Navigating the shift: How banks and PSPs can thrive with PSD3 and PSR in the EU & UK

by Projective Group UK

PSD3 and PSR will guide and inspire UK banks and financial institutions to react proactively to upcoming changes. They should invest in robust business and technology architectures to make sure they remain competitive and provide consumer-centric solutions. In this environment, knowledge is key to future success, and participants need successful solutions that cover the full payments value chain in order to remain both compliant and competitive.

 

The payments ecosystem in the UK and EU is in constant flux, driven by regulatory guidance and technological advances.

In the UK, consumers and businesses make around 1,500 transactions every second. The government aims to simultaneously boost the economy and drive innovation in payments, via the National Payments Vision and Strategy, which has been shaped by views and inputs of over 100 financial institutions.

The EU aims to harmonize payments, enhance transaction security, and promote competition within the European Economic Area. PSD3 and PSR are the latest initiatives driving these goals.

What are PSD3 and PSR?

PSD3 builds on PSD2 by clarifying regulations, expanding bank liability, and introducing stricter IT and risk standards. It emphasises strong customer authentication and transaction transparency.

The PSR (Payment Service Regulation) complements the Payment Service Directive, leading to directly applicable law in all EU states.

Although PSD3 won’t directly impact the UK, it’s expected to inspire UK regulators and industry leaders, fostering competition. Understanding these changes is key to keeping the UK competitive.

The objectives of PSD3 and PSR:

  1. Strengthening consumer protection
  2. Improved competition in payments
  3. Harmonisation of EU legislation

Where do PSD3 and PSR stand now?

The revised regulations on strong customer authentication and liability rules are significant. Ongoing negotiations between the European Parliament and Council will finalize the text by late 2024, with implementation expected in 2026.

[Figure: PSD3 implementation schedule (2023-2026)]

What does this mean for banks and payment service providers?

The new PSD3 requirements will particularly impact the following areas:

  • Strong customer authentication (SCA): The regulations introduce stricter authentication requirements and expand options for low-digital-affinity and vulnerable groups. In April 2024, the European Parliament proposed broadening the inherence factor to include environmental and behavioural traits.

Following the UK’s adoption of SCA-RTS by the FCA in 2019, the EU regulations offer an opportunity to implement more secure and consumer-friendly standards.

  • Extended liability for payment institutions: With stricter fraud liability rules, banks, payment service providers, and electronic communication providers face greater accountability.

In October 2024, the UK introduced new APP Fraud regulations, splitting reimbursement responsibility 50/50 between sending and receiving PSPs.

  • Transaction monitoring and exchange of fraud-related data: To combat fraud effectively, banks and payment service providers must monitor transactions and share fraud-related data to detect early signs and respond swiftly.

In the UK, all PSPs must register in the Reimbursement Claims Management System (RCMS) for tracking and claim management.

CHAPS is also included, with the rules aligning with CHAPS participants and providing for 24/5 reimbursement for PSPs in the CHAPS system.

  • Prohibition of fees for certain payment services: PSD2 introduced a surcharge ban, prohibiting extra fees for certain payment methods. The new PSR draft expands this by preventing providers from charging payment fees, though discounts or offers promoting specific payment methods are still allowed.

How can banks and PSPs get ahead?

To stay competitive and profitable, banks and payment service providers must act proactively on the new regulations to secure early compliance.

  • Data sharing: Businesses will need to provide more detailed information to issuers to comply with SCA requirements.
  • Fraud prevention: Decision-makers should exchange information on fraud issues to learn from each other and create synergies. The UK already has regulations for Authorised Push Payment (APP) fraud to address similar issues.
  • Authentication: There will be stricter protocols to verify the identity of users during transactions. Under PSD2, Strong Customer Authentication (SCA) needed two factors from distinct categories: knowledge (something you know), possession (something you have), and inherence (something you are). With PSD3, it’s now possible to use two factors from the same category, such as a token and SMS OTP (both possession) or even two passwords (both knowledge). Automated IBAN-name checks will also be required to comply with the new regulations. The impact on transaction efficiency and security remains to be seen.

To summarise, PSD3 and PSR will guide and inspire UK banks and financial institutions to react proactively to upcoming changes. They should invest in robust business and technology architectures to make sure they remain competitive and provide consumer-centric solutions.

In this environment, knowledge is key to future success, and participants need successful solutions that cover the full payments value chain in order to remain both compliant and competitive.

About Projective Group:

Projective Group is a leading financial services change specialist with expertise in strategy, data, payments, risk and compliance, transformation, and talent. Our combined expertise ensures that clients are supported by domain specialists throughout all phases of their change journey. The Payments Practice addresses the latest banking sector developments, including building new market infrastructures, core banking replacement, and the introduction of instant and open banking.
