Welcome PSD3 and Open Finance
On 28 June 2023, the European Commission published its long-awaited proposals for the Third Payment Services Directive ("PSD3"), the Payment Services Regulation ("PSR"), the Financial Data Access Regulation and the Digital Euro Regulation. The aim of these proposals is to modernise not only the EU’s payments market but the financial service sector as a whole. Below is a summary of key regulatory developments that are expected in the EU following these proposals.
PSD2 Introduced Open Banking
The Payment Services Directive, adopted in 2007, established a legal framework for an integrated European payments market. The Second Payment Services Directive ("PSD2") was, when entered into force in 2018, aimed at enhancing competition, security, and innovation in the EU's payments market. PSD2 also introduced open banking that generally refers to the obligation under PSD2for banks to open access to their customers’ payment accounts to the so-called third-party service providers allowing customers to benefit from innovative payment solutions.
However, open banking only covers payment initiation and account information services, and the EU's plans are more ambitious. As part of the EU's Digital Finance Strategy in 2020, the Commission announced its intention to adopt an open finance regulatory framework that goes further than open banking.Accordingly, open finance is a broader concept that extends the scope of shared customer information to areas such as savings, investments, mortgages, lending, and insurance.
During the recent years, it has become clear that not only new regulation regarding open finance is needed, but also PSD2 needs to be revised as evidenced by an evaluation of PSD2 last year – and now the Commission has published its respective proposals.
Transition to PSD3 and PSR
According to the Commission, amendments proposed to the current payment services regulation represent an evolution not a revolution of the EU payments framework. The aim of the new amendments is to improve the functioning of the EU's paymentsmarket by:
- strengthening measures to combat payment fraud;
- allowing non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account;
- improving the functioning of open banking, especially as regards the performance of data interfaces, removing obstacles to open banking services and consumer control over their data access permissions;
- reinforcing the enforcement powers of national competent authorities and facilitating implementation of the rules clarifying various elements;
- further improving consumer information and rights;
- improving the availability of cash; and
- merging the legal frameworks applicable to electronic money and to payment services.
The Commission proposes to enact both PSD3 and PSR. In short, PSD3 will regulate the licensing and authorisation of payment institutions. PSR will in turn provide rules relating to, among others, information requirements for payment services, and rights and obligations relating to the provision and use of payment services (including provisions on open banking).
As a directive, PSD2 needs to be transposed into the national laws of the EU Member States. As PSR is a regulation, it will, once entered into force, apply directly in the EU Member States and create a single legal framework across the EU. Accordingly, uncertainty and differences between national payments legislation will be reduced.
In practice, many payment service providers must prepare well for the proposed changes and understand how such changes may affect their business. For example, the proposed PSD3 includes a requirement for all payment institutions and electronic money institutions to seek reauthorisation within 24 months of PSD3 coming into force. This may involve work and costs for the regulated entities to be able to keep their authorisation.
Towards Open Finance
In accordance with the Commission's previous plans, also aproposal for a new framework for secure and open access to customer data across a wider range of financial services has now been published.
According to the Commission, the Financial Data Access Regulation will establish clear rights and obligations to manage customer data sharing in the financial sector beyond payment accounts, namely:
- possibility but no obligation for customers to share their data with data users (e.g. financial institutions or fintech firms);
- obligation for customer data holders (e.g. financial institutions) to make this data available to data users (e.g. other financial institutions of fintech firms);
- full control by customers over who accesses their data and for what purpose to enhance trust in data sharing;
- standardisation of customer data and the required technical interfaces;
- clear liability regimes for data breaches and dispute resolution mechanisms; and
- additional incentives for data holders to put in place high-quality interfaces.
In practice, this proposal is expected to lead to more innovative financial products and services and increase competition in the financial sector. For example, consumers would benefit from improved personal finance management, and companies would be able to access a wider range of financial services and products, such as more competitive loans resulting from their creditworthiness data being more easily accessible (as long as also personal data protection and the General Data Protection Regulation ("GDPR") are taken into account).
While the Financial Data Access Regulation is currently only a proposal, some parts of open finance are already here. For example, many banks offer services which enable customers to share and use their data in various channels. Such services are likely to be within the scope of the open finance legislation in the future.
There is not yet a clear timetable for the legislative process in relation to the proposals regarding PSD3/ PSR and the Financial Data Access Regulation. The proposals will now be reviewed by the European Parliament and the Council of the EU. The final versions will likely not become available before the end of 2024or early 2025 – in particular, if the European elections will delay the process. After the adoption of the proposals at the EU level, the EU Member States will most likely have 18 months to transpose PSD3 into national legislation, while PSR will enter into application 18 months after its entry into force, and the Financial Data Access Regulation 24 months after its entry into force.
If you are curious about the future and would like to discuss any of the above proposals, please be in contact. I will be following the legislative process as the Parliament and the Council negotiate the Commission's proposals over the coming months.
Dittmar & Indrenius Attorneys Ltd
Chambers has ranked Hanna-Mari in Band 1 for fintech in Finland in Chambers Fintech Legal 2023.