At the start of May 2022, the EU Commission opened consultations into revisions for the Second Payment Services Directive – better known as PSD2.

Since PSD2 started to come into effect in January 2016, a lot has changed in the payments industry. The pandemic saw the pace of digitisation in the financial sector increase rapidly, with a massive shift to online and digital payments.

As a direct result of PSD2, new entrants could take advantage of the more open payments ecosystem, developing new products and services. Thanks to open banking initiatives, which were allowed to thrive under this new legislation, embedded finance has started to accelerate. As a result, increased collaboration between financial institutions, that would have previously been excluded, has become the norm.

As for the impact on end users, consumers and businesses found themselves able to consent to share data from their bank with third parties (banks and non-banks) via the Access to Account (XS2A), to easily initiate payments from bank accounts and retrieve account information. This resulted in the creation of new third-party providers (TPPs) known as Payment Initiation Service Providers (PISPs), Account Information Service Providers (AISPs) and Card Issuer Service Providers (CISPs).

Strong Customer Authentication (SCA), which aimed to reduce fraud and provide an added layer of protection to those making payments online, was also rolled out.

What has changed since PSD2, and why were these consultations needed?

The consultation papers are very early steps in the European Commission’s review of PSD2, which may ultimately result in revisions, leading to the creation of new legislation (PSD3), or heavily revised updates and additions to PSD2 (PSD2 2.0).

The ‘Targeted consultation on the review of the revised payment services Directive (PSD2)’ collected responses from key stakeholders working within the payments industry, including PSPs, regulators, and EU authorities, as well as industry experts, with the aim of assessing whether the current legislation remains fit for purpose.

In parallel to this, further consultations – ‘Open finance framework – enabling data sharing and third party access in the financial sector’ and ‘Payment services – review of EU rules’ opened to consumers and businesses across the EU on 10 May 2022, closing on 2 August 2022.

All consultations were designed to measure and review the impact of PSD2, while taking into account developments in the payments landscape in the past 6 years, which have evolved rapidly.

Several areas were highlighted as areas that needed to be reviewed and improved upon.

• Review of how well PSD2 had met its objectives:
  • Making it easier and safer to use online payment services
  • Better protection for payment services users against fraud, abuse, and payment problems
  • Promoting innovative payment services
  • Strengthening the rights of payment services users
• Costs and benefits of PSD2 for payment providers and their underlying clients
• The possible extension of regulation to currently unregulated or under-regulated activities such as:
  • Crypto payments
  • Buy-Now-Pay-Later (BNPL)
  • Operating payment systems or payment schemes
  • Digital wallet services (including mobile apps used for payments)
  • Triangular passporting
• Feedback on digital payments
  • Perceived trust around the use of AISPs and PISPs
  • Increased transparency around cross-border payments and fees
• The impact of SCA
  • Barriers for end users
  • Decrease in merchant conversion rates
• Changes to safeguarding requirements
• Review of whether exemptions should be added, updated, or removed
• The need to create a more precise specification of API standards
• Review the use of existing open finance services (i.e. PISPs/AISPs), understand what financial data respondents would also like to share via TPPs (mortgage, insurance, pensions, savings and investments), and take into consideration how this data is protected

Feedback on the PSD2 consultation

After reviewing some of the responses to the consultation, the main points raised by payment providers, associated organisations, businesses, and members of the public included:

• SCA has been mostly successful in reducing fraud. However, concerns were raised (including by the EBA) about how it impacts merchants due to increased friction as a result of SCA creating a poor user experience, as well as excluding users who do not have access to smartphone devices. Additionally, some PSPs reported an increase in other types of fraud, such as phishing and Mail Order/Telephone Order (MOTO) payments as criminals try to find workarounds
• PSD2 opened up the ecosystem, increasing competition, and has generally allowed for greater innovation and collaboration, resulting in more choice for end users and the ability to deliver more value-added services to them
• APIs have played a huge role in providing access to products, services and data sharing between financial institutions and other regulated entities, but a lack of standardisation, access, and interoperability, as well as technical issues, need to be addressed
• A lack of coherence with other EU legislation, such as GDPR, has muddied the waters around the rules of data protection for consumers under PSD2. In addition, some respondents raised concerns about PSD2 overlapping or conflicting with AML/CFT regulation across different jurisdictions. There has also been a call to merge PSD2 with the E-Money Directive
• When it came to safeguarding, some respondents commented that the current PSD2 safeguarding requirements work well and are fair and balanced, but there were calls for the provisions to be further revised and elaborated upon in several areas, including clarification of the obligations of credit institutions, and safeguarding across different jurisdictions. Other concerns were raised about how to safeguard crypto-assets, and de-risking
• From the Open Finance consultation, a call for transparency around cross-border payment fees was the primary concern for respondents
• Data sharing has worked well in principle. Access to data (especially if extended to non-FIs) via TPPs is more convenient but this needs to be weighed up against increased risk. This could be good for BNPL providers, who can assess affordability before approving lending

How might PSD3 change the payments industry?

Whether PSD2 will see an update, or be completely replaced by PSD3 is yet to be confirmed. Although the general consensus is that PSD2 has been successful, there are clearly still a number of areas for improvement.

When PSD2 was first rolled out, crypto payments had not yet become as widespread, and BNPL, embedded finance, and other payment methods, such as Request to Pay were in their infancy. Additionally, the UK had not exited the EU and new data privacy legislation, GDPR, was not yet in place. The advent of PSD2 opened up new possibilities with new players emerging, and with it, grey areas and gaps within some aspects of the legislation started to become more apparent.

Nobody could have predicted the impact the COVID-19 pandemic was going to have on the payments industry, and the acceleration of digitisation as a whole.

To address the challenges and opportunities PDS2 presented, a more flexible approach may be required to ensure innovation is not stifled, while maintaining robust requirements around data security and privacy. The benefits of collaboration are clear, but more standardisation may need to be introduced to improve interoperability, particularly when it comes to APIs. ISO 20022 works alongside PSD2 and may help to meet this goal as it simplifies the processing language behind transactions between financial institutions.

Finally, a more joined-up approach is needed across jurisdictions to address concerns around safeguarding, and to meet the needs of end users who are calling for more transparency when making cross-border payments.