PSD3 (together with the PSR) establishes a legal framework for providers of payment services, such as credit and debit card payments, credit transfers, direct debits, money remittances, alternative payment methods (including iDEAL), and issuers of e-money (such as PayPal). It also addresses other parties that play a role within the payment ecosystem, such as digital wallet providers (e.g. Google Pay and ApplePay) and online merchants who integrate various payment methods into their customer journey.
The key changes (compared to PSD2) will be discussed below.
Additionally, PSD3 introduces two technical changes:
the e-money Directive shall be merged into PSD3, which is solely done for ‘editorial’ reasons; and
certain rules laid down in PSD2 shall be moved into the PSR. This technical change aims to enhance the coherence of implementation in the EU member states and does not introduce any new rules.
the commercial agent is a self-employed intermediary who has continuing authority to negotiate the sale or the purchase of goods on behalf of the ‘principal’, or to negotiate and conclude such transactions on behalf of and in the name of that principal*;
the commercial agent is authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee, but not both, irrespective of whether or not the commercial agent is in the possession of the client’s funds; and
such an agreement gives the payer or the payee a real margin to negotiate with the commercial agent or conclude the sale or purchase of goods or services.
The EBA will develop further guidelines to explain these requirements and will provide examples.
Key impacted parties
Impact
Collecting PSPs providing payment services to platforms/marketplaces that process payment transactions for their merchants
Collecting PSPs need to reassess whether the platforms/marketplaces can still rely on the commercial agent exemption and do not require their own PSD3 license
Platforms/marketplaces processing payment transactions for their merchants
Such platforms/marketplaces need to reassess whether they can still rely on the commercial agent exemption or need to change their way of handling payments for their merchants
3. Open Banking under PSD3 (new requirements)
The account servicing payment service provider (ASPSP) – typically a bank – will be subject to several new obligations:
The ASPSP must immediately after receipt of the payment order from a payment initiation service provider (PISP), provide or make available all information on the initiation of the payment transaction and all information accessible to the ASPSP regarding the execution of the payment transaction to the PISP. Where some or all the information is unavailable immediately after receipt of the payment order, the ASPSP shall ensure that any information about the execution of the payment order is made available to the PISP immediately after it becomes available to the ASPSP.
The ASPSP must provide the account holder with a so-called permission dashboard to monitor and manage any permissions provided to account information services providers (AISPs) on an ongoing basis. This also offers users a good oversight on which AISPs are obtaining their data for what purposes and an easy way to stop data sharing. There is no need to contact the AISPs as data sharing can be terminated within the ASPSP’s online environment. Obviously, early termination could have contractual repercussions vis-à-vis the AISP.
The AISP gets several new rights and obligations:
When an AISP obtains data, the ASPSP shall only apply strong customer authentication (SCA) for the first access to payment account data by that AISP. Unless the ASPSP has reasonable grounds to suspect fraud, SCA shall not be required for the subsequent access to that payment account by the AISP.
Unless the ASPSP has reasonable grounds to suspect fraud, AISPs shall apply their own SCA when the payment services user accesses the payment account information retrieved by that AISP at least 180 days after the last SCA was applied.
PISPs get new rights:
Prior to the initiation of a payment transaction, the ASPSP is required to provide the PISPs with the unique identifier of the account, the associated names of the account holder, and the currencies as available to the payment service user.
AISPs and PISPs
Except for the permission dashboards AISPs and PISPs positions which have been strengthened under PSD3, providing easier access
ASPSPs
ASPSPs need to implement several new technical requirements, including a permission dashboard
In PSD3 the definition of a payment account is further explained. This is particularly relevant because only payment accounts are subject to the PSD3 rules on open banking. A payment account is defined as ‘an account held by a payment service provider in the name of one or more payment service users which is used for the execution of one or more payment transactions and allows for sending and receiving funds to and from third parties’. Unfortunately, it’s still unclear whether an account which can only be used for sending funds, but not for receiving funds or vice versa, actually qualifies as a payment account. The text of the PSD3 and the recital point towards slightly different conclusions. This is, for example, relevant for credit cards.
The PSD2-as-a-service model (white-label solutions) for AISPs forwarding data to other parties, which has already been accepted by the DNB and EBA, is formally recognised in PSD3. This, therefore, leads to further certainty about the acceptability of this model across the EU.
EBA’s published opinion on obstacles to the provision of third-party provider services under the Payment Services Directive has been incorporated into PSD3, which thus strengthened the status of this opinion.
PSD2 data access and payment initiation are still free of charge and cannot be made conditional on entering a contract, but premium services in the context of the scheme can be charged for. This supports the initiative by the European Payment Council to develop as a premium service the SEPA Payment Account Access (SPAA) scheme rulebook.
PSD3 shows a clear preference for dedicated interfaces (APIs) and requires ASPSPs to have those in place. A permanent contingency mechanism (or fallback solution) is not required. The customer interface can only be accessed by AISPs and PISPs in the exceptional situation that the dedicated interface is not working properly or when an ASPSP has been granted an exemption by the regulator for building a dedicated interface.
ASPSPs shall ensure that their dedicated interfaces use standards of communication which are issued by European or international standardisation organisations including the European Committee for Standardization (CEN) or the International Organization for Standardization (ISO).
PSD3 sets detailed requirements on the technical information to be provided by ASPSPs about their dedicated interfaces to AISPs and PISPs.
ASPSPs shall ensure that, except for emergency situations which prevent them from doing so, any change to the technical specifications of their dedicated interface is made available to PISPs and AISPs in advance, as soon as possible, and not less than 3 months before the change is implemented.
ASPSPs shall publish on their website quarterly statistics on the availability and performance of their dedicated interface.
