Position Paper "PSD3 PSR"
MERGER AND SCISSION OF THE PAYMENT SERVICES LEGAL FRAMEWORK (about PSD3)
Written by: GT RED France Payments Forum
Authors: Marie-Laure Plessis, Alexandre Marion, Ludovic Vathelot and Corina Fontaine
The proposal, published on June 28, 2023 by the European Commission, to overhaul the legal framework governing payment services (which now include e-money) and their users and providers, consists firstly of merging two historic directives: the 2009 E-Money Directive (EMD2) and the 2015 Payment Services Directive (PSD2). Secondly, it consists of splitting the legislative vehicles, by deciding:
- to subject the licensing and supervision of payment institutions (PIs, which now include e-money institutions) to a (maximum harmonization) directive, known as PSD3; and
- to make the transparency of conditions and information requirements for payment/electronic money services, and the respective rights and obligations of their providers and users, subject to a (directly applicable) regulation known as the PSR.
The Commission justified this split by pointing to the excessive fragmentation of national transpositions on payment services/electronic money, while the licensing and supervision of providers of these services is best dealt with in a directive, since licensing and supervision remain the prerogative of the Member States.
Beyond the legislative "kitchen", which also includes a framework regulation on data access in order to bring the legal framework on payment services closer to the requirements of the GDPR, what challenges payment services practitioners is the set of Commission expectations on various topics, which can be identified in the PSR:
- making the strong authentication system more flexible, in particular to encourage the inclusion of people who have "dropped out" of the digital world (people with disabilities, the elderly, etc.), who don't necessarily use smartphones;
- dispensing with strong authentication for a period of 180 days following such authentication, for account information providers;
- a legal basis for the exchange of information on fraud between payment service providers;
- extension of the IBAN verification service (consistency of the IBAN/beneficiary pair) to all transfers in EU currencies, given that this service is already mandatory for instant transfers under the proposed regulation on instant transfers;
- the possible inversion of liability for fraud in payment situations initiated by merchants (Authorised Push Payments), and a possible assumption of responsibility for fraud on credit transfers by the beneficiary's payment service provider;
- the extension of the historic ban on overcharging to transactions denominated in currencies other than the euro;
- stronger consumer protection on refunds related to transactions initiated by merchants;
- the obligation for banks to provide their customers with a dashboard enabling them to revoke (or reactivate) the authorization given to an open banking service provider to access their ;
- more information for consumers on how to handle their complaints;
- giving supervisors the power to temporarily prohibit the sale of certain payment products.
While the Commission has postponed the extension of open banking to open finance to a forthcoming consultation in 2024, it tends to standardize the rules, without however prohibiting the continued existence of more protective national rules,[1] specifically on:
- transparency of conditions and information requirements governing payment services; and
- rights and obligations relating to the provision and use of payment services.
In this context, the RED WG wanted to detail the issues underlying these two major themes, through the evolution of:
- open banking;
- material and territorial scope;
- consumer protection (fees, status of transactions outside the EU, freezing of funds);
- security and fraud prevention;
- de-risking practice;
We examine these five themes below, in the hope of convincing the European co-legislator (the Council and the European Parliament) to improve on the major trends initiated by the Commission through the PSR.
- Open Banking
With the PSR, priority is given to Open Banking, rather than Open Finance, which has been deferred to another legislative vehicle. However, the measures set out in the new text are a key element of the reform. Having drawn the best lessons from PSD2, whose APIs were implemented in a highly heterogeneous way, with a global technical framework specific to each country (Berlin Group, STET, etc.), the Commission aims with this new reform to reduce all existing frictions.
The key elements of the PSR measures remain the quality, standardization and adoption of APIs, to enable interoperability and reconciliation between banks and the non-bank service providers concerned (payment institutions, electronic money institutions and third-party service providers).
