On 28 June 2023, the European Commission (Commission) issued legislative proposals intended to bring payments and the wider financial sector into the digital age.

The legislative proposals consist of a proposed:

  • Directive that will amend the Payment Services Directive 2 (PSD2).
  • Regulation on payment services in the internal market.
  • Regulation on a framework for financial data access.

The first two legislative proposals fulfil a commitment in the Commission’s 2020 Retail Payments Strategy and complement the Commission’s proposal from 2022 for a Regulation to make instant payments in euro available to all citizens and businesses holding a bank account in the EU and in EEA countries. The third legislative proposal contributes to the 2020 Digital Finance Strategy to put in place a European financial data space.

The amendments being proposed to the PSD2 via the new Directive and Regulation represent an evolution, not a revolution, of the EU payments framework. The amendments are intended to improve the functioning of EU payment markets by:

  • Strengthening measures to combat payment fraud.
  • Allowing non-bank payment service providers (PSPs) access to all EU payment systems, with appropriate safeguards, and giving them a right to have a bank account.
  • Improving the functioning of open banking, especially as regards the performance of data interfaces, removing obstacles to open banking services and consumer control over their data access permissions.
  • Reinforcing the enforcement powers of national competent authorities and facilitating implementation of the rules clarifying various elements.
  • Further improving consumer information and rights.
  • Improving the availability of cash.
  • Merging the legal frameworks applicable to electronic money and to payment services.

In terms of strengthening measures to combat fraud, the revisions to the PSD2 will tackle new types of fraud, like spoofing, which blur the distinction between unauthorised and authorised transactions. The new proposed prevention measures include:

  • An extension to all credit transfers of IBAN/name matching verification services. These have been proposed by the Commission for instant payments in euro. All consumers should benefit from them, for both regular and instant credit transfers.
  • A legal basis for PSPs to share fraud-related information between themselves in full respect of the General Data Protection Regulation (via dedicated IT platforms).
  • The strengthening of transaction monitoring.
  • An obligation by PSPs to carry out education actions to increase awareness of payments fraud among their customers and staff.
  • An extension of refund rights of consumers in certain situations.

As for strong customer authentication (SCA), the proposed amendments seek to make a number of changes including:

  • Clarifying in which circumstances certain types of transactions, such as merchant-initiated transactions, or transactions for which payment orders are placed by the payer with modalities other than the use of electronic platforms or devices, may be exempt from the obligation to apply SCA, while also introducing safeguards to ensure that payers remain nevertheless protected from fraud.
  • Clarifying that, for remote payments, the specific amount and the payee must be explicitly linked to the transaction which is to be authenticated by the payer.
  • Simplifying the application of SCA in respect of payment account information services. Banks holding payment accounts will only apply SCA for the first access to payment account data by open banking account information service providers unless there are reasonable grounds to suspect fraud. Account information service providers will then be responsible for SCA for subsequent data accesses.
  • Strengthening the use for payments of digital passthrough wallets (where a virtual payment card is stored on the wallet), by requiring that SCA must be performed at the moment of the enrolment of a payment instrument in the wallet under the responsibility of the PSPs that issued that instrument. 
  • Requiring payment service providers to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology, device or mechanism, for instance on the possession of a smartphone.

The proposed Regulation on a framework for financial data access seeks to establish a framework governing access to and use of customer data in finance. Financial data access refers to the access to and processing of business-to-business and business-to-customer data upon customer request across a wide range of financial services. This builds on the existing “open banking” provisions introduced by the PSD2 that regulate access to customer data held by account-servicing payment service providers.