What you really need to know about PSD3

by Endava

Share this post

The Third Payment Systems Directive (PSD3) is intended to continue the drive of European payments and its wider financial sector into the digital age. Primarily centring around authentication and supervision, what do you need to know about PSD3?

PSD3 is an evolution, not a revolution. It updates PSD2 with rules and guidance on the market efficiency and technical capability of electronic payments services across the EU. As yet, PSD3 has been published only for review. Of course, being aware of the direction of travel and implications will be essential for making headway and gaining an advantage.

Timeline

PSD3 was issued for consultation in June 2023 and is likely to be finalised either later this year (2024) or early next year. Individual member states will then have to turn the directive into laws in their own countries, which is predicted to take another 18-24 months. This process is called transposition. The Payment Services Regulation (PSR), effectively ‘pan-European law’, does not require transposition, but it will likely come into effect simultaneously.

So what are the key effects of PSD3 and what should banks, PSPs, marketplaces, information service providers, schemes/networks, API providers and merchants, retailers and anyone else involved the payments ecosystem expect?

Key effects of PSD3 include:

  • Merger of payment institutions (PIs) and e-money institutions (EMIs)
  • Stronger regulation of digital marketplaces
  • Clearer rules about delegated authentication
  • Much more specific requirements for open banking APIs

Let’s unpack.

Merger of payment institutions and e-money institutions

Formerly separate entities, these will now be one. These ‘bank-lite’ licences were designed to help improve European competition and kick-started Monzo, Revolut, and others, many of which have become fully-fledged banks. Of course, this is different from the US, where only banks are licenced. PSD3 will simplify what are similar regimes and extend what PIs offer, including e-money services.

Stronger regulation of digital marketplaces

Off the back of successes like eBay, Amazon and Etsy, everyone wants to have a marketplace or evolve into one. After all, this is precisely what happened with Spotify, as it brought recording engineers, producers and artists together in one place. One key function of marketplaces is to collect and disperse money to sellers, which has evolved into a whole new sector of payments. Being able to onboard faster, deal with smaller customers, and deploy more agile tech means they are attractive to sellers and can scale and make money from payments.

We’re also seeing manufacturers in the car industry getting involved. A good example is Mercedes using the car as an orchestration channel to access its electronic ecosystem, enabling drivers to add performance features, tolling, and parking and potentially expand these out to booking hotels, restaurants, and experiences. We recently worked with Lynk & Co. to redefine car ownership with their subscription-based business model that combines digital touchpoints with automotive functionality. It’s not hard to see the opportunities.

But making things easier, cheaper, and quicker exposes marketplaces to bad actors, and PSD3 will now tighten how things work. This means closing loopholes and narrowing the Commercial Agent Exclusion. This helps to illustrate the overall PSD3 theme, reducing regulatory arbitrage and differences, which may result in increased clarity and greater simplicity for licence holders

Clearer rules about delegated authentication

PSD2 introduced the responsibility for banks to strongly authenticate consumers. This was widely interpreted as meaning that the issuers had to perform the authentication themselves, and, as you’d expect, this resulted in some very clunky and poor consumer experiences.

PSD3 explicitly says that authentication can now be delegated to third parties. That could be a merchant, gateway/acquirer, marketplace or wallet, as long as the commercial and legal framework is clear.  Hopefully, this will bring innovation to the authentication experience, with providers delegating to those who can build low-friction flows that take advantage of the latest developments like passkeys and biometrics. Perhaps we’ll even see the end of SMS messages as the second factor, finally removing a frankly insecure legacy technology from the ecosystem.

Much more specific requirements to open banking APIs

PSD2 directed banks to provide access to third parties via APIs, but there was no formal mechanism. PSD3 spells out the need for formal technical APIs, which means the end of screen-scraping workarounds. The UK had this a decade ago with the Open Banking standard, but we don’t think PSD3 will go as far as this. This is likely because there are currently two competing camps in Europe, the Berlin Group and the French STET, which are not currently interoperable. Their APIs are different, not just in specifications but differences dictated by laws, background, market development, financial institutions’ decisions, monetisation strategies and technical capabilities.

We think PSD3 will set out what it wants to achieve but will be mindful that it can be interpreted or implemented in different ways.

Effects on payments innovation

As we said from the start, PSD3 is an evolution and not a revolution, and as with PSD2, it is fundamentally to drive competition and provide greater consumer protection. We may see changes as the consultation phase closes, but PSD3 outcomes will likely be:

  • Some consolidation
  • Better, slicker, lower friction UX
  • More consistent interpretation of the rules (hopefully).

What might this mean for the UK now that it’s no longer part of the EU? Well, the EU remains a critical market for many UK merchants, and payments businesses remain part of the Single Euro Payments Area (SEPA), so businesses will adhere to that standardised set of rules. We therefore expect to see regulatory alignment broadly mirroring, but likely lagging (wait and see), what happens in Europe.

More To Explore

Membership

Merchant Community Membership

Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.

Welcome

Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?