Within this framework, banks are encouraged to provide quality APIs, facilitating the standardization of exchange functions, with rapid response times and multiple beneficiary management. This implies a strong commitment on the part of the banks, with regular publications on API availability and performance, and the anticipation of technical changes three months in advance. In the event of malfunctioning and lack of access to the APIs dedicated to them, TPPs may be authorized to ask their national competent authority (in France, the ACPR) to allow them to use the interface that the bank (ASPSP) provides to its customers until the specific API is available again.
For competition reasons, banks will also have a duty to inform payment institutions (PIs) and electronic money institutions (EMIs) about failed account access and initiation. To complete these measures, the ACPR will be given supervisory and sanctioning powers.
Also of note is a new requirement for TPPs to make a Dashboard available to their customers. This dashboard will enable customers to track the authorizations given to TPPs to access their data, with a two-year history. End customers will be able to revoke and reactivate their authorizations in real time. This system is designed to make Open Banking more secure for consumers.
Finally, the PSR includes a complete chapter on strong authentication (SCA), with in particular an extension of the time between two strong authentications from 90 to 180 days.
From this perspective, Open Banking benefits the entire ecosystem. For example, the benefits are distributed differently for:
- Banks, which will find it easier to take on the role of Trusted Third Party, based on a new, innovative model with a view to reducing costs;
- PSPs, in a context where European developments are giving a boost to non-bank players and the development of value-added services;
- Supervisory authorities, who will have greater capacity to control and deal with payment fraud, with support for innovation and the PI/EMI ecosystem;
- Customers, who benefit from value-added services, with access to a competitive market and customized offers.
FPF RED WG OPINION
With Open Banking, the harmonization of the EU payments area is being given a real boost. This new framework broadens the concept of open banking, enabling wider access to data. The rules governing information sharing between banks and PSPs have been strengthened, and the scope for supervisory action has been extended.
However, all these requirements will have a major impact on banks, with major changes to their information systems unavoidable if they are to continue to develop services, provide dedicated interfaces (APIs) and adopt new technologies to keep pace with all the regulatory developments and requirements.
- Material and territorial scope
Whereas PSD2 contained a provision limited to the territorial scope of the rules, the PSR recasts the text to include the material scope, which includes but is not limited to the former list of activities excluded from the scope of application.
- Territorial scope
Essentially unchanged from PSD2:
- all the rules apply to two-leg transactions if the currency stipulated is from the European Economic Area (EEA) (both PSPs are in the EEA); some of the rules apply if the currency is from outside the EEA; and
- a narrower set of rules applies to single-leg transactions (only one of the two PSPs involved is located in the EEA), regardless of whether the transaction is denominated in an EEA/non-EEA currency.
This being said, it is regrettable that the content of the applicable rules is always listed in vague terms ("rules applicable except"), which is not conducive to an overall understanding of what is fundamentally expected of the PSPs concerned.
More simply, the PSR increases PSPs' requirements in terms of transparency and obligations regarding the execution of the payment transaction, and the increased requirements mechanically affect transactions (i) in non-EEA currencies or (ii) "one-legged".
It should be noted that in its preliminary work on the revision of PSD2, the Commission noted that it had received very few comments on the need to develop the territorial field, which may be explained by a certain lack of awareness of the issues and practical risks associated with it.
It should also be noted that the Commission is aware of the risks of circumventing European rules, particularly when it refers to situations where the strong authentication requirement is circumvented in e-commerce. It thus lays down the principle that the requirement cannot be "circumvented by practices such as the use of an acquirer established outside the Union in order to evade strong customer authentication requirements".
Last but not least, it is regrettable that the scope of application has not been extended to take account of conversion operations into cryptoassets. We might have expected the PSR to coordinate the new rules arising from the relevant European regulation (MiCA) on (i) operations to convert fiat currency into cryptoassets and vice versa (where one leg relates to EEA currencies and the other leg to cryptoassets) and (ii) the rules applicable to operations involving electronic money tokens (according to MiCA terminology). It is difficult to understand whether these tokens can be fully assimilated to e-money.
It is to be hoped that these clarification efforts will be undertaken by the European Parliament and the Council with a view to adopting the regulation.
