Towards PSD3? The European Banking Authority publishes its views
Following the 2018 implementation of the European Union’s revised Payment Services Directive (PSD2), international and national supervisory authorities have been producing extensive reviews in response to the European Commission’s Targeted Consultation on the revised payment services directive.
In October 2021 the European Commission, following its targeted consultation, issued a Call for Advice (CfA) to the European Banking Authority (EBA) with the aim of better understanding the complex realities of the directive’s effects on suppliers, authorities and regulators, as a step towards amending the revised legislation.
In this insight we dissect key findings from the EBA’s opinion letter while acknowledging wider debates and points of interest for payment providers and international/national regulators. The opinion letter calls for four key actions:
- Clearer definitions of payment service provider (PSP), third party provider (TPP) and strong customer authentication (SCA)
- Strong Customer Authentication (SCA) extension
- Further regulatory E-Money Institutions Inclusion
- Further regulatory Open Banking/Open Finance Inclusion
Clearer definitions of the roles of PSPs, TPPs and SCA
While PSD2 brought in several new services and instruments compared with PSD1, the EBA extends this effort to PSD2’s definitions of payment services and their providers. This includes clarifying the distinction between online and offline payment transactions, ‘sensitive’ customer data and Merchant Initiated Transactions (MITs)[1].
Clarifications include ‘electronic payment transactions’[2] and ‘sensitive payment data’[3]:
- The uncertain delineation between ‘offline’ and ‘online’ initiated payments matters specifically for remote transactions initiated by Payment Service Users (PSUs) physically present at the Point of Sale (POS), where the two parts of the process (payment instrument and point of interaction) are not technically physically attached to each other. However, the EBA withdrew this proposal[4] because of contradictory cases of online devices opening an offline POS, which would have placed banks in potentially challenging legal situations.
- Unclear interpretations of ‘sensitive’ customer data affect the Account Information and Payment Initiation Service Provider (AISP) model, the Single Euro Payments Area’s (SEPA) instant credit transfer scheme and Strong Customer Authentication’s (SCA) varying inter-PSP processes, including ‘customer ID’ and its cross-PSP/AISP data sharing.
- Refining both the terminological remit and the regulatory treatment of MITs[5] can help clarify PSP and third party technologies in relation to SCA and tighten up the mitigation and investigation of fraud.
- The application of Strong Customer Authentication (SCA) should be clarified in relation to customer exemptions, whether SCA acts as a ‘corrective’ or a ‘preventive’ measure, and its reliance on Third Party Provider (TPP) technology.
The response also proposed changes to how SCA is applied, specifically increasing the regulatory treatment of merchant-initiated transactions, third-party technologies[6], fraud mitigation and inclusion.
Merchant-initiated transactions
Focusing clarifications on merchant-initiated transactions, how they are regulated and their requirements for the setup of mandates is particularly important given businesses’ growing use of SEPA direct debits and New Payments Platforms (NPP).
Regulatory oversight between Account Servicing Payment Service Providers (ASPSPs) and TPPs is called on to clarify the exact delegation processes of technical service providers, specifically digital wallet providers. This also extends to clarifying liability regarding the granting of Payment Service Providers (PSP).
Fraud mitigation
Education, requirements and awareness campaigns are included to ensure PSPs invest, monitor and communicate appropriately when exchanging information on best practice in fraud, known cases and known accounts used to carry out fraud. Indeed, reform of cross-business best practice is key to tackling social engineering fraud risks.
Social inclusion
Ensuring effective education and communication for customers using PSPs’ technologies, including authentication solutions, is vital in making sure the needs of specific groups, particularly vulnerable people, are fully considered.
E-Money Institutions Inclusion
The call for advice also includes the further legislative inclusion of E-Money Institutions (EMI), regarding the development of regulatory oversight of ‘white label’[7] relations, de-risking practices[8] and data divergences between the EBA and national registers.
The EBA’s consultations found that Credit Institutions (CIs) have been ‘refusing’ relationships with EMIs or ‘terminating’ existing ones because of issues with the institutions’ Anti-Money Laundering (AML)/Counter-Terrorist Financing (CFT) systems, leading to ‘increased’ risks. However, as stated in 7/21.1/423-430, the issues arise from EMIs’ lack of access, since CIs need to conduct all activities via their settlement accounts; this causes delays for less established EMIs while established Payment Institutions (PIs) and EMIs obtain the appropriate de-risking checks. As the CfA states, many EMIs therefore face discriminatory competition, and their ‘innovative payment solutions’ struggle to access the market.
Open Banking/Open Finance Inclusion
Following PSD2’s ground-breaking implementation of Open Banking via the interlinking of CIs, including Payment Initiation Services (PIS), Account Information Services (AIS) and TPPs, the CfA suggests tightening cross-institution PSU data sharing, including the standardisation of Application Programming Interfaces (APIs) and better data transfers between the providers of PIS, AIS and PSPs. This will allow for clearer regulation of the relations between the institutions that make up Open Banking, further protecting customer data and setting up appropriate conditions for new products.
Towards PSD3?
As observed by many within the banking and financial regulatory sector, the EBA details many of PSD2’s potholes, forming a much clearer path towards building a more productive framework between international and national supervisory authorities, financial institutions, and suppliers.
As the EU is moving at pace on Open Finance, and other areas such as crypto, it is essential that the United Kingdom develops its own framework and builds on the success of Open Banking. techUK looks forward to engaging with members and key stakeholders to develop an innovative and inclusive open data ecosystem. We will work closely with Parliament, Government and regulators on the smart data initiatives, including the next steps for Open Banking.