Banks, non-banks and fintechs have just one year to prepare for some of the biggest regulatory shake-ups to fundamentally impact the way they do business.
Alex Reddish, managing director of Tribe Payments, delves into the intricacies of PSD3, PSR and FIDA – regulations set to reshape open banking, data access and security in the financial sector.
Banks, non-banks and fintechs have just one year to prepare for some of the biggest regulatory shake-ups to fundamentally impact the way they do business.
The forthcoming Payment Services Directive (PSD3), Payment Services Regulation (PSR) and the Financial Data Access (FIDA) frameworks are set to transform the way fintechs and financial services firms work with customer data on a pan-European level.
Initially proposed in June 2023 by the European Commission (EC) and now on their journey to approval, the intended outcome of these regulations, set to take effect from 2025, is to evolve existing regulations and structure new ones to align with the transformational shifts we’ve seen in payments usage, along with the emergence of open banking and the move to a digital-first economy.
The changes will also be further levelling the playing field between banks and non-banks, in particular by giving non-bank payment service providers access to all EU payment systems, with appropriate safeguards, and securing those providers’ rights to a bank account.
The PSR
The PSR is intended to update and replace the parts of PSD2 not covered in PSD3. Once adopted and implemented, PSR will apply to every EU member state.
The PSR’s chief aim is to improve consumer protection, and it will introduce changes to the existing open banking framework to improve access to these services. Under PSR, payment initiation service providers (PISPs) and account information service providers (AISPs) will be allowed to build custom API interfaces that can connect directly to banks and other payment providers. On the face of it, this should improve uptake and adoption of open banking.
But banks and payment entities will also have to disclose quarterly statistics on their API performance and availability. This is bound to spur competition in the market, galvanise better API build quality to interface with banks, and direct businesses towards the better-performing providers.
PSD3 and the push for open banking
Let’s turn to PSD3. The EC is clear that PSD3 is a jacked-up version of PSD2 that’s wider in scope, taking into account new challenges in fraud, digital payment transformation, access to payment systems, and baselines for the likes of open banking.
But it’s the push for open banking that is drawing much of the conversation around PSD3. The launch of PSD2 made the vision of open banking a reality, with bank APIs enabling customers to consent to their data being shared with third parties. The proposed PSD3 text states there will be no charging for the use of open banking interfaces, and there will be no mandating of standard APIs.
But has PSD2 delivered in making open banking a success? In the UK at least, the number of active open banking users in the UK reached the milestone of eight million users at the end of 2023, and a record 9.7 million payments were made in June 2023, an increase of 88 per cent on the same month in 2022..
But altogether, just 10 per cent of the UK population is using open banking, and usage pales into insignificance when compared with the tens of billions of card transactions processed by the major global card schemes. It would take a long time for open banking to take a bigger share of those volumes, and that situation is mirrored across mainland Europe, but FIDA could make a positive impact.
FIDA and the fight for real-time data
Unlike PSD3, FIDA has no predecessor or legacy legislation to build on, but there are some points of interaction with PSD3. FIDA proposes to give financial information service providers (FISPs) the right to access real-time customer data arising from nearly all financial services data, including current and savings account, credit cards, mortgages, loans, and pension accounts.
What will more customer data mean for banks and fintechs? Let’s take lenders, BNPL providers and other credit providers as an example. FIDA means that they’ll have more and better data available to make better lending decisions.
To give you a snapshot of what that could look like, according to Experian data from 2022, over five million so-called ‘credit invisible’ people in the UK were excluded from the best credit rates and deals due to insufficient data about their financial track records.
Changing needs
Today’s credit lending decisions are still mostly relying on risk-scoring models built decades ago. The way people access credit has undergone a profound shift. Go back 50 years, even 10 years , and most people still reached for their credit cards when making larger value purchases. But now, fintechs have adapted to the generational need for immediacy, with services like BNPL taking more market share with every year.
In the age of real-time digital finance, by leveraging real-time transaction data from a wider range of consumer account products, fintechs and banks can make far better data-driven decisions that reduce risk, lower default rates (and therefore reduce credit losses) and improve financial inclusion.
Instead of relying on blurry, incomplete static snapshots of a single point in time, real-time Open Banking and open finance data could produce a moving, high-definition, panoramic view of an individual’s true financial circumstances – and enable fintechs to hyper-personalise products and services to grab more market share.
Here, at least, FIDA could give open banking and open finance the big push they need to gain meaningful traction.
PSD3 will remove friction from SCA but pose liability challenges
PSD2 mandated the implementation of strong customer authentication (SCA) for certain transactions to reduce fraud, requiring users to provide two or more different authentication factors. PSD3 will allow consumers to use two factors from the same category, for example two passwords or two tokens. What’s more, some merchant-initiated transactions (MIT) will be exempted under PSD3, such as subscriptions. Only the first transaction requires SCA with recurring transactions exempted. Likewise, card-based mail-order and telephone transactions (MOTO) will also be exempted from SCA.
PSD3 will also contain updated provisions for fighting new types of payment fraud, including socially engineered fraud and authorised push payment (APP) fraud. PSD3 promises to beef up fraud prevention by enabling the sharing of more fraud-related data at an industry level. Something that will prick up the ears of payments providers is that the EC is opening redress rights to consumers in respect of fraudulent payments including, in some cases, APP transactions.
In this regard, the proposed PSD3 appears to mirror the UK’s recently mandated APP reimbursement requirements. Here is a potential battleground for the EC on one side and the banks and payment service providers who could find themselves liable for reimbursing customers for authorised transactions deemed fraudulent at a later date. European players will be keeping a close eye on how the UK payments industry responds to APP fraud requirements over the next 12 months.
With European elections looming, regulation implementation progress could be slow
The EC has optimistically put forward the first half of 2025 for the final adoption of PSD3 and FIDA. But as life has a habit of doing, there are always curveballs, unintended consequences, and unforeseen spanners being thrown into the works.
Much could hinge on the results of the forthcoming European Parliament elections, set to take place in June 2024. Regardless of political leaning, most legislators are broadly in favour of the proposed frameworks, which have met little opposition so far on their way through the legislative journey. But don’t discount the possibility of surprise election results. If European parliamentarians find themselves at loggerheads, this could slow the passage of any pending legislation and leave the payment industry in limbo.
What remains to be seen is whether these regulatory updates will effectively balance consumer protection with commercial concerns. It’s clear that policymakers have good intentions, but it’s vital that new regulatory frameworks don’t squeeze the ability of ecosystem players to innovate and compete, and inadvertently reduce payment choice and convenience for consumers.
What the changes mean for fintechs: take action now
With so many updates across these intertwining regulations, it’s imperative that banks, non-banks, and fintechs ensure their technology platforms and processes can adapt to the changes required. Investing in anti-fraud measures, risk monitoring, and a tech platform that can bend and flex in response to changing regulations will offer numerous opportunities for innovation, collaboration and unbeatable competitive advantages.
