1. Introduction
The adoption of the second Payment Services Directive (“PSD2” or the “Directive”) has unlocked a wave of new fintech startups and services, leading to greater competition, innovation, and consumer choice across the European Union. In particular, it brought the previously unregulated payment initiation services (“PIS”) and account information services (“AIS”) within the scope of EU payments law. Before PSD2, account information service providers (“AISPs”) and payment initiation service providers (“PISPs”), collectively referred to as third-party providers (“TPPs”), mainly relied on “screen scraping”: logging in to a customer’s online banking with the customer’s own credentials. To protect consumers, the Directive therefore steered banks towards Application Programming Interfaces (“APIs”) through which only licensed TPPs can access payment account information. In addition, PSD2 introduced strong customer authentication (“SCA”) for electronic payment transactions to enhance the safety of payment accounts.
PSD2, by addressing new players, new technologies, and the need for consumer protection, has contributed to a rapid increase in the use of new digital payments and the growth of innovative fintech companies. For instance, consumers can now obtain practical and convenient services such as a comprehensive overview of their finances across banks and instant transfers from one bank account to another through TPPs. The growth of such services is reflected in the number of AISP and PISP licenses issued in European countries, which increased by 190 between 2014 and 2020.
Despite the positive changes brought by PSD2, no regulation can foresee, and be fully equipped to cover, every new market development and technological advance. One such development is the emergence of API aggregators: licensed TPPs that transmit payment account information to other parties, whether licensed or unlicensed. This creates unfair competition, risks to payment accounts, and new types of fraud. These circumstances have exposed the limitations of PSD2 and highlighted the need for modernization. Thus, on June 28, 2023, the European Commission proposed amendments to PSD2 and the adoption of a Payment Services Regulation (“PSR”) (see the PSD Regulatory Timeline on the European Commission website). In this article, we dig deeper into the new market developments, explore the limitations of PSD2, and shed light on the related amendments under PSD3.
2. New market developments and limitations of PSD2
The fintech market saw the potential of a new type of service: API aggregation, where licensed third-party providers (“TPPs”) specialize in building interfaces to multiple banks’ APIs and act as intermediaries between the banks and other licensed TPPs or unlicensed fourth-party providers (“FPPs”) (see Figure 3). According to Open Banking Exchange, 14 TPPs provided API aggregation services in 2022. One reason for the emergence of API aggregation services is that neither PSD2 nor the Regulatory Technical Standards (“RTS”) issued by the European Banking Authority impose a specific standard on bank APIs, the intention being to promote competition and innovation in the fintech market. Banks are required to create APIs to enable access to payment accounts but may not charge TPPs for access or for use of their infrastructure. Consequently, TPPs have no choice but to connect to each bank’s API, and these vary considerably in quality and usability. Another reason is the wide margin of discretion in the interpretation of PSD2, which has produced diverging licensing and supervisory practices across Member States of the European Union. In fact, some European countries, such as France, have seen slower growth or even a decline in licensing applications.
Generally, the unlicensed FPPs receive payment account information from licensed TPPs acting as API aggregators on the basis of the payment service user (“PSU”)’s consent: (i) GDPR consent in favour of the unlicensed party and (ii) both GDPR and PSD2 consent in favour of the licensed party. This arrangement was not directly envisaged by PSD2, but neither was it excluded, as the European Commission confirmed in EBA Q&A 2018_4098, which states that an “AISP may transmit the consolidated information to a third party with the PSU’s explicit agreement”.
Although the unlicensed parties receive and consolidate such data with the PSU’s consent, a number of issues arise. To begin with, the bank sees only the API aggregator, a licensed TPP, as the party making the API calls; it is not aware whether an unlicensed party is ultimately requesting the data or initiating the payment. Moreover, it is unclear whether the customer is fully aware of which party they are consenting to give access to their data. This results in a higher risk of fraud, makes it harder to safeguard customers’ accounts, and undermines the licensing requirement itself. In the long run, a handful of PSD2 licenses could be used by a large number of players through licensed TPPs providing API aggregation services. These new market developments confirm the need to clarify and modernize PSD2, especially as regards the status of all players in the fintech market.