FPF RED WG OPINION
The European Parliament and the Council should endeavor to better coordinate the PSR with the interactions that payments and e-money may have with the cryptoassets of the MiCA Regulation, particularly e-money tokens, whose territorial scope would be hard to understand if it did not follow the principles set out by the PSR.
- Material field
PSD2 had opened up the material field to account information providers and payment service initiators.
First of all, the PSR changes the notion of payment institution to include e-money institutions. Unfortunately, even though the players concerned will generally apply the new rules, the difficulty of differentiating between e-money and payment services necessarily persists through national rules assimilating cash and e-money. In France, for example, non-anonymous e-money is partly assimilated to cash, and its use is limited to very low levels (€3,000 for residents, €10 or €15,000 for non-residents, depending on the beneficiary of the settlement), whereas such restrictions are in no way applicable to settlements via payment institutions. In addition, it is questionable whether national rules capping cash or e-money settlements will apply in the same way to MiCA e-money tokens.
For example, it intends to delegate to the Commission the task of defining the limits of exemption regimes, such as that associated with the "limited network of acceptors" or the "limited range of goods and services" (limited network exemption), which is currently set out in guidelines issued by the European Banking Authority (EBA).
This exclusionary regime raises questions about the expansionist tendency of certain national authorities (including the ACPR) when it comes to collecting funds on behalf of third parties for services rendered in sectors where they are less expected, either because the payment transactions carried out do not concern consumers, or because they have historically obeyed a social framework very similar to special payment vouchers. This is notably the case in the third-party payment market associated with the reimbursement of healthcare expenses, where the ACPR refuses to consider (i) that the players concerned fall within the scope of the authorization exemption regime, and (ii) that the healthcare providers in question can delegate the settlement of healthcare expenses to third-party players within the framework of subcontracting agreements.
The PSR also intends to ensure that some of the exclusion regimes are constrained by guidelines, such as the "commercial agent" exclusion, which caused debate in France when marketplaces were forced by the ACPR to take on the status of payment institution or agent of the latter.
The PSR also brings technical service providers within the scope of certain requirements, even though they appear in the exclusions regime. According to the PSD2 report, this development is linked in particular to the emergence of electronic wallets (pass-through wallets) which, thanks to tokenization, make it possible to use a payment instrument via a mobile device to make online or contactless payments[2] and even offer innovative services such as buy-now-pay-later (BNPL) or request-to-pay (RTP). However, suppliers of these technical services are excluded from the scope of application of PSD2. Yet these suppliers are sometimes payment system operators or major payment data processors, which have acquired quasi-systemic status in some Member States (including GAFAM). It is in this context that the PSR imposes on these providers certain requirements applicable to PSPs, particularly in their deployment of strong authentication solutions.
The limitation of requirements is questionable, although it should be noted that these technical service providers will eventually be subject to more or less stringent subcontracting rules, depending on their involvement in the provision of technical services, and that in the deployment of payment infrastructures, they are subject to rules issued by the European Central Bank (ECB).
In the same vein, we also note the inclusion in the PSR of players from outside the financial sector, when they contribute to the emergence of the cash distribution niche market.
Last but not least, the historical exclusions of what are known in France as "changeurs manuels" or "transporteurs de fonds" have been abolished.
FPF RED WG OPINION
As with the territorial scope of the payment rules, the final version of the PSR should define the material scope of the rules by better coordinating them with the rules applicable to cryptoassets (stemming from MiCA) so that users of electronic money-like means of payment or cryptoassets (cf. electronic money tokens) are aware of the applicable rules.
On the subject of exclusion regimes, the PSR would benefit from better addressing the issue of third-party fund collection (which was only clarified by the Commission in January 2023), notably by allowing Member States to recognize the right of certain already-regulated players to outsource these services to technical service providers who remain under their control.
- Consumer protection
Overcharging practice
The practice of imposing additional charges for the use of a given payment instrument is sometimes referred to as "overcharging". Under PSD2, the prohibition on overcharging was based on a minimum set of rules, with Member States given wide latitude to reinforce the prohibition on circumventing the regulation on interchange fees (three- or four-corner payments, including Paypal) or those set out in the SEPA rules (credit transfers and direct debits).
