The payment market in transition – regulation, liberalisation and digital business models

European payment transactions are currently undergoing a transformation process. The new regulatory initiatives PSR (Payment Services Regulation) and PSD3 (Payment Services Directive 3) are part of a package of measures by the European Commission to modernise, liberalise and strengthen the payment transactions market. PSR regulates directly applicable market conduct rules, such as payment processing and customer obligations, while PSD3 covers the regulatory framework that must be transposed into national law. The initiatives aim to ensure greater uniformity, better consumer protection and greater security in digital payments across Europe. In addition to the challenges associated with implementing the directives, new opportunities for innovative business models are also emerging in the payment system: open banking and open finance are gaining momentum. In this blog post, I examine the impact of the new regulatory changes on the industry.

The European plan – harmonisation and security as drivers

The new directives are the EU's response to the digital era in payment transactions. It supports the financial sector in its transformation by setting uniform rules for the transition. This is because the market for payment services has changed significantly in recent years. Electronic payments have grown steadily, reaching a value of €240 trillion in 2021 (compared to €184.2 trillion in 2017). New payment service providers have entered the market, digital technologies in payment transactions have experienced a new hype, and innovative business models such as open banking and open finance have highlighted the need for a new set of rules. The emergence of more complex types of fraud that endanger consumers and imply systemic risks is another reason for Europe-wide action.

The new regulations are intended to improve the framework for consumer protection and competition in electronic payments and to strengthen security and trust in the European payments market. The liberalisation and opening up of the payments system to improve supply and stimulate competition are also cited as motives. A closer look at the two terms provides a clearer understanding.

PSR & PSD3 – The new directives regulate payment transactions

PSR serves as a framework and regulation for payment services. It regulates how payments are processed and what obligations must be fulfilled towards consumers. The aim is to standardise market behaviour, protect consumers and promote open banking as an innovative business model.

PSD3 is an EU directive that covers licensing and supervisory requirements. These must be transposed into national law by the Member States. While PSD3 replaces PSD2, PSR is a regulation that applies directly in all EU countries for the first time. PSR is therefore directly applicable EU law that does not require any further national directives. With these new regulations, the EU is setting the framework for payments in Europe and aims to achieve the following objectives:

• Combating and reducing payment fraud: Payment service providers should be able to exchange fraud-related information with each other. Furthermore, consumers should be made more aware, customer authentication rules should be tightened and the refund rights of fraud victims should be extended. A system for checking that the IBAN numbers of payees match their account names for all transfers must be set up on a mandatory basis.
• Improving consumer rights and transparency: The creation of uniform transparency rules should protect consumers and increase security, for example in cases where consumer funds are temporarily blocked. In addition, account statements and information on ATM fees should become more transparent.
• Levelling the playing field between banks and non-banks: This will be achieved in particular by granting non-bank payment service providers access to all payment systems in the EU with appropriate safeguards and by securing their rights to a bank account. This will promote the liberalisation of the payments market by lowering barriers to entry for non-banks.
• Promoting innovation to create digital financial services: Open banking and open finance as a business model will be improved by specifically removing remaining barriers to the provision of open banking services, allowing new innovative services to enter the market.
• Improving the supply of cash: This concerns in particular the availability of cash in shops and at ATMs. For example, retailers should be allowed to provide cash services to customers without requiring a purchase. In addition, the rules for independent ATM operators should be clarified.
• Strengthening, harmonising and enforcing payment services: This will be achieved by incorporating most payment rules into a directly applicable regulation and strengthening the provisions on implementation and sanctions.

Banks and financial service providers are on the hook!

The European Commission presented the Payment Services Regulation (PSR) and Payment Services Directive 3 (PSD3) on 28 June 2023. Final adoption by the EU Parliament and Council is expected in 2025, with implementation in 2026–2027.

This will make the regulations mandatory as a regulatory measure. The introduction of the new regulations will impose numerous new and extended obligations on banks and payment service providers. These relate to technical and organisational requirements as well as obligations towards customers and authorities. Banks and financial service providers will be subject to greater accountability, particularly in the areas of fraud prevention, liability and infrastructure. The following aspects should be noted as immediate consequences:

• (1) Fraud prevention and security: This implies real-time monitoring of transactions to detect fraud, including the obligation to cooperate with other payment service providers and authorities to combat and contain fraud. It requires the offering and provision of security standards for authentication and the obligation to publish fraud statistics and security measures.
• (2) Protection and strengthening of consumer rights: Financial service providers are required to ensure faster refunds for unauthorised payments (e.g. phishing). In cases of obvious fraud, they must prove that the consumer has acted with gross negligence in order to be released from the refund obligation.
• (3) Greater transparency and information requirements: The directive requires the clear and transparent disclosure of exchange rates, fees (especially for international payments) and processing times. The introduction of standard formats for the provision of information must be observed, for example for SEPA or card payments.
• (4) Provision of infrastructure for open banking and access to payment accounts: Financial service providers must grant access to third-party service providers such as account information services and payment initiation services. To this end, improved API interfaces must be offered that do not hinder the provision of payment initiation and account information services.
• (5) Compliance with licensing and organisational requirements (PSD3): Further requirements include stricter licensing requirements for payment service providers, a duty to provide evidence and a clear separation of payment services from other business areas. Financial service providers are obliged to ensure the regular review of internal control mechanisms and to comply with reporting obligations in the event of security-related incidents or significant risks.
• (6) Close cooperation with supervisory authorities: It is important to proactively report security-related incidents to national and European supervisory authorities (BaFin, EBA, etc.) while complying with new reporting and documentation standards. Financial service providers are also required to participate in EU-wide monitoring mechanisms (such as market analyses coordinated by the EBA).

How adesso supports banks in payment transactions

The implementation of the PSR and PSD3 requirements presents many financial institutions with complex technological and regulatory challenges. adesso provides banks and payment service providers with comprehensive support on their path to compliance and digital transformation in payment transactions. Our services at a glance:

• Banking consulting: Together, we analyse which PSR and PSD3 requirements are relevant for you and develop concrete action strategies for timely implementation.
• Technology consulting and system integration: Whether real-time monitoring, API management or security architecture – we modernise your IT landscape and integrate new solutions into your existing systems.
• Open banking enablement: We support you in developing and delivering innovative, regulation-compliant open banking offerings – including API design, consent management and third-party integration.
• Change and project management: With experienced project teams, we ensure the structured implementation of all measures – agilely, efficiently and with an eye on regulatory deadlines.
• Data and fraud intelligence: Our experts help you set up powerful monitoring and fraud detection systems, including reporting to supervisory authorities.

With adesso, you not only implement regulatory requirements, but also lay the foundation for sustainable innovation in the payment transactions of the future.

Conclusion

The new regulations in the payment transactions market present banks and financial service providers with new challenges. Efficient systems and IT landscapes must be provided to comply with the high standards and measures. Transparency and real-time monitoring place the highest demands on internal systems and processes. To remain competitive in the payment industry, it is essential to provide API landscapes and develop innovative business models based on digital ecosystems and open banking. At the same time, internal processes for reporting, compliance and reporting must be optimised and measures for fraud detection and prevention must be ensured at the highest standard. This requires significant adjustments to the IT landscape. These affect technical security, interfaces, system architecture, data protection and processes for compliance with regulatory requirements.