The second wave of open banking: PSD3, PSR and FIDA – what we can expect

The Payment Services Directive PSD2 came into force on 14 September 2019, with the aim of improving consumer protection and the security of electronic payments. The regulation also aimed to promote competition on the one hand, and innovation on the other. In 2022, the European Commission put PSD2 to the test. To this end, there were several consultations on the success of the directive. After evaluating the feedback and insights, the European Commission has now presented a new draft in the form of PSD3, PSR and FIDA. The next step involves the new regulations going through a legislative process, which is likely to take until 2025. The plan for the PSR is for it to take effect 18 months after it comes into force.

What has PSD2 achieved so far?

PSD2 has enabled third party providers (TPPs) and FinTech companies to obtain legally secure access to account information and payment services throughout the EU. This has increased competition in payment transactions and encouraged the emergence of new, innovative solutions. For consumers, it means that they benefit from a wider range of payment services and better products.

PSD2 therefore laid the foundation for the practice of open banking. Banks and third-party providers can now exchange their services and data in a legally secure manner. This enables the seamless integration of financial services with digital partners and opens up new opportunities for them to offer consumers personalised products and services based on account data or payments. By opening up payment transactions, new partnerships and innovative services are created, in which the end customer can benefit from the resources and expertise of both players.

Third-party providers (TPPs) that want to access accounts were obliged by PSD2 to obtain a licence from the national supervisory authorities. This includes Payment Initiation Service Providers (PISPs) such as Klarna or Brite as well as Account Information Service Providers (AISPs) such as Qwist.

PSD2 has also brought improvements in terms of security. Stricter security requirements, particularly mandatory two-factor customer authentication, significantly reduce the risk of fraud and unauthorised access.

By creating uniform standards and harmonised regulations for payment service providers in the EU, PSD2 has also ensured that consumers can use services more easily and securely across borders.

One becomes three: PSD, PSR and FIDA

Despite all these proven successes, the EU felt compelled to make improvements. With the planned successor directive PSD3, the EU Commission is taking a new approach and splitting the provisions of PSD2 and the e-money directive between PSD3, an EU directive, and the PSR, an EU regulation. Some of the content of PSD2 will migrate to the PSR. This is intended to ensure a more standardised implementation within the EU. While there was still room for interpretation when PSD2 was transposed into national laws, the same wording applies to all countries in the new regulation – with the caveat that it will be translated into 24 languages.

At the same time, the Framework for Financial Data Access Regulation, abbreviated to FIDA, provides standardised rules for access to customer data for other financial services. These now go far beyond account products and also affect insurance data for the first time.

What all three regulations have in common is that they aim to further strengthen the end customer’s position as sovereign over the use of their financial data. For this reason, all three new regulations include the concept of consent management, which is intended to ensure greater transparency for the customer on the one hand and, on the other, offer the option of easily withdrawing access rights that have been granted.

The comprehensive evaluation process from 2022 also revealed that several key problems in the EU payments market have still not been resolved to satisfaction.

The question of security

As already mentioned, PSD2 has already taken important steps to improve security, such as the introduction of Strong Customer Authentication (SCA). Nevertheless, there is still room for improvement, for example in the form of the challenge of increasing security throughout the entire ecosystem.

One example is spoofing, where fraudsters impersonate an employee or staff member of a payment service provider by using its name, email address or telephone number. For consumers deceived in this way, the proposal extends the refund rights. The payment service provider must refund the payment service user the full amount of money transferred as a result of the fraud, provided that the payment service user has reported the fraud to the police immediately and informed the payment service provider.

In order to prevent IBAN fraud, payment service providers will in future also be obliged to check, free of charge, that the IBAN of the payee matches the account name (IBAN name check) for transfers in an EU currency. No such verification obligation exists under PSD2. In practice, it can be assumed that the payer's payment service provider will request the IBAN name check from the payee's payment service provider in a standardised manner.
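As an added illustration of the two-party flow just described (this is not code from the original post and not any payment service provider's real API), the following Python script simulates a payer-side PSP that first rejects mistyped IBANs with the standard mod-97 structural check and then asks a simulated payee-side PSP whether the name the payer entered matches the account holder on record. The account register, the `MatchResult` categories, the similarity threshold and the function names are all assumptions made for this example; the two IBANs in the register are the public example IBANs for Germany and the United Kingdom.

```python
"""Added illustration of an IBAN name check (verification of payee).

Simulates the flow described in the post: the payer's PSP validates the IBAN
structurally, then asks the payee's PSP whether the name the payer typed
matches the account holder on record. The register, threshold and result
categories are assumptions for this example, not any PSP's real interface.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from enum import Enum


class MatchResult(Enum):
    MATCH = "match"                      # names agree after normalisation
    CLOSE_MATCH = "close_match"          # minor differences, e.g. umlaut spelling
    NO_MATCH = "no_match"                # different holder: warn before sending
    UNKNOWN_ACCOUNT = "unknown_account"  # IBAN not held at the payee PSP


# Constructed account register standing in for the payee PSP's core system.
# The IBANs are the public example IBANs for DE and GB (valid check digits).
PAYEE_PSP_REGISTER = {
    "DE89370400440532013000": "Erika Mustermann",
    "GB82WEST12345698765432": "Müller Maschinenbau GmbH",
}

CLOSE_MATCH_THRESHOLD = 0.8  # assumed similarity cut-off for "close match"


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, as IBANs are often typed with spaces."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_structurally_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rejects typos before any lookup is made."""
    iban = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    # Letters map to 10..35 (A=10 ... Z=35); digits stay as they are.
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Case-fold, drop diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters_only = re.sub(r"[^a-z0-9 ]", " ", no_marks.lower())
    return " ".join(letters_only.split())


def payee_psp_check(iban: str, claimed_name: str) -> MatchResult:
    """Payee-side comparison; returns only a category, never the holder's name."""
    holder = PAYEE_PSP_REGISTER.get(normalise_iban(iban))
    if holder is None:
        return MatchResult.UNKNOWN_ACCOUNT
    expected, claimed = normalise_name(holder), normalise_name(claimed_name)
    if expected == claimed:
        return MatchResult.MATCH
    if SequenceMatcher(None, expected, claimed).ratio() >= CLOSE_MATCH_THRESHOLD:
        return MatchResult.CLOSE_MATCH
    return MatchResult.NO_MATCH


def ordering_psp_verify(iban: str, claimed_name: str) -> dict:
    """Payer-side step run before the transfer is confirmed by the user."""
    iban_n = normalise_iban(iban)
    if not iban_is_structurally_valid(iban_n):
        return {"iban_valid": False, "result": MatchResult.UNKNOWN_ACCOUNT,
                "warn_payer": True}
    result = payee_psp_check(iban_n, claimed_name)
    return {"iban_valid": True, "result": result,
            "warn_payer": result is not MatchResult.MATCH}


if __name__ == "__main__":
    samples = [("DE89 3704 0044 0532 0130 00", "Erika Mustermann"),
               ("GB82 WEST 1234 5698 7654 32", "Mueller Maschinenbau GmbH"),
               ("GB82 WEST 1234 5698 7654 32", "Totally Different Ltd"),
               ("GB82 WEST 1234 5698 7654 33", "Müller Maschinenbau GmbH")]
    for iban, name in samples:
        print(iban, "->", ordering_psp_verify(iban, name))
```

Two design points are worth noting. The payee-side function returns only a match category and never the holder's real name, so the check cannot be used to enumerate account holders from guessed IBANs. And the structural check runs first on the payer's side, so a transposed digit is caught locally and the payer is warned before any cross-PSP request is made.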

Expandable – data protection

The General Data Protection Regulation gives consumers sovereignty over their personal data. The provision of account data to third-party providers requires comprehensive data authorisation from the account holder. Customers must give their consent prior to a transaction as part of consent management. However, this does not prevent the data from falling into insecure hands or being used for undesirable purposes.

The planned PSD3 is therefore intended to ensure that the rules for open banking harmonise better with the GDPR. Applying the principle of data minimisation, it should be clarified that payment service providers are only permitted to access and process those personal data of their customers that are necessary for the provision of the specific payment services agreed with the customer.

The draft also provides clear liability rules in the event of data protection breaches and dispute resolution mechanisms.

Extension to other banking and insurance products

With FIDA, the concept of the payment directive is now being extended to various other financial services, including insurance. Customers now have the right to give other service providers access to their customer data. However, these other service providers must have a licence as a financial institution or be regulated as a financial information service provider. This takes what began as Open Banking to the next level: Open Finance.

The Commission’s understanding of customer data is also precisely defined in the framework for access to financial data: In addition to information on loans, savings and investments, company and private pension schemes, this also includes information on property insurance and data collected by companies for the purpose of credit assessment (scoring), for example by credit agencies such as Schufa. Customer data such as score values of natural persons as well as life and health insurance policies are to be excluded.

Mastering technical challenges

The implementation of PSD2 and future regulations such as PSD3, PSR and FIDA requires collaboration between banks, insurance companies, payment service providers and technology providers to provide the necessary interfaces and systems. This can be a challenge, especially for smaller financial institutions and companies that do not have the necessary infrastructure and human and financial resources.

Here is a small example from the PSR proposals: they call for SCA / two-factor authentication to also be possible without the use of a smartphone, as older or other less technically savvy people would otherwise be excluded from the authentication process. This would force banks to introduce and offer additional 2FA procedures across the board that do not depend on a smartphone.

Competitive imbalance

Promoting competition is one of the declared aims behind the Payment Services Directive. However, there is a risk that larger technology companies and FinTechs will benefit more from the new regulations than smaller providers. As the regulations expand, smaller companies may be unable to match the resources and expertise of the technology companies.

Customer acceptance and trust

In finance, trust is the foundation of everything: the introduction of new payment services and the disclosure of account data require a high level of acceptance and trust on the part of customers. It is therefore going to be important to provide clear communication, transparency and education about the benefits and risks of open finance applications in order to gain and maintain consumer trust in the long term.

Conclusion

The PSD regulations were important first steps on the way to creating an EU-wide legal framework for payment services. They have made a valuable contribution to improving consumer protection and the security of electronic payments and have promoted competition and innovation. However, the revision in 2022 has shown that the directive is too non-binding in nature and that there is still a need for improvements at the content level: security aspects, data protection and technical requirements are still critical points that are to be addressed by the upcoming PSD3. PSD2 is often described as the initial spark for open banking, whereas PSD3 is seen by many as a necessary adjustment rather than a revolutionary innovation. In fact, the real innovations of the new regulations will be driven by PSR and FIDA.

FIDA in particular now creates a clear legal framework and in this way, if you like, becomes the catalyst for the next stage: open finance. However, all three building blocks – the third Payment Services Directive (PSD3), the Payment Services Regulation (PSR) and FIDA (Access and Use of Financial Data) – are driving the “Consent Driven Economy” forward and giving consumers more opportunities to use the data available about them. There is considerable growth potential in this, based on widespread acceptance in the mass market, the scaling of services and the development of new, exciting and, above all, monetisable use cases.

This is because standardised solutions now make it possible to offer highly personalised services on a broader data basis in a cost-efficient manner and in real time. FIDA in particular is helping to ensure that this will not only be the case in the banking sector, but will also work across all industries, thus taking an important step towards the open economy with open data.