Voice of the Industry

PSD 1, 2, 3 – We are out of the starting blocks with a marathon ahead

Wednesday 27 July 2022 09:28 CET | Editor: Vlad Macovei | Voice of the industry

Nilixa Devlukia, founder of Payments Solved, shares her thoughts on the transition from PSD2 to PSD3, whether it should be a directive or a regulation, and future approaches

In September 2020 the European Commission (the Commission) announced the Retail Payments Strategy and the intention to review the impact of the second Payment Services Directive (PSD2) to assess whether this legislation remains fit for purpose. At the same time, the Digital Finance Strategy announced the Commission’s intention and ambition to propose legislation on a broader ‘Open Finance’ framework. Such a framework aims to allow the sharing of customer data beyond the limited scope of PSD2 so that the EU single market can innovate, compete, and provide new and improved services for consumers and businesses.

PSD2 itself contains a review clause in Article 108 and, even before it launched the general and targeted consultations, the Commission issued a call for advice to the European Banking Authority.

In the past three months, we have seen the EU regulatory bodies signpost the direction of travel for PSD3 and Open Finance. The Commission has published both a targeted and a general consultation asking the expected questions, and the EBA has published its response to the call for advice. The EBA’s response is comprehensive in its review of PSD2 and makes over 200 recommendations for changes that are needed for a framework that will support this ecosystem in the years ahead.

Both the Commission consultations and the EBA opinion look to address the deficits in PSD2 and the known practical problems that exist in the market today. This is a necessary step to a revised regulatory framework; however, if the EU is going to continue to be market-leading and remain at the forefront of the regulatory framework for payment services and Open Finance, then the focus of future legislation needs to address more than the deficits of PSD2 and bring together, in a holistic approach, the vision of the Retail Payments Strategy, the Digital Finance Strategy and the overarching EU data strategy. If the end game for Europe is Open Data, then the foundation for that Open Data society and the interaction with financial services need to be laid now. Bearing in mind that it will be several years before PSD3 is transposed across the EU, an incremental journey from Open Banking to Open Finance and Open Data will not be achieved in a timely and coherent manner unless that vision is fully supported across regulators and industry from the outset.

The PSD and Open Data consultations raise some wider policy questions that need to be addressed at the very start of this journey. 

Should the next iteration of this legislation be a Directive, or should it be a Regulation?

The difference is set out on the EU website. A Directive allows the Member States some flexibility in the application of the legislation to their jurisdiction. This is important for many reasons given that the payments ecosystem across the EU is not one homogeneous market. Local customs, availability of financial products, cost of living, and, of course, personal preference all drive different payment behaviours. Within certain parameters, a Directive allows the Member States to tailor the legislation to their own local needs.

However, this flexibility leads to fragmentation and different approaches that result in detrimental consumer outcomes and impose considerable costs on firms in complying with such local requirements. There are many examples of this covering every aspect of the current legislation ranging from nuances in authorisation requirements, reporting obligations, the implementation of SCA, IBAN discrimination, access to payment systems, approaches to de-risking, the different views on what is a ‘payment account’, and the implementation of Open Banking requirements. The list could go on. All of this variance in implementation raises the question of whether this legislation should be a Regulation.

A Regulation is more prescriptive but does not necessarily solve the variations detailed above. A simple drag and drop to a Regulation will not remedy the above challenges in any meaningful way. Simply putting the definition of a ‘payment account’ into a Regulation does not change the divergent views of what a payment account is. What is needed is a better, more comprehensive definition that is future-proofed for an ecosystem where payments are made using stablecoins and/or a digital euro. 

IBAN discrimination is already prohibited under the SEPA Regulation (note it’s a Regulation), but differing interpretations across the Member States have the net effect of non-compliance, poor customer outcomes, limited cross-border payments, and barriers for Open Banking firms. The solution here is to enforce existing Regulation.