The general aim of the new rules is to align the processing of all transactions initiated by the beneficiary (direct debits vs. so-called MIT transactions).
Secondly, the PSR aims to include in the aforementioned anti-circumvention regime the constraints dictated by the (future) instant transfer regulation. Above all, the PSR extends the prohibition on overcharging not only to cross-border credit transfers and direct debits within the EU (SEPA), but also to transactions outside the SEPA Regulation.
It remains to be seen whether Member States will make use of the possibility left open in the PSR to adapt their national overcharging regimes. For the record, the French legislator had clearly chosen to prohibit the practice of overcharging (cf. articles 112-11 et seq. of the Monetary and Financial Code), without specifying whether derogations were contractually enforceable in the B2B sector. It is to be hoped that the distinction between corporate and consumer means of payment will be better dealt with in future national rules, to make way for more competition in this area of B2B commerce.
Rules for operations outside the European Economic Area (EEA)
The PSR fills a glaring gap in the transparency of payment transactions outside the EEA, in a context where the Regulation aimed at standardizing the rules on cross-border payments in the EU not only fails to deal with transfers outside the EEA, but also fails to address the specific situation of remittances.
In addition to the all-important issue of conversion into non-EEA currencies, the question of execution time was also poorly addressed by PSD2. The regulation therefore aims to better protect the interests of European users in these situations of transactions executed outside the EEA, without going so far as to impose a maximum execution time, insofar as this time may depend heavily on imponderables linked to the leg of the transaction located outside the EEA, concerning payment providers who do not have to suffer from European legislation that is not enforceable against them.
Telco exemption
The PSR does not modify the Telco exemption regime (which essentially refers to payment transactions settled via the telephone operator's bill for the purchase of digital content and voice services), and the Commission states that it has received no indication that users of payment services via telephone operators are poorly protected. We can only regret that there has been no increase in the ceilings provided for under PSD2 (€50 per transaction and €300 per month), particularly in view of the rise in inflation since 2022. The absence of indexation in the PSR tends to slow the development of this activity in the payment sector.
It is likely that the European legislator will raise these thresholds in response to the demands of the operators concerned, who today work effectively to protect their customers within the framework of national regulations agreed within this profession (in France, for example, we are thinking of the deontological recommendations of Af2m).
Blocking funds
We know that for payment transactions where the amount of the transaction is not known in advance (e.g. hotel reservations, car rentals or purchases of ), the PSPs of the payers can be led to block disproportionate provisions, which can then impair their customers' ability to use their payment cards for new transactions. In order to prevent such situations, the PSR aims to limit such blockages both (i) in time and (ii) in the proportion of the blocked amount.
The PSR thus adds the obligation (i) of the payer's PSP to contain the blocking at a level proportionate to what the "payer may reasonably expect" and (ii) of the payee to inform his own PSP of the amount actually paid, immediately after delivery of the service or goods to the payer. The payer's PSP will then have to release the funds immediately upon "receipt of information on the exact amount of the payment transaction", rather than "after receipt of the payment order".
In view of these developments, it is questionable how the payer's PSP is informed of the proportionate level of provision to be blocked, when this information is by definition only known when the paying customer has finished taking advantage of his hotel or car reservation.
FPF RED WG OPINION
The European Parliament and the Council should work to clarify certain aspects of the Commission's proposals on:
- the practice of overcharging;
- payment transactions outside the EEA;
- Telco exemption;
- freezing funds.
- Security and fraud prevention
Enhancements to strong authentication (SCA)
We note that the PSR proposes a rather major evolution for SCA: strong authentication can be accepted when it is composed of two elements belonging to the same category (possession, knowledge or inherence), "provided that their independence is totally preserved".
This seems to be contrary to EBA advice that the two authentication elements for SCA should belong to two different categories. However, EBA seems to have reversed its position in the 2020 Q&A, pointing out that EBA's RTS require authentication elements to be independent, but not necessarily to belong to separate categories.
