On June 28, 2023 – dubbed “Super Wednesday” – the European Commission published its proposal for a revised payment services and e-money regime; a new data sharing regime which will form Europe’s open finance framework and aid in the launch of the digital euro.
The changes to the payments and e-money regime are an evolution rather than a revolution, but those changes require close review. PSD2 and EMD2 will be repealed and replaced by PSD3 and a new Payment Services Regulation (PSR). Accordingly, electronic money institutions (EMI) and payment institutions (PI) will operate and be authorised under one regime.
Existing firms will need to apply for re-authorisation, with a 30-month grandfathering period. There are interesting clarifications to safeguarding requirements, anti-fraud and strong customer authentication (SCA) obligations, as well as the narrowing of exemptions – with further detail to be published in level 2 texts.
Financial institutions holding client data will be required to share client data when requested by another financial institution, so long as the client granted permission.
The proposed open finance framework is contained in the new Financial Data Access Regulation (FIDA). It is ambitious and captures almost all financial institutions (credit and financial institutions, lenders, crypto firms and issuers, AIFMs, UCITS ManCos, non-life insurers etc). Financial institutions holding client data (data holders) will be required to share client data when requested by another financial institution (data user), so long as the client granted permission.
The Commission is looking to industry to design data standards and the scheme for data sharing (and therefore the costs are borne by industry). This is markedly different to the UK approach of setting up a dedicated body – the OBIE (Open Banking Implementation Entity) – to manage the process. It remains to be seen how the Commission will incentivize industry engagement as such engagement is not (currently) required by law.
The digital euro would be a “central bank digital currency” (CBDC) issued and directly backed by the European Central Bank (ECB). It is legal tender, aimed to act exactly like cash (albeit digital) and therefore can be exchanged at face value for euro cash, can be paid to anyone, anytime (24/7), across the euro area, and received instantly – even in the absence of an internet connection (eg via near field communication (NFC)). The ECB has powers to set holding limits, and design the fees and charges model for the use of the digital euro. Launch of the digital euro is not guaranteed and any launch would not be before 2028.
We set out the key things you need to know about each proposal below.
Payments and e-money
- This is part of the EU Retail Payments Strategy.
- There have been ongoing concerns about the non-uniform transposition of PSD2 across the Union and therefore regulatory arbitrage. To harmonise the rules, certain aspects of PSD2 will be replicated into the new PSR.
- PSD2 and EMD2 will be repealed replaced by PSD3. As a result, EMIs and PIs will operate under a single regime. E-money activities will be a subset of payment services, and EMIs will be a subset of PIs.
- The rules relating to licensing are mostly unchanged. However, EMIs and PIs will need to re-apply for their licenses under PSD3. There is a 30-month grandfathering period on the condition that re-application is made within 24 months of PSD3 coming into force.
- Issuers of e-money tokens will need to be licensed as an EMI under PSD3.
- EMIs / PIs will need to show a high level of digital operational resilience in accordance with Chapter II of DORA and submit a wind-up plan.
- Regulators can require the establishment of a separate entity for the provision of payments services or electronic money.
- There are various updates to available exclusions such as:
- to improve access to cash, shop merchants can offer cash withdrawal services (even in the absence of a purchase) without being licensed, subject to a 50 euro ($54.50) limit;
- the commercial agent exclusion will refer to the definition of a commercial agent in Directive 86/653/EEC, and conditions attached to the exclusion will be updated to require agents to be authorised via an agreement with either the payer or the payee, and guidelines of typical use cases will be published;
- the limited network exclusion will be clarified. For example, payment instruments which can be used for purchases in stores of listed merchants / a network of service providers cannot benefit from the exclusion; and
- there are minor clarifications to the electronic communications provider exemption.
- Changes are made to a number of definitions (eg “payment instrument”, “payment account”, “remote payment transaction”) and the process of executing a payment transaction (eg the various stages) will be clarified, which will also help clarify when strong customer authentication (SCA) obligations apply.
- Safeguarding rules are amended to introduce the possibility of safeguarding in an account of a central bank. Firms also need to avoid concentration risk and not hold all client funds with one credit institution. Further rules are going to be published in level 2 text.
- Changes are made to SCA rules including:
- SCA must be applied when a “merchant initiated transaction” (MIT) mandate is set up, but not for subsequent MITs (e.g. direct debits);
- SCA is only required for account information services the first time data is accessed, and if customers access aggregated account data, at least every 180 days; and
- PSPs must have transaction monitoring mechanisms for the application of SCA in order to avoid fraud.
