EU payment services directive: from PSD2 to PSD3


The new EU payment services directive (PSD3) will help financial institutions reduce the success of payment fraud. Fraud Pattern Anomaly Detection (FPAD) will include a free IBAN check technology, in order to validate the name and unique identifier of the payee before payments are sent. Learn how PSD3 will evolve from PSD2 and, ultimately, protect your payments against cybercriminals.

And while PSD3 adds an extra layer of security for payments, it’s not foolproof. For 100% protection against payment fraud, choose Trustpair, your automated account validation solution.


EU payment services directive: what is it all about?

The European Commission payment services directive (PSD) was legislation to enable one single payments market across the EU. It guided how each country should participate, helped to innovate the payments market with widespread access to new technologies, and supported local authorities in dealing with payment crimes.

The PSD was adopted in 2007, and brought legitimacy to the Single Euro Payments Area (SEPA). Since then, there have been several reviews of this regulation, predominantly due to innovation, as payment technologies have evolved so drastically.

For example, we now use contactless payments and QR codes for transactions, and deal with cryptocurrencies. None of these were popular or widespread payment options when the regulation was first formed in 2007. So in this piece, you’ll learn about how the PSD has evolved over time.

You might also be familiar with the term PSR, which stands for payment services regulation. This has been proposed together with the third iteration of the payment services directive, because it focuses on the responsibilities of the banks. But more on that later!

EU payment services directive: a quick calendar

Over time, the EU authority board felt it was necessary to review the payment services directive because it required modernisation. New technologies (and weak links) had exposed parts of the PSD that were no longer fit for purpose.

Here’s the timeline:

  1. 2007: PSD introduced for the first time, leading to a collaborative approach to payments across the EU
  2. 2013: proposal to revise PSD based on new information and industry changes
  3. 2015: revised payment services regulation brought in (PSD2), but firms had three years to comply
  4. 2018: compliance deadline for PSD2
  5. 2021/2: review of PSD2 and its efficacy
  6. 2023: EU proposes new set of rules to meet further technology changes, known as PSD3
  7. Late 2024: PSD3 expected to be published

PSD2 explained: requirements, goal, application

PSD2 is the second iteration of the payment services directive, and companies were required to comply from 2018 onwards. PSD2 worked to bring all of a customer’s banking information into one digital place so that they could make payments without a physical card present. This is now known as open banking.

A technical requirement of PSD2 is that bank providers must share certain types of financial data with approved partners, known as third party payment providers (TPPs). Popular examples of these include money transfer service PayPal, and POS system Square. These third parties were not previously regulated in the same ways as traditional banks, which meant the move was fairly controversial.

But since the overall value of PSD2 was to increase both transparency and competition, the EU brought in third parties while using authentication challenges to avoid the risk of security problems. One of the regulatory requirements to manage security was the introduction of Strong Customer Authentication (SCA). Payments providers would have to verify the identity of the account owner when making online, electronic payments by meeting two of the following three criteria every 90 days:

  • Possession: a code sent to a mobile device or email account.
  • Knowledge: a password or answer to a personal security question.
  • Biometrics: a fingerprint or facial recognition ID.

PSD2 had four key objectives:

  1. Increase the efficiency of the payments market (faster and cheaper payments)
  2. Level the playing field for new providers
  3. Increase the safety and security of online payments
  4. Protect customers and businesses based in the EU

In terms of application and impact, institutions found themselves changing the way they dealt with the consumer and handled complaints. PSD2 was successful in building higher levels of trust between consumers and their payments providers.

PSD3 explained: requirements, goal, application

The third iteration of the payment services directive (PSD3) was drafted in June 2023 following various consultations and an impact assessment. Its new objectives are to:

  1. Tackle fragmentation within the market by introducing stronger enforcement and implementation rules
  2. Protect payment services against fraud
  3. Increase competition within the market by protecting third party service providers against barriers set by incumbents
  4. Increase access to payment systems by fighting inefficiencies

PSD3 addresses areas of financial services that were not addressed in PSD2, such as blockchain, cryptocurrencies and digital currencies.

The Fraud Pattern Anomaly Detection program was piloted over the summer of 2023. It enabled payment providers to review their risk and detect suspicious activity before payments are made. Having been a successful trial, the program has now been confirmed for PSD3. It will support existing fraud prevention legislation, such as ultimate beneficial ownership regulation.

The proposal splits responsibilities between PSD3 and the PSR.

In particular, open banking will continue under PSD3, whose focus will be on licensing and the strong regulation of payment service providers. In order to improve the customer experience further, consumers will be provided with a dashboard to see exactly which service providers they have previously granted access to. For example:

  • Metro Bank (mortgage provider): permission to access credit data
  • Klarna (BNPL): permission to share borrowing data with credit reporters
  • Tesco Bank (lender): permission to store personal information

This, alongside stricter rules on customer data sharing, should increase the safety of online purchases. But PSR covers the responsibilities of the banks themselves. In particular, this means stricter technical standards for incumbents, tougher penalties for non-compliance and less of a difference between EU countries.

How to be PSD compliant?

Becoming PSD compliant will require both banks and service providers to assess their regulatory gaps. But there are different requirements for each participant within the payments ecosystem. So, some compliance measures include:

  • Holding the right amount of capital: capital requirements aim to reduce risk in terms of liquidity in spite of significant market shifts
  • Ongoing training for senior leaders: the EU can choose to assess whether a business’s leadership team has the knowledge and skills to operate the company compliantly
  • Transparent disclosures: make the terms of any financial products clear so that customers are well-informed to make their decisions (this is especially important in the lending and borrowing markets)
  • Implement secure online checkout: 3D Secure is an authentication solution for transactions to protect both customers and merchants.

The incoming European regulation includes Validation of Payee (similar to Confirmation of Payee), but it has some limitations. For example, it requires manual payment review and is limited to only one method of fraud prevention control. However, Trustpair offers the added advantage of securing the entire supply chain.

With a more comprehensive correlation of data, Trustpair validates through multiple methods such as company ID, account activity and international blacklists. And by automating vendor bank ownership checks from procurement all the way through to payment, you’ll get instant evaluations for 90% of accounts. Demo Trustpair to see how you can protect your business from third party payment scams.

A quick recap of the payment services directive

The payment services directive was first introduced in 2007, and has since undergone two updates to ensure the regulation reflects current payment technology. Its newest changes aim to tackle market fragmentation and fraud, so compliant parties are expected to be transparent and include security checks. Trustpair can help organizations comply with PSD3.


FAQ

PSR primarily takes over the regulations of PSD2 (alongside some new requirements), whereas PSD3 focuses on bank licensing and payments supervision. The main differences between the two are the topics and boundaries they cover, with PSR providing the most natural follow-on from PSD2.

The EU AML directive came into force in summer 2024. It focuses on increasing transparency for financial transfers, in order to prevent criminal financing (such as terrorist financing) and money laundering across the borders of the EU.