3. The amendments under the PSD3
In the previous section, we saw that the lack of EU-wide standards for bank APIs, the margin of discretion in interpreting PSD2, and unharmonized licensing and supervisory practices across Member States produced new market developments, such as API aggregation, that allowed unlicensed parties to operate in the European retail payment market. To address these limitations of PSD2, the European Commission introduced the Payment Services Package, consisting of the third Payment Services Directive (“PSD3”) and the Payment Services Regulation (“PSR”).
Firstly, to resolve the issue of unstandardized bank APIs, the PSR proposal requires banks to set up a single dedicated interface using communication standards issued by European or international standardization organizations, including the European Committee for Standardization (CEN) and the International Organization for Standardization (ISO). To remove any uncertainty as to which party is accessing the payment service user (“PSU”)’s data, the dedicated interface will enable account information service providers (“AISPs”) and payment initiation service providers (“PISPs”) to identify themselves to the bank. Banks will thus have a clear overview of which parties are accessing payment account data, improving the safety of payment accounts. Moreover, for consumer protection, the PSR requires banks to provide a “permission dashboard” giving the PSU full control over their data and clear information, including the purpose of each permission and whether the data will be transmitted to other parties. This would make consumers fully aware of which party they are consenting to give access to their data and reduce the risk of fraud.
Furthermore, to ensure harmonized interpretation and implementation, the European Commission is replacing the greater part of PSD2 with a directly applicable regulation, the PSR. It aims to clarify the definitions provided by PSD2, strengthen registration and supervision by the National Competent Authorities, and ensure legal certainty about the status of entities accessing payment account information. Under the PSR, only entities regulated on the basis of a license would have access to payment accounts, even where the data is ultimately transmitted to another party. The European Commission permits AISPs to act as API aggregators or to access bank account information through another AISP.
In short, PSD3 and the PSR will set out more detailed minimum requirements for the dedicated interfaces provided by banks, bridging the quality gap between individual banks’ APIs. With the introduction of a permission dashboard, both banks and PSUs will know which parties are accessing account information, giving PSUs more control over their data. As to the status of all entities, the directly applicable PSR will ensure more harmonized interpretation and implementation in all Member States. Together, these amendments are expected to deliver fair competition, legal certainty, and consumer protection.
4. Conclusion
In this article, we have set out the new market developments, the limitations of PSD2, and the related amendments under PSD3. PSD2 has been essential in enabling access to payment accounts for new fintech services, namely AIS and PIS, leading to greater innovation, consumer choice, and safer transactions in the European retail payments market. Since PSD2 came into force, new market developments have emerged, such as API aggregators, licensed TPPs that transmit payment account information to either licensed or unlicensed parties. It became evident that unlicensed parties can receive and consolidate account information with the PSU’s consent without obtaining a license of their own. This new business model raises several problems, including uncertainty about which parties ultimately access customer data, a lack of control over that data, and a reduced need to obtain a license under PSD2. Hence, the European Commission is not only proposing PSD3 but also replacing most of PSD2 with a directly applicable PSR to bring more harmonized interpretation and implementation across all Member States. These regulatory changes will have far-reaching effects on AISPs and PISPs and on the broader fintech market. The amendments include more standardized dedicated interfaces, a permission dashboard ensuring control over data, and limiting access to payment accounts to regulated entities only. Consequently, fintech companies that have relied on the license of an API aggregator will themselves be subject to registration and authorization under PSD3 and the PSR. The application for registration and authorization can be a resource-intensive process for prospective TPPs. Fintech companies therefore need to stay abreast of regulatory changes, understand their implications for their businesses, and prioritize compliance with the upcoming requirements. Our law firm supports fintech companies in navigating the evolving regulatory landscape introduced by PSD3 and the PSR.
We will therefore keep fintech players up to date on future amendments and explain complex regulatory requirements in simple terms through a series of articles on the subject. Follow our website and LinkedIn page for the next article, on the interplay between PSD2 and GDPR.