EU Payments Package: Problems, Revisions and New Directions

In June 2023, the EU released the revised payments package through three proposals: a proposal for a directive on payment services and electronic money services (PSD3); a proposal for a regulation on payment services (PSR); and a proposal for a regulation on a framework for financial data access (FDA).

The revision of the revised Payments Services Directive (PSD2) has been billed by the EU as an “evolution”, rather than a “revolution”, of the current payments rules. The changes span a wide scope, covering topics such as open banking and open finance, fraud, and simplification, harmonisation and application of most EU payments rules within a regulation. The EU has also released the Single Currency Package, looking into the future of physical and digital euro cash, although the decision to create a central bank digital currency (CBDC) is still to be decided by the European Central Bank.

Problems identified

Over the last few years, the European Commission has identified a range of issues around PSD2 that EU regulators considered would best be solved by new legislation. This includes:

• Certain types of fraud, such as social engineering becoming more prevalent, with these new types of fraud “not prevented by SCA” (strong customer authentication).
• A lack of clarity around rules arising in response to existing problems such as “abuse of SCA exemptions”.
• Diverging national approaches to rules resulting in a high concentration of payments firms in a few EU member states with companies “actively making use of passporting and establishment in different national jurisdictions”.
• This is also leading to “an unlevel playing field” among payment service providers (PSPs).
• “Mixed success in the uptake of open banking” (OB), with OB service providers continuing to “face obstacles to offering basic open banking services” and finding it “harder to innovate and compete with incumbent players”.
• This was leading to banks perceiving OB as a “pure regulatory burden”, and therefore not worth fully participating in.

The European Commission has tried to resolve these problems by considering changes that give each faction (i.e., banks, PSPs, national regulators and consumer groups) a solution to the specific problems they see as most important, which at the same time, does not conflict too much with the desires of other factions.

In doing so, several ideas were considered but were rejected as going too far:

• Removal of obligation to have a non-contractual basis for open banking, as well as to allow data holders to charge for the costs of maintaining OB infrastructure.
• Full liability on banks and payment firms for fraud via social engineering, i.e., impersonation scams.
• A specific open banking/finance enforcement body.

Given that these ideas were desired but rejected, they could form the basis for the next round of debates over how PSR could change.

This could happen when a review is conducted, five years after the implementation takes place. This review could also focus on whether data holders will be able to charge for open banking.

New fraud measures

The European Commission notes that despite the introduction of SCA, fraud continues to be a problem due to fraudsters “constantly adapting their techniques” to get around the system. In particular, certain types of social engineering fraud, including manipulation, impersonation or interception of a valid payment, “cannot be tackled by SCA” because, in most cases, the transaction has been authorised by the payer.

This has led to several problems, including consumer data/identity theft risk and a subsequent loss of confidence in digital payments, as well as costs to firms. The European Commission estimated that authorised push payment (APP) fraud was at €323m in 2020 for all Single Euro Payment Area (SEPA) credit transfers.

The commission has therefore proposed several additional anti-fraud measures, including:

• The extension of a confirmation of payee (CoP) requirement for the user’s name/IBAN number for all SEPA credit transfers, called an “IBAN/name verification service”.
• A change to the PSP’s liability to unauthorised transactions, so that the only “reasonable grounds” of refusal is suspecting fraud by the payer.
• A requirement to have a transaction monitoring system in place that would trigger SCA for potentially fraudulent payments which are not “typical” of the user.
• The option for PSPs to share fraud-related information between themselves, under a multilateral information sharing arrangement, such as the unique identifier of the payee.

To incentivise the adoption of the CoP requirement, the European Commission has proposed several measures to make sure it works as intended. Consumers can claim a refund if the verification fails or if they fall victim to "spoofing" fraud. This is in addition to fewer exemptions for unauthorised transactions.

However, certain conditions must be met for consumers to claim a full refund, including not being grossly negligent, not falling victim to the same fraud and the spoofing being convincing.

At the same time, the European Commission has made amendments around SCA, including:

• Clarity around what is exempt from SCA, i.e., digital payments not using an internet connection.
• Narrowing the scope of SCA exemptions in the case of direct debits.
• Allowing all account information services to only need to apply SCA once and then again in 180 days.
• New liability provisions for technical service providers (TSPs) and operations of payment schemes for failure to support SCA.
• Removal of liability for the payer when the payer’s or payee’s PSP has an exemption from SCA.

