What you really need to know about PSD3

by Endava

The Third Payment Systems Directive (PSD3) is intended to continue the drive of European payments and its wider financial sector into the digital age. Primarily centring around authentication and supervision, what do you need to know about PSD3?

PSD3 is an evolution, not a revolution. It updates PSD2 with rules and guidance on the market efficiency and technical capability of electronic payments services across the EU. As yet, PSD3 has been published only for review. Of course, being aware of the direction of travel and implications will be essential for making headway and gaining an advantage.

Timeline

PSD3 was issued for consultation in June 2023 and is likely to be finalised either later this year (2024) or early next year. Individual member states will then have to turn the directive into laws in their own countries, which is predicted to take another 18-24 months. This process is called transposition. The Payment Services Regulation (PSR), effectively ‘pan-European law’, does not require transposition, but it will likely come into effect simultaneously.

So what are the key effects of PSD3 and what should banks, PSPs, marketplaces, information service providers, schemes/networks, API providers and merchants, retailers and anyone else involved in the payments ecosystem expect?

Key effects of PSD3 include:

  • Merger of payment institutions (PIs) and e-money institutions (EMIs)
  • Stronger regulation of digital marketplaces
  • Clearer rules about delegated authentication
  • Much more specific requirements for open banking APIs

Let’s unpack.

Merger of payment institutions and e-money institutions

Formerly separate entities, these will now be one. These ‘bank-lite’ licences were designed to help improve European competition and kick-started Monzo, Revolut, and others, many of which have become fully-fledged banks. Of course, this is different from the US, where only banks are licensed. PSD3 will simplify what are similar regimes and extend what PIs offer, including e-money services.

Stronger regulation of digital marketplaces

Off the back of successes like eBay, Amazon and Etsy, everyone wants to have a marketplace or evolve into one. After all, this is precisely what happened with Spotify, as it brought recording engineers, producers and artists together in one place. One key function of marketplaces is to collect and disperse money to sellers, which has evolved into a whole new sector of payments. Being able to onboard faster, deal with smaller customers, and deploy more agile tech means they are attractive to sellers and can scale and make money from payments.

We’re also seeing manufacturers in the car industry getting involved. A good example is Mercedes using the car as an orchestration channel to access its electronic ecosystem, enabling drivers to add performance features, tolling, and parking and potentially expand these out to booking hotels, restaurants, and experiences. We recently worked with Lynk & Co. to redefine car ownership with their subscription-based business model that combines digital touchpoints with automotive functionality. It’s not hard to see the opportunities.

But making things easier, cheaper, and quicker exposes marketplaces to bad actors, and PSD3 will now tighten how things work. This means closing loopholes and narrowing the Commercial Agent Exclusion. This helps to illustrate the overall PSD3 theme, reducing regulatory arbitrage and differences, which may result in increased clarity and greater simplicity for licence holders.

Clearer rules about delegated authentication

PSD2 introduced the responsibility for banks to strongly authenticate consumers. This was widely interpreted as meaning that the issuers had to perform the authentication themselves, and, as you’d expect, this resulted in some very clunky and poor consumer experiences.

PSD3 explicitly says that authentication can now be delegated to third parties. That could be a merchant, gateway/acquirer, marketplace or wallet, as long as the commercial and legal framework is clear. Hopefully, this will bring innovation to the authentication experience, with providers delegating to those who can build low-friction flows that take advantage of the latest developments like passkeys and biometrics. Perhaps we’ll even see the end of SMS messages as the second factor, finally removing a frankly insecure legacy technology from the ecosystem.

Much more specific requirements for open banking APIs

PSD2 directed banks to provide access to third parties via APIs, but there was no formal mechanism. PSD3 spells out the need for formal technical APIs, which means the end of screen-scraping workarounds. The UK had this a decade ago with the Open Banking standard, but we don’t think PSD3 will go as far as this. This is likely because there are currently two competing camps in Europe, the Berlin Group and the French STET, which are not currently interoperable. Their APIs are different, not just in specifications but differences dictated by laws, background, market development, financial institutions’ decisions, monetisation strategies and technical capabilities.

We think PSD3 will set out what it wants to achieve but will be mindful that it can be interpreted or implemented in different ways.

Effects on payments innovation

As we said from the start, PSD3 is an evolution and not a revolution, and as with PSD2, it is fundamentally intended to drive competition and provide greater consumer protection. We may see changes as the consultation phase closes, but PSD3 outcomes will likely be:

  • Some consolidation
  • Better, slicker, lower friction UX
  • More consistent interpretation of the rules (hopefully).

What might this mean for the UK now that it’s no longer part of the EU? Well, the EU remains a critical market for many UK merchants, and payments businesses remain part of the Single Euro Payments Area (SEPA), so businesses will adhere to that standardised set of rules. We therefore expect to see regulatory alignment broadly mirroring, but likely lagging (wait and see), what happens in Europe.