The argument put forward is not to restrict innovation, development and adoption of new elements which, although they fall into the same category, meet all the security and independence requirements of EBA's RTS.
In other words, authentication with two elements of the same category will be accepted if these elements are independent, for example:
- For "knowledge": web-banking password and unique token;
- For "possession": cell phone (number) and usual computer (IP/MAC address);
- For "inherence": face recognition and RFID chip under the skin.
Check that IBAN/Beneficiary name matches
To ensure the security of payments, and in particular credit transfers, the PSR provides for verification of the match between the IBAN and the beneficiary's name by the originator's PSP, in line with the Commission's proposal for the SEPA instant credit transfer regulation. The aim is to give the originator an indication of potential fraud or incorrect entry of the IBAN before executing the transfer.
The main features of this new service are as follows:
- It applies to SEPA and international transfers,
- It will be offered to both private and business customers,
- It can be PAID for (although, as the Commission points out in its impact study, it is generally offered free of charge to private individuals),
- The request for verification of the IBAN/name correspondence made by the beneficiary's PSP at the request of the payer's PSP will be FREE of charge (no interchange possible),
- Notification of non-matching will be in near-real time to ensure a smooth customer experience,
- If the service fails (or is simply not available), the burden of proof of fraud or input error lies with the ordering party's PSP, and the ordering party may demand reimbursement of the full amount of the transfer within 10 working days, even if it had authorized the transaction,
- The customer can unsubscribe at any time ("opt-out" mechanism).
FPF RED WG OPINION
The service for checking the match between the IBAN and the beneficiary's name represents a major step forward for individual and corporate customers. This service is a first step in the fight against authorized transfer fraud, even if it will not eradicate it.
The reversal of the burden of proof will encourage PSPs to implement this new service.
However, the technological construction of this service remains to be done, and that's where the problem lies:
- The proposed rules and principles need to be clarified. For example, it is not defined at what threshold the payer's PSP must notify the payer. Likewise, the calculation of the degree of concordance must be homogeneous, otherwise it could be misinterpreted; this would ultimately lead to confusion or inconvenience for the payer, who would too often be wrongly notified;
- Corporate beneficiaries should also be able to be identified by their identifier (SIREN, LEI, intra-Community VAT number) in addition to their name, as is currently offered by the French SEPAm@il Diamond service;
- By letting the market organize itself to propose a solution, we are likely to see several market initiatives, likely to intervene at different points in the payment chain (e.g. at order initiation or clearing), which will eventually pose a problem of interoperability between these different initiatives.
For these reasons, the GT RED of France Payments Forum recommends:
- mandating the ERPB and the EPC to define and develop a Scheme with Rulebooks and implementation guides for exchange messages, based on existing solutions such as SEPAm@il Diamond;
- creating a brand and communicating globally around that brand;
- managing and monitoring the implementation of this new service in order to correct any problems;
- implementing this service gradually. For example, first locally for private customers, then for businesses, and then cross-border.
- The need to objectify de-risking policies
Since PSD2 came into force, non-bank PSPs (Third Party Providers or TPPs) have become more numerous and more important. In order to offer payment services, these players (payment institutions, e-money issuers, payment service initiators) must have an account with a commercial bank for the purposes of the ring-fenced account and for access to the payment infrastructures that process and settle payments.
The reality on the ground shows that banks often refuse access to commercial bank accounts without substantiated justification, or grant access but then withdraw it, as PSD2 does not require them to explain their apprehension of their own risks.
Non-bank PSPs are therefore dependent on commercial banks, not only for the protection of customer funds, but also for the execution of payments.
Recall the letter of Article 36 of PSD2 (DIRECTIVE (EU) 2015/2366) which deals with "Access to accounts held with a credit institution":
Member States shall ensure that payment institutions have objective, non-discriminatory and proportionate access to the payment account services of credit institutions. Such access shall be sufficiently extensive to enable payment institutions to provide payment services efficiently and without hindrance. The credit institution shall inform the competent authority of the reasons for any refusal.