Despite the changes, the new proposals on combating social engineering fraud do not go as far as the UK anti-fraud proposal in terms of reimbursement, which promises to “introduce consistent minimum standards to reimburse (UK) victims of APP fraud” for the first time. Instead, the EU has specifically called out the risk of creating “moral hazard” and incentivising poor customer behaviour by going too far in mandating reimbursement.

In the EU impact assessment, both full and conditional reversal of liability for fraudulent authorised transactions were discussed. The former would give consumers a right to a refund for fraudulent authorised transactions, even if SCA was applied, while the latter would introduce only “limited changes” where a refund was required if the PSP failed to notify when name/IBAN verification details did not match.

However, in Chapter 4 of the proposed regulation (Articles 49-63), which includes the proposals on fraud, only the limited proposal for conditional liability has survived.

In contrast, the UK proposal seeks to require PSPs to reimburse vulnerable customers even in the case of gross negligence and requires that the cost of reimbursement should be shared between both the payer’s and payee’s PSP.

For UK firms, that last factor would leave firms susceptible to fraud costs, even if they had robust anti-fraud procedures, as they would not be able to control the procedures of other firms, one of several issues that the UK’s Payments Association brought up in a response.

One reason for the UK proposals going further could be the bigger problem of APP fraud in the UK, versus the EU. APP fraud in the UK for 2020 was £479m, compared with €323m for APP fraud in the EU, for all SEPA credit transfers, excluding instant payments. APP fraud in the UK continued to rise from 2017-2021 and has only recently started to fall, in part due to actions taken by banks to reduce “targeted investment and impersonation scams”.

From directive to regulation

The creation of the PSR and FDA will mean that, for the first time, EU-based payment rules will mostly be encapsulated via a regulation, a decision “some member states were reluctant” to agree to. Unlike a directive such as PSD2 which has to be transposed by a national authority, a regulation automatically appears on the statute books of a government, giving the national government no room to make adaptations.

A regulation is expected to lead to harmonisation among the different EU member states and less chance for firms to choose a jurisdiction with lower compliance expectations, as well as a chance to clear up points, such as definitions, which were previously unclear or ambiguous.

For example, the European Commission notes that the exclusions to PSD2 “diverged significantly”, making some member states more attractive to firms. In another example, the lack of a standardised definition of “payment account” led to divergent rules on what accounts could be accessed via open banking, i.e., e-money accounts, savings accounts, etc.

These measures are also an attempt to increase the provision of cross-border payment services, which according to the European Commission have been limited due to “inconsistencies in supervisory practices and enforcement”.

Subsequently, the European Commission has proposed a standard definition of multiple payment terms, including payment account, payment instrument, funds, account information and payment initiation services and merchant initiated transactions.

The proposal also requires national authorities to enforce the rules for potential infringements, including a list of breaches, the size of fines and what sanctions should take place. National authorities are additionally required to establish “effective mechanisms” to “encourage reporting of potential or actual breaches”.

These measures have been combined with new product intervention powers for the European Banking Authority (EBA), allowing the regulator to “temporarily prohibit or restrict” payments or e-money products, in the following cases:

• Scenarios that could potentially “cause harm to consumers” or “threaten the orderly functioning and integrity of financial markets”.
• Threats that are not currently addressed in EU law.
• If a national authority has not adequately addressed the threat.

The result of these measures is likely to be more predictable enforcement actions from regulators. This could potentially stop examples such as what happened in the instance of payments firm Unzer in September 2022, where multiple national European authorities took action against the company for shortcomings in its money laundering due diligence, such as dealings with merchants that were revealed to be front companies.

In Luxembourg, the firm was fined, while in Germany regulators banned the company from taking on new customers, for the same issue. The regulation may also change the vociferousness of the enforcement actions firms receive, particularly in jurisdictions currently with low enforcement of the current rules.

For firms seeking a licence, given a more homogenised regulatory environment, factors such as receiving a licence more quickly or getting better service from a regulator may prove more enticing to firms seeking a home jurisdiction for their European operations.

Open banking / finance

The European Commission identified several problems in the current open banking framework. These include:

• A “lack of incentives” on banks to share customer data as the costs were “perceived to be higher than the expected benefits”.
• A sense of not being “in control” by consumers over how their data was used.
• Open banking firms facing numerous “obstacles to OB”, such as customers having to perform SCA every day rather than every 90 days.

