Dr. Carlos Nasher, Managing Partner at Thede Consulting, analyses the impact of PSD3/PSR and DORA on the payments industry, exploring what it means for merchants and banks.
Between the dynamic poles of regulation, cyber security, and digitalisation, future drivers are having a major impact on today’s payment industry. This article, the second in a three-part series, takes a closer look at current and planned regulatory adjustments. The first article presented the current initiatives shaping payment digitalisation in Europe – the digital euro.
The payment industry is continuously evolving, driven primarily by technological advancements and regulatory changes such as PSD3/PSR, FiDA, Instant Payment, and DORA. These developments present significant opportunities but also pose substantial challenges that require thorough preparation. What impact will these new directives and regulations have on the payment industry, and what do they mean for banks and payment service providers?
Figure 1: Triangle of digitalisation, regulation, and cyber security in the payment industry
With the currently discussed directives PSD3 (Payment Service Directive 3) and PSR (Payment Service Regulation), the European Commission sets out a specific vision for harmonised and secure payment transactions and fair competition within the European Economic Area.
The upcoming directive PSD3 builds on the previous directive PSD2. The main focus is on Strong Customer Authentication and the transparent organisation of payment transactions. PSR supplements PSD3 and leads to a directly applicable law in all EU member states.
The drafts for PSD3 and PSR were published in 2023. Since then, the regulations have been under review. Both directives are expected to take effect in the second half of 2025.
Banks have the chance to offer new services by integrating innovative technologies and partnering with different fintechs. By digitalising and automating processes, banks can reduce their operating costs and increase efficiency. Beyond that, banks have the opportunity to increase customer trust and loyalty through improved security measures and innovative services.
For payment service providers, PSD3 and PSR encourage competition and allow them to enter the market more easily. They have the chance to develop new technologies and services while meeting customer needs and gaining the trust of business partners. For e-money institutions, PSD3 and PSR mean that they are required to obtain a licence under the Payment Services Supervision Act (ZAG) and are therefore subject to stricter regulations. In addition, the shifting of fraud losses from customers to banks increases the risk and poses a challenge for fraud management.
For end users, the PSD3 and PSR directives enhance security through improved authentication processes. They benefit from increased transparency about fees and other costs, leading to better decision-making when choosing banks and payment providers.
Figure 2: Schedule of PSD3/PSR Implementation until 2026
The Digital Operational Resilience Act (DORA) is considered a highly influential EU regulation and aims to strengthen the digital resilience of the financial sector. DORA sets IT security standards, particularly in the areas of risk management for information and communication technology (ICT), the reporting of ICT incidents, and the monitoring of risks by third-party ICT service providers.
The DORA regulation came into force on January 17, 2023, but will not be fully applied until January 17, 2025. In this 24-month transition period, banks and other financial institutions have time to prepare their businesses for the actual DORA enforcement by January 2025.
Banks and payment service providers can improve the resilience of their systems and processes against cyber-attacks and other digital threats. By ensuring compliance with DORA regulations, banks and payment service providers can strengthen the trust of their customers and position themselves as trustworthy and reliable partners in the market. Improved risk management and emergency plans help banks to minimise potential financial damage.
End users can rely on more secure and reliable financial services. Beyond that, they can expect less downtime and fewer interruptions, allowing them to access their financial services continuously.
Figure 3: Management of third-party ICT risks with DORA
The Financial Data Access Regulation (FiDA) aims to create a unified ‘Open Finance’ space across Europe. By giving authorised third-party providers access to financial data and offering innovative, customised financial products and services, the aim is to increase transparency, promote competition and give consumers more control over their financial data. The decision to implement FiDA is scheduled for the beginning of 2025.
FiDA offers great opportunities for banks and payment service providers to strengthen their customer relationships by developing personalised products and services. Increased transparency will improve fraud management and claims processing. In addition, FiDA aims to promote cooperation between traditional financial institutions and new fintech companies to improve the service offering and reach new customer segments through strategic partnerships.
End customers benefit from greater transparency, easier financial management, and personalised financial products such as embedded finance solutions.
The implementation of FiDA presents a challenging task, particularly for banks and payment service providers. The preparation includes developing scalable and resilient interfaces for data transmission and creating a consent management dashboard. The potential entry of big tech into financial services adds competition to the market.
The Instant Payment Regulation (IPR) aims for real-time payments within the Single Euro Payments Area (SEPA). Adopted on March 13, 2024, the IPR requires that payment service providers facilitate instant payments by 2025, ensuring transactions are processed within seconds, 24/7, throughout the whole year. The regulation aligns with the European Commission’s objective to enhance the efficiency, speed, and security of the payment system.
For banks, instant payments offer the opportunity to work with real-time cash flow transparency and rely less on outdated forecasting methods. Corporates benefit from a better overview of funds, which can lead to more accurate decision-making and lower operating costs.
The shift to real-time payments also comes with significant challenges. The speed of instant payments leaves little room for error or recovery, which makes transaction and data fraud easy. Processing transactions 24/7 demands significant investment in upgrades, including cloud-based solutions for scalability and sophisticated fraud detection mechanisms.
Beyond that, payment service providers must comply with real-time sanctions screening and transaction monitoring. Meeting regulatory standards requires integrating advanced monitoring tools into payment systems.
End users gain immediate access to funds, making financial management more flexible and convenient.
How can banks and payment service providers take advantage of the opportunities presented by these regulatory changes? Here is some key advice.
Advanced authentication: implement secure and user-friendly authentication technologies;
Fraud detection: integrate fraud detection and risk management systems, and train staff to identify suspicious transactions;
ICT governance: adapt internal policies and processes for continuous risk assessment and management.
Technology investment: upgrade IT infrastructure and develop secure, real-time data sharing APIs;
Scalable IT infrastructure: invest in scalable cloud solutions and advanced IT systems to handle high transaction volumes for instant payments.
Digital resilience testing: conduct annual baseline tests and threat-led penetration tests (TLPT);
Incident management: develop an internal reporting system for ICT incidents and synchronise all ICT systems with a reliable reference time.
Fintech partnerships: form partnerships with fintech companies to expand service offerings and facilitate the transition to instant payments;
Third-party risk management: review and update outsourcing policies and contracts, and conduct regular due diligence.
Banks and payment service providers need to act now to keep up with current trends and remain competitive in the payment market. This includes analysing current business processes and identifying gaps in terms of regulatory requirements and new customer expectations, in order to effectively shape existing business models for the future. Moreover, banks and payment service providers should incorporate regulatory aspects into their business strategy and consider the selection and implementation of new technology solutions and suitable third-party providers.
In the next article of this three-part series, we will take a closer look at the increasing importance of cyber security in the payment industry. Why is it important to include a sophisticated cyber security strategy and what are the possible consequences of disregarding cyber risks in today’s world?
About Dr. Carlos Nasher
Dr. Carlos Nasher is a managing partner at Thede Consulting. As an industrial engineer with a PhD in Data Science and over 10 years of experience, he is an expert in the innovative creation of digital payment processes and the development of cross-industry platform solutions, as well as in the areas of loyalty and programmable currencies. With comprehensive expertise in business models, products, and technology in payment and banking, his team delivers innovative ideas for decision-makers.
About Thede Consulting
With over 30 years of experience within payments, Thede Consulting supports banks, payment service providers, and customers from industry, service as well as retail and wholesale as a first-class strategy and management consultancy. With our expert team, we advise both nationally and internationally active clients. We convince with our expert knowledge in the strategic development and implementation of innovative business models as well as digital processes and product concepts.