Author
Published
5 September 2024
Reading time
Required knowledge
In 2015, the EU Commission adopted and introduced the second Payment Services Directive EU 2015/2366 (PSD2). The aim was to regulate technical innovations in the retail payments market, the increasing number of electronic and mobile payments, and new payment services.
Revision
As part of the 2020 work program, the Commission has presented a package of measures as the third priority under the title “An economy that works for people”.
This includes the revision of the existing PSD2 regulation. In its analysis, the Commission identified four fundamental problems in the market:
The following actions, among others, can help address the issues identified:
This resulted in two proposals to revise the PSD2 Directive, which the Commission published on 28 June 2023: the Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). In a directive, the European Council specifies certain results to be achieved. It is up to the member states to decide how to transpose the directive into national law with regard to the results. A regulation, on the other hand, is directly applicable in the EU member states. This ensures harmonized implementation throughout the EU.
EEA states, such as Liechtenstein, must incorporate directives and regulations into the EEA Agreement. This is done via the EEA adoption procedure. The EEA Joint Committee, which consists of representatives of the EU and the EEA/EFTA states of Norway, Iceland, and Liechtenstein, examines the legal acts to be incorporated. Formal adoption takes place through the inclusion of the acts in the list of protocols and annexes to the EEA Agreement. After incorporation into the Agreement, the EEA/EFTA state concerned must implement the act into national law in accordance with national provisions. This is a formal process that only allows for technical adjustments. In Liechtenstein, this is the responsibility of the EEA Unit. In cooperation with experts from the Liechtenstein national administration and the ministries, the EEA Unit prepares biennial EEA Working Lists, which the government adopts in a government decree, together with the implementing measures and implementation schedules specified therein.
The development of the PSD Directive
Key Changes
Even before the revised PSD2, different EU member states had national regulations for payment and e-money institutions. However, these were not always consistent, leading to fragmentation and differing requirements. PSD3 aims to create a single legal framework. With PSD3, e-money institutions will be able to obtain authorization as payment service providers (PSPs) throughout the EU, making the Electronic Money Directive (EMD2) redundant. In addition, third parties will be able to overcome existing barriers to accessing customers’ bank accounts.
An important innovation is the verification of the IBAN and the name of the beneficiary for non-immediate transfers: The payer’s PSP must offer its customers a service to verify that the IBAN matches the beneficiary’s name as provided by the payer. The PSP may request this verification free of charge from the beneficiary’s PSP. If the IBAN and the name do not match, the PSP must inform the payer of the discrepancy. Instant payments are explicitly excluded from the verification of the beneficiary in PSD3, as this is already included in the new Instant Payment Regulation (IPR).
In order to strengthen customer confidence, the Commission has tightened the liability rules. If a PSP denies having authorized an executed payment transaction, the use of a payment instrument recorded by the PSP (e.g., a bank) alone is not sufficient to prove that the payer authorized the transaction or acted fraudulently or with gross negligence in breach of one or more of his obligations. The onus is on the PSP to prove that the payment service user acted fraudulently or with gross negligence. If they are unable to do so, they must refund the amount of the unauthorized payment transaction to the payer no later than 14 days after notification of the transaction. In addition, the Commission has extended the payer’s right to a refund in cases of fraud. Suppose someone pretends to be an employee of a PSP, using the employee’s name, e-mail address, or phone number, and induces the payer to authorize a fraudulent transaction. In this case, the PSP must compensate the loss in full, provided that the payer immediately reports the fraud to the police and notifies the PSP.
An electronic communications service provider is obliged to cooperate closely with PSPs. They must immediately take appropriate organizational and technical measures to ensure the security and confidentiality of communications. This also applies to the transmission of phone numbers and e-mail addresses. If the service provider does not remove the fraudulent or illegal content after becoming aware of it, they must reimburse the PSP for the full amount of the fraudulently authorized payment transaction, provided that the payer has immediately reported the fraud to the police.
PSPs may exchange the IBANs of their beneficiaries with each other if they have sufficient evidence of fraudulent payment transactions.
Schedule
On 23 April 2024, the European Parliament adopted the EU Commission’s proposals for PSD3 and the related PSR Regulation at the first reading.
Following the Council’s decision, expected this summer, the final versions could be available by the end of 2024. Member states will be granted a transitional period of 18 months, meaning that the regulation could come into force in 2026.
Romano Ramanti Certified Ethical Hacker, Zürcher Kantonalbank
Focus
AI has become indispensable in everyday banking. High-quality payment data is critical for personalized experiences and efficient AI applications. Payment enrichment improves data quality and optimizes key processes.
8 July 2026
Experts
The PCI DSS 4.0 standard protects credit card data with enhanced security measures such as multi-factor authentication and risk-based approaches. These measures increase the security and transparency of payment transactions.
Service bureaus have been central players in Swiss payments since the 1990s. They transmit payment orders and ensure data integrity. The SNB has published formal requirements to ensure security and efficiency.
Panorama
Only one country operates both a CBDC and an instant payment system to increase financial inclusion and efficiency. However, different standards and technologies make interoperability difficult. Some countries are considering wholesale CBDCs instead.
Talk
Helge Kraas, PPI AG, talks about artificial intelligence in payments. The focus will be on fraud detection, instant payments, e-invoices, Request to Pay, personalized financial services, regulation, financial crime and judicious AI decisions.
Professor Thomas Ankenbrand of the Lucerne University emphasizes the importance of security in payment solutions. In a study, his team shows that eBill scores well in all eleven criteria examined. The closed system of eBill avoids media breaks and thus makes fraud more difficult.
5 December 2024
PAY NEWSLETTER
Join our community and never miss an update!
Categories