The payments landscape has undergone significant changes over the past decade. Fast-paced technological advancements have mainly driven the changes. Electronic payments in the EU have steadily increased, reaching a value of €240 trillion in 2021 (compared to €184.2 trillion in 2017). The COVID-19 pandemic has accelerated this trend.
This shift to electronic and digitial payments was accompanied by a rise in increasingly complex types of fraud, putting consumers at risk and undermining trust in authorities and the financial system.
An investigation done by the European Parliament in early 2022 found that.
- persistent fraud risks undermine payment users’ confidence in the payment industry, especially among consumers;
- the Open Banking framework faces obstacles, hindering data access for Open Banking service providers and stifling innovation;
- Inconsistent powers and obligations among EU supervisors lead to a fragmented payment market due to varying regulations and costs across Member States. EU regulators lack the authority to establish a functioning level playing field.
- An uneven playing field exists between bank and non-bank PSPs due to uncertainties and regulatory disparities from PSD2 and national laws for non-bank PSPs
PSD3 and PSR
The drafted Payment Services Directive 3 (PSD3) is a new directive for payment services and electronic money services in the Internal Market. It amends Directive 98/26/EC and repeals Directives 2015/2366/EU and 2009/110/EC, serving as an updated version of the Payment Services Directive 2 (PSD2). PSD3 remains a directive, primarily focusing on the licensing and operation of payment service providers
The proposed Payment Services Regulation (PSR), which regulates payment services within the internal market and amends Regulation (EU) No 1093/2010, will be directly applicable in EU member states.
PSD3 reinforces the authorization and licensing process
PSD3 covers authorisation and supervision of payment institutions. One of the novelties in the PSD2 revision is that payment institutions now encompass the provision of electronic money services, as PSD3 merges with the Electronic Money Directive. According to the proposed legislation, only payment institutions will exist, and can be authorised to offer e-money services
Authorisation and supervision will remain within the competence of the National Competent Authorities; however, more coordination and alignment between member states are requested.
Consumer protection rules foreseen in PSR
The PSR establishes uniform requirements for the provision of payment services and electronic money services across the EU, including transparency of conditions, information requirements, and the rights and obligations of payment service providers and users.
The PSR will apply to payment services provided within the EU by various categories of payment service providers, including credit institutions, payment institutions, and electronic money institutions.
It includes rules to improve access to payment systems and accounts for payment service providers, preventing “regulatory arbitrage” where providers choose more favorable jurisdictions.
It aims to further harmonize the rules on payment services, minimizing margins of interpretation, to improve competition between providers and prevent distortionsIt introduces measures to improve fraud detection and prevention in credit transfers, allowing payment service providers to collectively share information on fraudulent activity and techniques.
It proposes allowing merchants to offer cash provision services without needing a full payment service provider authorization.
The rules on fraud prevention (authorised push payment fraud; unauthorised payments)
The drafted consumer-friendly rules on authorised push payment fraud and unauthorised payments reflect the EU Commission’s confirmation, specifically that of the Economic and Monetary Affairs Committee (ECON), for more consumer protection as well as for the fight against payment fraud. The new rules stipulate that payment service providers are unequivocally responsible for implementing effective internal fraud prevention and detection procedures.
Strict notification requirement is set
Proposed Article 54 (1) of the PSR sets a strict notification requirement for the payment service user to inform the Payment Service provider about any unauthorised, incorrectly executed payment transaction or authorised transaction regarding impersonation fraud without undue delay after becoming aware of any such transaction and no later than 18 months after that transaction.
Liability for unauthorized transactions
The drafted rules within Article 56 of the PSR mandate that PSPs refund unauthorised payment transactions (unauthorised transactions may occur when the debit or credit card is lost or stolen) immediately, by the end of the next business day, or within 10 days where payer fraud is suspected. ECON suggested extending the timeframe to five business days and the time to investigate suspected payer fraud to 20 days.
Liability for authorised payment transactions
New rules on liability in the event of fraud are introduced in Article
- The payer shall not bear any financial losses for any authorised credit transfer where the [PSP] of the payer failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer.
- Where the [PSP] of the payee is responsible for the breach of Article 50(1) PSR committed by the [PSP] of the payer, the [PSP] of the payee shall refund the financial damage incurred by the [PSP] of the payer. …”
Similar to the rules in Instant Payment Regulation (IPR) amending the SEPA Regulation and CBPR2, a requirement for a “confirmation of payee” system, referred to as “matching services”, is introduced in Article 50 PSR about regular (i.e. “non-instant”) credit transfers where the payer inputs himself the unique identifier and the name of the payee.
Liability of technical service providers and operators of payment schemes
According to the drafted Article 58 PSR, technical service providers (payment gateway providers) and operators of payment schemes that either provide services to the payee or to the payment service provider of the payee or the payer shall be liable for direct financial damage caused to the payee, to the payment service provider of the payee or the payer.
New liability rules for authorised push payment fraud
A new liability regime for authorised push payments in case of impersonation fraud is introduced in the drafted Article 59 PSR:
“1. Where a [PSU] who is a consumer was manipulated by a third party pretending to be an employee of the consumer’s [PSP] or any other relevant party entity of a public or private nature using the name or e-mail address or telephone number of that entity unlawfully and that manipulation gave rise to subsequent fraudulent authorised payment transactions, the [PSP] shall refund the consumer the full amount of the fraudulent authorised payment transaction under the condition that the consumer has, without any delay, reported the fraud to the police and notified its payment service provider [..]
Accountability of social media will be introduced:
Article 59 (5) PSR proposes an accountability rule for the electronic communication providers regarding the impersonation fraud.
Next Steps for the PSD3 and the PSR to get enacted
The “trilogue process” requires that the Council of the EU, the European Commission, and the European Parliament reach an agreement on the new set of rules and obligations.
Great approach by the European authorities, let us see what the banking lobby thinks about the new rules and how this develops.
