Nilixa Devlukia, founder of Payments Solved, shares thoughts on the transition from PSD2 to PSD3, be it a directive or a regulation, and future approaches
In September 2020, the European Commission (the Commission) announced its retail payments strategy and the intention to examine the impact of the second Payment Services Directive (PSD2) in order to assess whether this legislation remains fit for purpose. At the same time, the Digital finance strategy announced the Commission’s intention and ambition to propose legislation on a broader ‘open finance’ framework. Such a framework aims to enable the sharing of customer data beyond the limited scope of PSD2 so that the EU Single Market can innovate, compete and deliver new and improved services to consumers and businesses.
PSD2 itself contains a review clause in Article 108 and, even before launching the general and targeted consultations, the Commission launched a call for advice to the European Banking Authority (EBA).
Over the past three months, we have seen EU regulators point the way for PSD3 and Open Finance. The Commission has published two targeted consultations and one general consultation, which ask the expected questions, and the EBA has published its response to the call for advice. The EBA’s response is comprehensive in its review of PSD2 and makes over 200 recommendations for the changes that are needed for a framework that will support this ecosystem in the years to come.
Both the Commission’s consultations and the EBA’s advice aim to address the shortcomings of PSD2 and the known practical problems that exist in the market today. This is a necessary step towards a revised regulatory framework; however, if the EU is to continue to be a market leader and remain at the forefront of the regulatory framework for payment services and open finance, future legislation must focus on more than PSD2 deficits and bring together, in a holistic approach, the vision of the retail payment strategy, the digital finance strategy and the overall EU data strategy. If the end game for Europe is Open Data, then the foundations for this Open Data society and the interaction with financial services must be laid now. Bearing in mind that it will take several years before PSD3 is transposed in the EU, a gradual journey from Open Banking to Open Finance and Open Data will not be achieved in a timely and consistent manner unless this view is fully supported by regulators and industry from the start.
The PSD and Open Data consultations raise broader political questions that need to be addressed at the very beginning of this journey.
Should the next iteration of this legislation be a directive or should it be a regulation?
The difference is shown on the EU website. A directive gives Member States some flexibility in applying the law to their jurisdiction. This is important for many reasons given that the payments ecosystem in the EU is not a homogeneous market. Local customs, availability of financial products, cost of living and, of course, personal preferences all lead to different payment behaviors. Within certain parameters, a directive allows Member States to adapt legislation to their own local needs.
However, this flexibility leads to fragmentation and different approaches that result in detrimental outcomes for consumers and impose significant costs on businesses to comply with these local requirements. There are many examples of this covering all aspects of current legislation, ranging from nuances in authorization requirements, reporting obligations, SCA implementation, IBAN discrimination, access to payment systems, risk reduction approaches, different views on what a ‘payment account’ is and the implementation of Open Banking requirements. The list could go on even longer. All of these gaps in implementation raise the question of whether this legislation should be a regulation.
A regulation is more prescriptive but does not necessarily resolve the variations detailed above. Simply moving the existing text across into a regulation will not significantly solve the above challenges. Merely including the definition of a “payment account” in a regulation does not change the differing views on what a payment account is. What is needed is a better, more comprehensive and future-proof definition for an ecosystem where payments are made using stablecoins and/or a digital euro.
IBAN discrimination is already prohibited under the SEPA regulation (note that this is a regulation), but different interpretations across member states have the net effect of non-compliance, poor results for customers, limitation of cross-border payments and obstacles for Open Banking businesses. The solution here is to apply the existing regulations.
The final decision on a directive or regulation rests with the Commission when it publishes its PSD3 proposal; but the Commission should bear in mind that the EU payment ecosystem, for many understandable reasons, is not one single market; and that the necessary local variation and proportionality at all levels, for Member States, industry and consumers, is an important consideration. A directive may remain the best regulatory tool.
Should the provision of AIS remain in PSD3 or should that and wider access requirements be in separate legislation?
There is already debate in the industry as to whether the provision of AIS (account information services) should remain in a revised PSD3 or be incorporated into wider separate legislation that also supports Open Finance.
It has always been an anomaly that access to data is enshrined in legislation relating to the provision of payment services. Timing and necessity dictated that AIS landed in PSD2. It should now be considered whether the best way forward is separate legislation for access to data for financial services and beyond. Industry rightly fears that removing AIS as a regulated activity from PSD2 could lead to loss of hard-earned rights or functionality; it is up to EU regulators to ensure this does not happen.
Separate legislation focused on access to data, whether payment account data, savings account data, pension data or insurance data, provides a holistic solution to ever-increasing data sharing and is aligned with the principle “same activity, same risk, same result”. A regulated data access activity that can be read across to other industries is a possible solution to an otherwise piecemeal industry-specific approach that is likely to result in piecemeal implementation across industries that will impact on innovation and competition.
Should there be an API first or API only approach?
Prior to PSD2, companies that accessed financial services data did so via “screen scraping”. This is the method by which users share their banking credentials with the accessing business, which then accesses the data through the user’s online banking login. Thus, it appears to the account-holding entity that it is the user who directly accesses the account. Screen scraping gave the accessing business visibility into all data held in the online banking channel, not just payment account data.
Two of the primary goals of PSD2 are security and consumer protection. PSD2 therefore required that access to this data be limited to only payment account data and that, ideally, this access should be via “dedicated interfaces”. These dedicated interfaces have been implemented using application programming interfaces (APIs).
To adapt to market developments, support businesses and be technologically neutral, PSD2 provides access to payment account data via dedicated interfaces or screen scraping. To mitigate the risk of API failure, companies supporting API access are also required to maintain a “fallback mechanism”. This is costly for businesses to implement and maintain, and perhaps deters them from implementing modern, secure API access to payment account data.
APIs are the underlying technology of an Internet-based economy and enable better data control and more secure data access and transmission. A harmonized implementation of API access also mitigates barriers to entry.
EU regulators have long made known their preference for companies to provide API access to data and so it’s time to decide whether screen scraping has a role to play in Open Finance.
Moving forward
All of the above is in the context of the broader changes already underway within the EU. Several initiatives are linked to a revised payment services and open finance framework, including MiCA, DORA, the settlement finality directive, instant payments, cross-border payments, a digital euro and foreign currency settlement in TARGET2.
It is an ecosystem with many moving parts that require careful choreography to bring them together into a framework that will support payment services and open finance through 2030 and beyond.
The journey to PSD3 and Open Finance is not just a marathon, it’s an ultra-marathon!
About Nilixa Devlukia
Nilixa is the founder of Payments Solved, a regulatory consultancy which advises on the regulatory framework for open banking, payment services, digital assets and fintech in the UK and globally. A former member of the FCA and the OBIE, Nilixa is an experienced regulatory expert and a lawyer with a Masters in EU competition law. Nilixa sits on the European Payment Systems Market Expert Group and the ECB’s European Digital Market Advisory Group. Nilixa is a well-known speaker and works with industry, regulators and legislators to drive change that supports an open, secure, transparent and inclusive banking and payments ecosystem.
About Payments Solved
Payments Solved provides strategic advice on regulatory and policy issues. We advise companies and business leaders on how law, regulation and the decisions and approaches of governments and regulators may affect their strategies.