The Third Payment Systems Directive (PSD3) is intended to continue driving European payments, and the wider financial sector, into the digital age. It centres primarily on authentication and supervision, so what do you need to know about PSD3?
PSD3 is an evolution, not a revolution. It updates PSD2 with rules and guidance on the market efficiency and technical capability of electronic payments services across the EU. As yet, PSD3 has been published only for review. Of course, being aware of the direction of travel and implications will be essential for making headway and gaining an advantage.
Timeline
PSD3 was issued for consultation in June 2023 and is likely to be finalised either later this year (2024) or early next year. Individual member states will then have to turn the directive into laws in their own countries, which is predicted to take another 18-24 months. This process is called transposition. The Payment Services Regulation (PSR), effectively ‘pan-European law’, does not require transposition, but it will likely come into effect simultaneously.
So what are the key effects of PSD3 and what should banks, PSPs, marketplaces, information service providers, schemes/networks, API providers and merchants, retailers and anyone else involved in the payments ecosystem expect?
Key effects of PSD3 include:
- Merger of payment institutions (PIs) and e-money institutions (EMIs)
- Stronger regulation of digital marketplaces
- Clearer rules about delegated authentication
- Much more specific requirements for open banking APIs
Let’s unpack.
Merger of payment institutions and e-money institutions
Formerly separate entities, these will now be one. These ‘bank-lite’ licences were designed to help improve European competition and kick-started Monzo, Revolut, and others, many of which have become fully-fledged banks. Of course, this is different from the US, where only banks are licensed. PSD3 will simplify what are similar regimes and extend what PIs offer, including e-money services.
Stronger regulation of digital marketplaces
Off the back of successes like eBay, Amazon and Etsy, everyone wants to have a marketplace or evolve into one. After all, this is precisely what happened with Spotify, as it brought recording engineers, producers and artists together in one place. One key function of marketplaces is to collect and disburse money to sellers, which has evolved into a whole new sector of payments. Being able to onboard faster, deal with smaller customers, and deploy more agile tech means they are attractive to sellers and can scale and make money from payments.
We’re also seeing manufacturers in the car industry getting involved. A good example is Mercedes using the car as an orchestration channel to access its electronic ecosystem, enabling drivers to add performance features, tolling, and parking and potentially expand these out to booking hotels, restaurants, and experiences. We recently worked with Lynk & Co. to redefine car ownership with their subscription-based business model that combines digital touchpoints with automotive functionality. It’s not hard to see the opportunities.
But making things easier, cheaper, and quicker exposes marketplaces to bad actors, and PSD3 will now tighten how things work. This means closing loopholes and narrowing the Commercial Agent Exclusion. This illustrates the overall PSD3 theme: reducing regulatory arbitrage and differences, which may result in increased clarity and greater simplicity for licence holders.
Clearer rules about delegated authentication
PSD2 introduced the responsibility for banks to strongly authenticate consumers. This was widely interpreted as meaning that the issuers had to perform the authentication themselves, and, as you’d expect, this resulted in some very clunky and poor consumer experiences.
PSD3 explicitly says that authentication can now be delegated to third parties. That could be a merchant, gateway/acquirer, marketplace or wallet, as long as the commercial and legal framework is clear. Hopefully, this will bring innovation to the authentication experience, with providers delegating to those who can build low-friction flows that take advantage of the latest developments like passkeys and biometrics. Perhaps we’ll even see the end of SMS messages as the second factor, finally removing a frankly insecure legacy technology from the ecosystem.
Much more specific requirements for open banking APIs
PSD2 directed banks to provide access to third parties via APIs, but there was no formal mechanism. PSD3 spells out the need for formal technical APIs, which means the end of screen-scraping workarounds. The UK had this a decade ago with the Open Banking standard, but we don’t think PSD3 will go as far as this. This is likely because there are currently two competing camps in Europe, the Berlin Group and the French STET, which are not currently interoperable. Their APIs differ not just in specifications but also in ways dictated by laws, background, market development, financial institutions’ decisions, monetisation strategies and technical capabilities.
We think PSD3 will set out what it wants to achieve but will be mindful that it can be interpreted or implemented in different ways.
Effects on payments innovation
As we said from the start, PSD3 is an evolution and not a revolution, and as with PSD2, it is fundamentally intended to drive competition and provide greater consumer protection. We may see changes as the consultation phase closes, but PSD3 outcomes will likely be:
- Some consolidation
- Better, slicker, lower friction UX
- More consistent interpretation of the rules (hopefully).
What might this mean for the UK now that it’s no longer part of the EU? Well, the EU remains a critical market for many UK merchants, and payments businesses remain part of the Single Euro Payments Area (SEPA), so businesses will adhere to that standardised set of rules. We therefore expect to see regulatory alignment broadly mirroring, but likely lagging (wait and see), what happens in Europe.