PSD1, PSD2, PSD3: 15 years of EU legislation in a nutshell

by Numeral


Who, at the beginning of the 2000s, could offer payment services in the European Union?

At that time, the question was hard to answer. Companies providing payment services could fall under very different legal requirements from one member state to another.

In some countries, a company needed a simple authorisation. In others, the same activity required it to become a credit institution, obtain an electronic money institution (EMI) licence or a dedicated licence… or no authorisation at all.

In 2007, the EU ended this fragmentation and harmonised the law across the continent with the first Payment Services Directive (PSD1).

Choice of a directive

In EU laws, two key terms often appear: “directives” and “regulations.” These are important tools that the EU uses to make and enforce laws, but they work in slightly different ways.

Directives are like guidelines that the EU gives to its member countries. When the EU issues a directive, it tells each country what the end goal or result should be.

However, it leaves the specific details of how to achieve that goal up to each country’s own laws and government. So, member countries have some flexibility in implementing these rules, as long as they achieve the intended outcome.

On the other hand, regulations are more like strict, one-size-fits-all rules. When the EU passes a regulation, it becomes the law in every member country, and each country has to apply it exactly as written. There is less room for individual interpretation or adjustment.

One of the main advantages of the directive is that the European legislator does not have to think about every single payment institution that may be affected by the new text. Each country can adapt the legislation to its own specific payment landscape.

On the flip side, the resulting lack of standardisation in day-to-day retail payment rules can be challenging, as discussed below.

PSD1: Foundation for a single European retail payments market

PSD1 was adopted in 2007 and had to be applied by member states from November 2009, with the primary objective of laying the groundwork for a unified European retail payments market.

This legislative framework was designed to serve as the legal basis for establishing a single European payments market, enhancing the safety and innovation of payment services throughout the EU. Its core aim was to make cross-border payments as seamless, efficient, and secure as domestic payments within any EU member state.

Another significant aim of PSD1 was to foster competition and diversity in the payment services sector, thereby reducing the exclusivity of traditional banks in this domain. This directive opened the door for new players to enter the market and introduce price competitiveness, beyond the traditional world of banking institutions.

An important consequence of PSD1 was the creation of the payment institution licence, which, alongside the existing electronic money institution (EMI) licence, paved the way for non-bank entities like Adyen to thrive in the European market. The landscape of payment service providers expanded as a result, with thousands of them settling in the EU.

PSD2: Open banking and strong customer authentication for groundbreaking legal innovations

The European Commission proposed a revision of PSD1 in July 2013. PSD2 was adopted in November 2015 and applied from January 2018.

PSD2 widened the scope of PSD1 by covering new services and players as well as by extending the scope of existing services, enabling their access to payment accounts.

Three major points were at play:

  • Extended geographical coverage of the directive.
  • Harmonisation of open banking on the continent.
  • Strong customer authentication for electronic payments.

Geographical coverage

PSD1 only applied to payments where both payment service providers were located in the European Economic Area (EEA); payments involving third countries fell outside its scope.

PSD2 changed this by also covering payments to or from third countries when one of the payment service providers involved is located in the EU (so-called one-leg transactions). This extension brought a broader range of international transactions under EU rules, in particular the transparency and information requirements.

Open banking

Open banking allows individuals and businesses to securely share their banking data with third-party providers, such as fintech companies and other financial institutions.

This data gathered through open banking can include information about account balances, transaction history, and other financial details. The data comes through application programming interfaces (APIs), which enable the secure exchange of information between different financial service providers.

The revised directive played a pivotal role in providing a stable regulatory framework for open banking in the EU. PSD2 required banks and other account-servicing institutions to give licensed third-party providers secure access to their customers' account information, with the customer's explicit consent.

PSD2 also introduced specific strong customer authentication measures to enhance security and protect the privacy of individuals engaging in open banking payments.

By establishing these regulations, PSD2 encouraged the development of innovative financial services and improved customer choice by enabling new players to enter the market. In this way, PSD2 provided a stable and secure regulatory framework for open banking, benefitting both consumers and the financial industry as a whole.

However, the picture is not entirely bright. Open banking implies that a third-party provider (TPP) connects to a bank through APIs. But not all APIs are built alike or to the same quality.

Hence, the absence of uniformity among the PSD2 APIs offered by various banks presents a significant hurdle for TPPs. Integrating with a distinct API for every bank is impractical and demands substantial resources.

This fragmentation of APIs can result in unintended consequences. To streamline their operations, TPPs may opt to exclusively work with the APIs of the largest banks, potentially neglecting customers of smaller banks. This approach allows them to reach a maximum number of potential clients with minimal development efforts.

In response to this API fragmentation, a number of aggregators have emerged over the past few years to give TPPs a single, uniform interface across banks.

Strong customer authentication

Under PSD2, all payment service providers, including banks, were mandated to adopt robust security measures.

A key requirement was the implementation of strong customer authentication (SCA) for electronic payments, with exemptions for cases such as low-value transactions. SCA means authenticating the customer with at least two independent factors out of knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is).

This measure aimed to strengthen the security of electronic payments and, consequently, provide greater protection for consumers.

SCA existed before PSD2, but PSD2 certainly enhanced electronic payment security for customers and harmonised these provisions across the continent.
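To make the requirement concrete, here is an added example (not code from the original article or from any PSP) of the two things SCA asks of a remote payment under PSD2: two independent factors, and an authentication code dynamically linked to the amount and payee shown to the customer, so that tampering with either after approval is detected. The message format, the PIN and device-key handling and the in-memory stores are illustrative assumptions, not the text of the directive or its regulatory technical standards.

```python
"""Added example: PSD2-style strong customer authentication for a remote payment.

  * two independent factors: something the customer knows (a PIN, checked as a
    salted PBKDF2 hash) and something they possess (a key held only by the
    enrolled device);
  * dynamic linking: the device's authentication code is an HMAC over the payee
    and amount shown to the customer, so the code is valid for exactly that
    transaction and fails if either is altered in transit.

Message format, factor handling and the in-memory stores are illustrative
assumptions, not the text of PSD2 or its regulatory technical standards.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee_iban: str
    amount_cents: int
    currency: str
    nonce: str  # fresh per attempt, so a captured code cannot be replayed


def linked_message(tx: Transaction) -> bytes:
    """The exact data the authentication code is bound to (dynamic linking)."""
    return f"{tx.payee_iban}|{tx.amount_cents}|{tx.currency}|{tx.nonce}".encode()


def device_sign(device_key: bytes, tx: Transaction) -> str:
    """Possession factor: computed on the enrolled device after it has shown
    payee and amount to the customer and the customer approved them."""
    return hmac.new(device_key, linked_message(tx), "sha256").hexdigest()


class SCAService:
    """The PSP side: verifies both factors and the dynamic link."""

    def __init__(self) -> None:
        self._pin_records: dict[str, tuple[bytes, bytes]] = {}  # knowledge factor
        self._device_keys: dict[str, bytes] = {}                # possession factor

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user_id: str, pin: str) -> bytes:
        salt = os.urandom(16)
        self._pin_records[user_id] = (salt, self._hash_pin(pin, salt))
        device_key = secrets.token_bytes(32)
        self._device_keys[user_id] = device_key
        return device_key  # provisioned to the customer's device out of band

    def _pin_ok(self, user_id: str, pin: str) -> bool:
        salt, reference = self._pin_records[user_id]
        return hmac.compare_digest(reference, self._hash_pin(pin, salt))

    def authorise(self, user_id: str, pin: str, device_code: str, tx: Transaction) -> bool:
        # Both factors must pass; the code must match this exact payee/amount/nonce.
        if user_id not in self._device_keys or not self._pin_ok(user_id, pin):
            return False
        expected = hmac.new(self._device_keys[user_id], linked_message(tx), "sha256").hexdigest()
        return hmac.compare_digest(expected, device_code)


def demo() -> dict[str, bool]:
    """Authorise a payment, then show that altering the amount or payee, or
    presenting a wrong PIN, invalidates the authorisation."""
    svc = SCAService()
    key = svc.enrol("alice", "4242")
    tx = Transaction("DE89370400440532013000", 12_500, "EUR", "n-001")
    code = device_sign(key, tx)  # customer saw 125.00 EUR to DE89... and approved
    tampered_amount = Transaction(tx.payee_iban, 999_900, tx.currency, tx.nonce)
    tampered_payee = Transaction("NL91ABNA0417164300", tx.amount_cents, tx.currency, tx.nonce)
    return {
        "legitimate": svc.authorise("alice", "4242", code, tx),
        "amount_tampered": svc.authorise("alice", "4242", code, tampered_amount),
        "payee_tampered": svc.authorise("alice", "4242", code, tampered_payee),
        "wrong_pin": svc.authorise("alice", "0000", code, tx),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} -> {'authorised' if ok else 'refused'}")
```

The point of the dynamic link is the two `tampered_*` cases: a malware-altered amount or payee produces a different message, so the HMAC computed on the device over what the customer actually saw no longer verifies. The per-transaction nonce stops a valid code from being replayed for a second, identical payment.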

PSD3: “An evolution, not a revolution” of retail payments

In June 2023, after a year of consultations, the European Commission proposed a new set of amendments: a third directive, PSD3, paired with a directly applicable Payment Services Regulation (PSR).

The amendments suggested by the European Commission aim to represent “an evolution, not a revolution” of the EU payments framework. The amendments are meant to improve the functioning of EU payment markets and to solve some issues that were raised after PSD2 came into force, for instance, about open banking and technical implementation aspects of the directive.

A few objectives, though, particularly stand out as they did not appear in previous iterations:

  • Strengthening measures to combat payment fraud.
  • Allowing non-bank payment service providers (PSPs) access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account.
  • Further improving consumer information and rights.

IBAN-name check to combat payment fraud

The European Commission had already put forward a proposal on instant payments introducing a service that identifies and alerts the payer about any discrepancy between the name and the unique identifier of the payee before a euro-denominated instant credit transfer is finalised.

In an effort to create a consistent framework for all credit transfers within the EU, PSD3 aims to extend this service to cover all credit transfers. Importantly, this service must be offered to consumers without any additional charges.

Under this proposal, the payment service provider of the payee will have to, upon request from the PSP of the payer, verify whether the unique identifier (the IBAN) and the payee's name, as provided by the payer, match. This measure aims to enhance security, and thus consumer confidence, in credit transfers across the EU.
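One way the payee's PSP could implement such a check, as an added example that is not part of the original article or of any PSP's actual service: validate the IBAN's structure and ISO 7064 mod-97 check digits, look the account up in a constructed in-memory register standing in for the PSP's customer records, and compare the name supplied by the payer with the registered holder name after normalising case, diacritics and punctuation. The matching threshold, the outcome labels and the register contents are assumptions, not anything the proposal prescribes.

```python
"""Added example: a payee-verification (IBAN-name check) routine of the kind
PSD3 would have the payee's PSP perform on request of the payer's PSP.

It (1) checks the IBAN's structure and ISO 7064 mod-97 check digits,
(2) looks the account up in a constructed register standing in for the payee
PSP's customer records, and (3) compares the name the payer typed with the
registered holder name after normalisation. Thresholds, outcome labels and the
register are illustrative assumptions, not the regulatory text.
"""
import re
import unicodedata
from difflib import SequenceMatcher

IBAN_SHAPE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
CLOSE_MATCH_RATIO = 0.8  # assumption; a real scheme tunes this against fraud data


def normalise_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """Structure check plus ISO 7064 mod-97-10: move the first four characters
    to the end, map letters A..Z to 10..35, and the number must be 1 mod 97."""
    iban = normalise_iban(iban)
    if not IBAN_SHAPE.match(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def normalise_name(name: str) -> str:
    """Strip diacritics, case-fold, drop punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^0-9a-z]+", " ", stripped.casefold())
    return " ".join(cleaned.split())


def compare_names(provided: str, registered: str) -> str:
    a, b = normalise_name(provided), normalise_name(registered)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_RATIO:
        return "close_match"
    return "no_match"


# Constructed register: IBAN -> account holder, standing in for the payee PSP's records.
ACCOUNT_REGISTER = {
    "DE89370400440532013000": "Ana María Müller",
    "GB82WEST12345698765432": "Acme Ltd",
}


def verify_payee(payee_iban: str, payee_name: str, register=ACCOUNT_REGISTER) -> dict:
    """The payee PSP's answer to the payer PSP. The registered name is disclosed
    only on a close match, so the service cannot be used to enumerate holders
    from IBANs alone (a design choice here, not a rule from the proposal)."""
    iban = normalise_iban(payee_iban)
    if not iban_is_valid(iban):
        return {"result": "invalid_iban"}
    registered = register.get(iban)
    if registered is None:
        return {"result": "account_not_found"}
    result = compare_names(payee_name, registered)
    answer = {"result": result}
    if result == "close_match":
        answer["registered_name"] = registered  # shown to the payer to confirm or abort
    return answer


if __name__ == "__main__":
    for iban, name in [
        ("DE89 3704 0044 0532 0130 00", "ana maria muller"),
        ("DE89370400440532013000", "Ana M. Muller"),
        ("GB82WEST12345698765432", "Globex Corp"),
        ("NL91ABNA0417164300", "Anyone"),
        ("DE89370400440532013001", "Ana María Müller"),
    ]:
        print(f"{iban} / {name!r} -> {verify_payee(iban, name)}")
```

The three-way outcome matters for the fraud case the article describes: on a close match the payer sees the registered name and can decide, on a no match the transfer should be flagged before it is irrevocably executed, and an invalid IBAN is rejected before the payee PSP is even queried.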

Redefine how PSPs access bank account services

Regulations governing bank account services provided to non-bank PSPs are set to become significantly stricter. Banks will face more severe obligations if they wish to refuse PSPs access to their services.

Banks are key to non-bank PSPs: they ultimately hold customer funds, and they give PSPs access to EU payment systems.

Hence, banks will be asked to provide extensive explanations detailing why they are preventing a PSP from this access. This could include compelling reasons to suspect illegal activities conducted by or through the PSP or concerns about the PSP’s business model and risk profile posing substantial threats to the credit institution.

Refund rights and GDPR to protect consumers

The European Commission’s proposed directive introduces two key refund rights for consumers:

  • Incorrect IBAN-name check: This provision offers protection to consumers who have suffered financial losses due to the failure of the IBAN-name verification service to detect a mismatch between the payee’s name and IBAN. In such cases, affected consumers are entitled to refunds.
  • “Spoofing” fraud: The directive addresses situations where consumers fall into “spoofing” fraud traps, where scammers impersonate bank employees and deceive consumers into taking actions that lead to financial harm. Victims of such fraud will be eligible for refunds, too.

Here again, in line with the aim of harmonising several pieces of EU law, the proposal also emphasises alignment with the General Data Protection Regulation (GDPR) to safeguard consumer data and privacy. It introduces clarifications and adjustments to ensure consistency with the GDPR, further enhancing consumer protection and data security.

Numeral and Payments:Unpacked

This article was originally published by leading bank orchestration platform Numeral and recently featured in the Payments:Unpacked newsletter from Mike Chambers – subscribe for free at: www.payments-unpacked.com.
