PSD3: a closer look at the third payment services directive

Five years after the implementation of PSD2, the European Commission is embarking on the journey towards PSD3. The new mandate focuses on enhancing customer authentication and expanding the realm of open banking protocols. In this article you’ll discover:

  • A comprehensive understanding of PSD3
  • A comparison of PSD3 and PSD2
  • The anticipated impact on banking, insurance, and related industries
  • How payment services providers can prepare for PSD3

What is PSD3?

PSD3 marks a significant milestone in the regulation of payment services and associated transactions within Europe. Its core aim is to eradicate identity fraud, reinforce and standardise cybersecurity in payment processes, expand citizen rights, and empower individuals to exert greater control over their personal data. 

The directive covers aspects like digital customer identification, open banking protocols, and standardised procedures within the Banking, Financial Services, Insurance, and related sectors (BFSI). PSD3 seeks to modernise and expand these regulations, with a strong emphasis on bolstering the security of electronic transactions, whether conducted within the realm of online banking or in broader financial contexts. 

On top of that, it envisions democratising access to banking services, transitioning from Open Banking to Open Finance. Another notable feature is its extensive geographic reach. While primarily applicable to EU member states, it also extends its jurisdiction to include countries such as Croatia, Iceland, Norway, and participants in the European Free Trade Association (EFTA). 

Overall, this new mandate represents a forward-looking approach to payment services regulation in Europe, reflecting the EU’s commitment to fostering innovation, security, and inclusivity in its financial ecosystem. 

PSD3 versus PSD2: the main differences

PSD3 represents a substantial upgrade from its predecessor, PSD2. It broadens and builds upon the foundation established by PSD2. The European Commission seeks to introduce new concepts to involve previously overlooked stakeholders. Here are some of the pivotal aspects and new features of PSD3: 

  1. Enhanced consumer protection and access: PSD3 reinforces consumer protection measures, focusing on security, transparency, liability, and rights. It strengthens security standards for payment transactions and emphasises customer data protection and privacy. It’s expected to introduce a maximum liability limit for customers in cases of fraudulent or unauthorised use of their payment methods, along with a more efficient dispute resolution mechanism.

  2. More stakeholders: While PSD2 primarily focused on payment services provided by traditional financial institutions, PSD3 extends its reach to cover all payment and non-payment services providers. Fintech companies and third-party providers will be compelled to adhere to Strong Customer Authentication (SCA) requirements. The directive also intends to clarify rules for independent ATM operators. This move aims to create a harmonised regulatory framework for all players in the payments landscape. 
  3. A broader geographic scope: PSD3 extends the directive’s reach to cross-border electronic payments between the European Economic Area (EEA) and third countries, encompassing both inbound and outbound transactions. Payment service providers will be required to adhere to the same rules that apply within the EEA, including SCA and Open Banking (or Open Finance), when dealing with customers or merchants outside the EEA.

  4. New concepts and broader functional scope: The concept of Open Banking evolves into Open Finance, which extends the types of data a customer can agree to share and enables financial service providers to access and initiate transactions that are not limited to bank accounts but also encompass other financial products such as insurance, pensions, investments, and leasing. This paves the way for more integrated and personalised services. 

    Embedded finance offers a novel approach to integrating financial services into various platforms and applications, such as social networks, e-commerce platforms, and mobility solutions. This integration requires robust SCA systems, aiming to enhance the convenience and seamlessness of payments and financial services within these environments. 

  5. Increased oversight and interoperability: PSPs will operate under a common framework for oversight and control by competent authorities, fostering cooperation between these authorities, including those from third countries, in addition to those within the Common European Economic Area and its allies. PSD3 also promotes interoperability among different systems and technical standards used by payment service providers, facilitating market access and competition. 

New requirements in SCA and MFA

PSD3 introduces significant changes to the SCA and multi-factor authentication standards. It revamps SCA substantially by aiming to create a unified financial API for SCA across the EEA, SEPA, and partner countries. 

Many of the SCA enhancements in PSD3 focus on precisely defining “online” access to payment accounts and on outlining the obligation to apply SCA controls and applications for payment service users. Additionally, PSD3 allows SCA mechanisms to apply broadly to nearly all payment transactions, with only a few specific exceptions. 

Account Information Service Providers (AISPs) and Payment Service Providers (PSPs) will be required to implement their own SCA systems, which can then act as a delegated SCA for the financial institutions.

This shift in responsibilities streamlines payment gateways and eliminates the need for external systems. PSD3 introduces proprietary requirements for card, gateway, and eCommerce schemes, building upon the standards set by SCA. 

PSD2 required MFA factors to belong to two different categories out of the following three: knowledge, possession, and inherence. PSD3 will allow the use of two factors from the same category, like token and SMS OTP or even two passwords. This aligns with PSD3’s aim to make SCA and MFA more accessible for non-digitally savvy users by providing them with authentication methods that don’t rely on smartphones.

While we applaud the European Commission’s intent to make SCA more accessible, we deplore the lowering of MFA standards. The proposal stipulates that two-factor authentication systems may rely on two factors of the same category instead of different categories, which defeats 2FA/MFA’s initial purpose. An attacker who has acquired one knowledge (or, respectively, possession or inherence) factor will also have access to other factors of the same category.

Having two passwords instead of one is a marginal improvement in security, while combining a password with a possession factor is a big step forward in security.
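The difference between the two rules can be made concrete with a small policy check. This is an added example, not part of the PSD3 proposal or of any product's code: the factor names, the `EXPOSES` threat model and all function names are constructed assumptions, and the model is deliberately simplified to one compromise event per row.

```python
# Factor -> SCA category (the three categories named in the article).
CATEGORY = {
    "password": "knowledge",
    "second_password": "knowledge",
    "hardware_token": "possession",
    "sms_otp": "possession",
    "fingerprint": "inherence",
}

# Constructed, simplified threat model (assumption, not from the PSD3 text):
# a single compromise event and the factors it exposes on its own.
EXPOSES = {
    "credential_dump": {"password", "second_password"},
    "stolen_bag": {"hardware_token", "sms_otp"},  # phone and token carried together
    "sim_swap": {"sms_otp"},
}

def psd2_compliant(factors):
    """PSD2 rule as described above: factors from two different categories."""
    return len({CATEGORY[f] for f in factors}) >= 2

def psd3_compliant(factors):
    """Proposed PSD3 rule as described above: two factors, category may repeat."""
    return len(set(factors)) >= 2

def single_event_breaks(factors):
    """Events that, alone, expose every factor in the combination."""
    return sorted(e for e, got in EXPOSES.items() if set(factors) <= got)

def review(factors):
    """Summarise a factor combination for an authentication design review."""
    return {
        "psd2": psd2_compliant(factors),
        "psd3": psd3_compliant(factors),
        "single_event_breaks": single_event_breaks(factors),
    }

if __name__ == "__main__":
    for combo in (["password", "second_password"],
                  ["hardware_token", "sms_otp"],
                  ["password", "hardware_token"]):
        print(combo, review(combo))
```

A combination with a non-empty `single_event_breaks` list is one where the second factor adds little independence, which is the design property to look for regardless of which rule applies.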

Dates and approval process for PSD3

An official implementation timeline is yet to be established; however, it’s plausible to expect the final proposal to be available by late 2024, with implementation deadlines likely to be set around 2026. PSD3 will come into effect twenty days after being published in the Official Journal of the European Union. This proposal allows companies to proactively adapt to PSD3 and to harness advantages and benefits ahead of implementation.

How payment services providers can prepare for PSD3

First, assess your current processes. Review existing payment services to identify necessary adjustments or improvements to meet PSD3 requirements and ensure that your technological infrastructure can accommodate PSD3-mandated changes. Invest in robust security measures, advanced authentication methods, and fraud prevention mechanisms. 

Many fintech companies and third-party providers are looking to explore innovative payment solutions and develop strategic partnerships. Instead of shying away from exchanging ideas, we strongly recommend collaborating and co-creating.  

Although PSD3 can hardly be seen as a revolution, it does have far-reaching implications for PSPs. It’s key to identify champions within the organisation and have them communicate effectively with staff and customers on enhanced security measures and their benefits. 

Lastly, make sure to visit nextauth.com to keep up with regulatory updates and industry insights.