The European Commission’s new package on digital payments and financial data access (Part I): Payments Services

While the proposal on digital euro will leave wide discretionary powers to European Central Banks, National Banks and and Member States, the other draft legislative acts will be mostly decided at European level, falling within internal market shared competences of the European Union (Article 114TFUE), with a pivotal impact on companies and businesses active in the digital financial and smart payments services.

 

In this first article (1/2), we will focus only on the set of proposals for digital payments services in Europe, namely the revision of the current Payment Services Directive (PSD2) and the new Payment Services Regulation (PSR1). With these initiatives, the Commission aims at amending and modernising the current regulatory framework - which did not succeed in harmonizing rules across the Member States – as well as creating a level playing field for new companies and start-ups doing businesses in payments and digital payments services sector in the European Single Market. A second article (2/2) will then analyse the Commission’s proposal for a Regulation on Financial Data Access (FIDA) designed with the purpose to establish new rights and obligations for financial data and better enable data sharing between the financial sector and other ones.

 

Introducing the direct effect of European legislation will tackle European payment services system with relevant impacts on competition and consumers

​

Due to several issues related to the inconsistent application of the previous PSD2 across the EU, the Commission decided to make of use if its powers to put forward a regulation aimed at setting common and equal rules for all the Member States. The EU wants to tackle the unlevel playing field between banks and non-banks by improving access to payment systems and bank accounts for non-banks, also boosting competitiveness of different Payment Service Providers (PSPs) and other open banking services. The update of the PSD3 is certainly essential for a new regulatory framework, but eyes will be mainly on the second proposal for the first Payment Services Regulation (PSR1) which will incorporate most of the existing rules and obligations.

 

Opportunities of the new Payment Services framework

 

The Payment Services Directive proposal (PSD3) will introduce more compliance requirements for safeguarding customer funds and limits to cashback services; moreover, the updated directive will amend the Settlement Finality Directive (SFD) adding payment institutions, such as companies which provides only digital or smart payments services to the list of firms in the SFD, which may participate directly in payments systems. This answers to request of many payment institutions that cannot directly participate in payment systems, relying on potential bank competitors to gain indirect access. This proposal is likely to raise concerns among banking services providers, particularly worried about scams and fraud in an increasingly complex environment. However, at this stage, the PSD3 does not extend access to securities settlement systems, but changes might occur at later stage during the political negotiations.

 

Regarding the new Payment Services Regulation (PSR1), a key legislation of the package, the Commission intends to move rules on strong customer authentication (SCA), currently in regulatory technical standards, into this new regulation. Potential benefits for consumers and open banking services providers are expected to come from this proposal. On one hand, the PSR1 would improve consumer rights and transparency on their account statements, providing also more transparent information on ATM charges. On the other hand, the new regulation would boost the functioning of open banking, by removing remaining obstacles to providing open banking services and improving customers' control over their payment data.  This could enable new businesses and start-ups to launch new innovative services to enter the European Single market and force large, established banks to be more competitive with smaller and newer banks, ideally resulting in lower costs, better technology, and better customer service.

 

Finally, the PSR1 will extend the matching verification system of the payee’s name against their IBAN, now foreseen only for instant payments[1], to all intra-EEA credit transfers and to instant credit transfers which are not made in euros; moreover, the payer’s PSP will be held liable where it fails to flag a discrepancy. Consumers are likely to be better off from these new rules as well.

 

Challenges of the new Payment Services framework

​

However, this would not happen without costs, especially in IT and digital tools (such as dashboard to manage data access) which are likely to increase for banks and other account servicing payments service providers. The smaller actors, in particular smaller and local banks, might be affected in terms of potential costs related to the obligation of a transaction monitoring mechanism and refund guarantee for payment fraud. According to the proposal, Payment Service Providers will be obliged to compensate customers where they are tricked into making a payment by someone pretending to be an employee of the PSP. This would mean that PSPs could be considered liable of failing to monitor costumers’ transactions and to counter cyber-attacks or malicious threats due to potential pitfalls in their cybersecurity systems.

 

Digital payments and open banking services are not without security risks and it could pose threats to financial privacy and the security of consumers' finances, as well as resulting liabilities to financial institutions. For this reason, the compliance of banks, financial institutions, PSPs and start-ups to this new set of rules is crucial to build security and trust around a sector which could benefit both consumers and new businesses by increasing competition as described above. But this could also have the reverse effect and increase consumer costs and fear if it leads to consolidation in financial and banking services, due to the natural economies of scale from big data and network effects or to a widespread of data breaches due to poor security, hacking, or insider threats of certain players in the single market.

 

Questions also remain regarding the interplay between this regulation and the protection of personal data (e.g., GDPR), especially regarding processing of certain personal data where necessary to provide payment services, open banking services and regarding compliance and monitoring costs that banks and other payments institutions might sustain.

 

[1] https://ec.europa.eu/finance/docs/law/221026-proposal-instant-payments_en.pdf (Article 5c)