- To tackle fraud:
- the PSP of the payer is liable for the full amount of a credit transfer where the PSP failed to notify the payer of a discrepancy between the recipient’s name and unique identifier (e.g. sort code, bank account number, IBAN); and
- an obligation for mobile telecommunication operators to cooperate PSPs is introduced.
- The PSR also amends the Settlement Finality Directive (SFD) to allow PSPs to have direct access to payment (but not designated securities) settlement systems.
Open banking
- This is part of the EU Digital Finance Strategy and broader EU Data Strategy, and designed to complement the EU Retail Investments Strategy (see our briefing MiFID III arrives as the retail investment package is unveiled).
- The Open Banking framework is contained in the PSRs (limited to PIs and banks), and the Open Finance Framework is contained in FIDA (applies to most EU financial institutions – see item four (4) below).
- It is difficult to provide open banking services as banks and payment firms require additional strong customer authentication or pre-registration or some other action before providing data to the requestor, which creates unfair obstacles in the open banking process. The new PSR includes a non-exhaustive list of actions which banks and payment firms cannot take to address these obstacles.
- FIDA applies to EU credit institutions, investment firms (including lenders), PIs and EMIs, cryptoasset providers and issuers, AIFMs, UCIT ManCos, non-life insurers and intermediaries, institutions for occupational retirement provision, credit rating agencies, crowdfunding service providers, PEPP providers, and “financial information service providers”.
- Financial information service providers is a new category of firms, and must be authorised under FIDA.
- Everyone in the list at item four (4) is a “data holder” where they collect, store, or otherwise process, customer data. Anyone in the above list will be a “data user” where they request customer data from a data holder to be used for a specified purpose.
- Customer data includes both personal and non-personal data and is wide reaching and includes customer data on:
- mortgage credit agreements, loans and accounts including data on balance, conditions, transaction data collected for the purposes of carrying out creditworthiness assessments and credit ratings; and
- savings, investments, insurance-based investment products, crypto-assets, real estate and other related financial assets, as well as the economic benefits derived from such assets, including data collected for the purposes of carrying out MiFID suitability and appropriateness assessments.
- Upon request from a customer, data holders must make customer data available to the customer without undue delay, free of charge, continuously and in real-time.
- Upon request from a customer, data holders must make customer data available to the data user, for the purposes for which the customer has granted permission without undue delay, continuously and in real-time (this can be at a charge).
- Under FIDA and the PSRs, data holders and account servicing payment service providers (ASPSPs – and generally banks and payment firms operating payment accounts) must provide customers with a “dashboard” which enables the customer to manage their permissions, withdraw and re-establish permissions, and give customers control over how their personal and non-personal data is used.
Digital euro
- This is a highly anticipated, and politically important development. However, the ECB will ultimately decide whether or not it will launch a digital euro, and any launch is a number of years away (not before 2028).
- Two regulations have been published: (a) the Regulation on the establishment of the digital euro; and (b) the Regulation on the provision of digital euro services by payment services providers incorporated in the EU.
- The digital euro would be legal tender and therefore acceptance will be mandatory. It will be a “central bank digital currency” (CBDC) issued and directly backed by the European Central Bank (ECB).
- The digital euro is aimed to act exactly like cash and therefore can be exchanged at face value for euro cash, can be paid to anyone, anytime (24/7), across the euro area, and received instantly – even in the absence of an internet connection (eg via NFC). However, loading or withdrawing digital euros from wallets would require an internet connection.
- A bank account is not required. Users will open a “digital euro account” at any commercial bank or PI or EMI or other public body designated by a Member State such as a post office. Consumers would receive digital euros in exchange for deposits or euro cash.
- Basic services such as opening and closing a digital euro account, consulting balances, funding and defunding a digital euro account, and making transfers and payments must be provided on a user’s request, and provided free of charge.
- Users can make payments in digital euro via the regular online banking interface of their bank or PI / EMI, a dedicated digital euro app, or via other means like cards, and pay while shopping on e-commerce websites, just like for other electronic money transfers and payments.
- Users can hold more than one wallet, but the wallet must be compatible with the European Digital Identity Wallets. Member States should issue European Digital Identity Wallets which facilitate digital transactions, include digital euro transactions, by enabling authentication, identification and the exchange of attributes including licenses and certificates.
- The ECB can set holding limits (3,000 euros ($3,270) is often cited), fees and charges for the use of the digital euro. It is likely that the ECB will set up a model in the form of merchant service charges or inter-PSP fees.
- The ECB would not be able to identify individual digital euro users, nor what users do with their money. They would only have access to encrypted data, and only to the extent that this is necessary to settle digital euro transactions, and support payment services providers in performing their tasks.
Bradley Rice is a partner and Emma Tran is a senior associate in the financial regulation practice at Ashurt.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying it to specific issues or transactions.