3D Secure engine, which supports both 3DS1 and 3DS2.

This software automatically chooses the best risk strategy based on applicable regulatory exemptions and policies, no matter what type of card your customer is using or what device they are on. Low-risk transactions are carried out seamlessly, while additional forms of authentication are required where necessary.

Advanced risk management

The Airwallex Risk Dashboard helps businesses gain better visibility and control over their fraud strategy. This ensures that processes are optimised and customised as required.

The dashboard will allow you to examine the performance of Airwallex’s real-time fraud protection model, which displays fraud metrics and illustrates how the performance of the risk engine affects the payment success and fraud rates of your business. You can also track historical key risk metrics, identify fraud patterns through time, and compare fraud and dispute rates to similar businesses to benchmark your current performance.

An additional level of control is offered through the Risk Watchlist section, which allows you to configure exceptions and create customised watchlists. These allow you to trigger Allow, Request 3DS, or Block decisions based on various data variables, such as email or card fingerprint.

Sign up for an Airwallex account today

No matter where you, your customers, or suppliers are based, Airwallex will help you ensure your customers are safe and your business is secure, while optimising risk strategy for success. Airwallex is up-to-date with all the requirements of PSD2 and is working with regulators to ensure that everything is ready for PSD3. Find out more about Airwallex Payments here, or get in contact with our team.