Article 36 of the PSD2 has been the subject of successive opinions:
- In June 2022, the EBA issued an opinion on risk reduction (EBA/Op/2022/01).
EBA suggests that the general nature of "Article 36 of PSD2 and the lack of guidance for credit institutions on the circumstances in which account closure must be notified have led to divergent application across the EU and divergent interpretations across certification authorities."
- EBA recommends extending the notification process for the PSP integration phase to include decisions taken by credit institutions to exclude payment institutions from existing business relationships.
- The technical standards relating to the process of notifying refusals could be the subject of a mandate entrusted to the EBA in order to guarantee the consistent application of article 36. For example, when credit institutions decide to close an account, a compulsory form with detailed explanations should be sent to the competent authorities. Regulators at EU level would be able to obtain more solid information on the most common reasons for closure, and take targeted measures to remedy them.
- Then in February 2023, the study "Study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2) FISMA/2021/OP/0002" returned to the pitfalls of de-risking.
Risk reduction, AML and GDPR concerns are at the heart of the rejections experienced by non-bank PSPs (from credit institutions, which indicate that these new players present poor control and compliance frameworks).
On the other hand, PIs/EMIs argue that banks too often use de-risking provisions as an alibi to restrict access to accounts in order to prevent competition. "General" reasons, alluding to vaguely defined inherent risks, are too often invoked with the aim, according to PIs/EMIs, of thwarting or restricting innovation or market entry.
Although measures exist to ensure that access is proportionate and non-discriminatory, this is not the case in practice.
Refusals lead to interruptions in service for non-bank PSPs until a replacement commercial bank is found, and after a transfer of connectivity from their infrastructure to the new commercial bank. As a result, there is a risk of periods with no access to payment systems and no ability to protect customer funds, both of which are essential for non-bank PSPs to operate.
The study supports EBA's view that it should be given a mandate to develop regulatory technical standards to clarify the interactions between AML/CFT requirements and the application of Article 36 of PSD2, limiting unwarranted risk reduction by banks. In addition, the idea is put forward that the European Commission could consider extending this requirement to also include decisions taken by credit institutions to withdraw payment institutions from existing business relationships.
- Finally, in June 2023, the first draft of the PSR delivered a set of de-risking measures.
It includes measures to remedy shortcomings and make competition rules fairer:
- Stronger requirement to explain refusal, also covering, unlike PSD2, withdrawal of service:
- The payment system participant must provide any requesting payment service provider with full reasons for account closure (e.g. reasonable suspicion of illegal activity or risk to the credit institution). A generic reason is no longer sufficient;
- the PSP can appeal to the appropriate authorities;
- The EBA draws up technical regulatory standards specifying the harmonized format and mandatory information to be included in the notification and statement of reasons.
- Central banks will be authorized to provide account services to non-bank PSPs, at their discretion;
- The Commission also proposes to include payment initiators among the possible participants in payment systems - with reinforced controls for their admission and appropriate risk assessment.
In conclusion, the provisions of the PSR regulation are in line with the EBA's recommendations, and take account of the alerts raised by proposing measures that also open up bypasses to access via commercial banks, so as to be able to operate in spite of refusals, provided the PSP satisfies the risk controls. This will reinforce our determination to impose a level playing field for competition.
FPF RED WG OPINION
These proposals to authorize direct access to payment infrastructures for TPPs raise a number of operational issues. At this level of connection, resilience and high-level guarantees are essential.
In addition, the severe restrictions on the grounds for refusal of access and the reporting requirements for such refusals are likely to upset commercial banks, which will seek legitimate compensation for this virtual obligation to deal with PSPs that compete with their business.
France Payments Forum's RED WG questions the effectiveness of these measures in resolving exchanges and tensions between TPPs and banks.
[1] The Commission therefore accepts that market fragmentation continues to exist despite its decision to adopt a Regulation.
[2] The importance of this qualification was seen in a September 2019 ACPR position on the payment order acquisition service, as technical service providers involved upstream or downstream of this service are not concerned by the obligation to be approved as PSPs.