Navigating the proposed Directive on Payment Services and Electronic Money Services (PSD3)
Josef Bergt
2023
The European Parliament and the Council are proposing a new directive on payment services and electronic money services in the Internal Market. This directive, which will amend Directive 98/26/EC and repeal Directives 2015/2366/EU and 2009/110/EC, introduces several key aspects and elements that existing payment institutions need to be aware of.
Key Aspects of the Directive:
- Risk Avoidance and Safeguarding of Customer Funds: The directive emphasizes the importance of risk avoidance, particularly concentration risk, in the safeguarding of customer funds.
- Payment institutions shall be allowed to engage in other activities beyond those covered by this directive, including the provision of operational and closely related ancillary services and the operation of payment systems or other business activities regulated by applicable Union law and national law to further diversify activities.
- Prohibition of Deposit-Taking Activity: The directive prohibits payment institutions offering payment services from accepting deposits from users and requires them to use funds received from users solely for providing payment services.
- Regulation of Credit Granting: The directive allows payment institutions to grant credit, but this activity is subjected to strict conditions. Credit can be granted in the form of credit lines and the issuance of credit cards, provided the credit is granted for a period not exceeding 12 months.
- Record Keeping: The directive requires payment institutions to keep all appropriate records for at least five years.
- Transparency and Exemptions for Small Payment Institutions: The directive requires Member States to communicate decisions regarding possible exemptions for small payment institutions to the Commission.
- Specific Prudential Regime for Account Information Service Providers: The directive provides for a specific prudential regime for account information service providers, with a lighter registration requirement.
- Outsourcing of Operational Functions: The directive requires payment institutions to inform competent authorities when it intends to outsource operational functions.
- The proposed directive also sets out specific rules on information and communication technology (ICT) security controls and mitigation elements for obtaining an authorisation to provide payment services. These requirements are aligned with the requirements under Regulation (EU) 2022/2554 of the European Parliament and of the Council, also known as the Digital Operational Resilience Act (DORA).
PSD3 is accompanied by a proposed Payment Service Regulation (PSR - COM(2023) 367 final; 2023/0210 (COD)) and a proposal for a regulation on a framework for open financial data access (COM(2023) 360 final; 2023/0205 (COD).
The proposed Payment Service Regulation (PSR) is another crucial element to consider. It provides a regulatory framework governing the conduct of payment services in the EU and European Economic Area (EEA), separating them from the rules on authorisation and supervision of payment institutions, which will be governed by PSD3 in the future.
In light of these changes, existing payment institutions may find themselves in need of expert legal advice.