ASPSPs shall make available a testing facility, including support, for connection to the dedicated interfaces and functional testing.
PSD3 sets details on what functionalities the dedicated interface should offer to PISPs in terms of payment initiation, e.g. initiating and revoking a future-dated payment and initiating payments to multiple beneficiaries.
ASPSPs need to implement the technical requirements above
AISPs and PISPs get more certainty on the quality of APIs in terms of availability, technical access, and functionalities
A point of ongoing discussions was whether digital wallet providers and technical service providers would be regulated under PSD3. The PSD3 clearly establishes that this will not be the case.
Pass-through wallets (such as Google Pay and Apple Pay, involving for example the tokenization of an existing payment card, will not be regulated as a payment service. This could be different if the token itself can be used as a standalone payment instrument to initiate a payment order independently from the underlying tokenized payment instrument.
Operators of digital pass-through wallets that verify the elements of SCA used for payments are required to enter into outsourcing agreements with the payers’ issuing bank. The payer’s issuing bank should, under such agreements, retain full liability for any failure by operators of digital pass-through wallets to apply SCA and have the right to audit and control the wallet operator’s security provisions.
NFC on itself is also determined to be a no payment service.
The current position that other technical service providers do not offer payment services and do not need to be regulated has been confirmed.
Issuers
Issuers - to the extent not done so yet - need to enter into outsourcing agreements in line with the EBA Guidelines on outsourcing and/or DORA with technical service providers offering delegated SCA
The possibility for payment institutions to get access to financial markets infrastructure is enhanced. They will become less dependent on banks and their position vis-à-vis banks where they maintain a payment account is reinforced.
Payment institutions will be included in the settlement finality directive. This enables payment institutions to get direct access to settlement systems such as Target2 of the ECB.
Payment systems operators will need to accept payment institutions as customers and shall not prohibit access to their payment systems more than is necessary to (1) safeguard against specific risks, including settlement risk, operational risk, credit risk, liquidity risk, and business risk or (2) to protect the financial and operational stability of their payment system. This enables payment institutions to get direct access to processing systems such as equensWorldline NV.
It is made explicit that credit institutions may only refuse to open or shall only close a payment account of a payment institution if they have serious grounds to do so. These include serious reasons to suspect defective money laundering or terrorism financing controls or illegal activities, a breach of contract, insufficient information and documents received from the applicant, the risk profile of the applicant or its business model, or the possible serious impact such an opening may have on the profitability of the credit institution.
Payment institutions shall have the right to also safeguard client funds directly with the central banks, whereas currently based on client safeguarding rules funds need to be kept with banks or selected high-quality financial instruments.
Payment institutions
Payment institutions get better access to payment infrastructure, such as Target2 and processors
Payment fraud is a major topic in PSD3. As such, PSD3 introduces various new requirements and rights in this respect:
Payment service providers must offer confirmation of payee services to their customers. This is already market practice in the Netherlands and commonly referred to as IBAN-name check.
Payment service providers are liable versus their consumers in case of spoofing (fraudsters impersonating the bank). In the Netherlands payment service providers already compensate their clients in case of spoofing based on an agreement between the major Dutch banks.
Transaction monitoring will need to be strengthened and will be further detailed by EBA in a new RTS. These requirements should build on the added value stemming from environmental and behavioural characteristics related to the payment habits of the payment service user.
PSPs
PSPs will need to invest in additional fraud monitoring measures and enable for confirmation of payee to be offered
Now that the proposals have been published, they will undergo the legislative process involving the EU Parliament and EU Council. Realistically, this process is expected to take at least two years, with an additional 18 months for the proposals to come into force. Thus, the accepted proposals would become binding by the end of 2026. It is worth noting that certain sections of the proposals serve to explain existing requirements rather than introduce new ones. These explanatory sections may already be utilised by regulators when interpreting current laws, even prior to the formal implementation of the proposals.
Emanuel van Praag is an expert in financial law. He advises financial institutions on how to conduct their business while keeping their key stakeholders (the financial regulators and the customer) content. He also produces the required documentation for this purpose (e.g. policy documents and client contracts) and assists in communication with the financial regulators.
Next to his role as counsel at Kennedy Van der Laan, Van Praag is a professor of financial technology and law at the Erasmus University Rotterdam, where he researches topics like big data, Open Finance, and the payments industry (PSD2). As director of the FinTech course, he lectures on topics such as the law of payments, the utilisation of big data, blockchain and crypto assets, digital services, and crowdfunding.
Emanuel is not only academically grounded, but he also understands the financial industry inside out. He was an in-house lawyer at a variety of financial institutions for many years. He understands how financial markets and financial institutions operate.
Emanuel has written well over 35 articles on various topics in books and magazines. In 2020 he published a book on PSD2 and Open Banking. His most recent article (in 2023) deals with data use in the financial industry (Open Finance).
Kennedy Van der Laan was established in 1992, and since then our company has been driven by the ambition to serve as top-level attorneys and improve the world. We have always held to the principles of human standards and social impact, ensuring that every aspect of our work reflects these values. In our pursuit of excellence, we have remained dedicated to keeping things straightforward and transparent in our legal business. This commitment reflects our character as professionals – both resolute and refreshingly non-conformist, fostering an environment that is pragmatic, personal, and dedicated to collaboration.
At our company, we take pride in offering specialised legal expertise across a wide range of sectors, including the financial industry, IT, media, technology, healthcare, energy, IP, privacy, and insurance law. Our team possesses extensive experience in advising and supporting payments and technology providers, ensuring that we are well-equipped to navigate the complexities of this rapidly evolving landscape.
*The reference is made to Article 1(2) of Directive 86/653/EEC.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now