The Sting in the Tail of Proposed PSD3 Legislation

A progression from PSD2, PSD3 aims to bolster payment security and customer authentication, address PSD2 deficiencies, and enhance access to banking infrastructure for Payment Service Providers (PSPs). The final version of the directive is scheduled for publication later this year and, if approved by the EU, will become law in 2026 following a transition period.

Strengthening fraud protection

Based on the areas of PSD2 that the EU is looking to review, we can confidently begin to map some of the potential outcomes of its enforcement. One of the most interesting developments is around fraud protection.

Currently, secure customer authentication controls fail to protect against certain types of fraud, such as Authorised Push Payment (APP) fraud, where criminals pose as legitimate payees to trick people into sending them money. The European Banking Authority will roll out a ‘confirmation of payer’ system (similar to the UK’s) that will work across all IBANs and will help address this problem, but it’s likely PSD3 will include other anti-fraud measures too.

The strengthening of fraud controls will replicate schemes such as ‘contingent reimbursement.’ Contingent reimbursement is a model whereby financial institutions agree to reimburse customers for losses due to unauthorised financial transactions, under specific conditions. Some banks and financial institutions in the UK have already voluntarily adopted contingent reimbursement to refund victims of APP scams when neither the customer nor the bank is at fault. This arrangement is dependent, for example, on the customer meeting certain security responsibilities, such as safeguarding their banking credentials and promptly reporting any suspicious activity. The policy aims to protect consumers while encouraging responsible behaviour and security awareness.

For PSPs, the mandating of such controls will require firms to significantly increase their fraud controls and the levels of reimbursement that they pay to consumers. This is likely to result in many firms, which lack adequate controls and the capital reserves to hedge against fraud if targeted, going out of business.

Improving access

Another likely outcome of PSD3 will be enhanced access to banking infrastructure. Historically, commercial banks have been able to refuse to open accounts for PSPs, or have closed their existing bank accounts because of concerns over matters such as anti-money laundering controls.

PSD3 will change the rules governing that access, in the process creating a more level playing field for non-bank PSPs. What’s more, whereas under current rules national banks are able to offer safeguarding accounts, which are limited and do not have access to the underlying payment systems, PSD3 would allow direct access to the payment systems.

If these changes come to pass, they will help create broader access to payment services and allow non-banks to compete with banks. In other words, increased competition at various levels will allow fintech innovation to blossom. Something similar has already happened in the UK, where improved access to payments infrastructure via Faster Payments laid the rails for the Open Banking Initiative.

Preparing for PSD3

What can businesses do to prepare for PSD3 now? Based on our own experience, we would recommend the following:

  • Start increasing your fraud controls and boost your fraud funds. Work with external partners and providers to build out advanced fraud controls and engage with banking counterparties to build out confirmation-of-payer style controls. This will ensure senders of payments are completely aware of who they are paying. It is also worth bolstering AML controls in order to ensure that you are not creating accounts for fraudsters. Firms should also ensure they have sufficient funds to hedge against fraud.
  • Consider your approach to accessing different payment systems. PSD3 will only allow access to the individual underlying rails, and will not provide access to hedging or FX services. Unless you’re capable of building all of the connections, ledgers and other technologies needed to maintain a SWIFT Gateway and all of the required security for each of those payment rails, you should consider alternatives. One approach is a payments curation service that combines existing products and services from a range of providers into a single platform accessed via a single API and contract, thereby giving businesses access to all of the services that they need without the complexity of managing countless relationships and contracts.
Mike Southgate, Chief Compliance Officer, Navro

As the financial services sector continues to be disrupted by fintech innovators, PSD3 is taking shape as an important step in enhancing customer protection and levelling the playing field for non-bank PSPs operating in the EU market. But make no mistake, the directive may also be a significant strategic, operational, and technological challenge for businesses — and potentially a fatal one at that. Businesses that start now will give themselves plenty of time to prepare for the passing of the directive into law and unlock the benefits of PSD3 as soon as possible.

With a background covering payment operations, legal, settlements and IT, Mike is a practical and hands-on leader with a focus on execution. Before joining Navro, Mike was Compliance Director and MLRO at Google, Founder of ERMI (a Transaction Monitoring service), and held a series of senior roles across multiple payments unicorns, including Travelex/WUBS and Ebury. Outside of work he is also the AML and Tech lead, as well as the regulatory liaison to the FCA, for AFEP (a trade body for payments firms), through which he has provided guidance and training to law enforcement and regulators across Europe. An expert in his field, Mike holds multiple degrees in: Law; Governance Risk and Compliance; a Postgraduate Diploma in Governance Risk and Compliance.