There have, therefore, been changes to open banking focusing primarily on giving incentives to banks and consumers to be more positively involved in open banking, combined with removing barriers for open banking firms. Notable mentions include:

• Banks will no longer need to maintain a dedicated “fallback interface” for OB data transfers.
• Consumers will have access to dedicated financial data access permission dashboards, which will allow them to decide exactly which entities get access to their data and to what extent.
• Open banking providers can use alternative interfaces to the bank’s if they need to and can sue for lost business if the bank tries to take it away from them.
• There will be fewer exemptions that banks can use to refuse to grant access to payment firms for bank account services, including where banks try to de-risk for commercial or regulatory compliance reasons.

For open banking firms, the transition from directive into regulation is also likely to smooth out some issues in certain countries where requirements set by national regulators were seen by the European Commission as going beyond the scope of PSD2. For example, in France, third-party providers are currently required to have the same capital projections as payment institutions, which was not the intention of PSD2.

In addition to open banking changes, the FDA proposal extends the principle into open finance, going beyond payments to loans (excluding credit checks), savings, investments, occupational and personal pensions, and non-life insurance.

The expansion into open finance has also meant the creation of a new licence type, a financial information services provider (FISP), which will allow firms to become data users of open finance data.

However, unlike open banking, the open finance framework will allow data holders, typically banks, to charge “reasonable compensation” for the maintenance of the API infrastructure, as well as agree contractual terms with data users. This will likely emerge via a financial data sharing scheme, a collective contractual agreement between data holders and users.

Although this proposal has already received some backlash from Klarna for “allowing banks to charge for accessing consumer data”, the proposal on only allowing compensation for infrastructure costs will allow the European Commission to claim that access to customer data continues to remain free of charge, while implementing charges into open finance.

In particular, contractual terms and charging for costs mark the first step towards what “banks broadly desired” in terms of a commercial incentive for open finance. Given the dichotomy between open banking and open finance, the current proposal may be a transitory measure towards allowing banks to charge for maintaining open banking infrastructure further down the line, although the commission rejected it this time on the grounds it would cause too much “market disruption”.

Payments e-money merger

The expected merger of payments and e-money institutions is not a full merger, but rather an alignment of conduct of business rules where appropriate. E-money is to become a subset of a payments institution, although will still retain a distinct nature, due to the European Commission wanting to keep e-money services and payment services separated due to their different risk profiles, particularly the “higher risks of deposit-taking activity”.

Licensing rules, particularly initial capital, will stay the same for both types, although the initial capital required will increase in line with inflation since 2007, calculated as 23.1 percent. This is because PSD2 did not take inflation into account. In most instances, this is an increase of around €25,000. For example, firms seeking a payment institution licence will now need €150,000 in initial capital instead of €125,000.

Other rules, including own funds, and rules particular to e-money, such as issuance of e-money, e-money distribution and redeemability, will remain distinct.

Payments and e-money firms will need to submit a new licensing application to their national authority within 18 months from the directive becoming effective. Firms should, therefore, start preparations for the re-licensing process, including deciding which licence/licence combinations are best for them and whether they will be able to comply with the updated rules, such as higher initial capital or own funds requirements.

As with fraud, a payments e-money merger is an area where the UK is also proposing to change, although this is at an earlier stage, with the Payments Association in April 2023 suggesting a merger of the rules should be done to remove complexity.

Levelling the playing field

Related to these measures is a proposal to allow payment institutions to gain access to designated payment systems, provided they successfully carry out the appropriate risk assessment. Research from the European Commission found that 69 percent of respondents, comprising mostly non-bank firms and public authorities, from the consultation on PSD2 were in favour of this change.

In contrast, banks were reluctant to let this happen, with the impact assessment citing “financial stability risks”, “light supervision” of non-banks and that non-banks already had access via third-party intermediaries. However, on this issue and related issues of giving payment firms better access to banking services, non-bank providers have won out, with EU member states having been given six months to transpose this law, suggesting a will to make this happen quickly.

Conclusion

In conclusion, the new payments proposals represent a lot of small changes, with the EU attempting to satiate various factions within the payments sector. However, at the same time, the EU has prioritised reducing fraud and incentivising consumers to use open banking.

The change from a directive to primarily a regulation for EU payments rules, coupled with new product intervention powers from the EBA, may provide for wider investment and more payments licence applications, given less discrepancy from national authorities on allowing low enforcement.

However, several proposed changes, such as the payments e-money merger or the changes from open banking to open finance, leave the potential for future changes. In particular, there is likely to be a continued discourse on the rules governing open banking and open finance, and whether these frameworks should be harmonised and to what extent data holders can earn revenue from either.

Finally, firms should expect national implementation of the rules sometime in the next few years once the final texts of the proposals have been agreed with the other necessary parties.