Legal Developments in the EU Financial Sector
On June 28, 2023, the European Commission published regulatory packages concerning payment services, electronic money, and open finance (open finance1), as well as a separate package regarding the digital euro2. The aim of these new regulations includes enhancing the security of payment services, developing the existing legal framework for open banking, introducing CBDC (central bank digital currency) under the auspices of the European Central Bank (ECB), and eliminating separate regulations and licenses for providers solely offering payment services or issuing electronic money.
The published regulations cover three areas:
- Payment services and electronic money – according to the legislative initiative presented, two directives that respectively regulate both areas (PSD23 and EMD24) will be replaced by the PSR regulation and the PSD3 directive (these provisions will also encompass the current regulation of open banking in terms of access to payment account information),
- Open finance – the package includes adopting the new Financial Data Access Act (FIDA), which will apply to a broad range of data,
- Digital euro – The European Commission has proposed adopting two regulations aimed at introducing a new form of money within the European Union, known as the central bank digital currency (CBDC).
Prior to the publication of the new legal regulation drafts, public consultations were held involving nearly 200 entities (including a key input from the European Banking Authority), and a team of experts commissioned by the European Commission prepared an impact assessment report regarding the application of the PSD2 directive.
Payment Services and Electronic Money
Contrary to appearances, the key regulation in the payment package will not be the PSD3 directive, but the PSR regulation, which will incorporate most issues previously covered by PSD2. This move by the European Commission follows a long-standing trend where successive financial regulation packages are published in a “directive + regulation” model.
PSD3 and PSR will leave the existing catalog of payment services virtually unchanged from PSD2, except for the elimination of the distinction of executing payment transactions on credit (although payment credit will still require maintaining a higher level of own funds by payment institutions).
However, the new directive anticipates changes regarding excluded services – the biggest surprise being the registration requirement for independent ATM operators (despite significant supervisory approach variations across different states). The Commission also proposes, again, to narrow the exclusion for commercial agents. To utilize this exclusion, it will be necessary to ensure that the authorization provides a real possibility to negotiate contractual terms with the provider.
One of the most significant changes introduced by PSD3 is the merging of the existing licensing regimes defined within EMD2 (i.e., the electronic money directive) and PSD2. Consequently, PSD3 eliminates distinction between payment institutions and electronic money institutions, maintaining only one license for payment institutions.
Payment service providers will need to prepare for changes in the amount of required initial capital, which will partially increase and will be:
- EUR 25,000 – for institutions providing exclusively money remittance service (previously EUR 20,000)
- EUR 50,000 – for institutions providing exclusively payment initiation service (unchanged from PSD2)
- EUR 150,000 – for other payment institutions not issuing electronic money (previously EUR 125,000)
- EUR 400,000 – for payment institutions providing electronic money services (the previous requirement for electronic money institutions was EUR 350,000).
PSD3 will also introduce certain simplifications for PIS (payment initiation services) and AIS (account information services) providers; in particular, these entities will be able to replace the current requirement of having an insurance contract or other appropriate guarantee, with holding initial capital of EUR 50,000 (the amount already required for PISP). The rules for calculating the amount of security will be specified in regulatory technical standards.
New regulations will also introduce an additional premise for the loss of authorization to operate as a payment institution as a result of committing serious breaches of anti-money laundering and counter-terrorism financing rules.
The directive itself contains few changes regarding the granting of licenses or entries into the register (all licenses and entries to the register are obtained only after the company formation). However, PSD3 does include the authorization to issue RTSs concerning documents and information that must be presented to the relevant supervisory authority during the procedure.
Significant changes are anticipated in the requirements related to strong customer authentication (SCA). As part of the review of the PSD2 directive, it was decided to regulate directly in the definition of strong authentication that SCA can utilize two elements belonging to the same category. This approach is thus different from that previously presented, in particular by the European Banking Authority, which both in the opinion concerning the implementation of RTS SCA and in Q&A sessions, indicated that for security of the process, it is necessary to use two elements belonging to different categories. Another important proposal in terms of SCA is specifying the liability for the lack of SCA, specifically for using the exclusion from the obligation to apply SCA (up to now based on dedicated regulatory technical standards).
The new regulations could not also lack reference to issues related to unauthorized payment transactions. The new regulation will require payment service providers to demonstrate the payer's consent, not just authentication, converging with the approach that has been operative in Poland resulting from incorrect implementation). The new regulations will specify the procedure for providers in case they suspect fraud by the payer by, among other things, granting 10 days to return or deny the refund, with the necessity to notify the client along with stating the reasons for denial and appellate bodies.
The European Commission also proposes to grant non-bank payment service providers similar access to payment systems currently used by banks. This idea has been widely discussed for years, and in some countries, it is common practice. However, it should be noted that mere participation in the payment system is not sufficient for the provider to handle a payment transaction on the same terms as banks do. Access to the necessary infrastructure is also required, which – despite the adoption of new regulations – may remain a significant impediment for some providers.
Progress Made: Adopted Regulation (EU) 2024/886
The European financial landscape witnessed a significant transformation with the enforcement of Regulation (EU) 2024/886 on April 8, 2024. This regulation changes the way credit transfers are handled across the European Union, introducing stringent and unified requirements for instant credit transfers in euro, which are expected to be complied with starting January 9, 2025.
Regulation (EU) 2024/886 amends several existing frameworks, including Regulations (EU) No 260/2012 and (EU) 2021/1230, as well as Directives 98/26/EC and (EU) 2015/2366. These amendments are targeted at improving the efficiency, security, and competitiveness of the European payments market by promoting instant credit transfers in euros.
The need for this regulation stemmed from the relatively low uptake of instant credit transfers despite their availability since 2017 under a Union-wide scheme managed by the European Payments Council. The regulation aims to address market fragmentation and high compliance costs that arise from varying national regulations, thereby fostering a more integrated financial market.
Key Provisions of Regulation (EU) 2024/886
- Scope and Implementation: All payment service providers (PSPs) in the EU are required to support instant credit transfers in euros, ensuring that all payment accounts capable of sending and receiving traditional credit transfers are also equipped to handle instant transactions.
- Accessibility and Integration: The regulation mandates that instant credit transfers must be accessible 24/7, ensuring funds are credited to payees' accounts within seconds, any time of the day. This feature is pivotal in enhancing the fluidity and convenience of cross-border transactions within the EU.
- Compliance Requirements: PSPs must meet specific operational standards to support the seamless execution of instant credit transfers. These include immediate transaction processing and real-time funds availability, which are crucial for maintaining the integrity and reliability of instant payments.
- Inclusivity of Non-Eurozone States: Member states whose currency is not the euro are given provisions to adopt equivalent rules to facilitate domestic instant credit transfers in their respective currencies, ensuring a broader applicability of the regulation across different monetary regimes within the EU.
- Consumer Protection and Market Competitiveness: The regulation also places a strong emphasis on protecting consumers from erroneous payments and ensures that charges for instant credit transfers are not higher than those for traditional credit transfers. This approach not only protects consumers but also promotes fairness and competition among financial institutions.
- Technical and Operational Adaptations: Significant technical adaptations are required from PSPs to comply with the new regulation. These include adjustments in their systems to handle the real-time processing demands of instant credit transfers and ensuring interoperability across different payment systems within the EU.
The implementation of Regulation (EU) 2024/886 is expected to dramatically increase the efficiency and speed of payments across the European Union, benefiting both consumers and businesses by providing a more reliable and swift mechanism for transacting in the digital age. The regulation is also seen as a strategic move to enhance the EU's financial infrastructure, promoting greater economic integration and supporting the digital economy.