Banks, non-banks and fintechs have just one year to prepare for some of the biggest regulatory upheavals that will fundamentally impact the way they do business.
Alex Reddish, Tribe Payments CEO delves into the intricacies of PSD3, PSR and FIDA – regulations set to reshape open banking, data access and security in the financial sector.
Banks, non-banks and fintechs have just one year to prepare for some of the biggest regulatory upheavals that will fundamentally impact the way they do business.
The upcoming Payment Services Directive (PSD3), the Payment Services Regulation (PSR) and the Financial Data Access Frameworks (FIDA) are expected to transform the way fintechs and financial services companies work with customer data on a pan-European scale.
Originally proposed in June 2023 by the European Commission (EC) and now on the road to approval, the expected outcome of these regulations, which are expected to come into force from 2025, is to evolve existing regulations and structure new ones to align with the transformational changes we have seen in the use of payments, as well as the emergence of open banking and the shift to a digital economy.
These changes will also further level the playing field between banks and non-banks, notably by giving non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and by guaranteeing the rights of these providers to a bank account.
The PSR
The PSR aims to update and replace parts of PSD2 that are not covered by PSD3. Once adopted and implemented, the PSR will apply to all EU Member States.
The main objective of the PSR is to improve consumer protection and it will introduce changes to the existing open banking framework to improve access to these services. Under the PSR, payment initiation service providers (PISPs) and account information service providers (AISPs) will be allowed to create custom APIs that can connect directly to banks and other payment service providers. On the face of it, this should improve the adoption of open banking.
Banks and payment entities will also have to publish quarterly statistics on the performance and availability of their APIs. This should stimulate competition in the market, promote better quality of API design to interface with banks and direct businesses to the best-performing providers.
PSD3 and the push towards open banking
Now let’s move on to PSD3. The European Commission is clear that PSD3 is an improved version of PSD2, with a broader scope and taking into account new challenges in fraud, digital transformation of payments, access to payment systems and benchmarks for systems such as open banking.
But it’s the push to open up banking that’s generating the most discussion around PSD3. The launch of PSD2 made the vision of open banking a reality, with banking APIs allowing customers to consent to sharing their data with third parties. The proposed text of PSD3 states that there will be no fees for using open banking interfaces and no requirement to use standard APIs.
But has PSD2 made open banking a success? In the UK at least, the number of active users of open banking reached eight million by the end of 2023, a record high 9.7 million payments were made in June 2023, an increase of 88% compared to the same month in 2022..
But overall, only 10% of the UK population uses open banking, and this pales in comparison to the tens of billions of card transactions processed by the major international payment systems. It would take a long time for open banking to take a larger share of these volumes, and this is reflected across continental Europe, but IFAD could have a positive impact.
FIDA and the fight for real-time data
Unlike PSD3, FIDA has no prior or legacy legislation to rely on, but it does have some points of interaction with PSD3. FIDA proposes to give financial information service providers (FISPs) the right to access real-time customer data from almost all financial services data, including current and savings accounts, credit cards, mortgages, loans and retirement accounts.
What will the increase in customer data mean for banks and fintechs? Consider lenders, BNPL providers and other credit providers. With FIDA, they will have more and better data to make better lending decisions.
To give you a glimpse of what this might look like, depending on Experian 2022 data, More than five million so-called ‘credit invisible’ people in the UK have been shut out of the best rates and credit offers due to insufficient data on their financial history.
Changing needs
Today, credit decisions are still largely based on risk-scoring models developed decades ago. The way people access credit has undergone a profound change. Fifty years ago, or even 10 years ago, most people still used their credit cards to make high-value purchases. But today, fintechs have adapted to the generational need for immediacy, with services like BNPL gaining more market share every year.
In the era of real-time digital finance, by leveraging real-time transaction data from a broader range of consumer account products, fintechs and banks can make much better data-driven decisions that reduce risk, lower default rates (and therefore reduce credit losses), and improve financial inclusion.
Rather than relying on blurry, incomplete static snapshots of a single point in time, real-time Open Banking and Open Financial data could produce a moving, high-definition panoramic view of an individual’s true financial situation – and enable fintechs to hyper-personalise products and services to capture more market share.
Here at least, FIDA could give open banking and open finance the boost it needs to gain popularity.
PSD3 will remove SCA friction, but will raise liability issues
PSD2 mandates the implementation of strong customer authentication (SCA) for certain transactions to reduce fraud, by requiring users to provide two or more different authentication factors. PSD3 will allow consumers to use two factors of the same category, for example two passwords or two tokens. In addition, certain merchant-initiated transactions (MITs) will be exempt under PSD3, such as subscriptions. Only the first transaction requires SCA, with recurring transactions being exempt. Similarly, mail order and card-to-phone (MOTO) transactions will also be exempt from SCA.
PSD3 will also contain updated provisions to combat new types of payment fraud, including social engineering fraud and authorised push payment (APP) fraud. PSD3 promises to strengthen fraud prevention by allowing more fraud-related data to be shared at the industry level. One element that will pique the interest of payment service providers is that the European Commission is opening up redress rights for consumers in the event of fraudulent payments, including, in some cases, APP transactions.
In this respect, the PSD3 proposal appears to mirror the APP refund requirements recently imposed in the UK. This is a potential battleground for the EC on the one hand and banks and payment service providers who could find themselves liable for refunding customers for authorised transactions that are found to be fraudulent at a later date. European stakeholders will be watching closely to see how the UK payments industry responds to this situation. Application Fraud needs over the next 12 months.
As European elections approach, implementation of regulations could be slow
The European Commission has optimistically put forward the first half of 2025 for the final adoption of PSD3 and IFAD. But as life often does, unforeseen events, unintended consequences and unforeseen obstacles disrupt the process.
The outcome of the upcoming European Parliament elections in June 2024 could have a significant impact. Regardless of their political leanings, most lawmakers are broadly supportive of the proposed frameworks, which have so far encountered little opposition during the legislative process. But the possibility of surprising election results should not be ruled out. If MEPs find themselves at odds, it could slow down the adoption of any pending legislation and leave the payments industry in limbo.
It remains to be seen whether these regulatory updates will strike a balance between consumer protection and commercial concerns. Clearly, policymakers have good intentions, but it is critical that new regulatory frameworks do not restrict the ability of ecosystem players to innovate and compete, and do not inadvertently reduce consumer choice and convenience in payments.
What these changes mean for fintechs: act now
With so many updates in these interrelated regulations, it is imperative that banks, non-banks and fintechs ensure that their technology platforms and processes can adapt to the required changes. Investing in anti-fraud measures, risk monitoring and a technology platform that can adapt to changing regulations will provide many opportunities for innovation, collaboration and unbeatable competitive advantages.