The final decision on a Directive or a Regulation rests with the Commission when it publishes its PSD3 proposal; but the Commission must be mindful that the EU payment ecosystem, for many understandable reasons, is not a single, one-size-fits-all market; and that necessary local variation and proportionality at all levels, for the Member States, industry, and consumers is an important consideration. A Directive may remain the better regulatory tool.

Should AIS provision remain in PSD3 or should this and wider access requirements be in a separate piece of legislation?

There is already an industry debate on whether the provision of AIS (account information services) should remain in a revised PSD3 or be carved out into separate wider legislation that also supports Open Finance.

It has always been an anomaly that data access has been shoehorned into legislation for the provision of payment services. Timing and necessity dictated that AIS landed in PSD2. It is now appropriate to consider if the better way forward is separate legislation for access to data for financial services and beyond. The industry is rightly concerned that the removal of AIS as a regulated activity out of PSD2 may result in a loss of rights or hard-earned functionality – it is incumbent on the EU regulators to ensure that this does not happen. 

Separate legislation focused on access to data, be that payment account data, savings account data, pension data or insurance data, provides a holistic solution to the ever-increasing sharing of data and aligns to the principle of “same activity, same risk, same outcome”. A regulated activity of access to data that can be read across to other industries is a possible solution to an otherwise piecemeal, industry-specific approach that is likely to result in a fragmented implementation across industries that will impact innovation and competition.

Should there be an API first or API only approach?

Before PSD2, firms that accessed financial services data did so via ‘screen scraping’. This is the method whereby users share their banking credentials with the accessing firm which then accesses the data via the user login for the online banking service. As such, it appears to the account-holding entity that it is the user directly accessing the account. Screen scraping access gave the accessing firm visibility of all data held in the online banking channel not just payment account data.

Two of the primary objectives of PSD2 are security and consumer protection, and so PSD2 required that access to this data was limited to only payment account data and that, ideally, this access was via ‘dedicated interfaces’. These dedicated interfaces have been implemented using application programming interfaces (APIs).

To accommodate the change in the market, support firms and be technologically neutral, PSD2 permits access to payment account data via dedicated interfaces or screen scraping. To mitigate the risk of API failure, it also requires that firms that support API access maintain a ‘fallback mechanism’. This is costly for firms to implement and maintain and possibly drives firms away from implementing modern and secure API access to the payment account data.

APIs are the underpinning technology for an internet-enabled economy and allow for better control of data and more secure access to and transmission of data. A harmonised implementation of API access also mitigates barriers to entry.

Regulators across the EU have long made known their preference for firms to provide API access to data, and so now is the time to decide on whether screen scraping has a role to play in Open Finance.

Moving forward 

All the above are in the context of the wider changes already in train with the EU. Several initiatives have links to a revised payment services and Open Finance framework including MICA, DORA, the Settlement Finality Directive, instant payments, cross-border payments, a digital euro and currency settlement in Target 2. 

This is an ecosystem with many moving parts that require careful choreography to bring them together in a framework that will support payment services and Open Finance into 2030 and beyond. 

The journey to PSD3 and Open Finance is not just a marathon, it’s an ultra-marathon!

About Nilixa Devlukia

Nilixa is the founder of Payments Solved, a regulatory consultancy advising on the regulatory framework for open banking, payment services, digital assets and fintech both in the UK and globally. Formerly with the FCA and the OBIE, Nilixa is an experienced regulatory expert and lawyer with a Masters in European Competition Law. Nilixa sits on the European Payment Systems Market Expert Group and the ECB Digital Euro Market Advisory Group. Nilixa is a well-known public speaker and works with industry, regulators and legislators to drive changes that support an open banking and payments ecosystem that is secure, transparent and inclusive.

About Payments Solved

Payments Solved offers strategic advice on regulatory and policy issues. We advise firms and business leaders on how the law, regulation and the decisions and approaches of governments and regulators can impact their strategies. 


Keywords: PSD2, regulation, Open Banking, Open Finance, API
Categories: Banking & Fintech
Countries: Europe