The ex-post evaluation of PSD2 led the European Commission to propose legislative changes aimed at improving its functioning on June 28, 2023. Two new proposals have been presented: a directive on payment services and electronic money services (PSD3); and a regulation on payment services in the European Union (EU) (PSR1).
The European Union seeks, through these two texts, to address one of the main challenges of the EU payments market, namely, the risk of fraud to which consumers are exposed, as well as their lack of confidence in electronic transactions despite the success of PSD2. PSD3 and PSR1 aim, among other measures, to remedy this by adopting new fraud mitigation requirements.
We propose to review some of these measures.
Improvement in the implementation of strong authentication
Payment Service Providers (PSPs) will have to establish mechanisms to control operations that allow them to prevent and detect potentially fraudulent payment transactions, including transactions involving payment initiation services. These operational control mechanisms will be based on the analysis of prior payment transactions and access to online payment accounts.
Establishment of a legal basis for data sharing
A PSP can share the unique identifier of a beneficiary with other PSPs adhering to information-sharing schemes when the first PSP has sufficient grounds to presume that a fraudulent payment transaction has occurred. The existence of sufficient grounds for sharing unique identifiers will be presumed when at least two different payment service users who are customers of the same PSP have reported that a beneficiary’s unique identifier was used to carry out a fraudulent transfer. PSPs should not retain unique identifiers obtained from information exchanges longer than necessary.
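The sharing rule above can be expressed as a check over fraud reports. This is an added example, not code from the proposals or from any PSP; the report layout, the function names and the 180-day retention period are assumptions (the text only says identifiers must not be kept longer than necessary).

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumption: placeholder period; the text only says "no longer than necessary".
RETENTION = timedelta(days=180)

def normalize_iban(raw):
    """Strip whitespace and upper-case so one account always compares equal."""
    return "".join(raw.split()).upper()

def shareable_identifiers(reports, min_reporters=2):
    """Identifiers reported by at least min_reporters distinct customers of one PSP."""
    reporters = defaultdict(set)
    for psp, user, iban in reports:
        # Key on (PSP, identifier): reports at different PSPs are not pooled.
        reporters[(psp, normalize_iban(iban))].add(user)
    return sorted({iban for (_, iban), users in reporters.items()
                   if len(users) >= min_reporters})

def purge_expired(received, today):
    """Drop identifiers obtained from other PSPs once the retention period has passed."""
    return {iban: seen for iban, seen in received.items()
            if today - seen <= RETENTION}

# Constructed sample reports: (reporting PSP, customer id, beneficiary identifier)
SAMPLE_REPORTS = [
    ("PSP-A", "user-1", "FR76 3000 6000 0112 3456 7890 189"),
    ("PSP-A", "user-2", "fr7630006000011234567890189"),   # second distinct customer
    ("PSP-A", "user-3", "DE89370400440532013000"),
    ("PSP-A", "user-3", "DE89 3704 0044 0532 0130 00"),   # same customer reporting twice
    ("PSP-A", "user-4", "ES9121000418450200051332"),
    ("PSP-B", "user-9", "ES9121000418450200051332"),      # customer of a different PSP
]

if __name__ == "__main__":
    print(shareable_identifiers(SAMPLE_REPORTS))
    received = {"FR7630006000011234567890189": date(2024, 1, 1)}
    print(purge_expired(received, date(2024, 7, 15)))
```

Only the first identifier qualifies: the second was reported twice by one customer, and the third by single customers of two different PSPs.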
Obligation to inform about fraud risks
Where new forms of payment fraud emerge, PSPs will have to alert their customers by any means and using any appropriate media, while considering the needs of their most vulnerable customer groups (customer categorization). Furthermore, they must give their customers clear instructions on how to identify fraudulent attempts and inform them of the measures and precautions needed to avoid falling victim to fraudulent actions that may target them.
Extension of IBAN verification
The beneficiary’s PSP must verify for free, upon request from the payor’s PSP, the match between the unique identifier and the beneficiary’s name as provided by the payor. The beneficiary’s PSP must then communicate the result of this verification to the payor’s PSP. If the unique identifier and the beneficiary’s name do not match, the payor’s PSP should notify the client of any detected discrepancy and inform them of the degree of this discrepancy. In terms of liability, the client initiating the payment transaction should not bear any financial loss for an authorized transfer if the payor’s PSP did not notify them of the detected discrepancy between the unique identifier and the beneficiary’s name that was provided.
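A sketch of the name check on the beneficiary PSP's side, as an added example that is not taken from the proposals. The three result labels, the 0.85 similarity threshold, the account table and the function names are all assumptions; the text only requires that a discrepancy and its degree be reported to the payor.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumption: illustrative threshold, not a value from the proposals.
CLOSE_MATCH_THRESHOLD = 0.85

def normalize_name(name):
    """Remove accents, case and punctuation so cosmetic differences do not count."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(cleaned.split())

def compare_names(registered, provided):
    """Return (label, score): the label is the result, the score the degree of match."""
    a, b = normalize_name(registered), normalize_name(provided)
    if a == b:
        return "match", 1.0
    score = round(SequenceMatcher(None, a, b).ratio(), 3)
    label = "close match" if score >= CLOSE_MATCH_THRESHOLD else "no match"
    return label, score

def verify_payee(accounts, iban, provided_name):
    """Answer a verification request from the payor's PSP."""
    registered = accounts.get("".join(iban.split()).upper())
    if registered is None:
        # Unknown identifier: treated here as a full mismatch (assumption).
        return {"result": "no match", "score": 0.0, "notify_payer": True}
    result, score = compare_names(registered, provided_name)
    # Any discrepancy must reach the payor before the transfer is authorized.
    return {"result": result, "score": score, "notify_payer": result != "match"}

# Constructed sample data: identifier -> account holder name
SAMPLE_ACCOUNTS = {
    "DE89370400440532013000": "José García",
    "ES9121000418450200051332": "John Smith",
}

if __name__ == "__main__":
    for iban, name in [("DE89 3704 0044 0532 0130 00", "JOSE GARCIA"),
                       ("ES9121000418450200051332", "Jon Smith"),
                       ("ES9121000418450200051332", "Acme Trading Ltd")]:
        print(name, verify_payee(SAMPLE_ACCOUNTS, iban, name))
```

The `notify_payer` flag is the part tied to liability: if it is set and the payor's PSP does not pass the discrepancy on, the loss does not fall on the client.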
Expansion of consumer reimbursement rights
Unauthorized payments
In the case of an unauthorized payment, the payor’s PSP must reimburse their client for the transaction’s amount immediately after being informed of the unauthorized transaction or upon notification (and in any event, no later than the end of the next working day), unless the payor’s PSP has reasonable grounds to suspect that the client committed fraud. In the latter case, the payor’s PSP communicates these grounds in writing to the relevant national authority.
Identity theft
When a consumer, as a user of payment services, has been manipulated by a third party pretending to be an employee of their PSP – the latter having illegally used the PSP’s name, email address, or phone number – and this manipulation subsequently led to fraudulently authorized payment transactions, the PSP will reimburse the consumer for the full amount of the fraudulently authorized payments. This reimbursement is made provided the consumer has promptly reported the fraud to the competent national authorities and informed their PSP.
Improvement in the accessibility of strong customer authentication
PSPs must ensure that all their clients – including people with disabilities, elderly people, individuals with low digital skills, and those without access to digital payment channels or digital payment instruments – have at least one means, adapted to their specific situation, allowing them to perform strong customer authentication. For this purpose, PSPs should not condition the execution of strong customer authentication on the exclusive use of a single authentication means and should not implicitly or explicitly require a smartphone for strong customer authentication. Indeed, PSPs are required to develop various practical schemes for strong customer authentication to cater to the specific situations of all their clients.
Improvement of cash availability
When a consumer deposits cash into a payment account held by the PSP, in the currency of that payment account, the PSP must ensure that the deposited amount is made available to the consumer. The PSP must also ensure that the consumer receives proof of the transaction’s value date immediately upon receiving these funds.
Improvements to user rights and user information
PSPs must not prevent payment service users from using the services of an (external) payment initiation service provider to initiate a payment directly from their accounts. Similarly, PSPs must not prevent payment service users from using account information services that allow the collection and consolidation of information from multiple payment accounts held with different providers.