Towards PSD3? The European Banking Authority publishes its views

21 Aug 2022 08:04 PM

Following 2018’s implementation of the European Union’s revised Payment Services Directive (PSD2), international and national supervisory authorities are producing extensive reviews following the European Commission’s Targeted Consultation of the revised payment services directive

The European Commission initiated in October 2021 a Call for Advice (CfA) to the European Banking Authority (EBA) following its targeted consultation, with the aims of better understanding the complex realities of the policy’s effects on suppliers, authorities and regulators, towards the path of amending the revised legislation.  

In this insight we will dissect key findings from the EBA’s opinion letter while acknowledging wider debates and points of interests for payment providers and international/national regulators. The opinion letter calls for four key actions:

• Clearer definitions of payment system provider (PSP), third party providers (TTPs) and strong customer authentication (SCA)
• Stronger Customer Authentication Extension
• Further regulatory E-Money Institutions Inclusion
• Further regulatory Open Banking/Open Finance Inclusion

Clearer definitions of the roles of PSPs, TTPs and SCA’s

While PSD2 saw the inclusion of several new services and instruments from PSD1, the EBA extends this effort to PSD2’s definitions with regards to payment services and their providers. This includes the clarifications between online/offline payment transactions, ‘sensitive’ customer data and Merchant Initiated Transactions (MIT).

Clarifications include ‘electronic payment transactions’ and ‘sensitive payment data’ –

• The uncertain delineations between what is regarded as ‘offline’ and ‘online’ initiated payments is important specifically in the case of remote transactions initiated by Payment Service Users (PSU) physically present at the Point of Sale (POS), in which the two parts of the process (payment instrument and point of interaction) are not technically physically attached to each other. However, this proposal was removed by the EBA due to contradictory occurrences of online devices opening an offline POS, which would have placed banks in potentially challenging legal situations.
• Unclear interpretations of ‘sensitive’ customer data affecting the Account Information and Payment Initiation Services Provider (AISP) model, the Single Euro Payments Area’s (SEPA) instant credit transfers scheme and Strong Customer Authentication’s (SCA) varying inter-PSP processes including ‘customer ID’ and its cross-PSP/AISP data sharing.
• Refining both the terminological remit and regulatory treatment of MIT’s can help clarify PSP-third party technologies in relation to SCAs and tighten up the mitigation and investigation of fraud.
• The application of Strong Customer Authentication (SCA) should be clarified in relation to customer exemptions, SCA’s applicatory role being either a ‘corrective’ or ‘preventive’ measure and its reliance on Third Party Providers (TTP) technology.

The response also included changing the details of the application of SCA, specifically regarding increasing the regulatory treatment of merchant-initiated transactions, third-party technologies and fraud mitigation and inclusion.

Merchant-initiated transactions

Focusing clarifications of merchant-initiated transactions, how they are regulated and their requirements on the setup of mandates is particularly important considering businesses’ growing usage of SEPA direct debits and New Payments Platforms (NPP).

The regulatory oversight between Account Servicing Payment Service Providers (ASPSP) and TPPs are called to clarify the exact delegation processes of technical service providers, specifically digital wallet providers. This also extends to clarifying liability regarding the granting of Payment Service Providers (PSP).

Fraud mitigation

Education, requirements, and awareness campaigns are included to ensure PSPs are appropriately investing, monitoring, and communicating in the exchange of information of best practice in fraud, known cases and known accounts used to carry out fraud. Indeed, reforms within cross-business best practice is key to tackling social engineering fraud risks.

Social inclusion

Ensuring effective education and communication to customers using PSP’s technologies including authentication solutions is vital in making sure the needs of specific groups, particularly vulnerable people are fully considered.

Click here for the full press release