DIGITALEUROPE’s response to Call for Evidence on Payment Services – Review of EU Rules
DIGITALEUROPE supports the policy option of limited legislative amendments to the PSD2 among those outlined in the Call for Evidence. These amendments could primarily clarify existing rules around Open Banking and Strong Customer Authentication (SCA) in order to facilitate their roll-out.
The second Payment Services Directive (PSD2) is a milestone in achieving an integrated payments market in Europe. It seeks to foster competition and innovation in retail payments, while ensuring a high level of security and consumer protection.
Four years after its entry into force, the PSD2 has already reached some of its main objectives. The Introduction of SCA together with continued investment and use of fraud-prevention technologies have contributed to reduce e-commerce fraud rates. However, strict implementation of the SCA mandate still poses some challenges that result in unnecessary friction. Such strictures do not allow to strike the right balance between security and customer’s convenience. Abandonment rates continue to improve but are still relatively high at a time where e-commerce is needed the most. DIGITALEUROPE’s membership includes credit card networks, financial institutions, and other emerging actors in the fintech ecosystem. Our recommendations for the revision of the PSD2 include:
- Maintaining payment processors and operators of payment systems and schemes out of the PSD2’s scope. They are already subject to the Principles of Financial Market Infrastructure (PFMIs) – a robust set of standards for the supervision and oversight of payment processors and system activities;
- Introducing a more risk-based approach to Strong Customer Authentication (SCA), focused on limiting re-authentication needs, exempting applications such as remote and connected environments in specific circumstances, and analysing whether a review of the threshold for contactless payments is necessary;
- Publishing EU guidance to improve the Open Banking experience and align further the PSD2 with the GDPR.
Below we offer more background on these and other recommendations.
Scope of the PSD2
We recommend maintaining payment processors as well as operators of payment systems and schemes out of the PSD2’s scope. These activities are markedly different from end-user services currently captured under the legislation. They are also already subject to the Principles of Financial Market Infrastructure (PFMIs), which are a robust, globally-agreed set of standards for the supervision and oversight of payment processors and system activities. PFMIs are an essential element to strengthening and preserving financial stability.
Adding such activities to the PSD2 scope may create risks of duplication with well-functioning supervisory and oversight processes already existing today. It would therefore undermine the smooth functioning of payment systems operating across the EU. Any possible decision to expand the scope of the PSD2 should be guided by a need for proportionality, and engage the ECB, national central bank overseers and industry participants in the process.
Strong Customer Authentication
Preparation for Strong Customer Authentication (SCA) implementation has required payment players to mobilise substantial investments and resources into compliance. As the implementation journey approaches the finish line, it clearly emerges there are areas for further improvement. We support creating a framework that enables the full use of innovative fraud prevention and authentication technologies while, at the same time, promotes a more outcome and risk-based approach. This is key for the industry to create customer-centric solutions that ensure the highest levels of security. A less prescriptive payments service legislative framework does not at all imply lower levels of security for consumers and businesses. As SCA in the PSD2 get reviewed, we call for focus on:
- Expanding the timeframe for SCA renewal for Account Information Service Providers (AISPs). Today’s requirements for the Payment Service User (PSU) demand it to authenticate at each access or every 90 days. The review of the PSD2 should expand to 180 days the time frame required for SCA’s renewal in order to align with the EBA’s Final Report on SCA published in April 2022.. These changes are important to ensure technology solutions are not unnecessarily restrained by over-prescriptive SCA mandates.
- Exempting specific applications from the scope. The targeted review of the PSD2 should lead to the exemption of the following applications under certain, carefully analysed, payment thresholds:
- Unattended terminals for electric vehicle (EV) charging. The exemption would help the EU meet its Green Deal goals and contribute to plugging the investment gap in EV infrastructure. Estimates say the EU would need to install 150.000 new electric vehicle charging points each year, or roughly 3.000 per week, to reach its 2025 target.
- Unconnected and remote environments. This is key to ensure aircraft and ship passengers can continue to make payments onboard.
- Mail Order and Telephone Orders (MOTO) transactions. The review of the PSD2 should bring further clarify on the existing regime for MOTO payments.
- Vending machines and donation terminals
- Carefully analysing whether a review of the threshold for contactless payments is necessary. This is in function of the success of contactless payment transactions during the COVID-19 crisis. The SCA framework has played a key role in reducing fraud levels. It has also showed ability to deal with evolving circumstances. When COVID-19 infections surged, payment service providers were granted the possibility to use provisions under Article 11 of the Regulatory Technical Standards (RTS) on SCA and increase the threshold for contactless payments to €50 in all EU countries. That represented a good example of striking the right balance between innovation and security. Citizens have now fully digested the new threshold.
- Addressing new types of fraud. We shine in particular a light on:
- Clarification of liability in authorised push scams (or APP scams). The review of the PSD2 should include new provisions to deal with liability in relation to this type of scams, in which a Payment Service User (PSU) is tricked into transferring money to a fraudster via a credit transfer, including through the use of an instant payment instrument. In these cases, there is no impersonation of the PSU. It is the PSU itself who authorised the transaction. Liability should be allocated according to the specific circumstances among PSUs, Payment Initiation Service Providers (PISPs), payer’s PSPs and payee PSPs.
- RTSs for Internet of Things (IoT) applications. The RTSs should cover those circumstances where transactions are autonomously initiated by the device.
- Clarifying the legal ground for processing of behavioural data. The targeted revision or the PSD2 should help secure a better legal ground for the processing of behavioral data for SCA. The use of behavioral data as second authentication factor would facilitate PSPs’ compliance with SCA requirements. The PSD2 is unclear today on the validity of sophisticated behavioral solutions to improve authentication methods. This lack of clarity has also created inconsistencies with the GDPR
- Providing guidance on SCA during technical incidents. Industry would welcome specific guidelines from the EBA on how to deal with SCA during technical incidents impacting the SCA infrastructure.
Open Banking and competition in the payment industry
There are important learning points from the challenging and difficult implementation of Open Banking. Articles 66 and 67 of the PSD2 should have already made it a reality, but there are lingering problems around it.
For example, there still lie obstacles in the user interface which continue to inhibit access to customer payment account data by third-party providers (TPPs) and, in turn, adoption of Open Banking by consumers and businesses. TPPs must be confident that they can build products based on an infrastructure that is reliable and will not cause issues such as cardholder abandonment and lower sales conversions. At the same time, consumers also need to trust that using APIs in Open Banking infrastructure will work.
We suggest focus on:
- Standardisation, access, and interoperability of APIs: one of the challenges for Open Banking’s adoption remains the quality of all the different APIs in the PSD2. We would welcome guidance for National Competent Authorities by the European Banking Authority (EBA) which would concentrate on improving API performance.
- Data management & interplay between PSD2 and GDPR: Regulatory harmonisation and clear rules for data management are key to ensure a smooth development of Open Banking. This is why it is key to ensure greater alignment of the PSD2 with the lawful grounds for personal data processing under the GDPR. This is evident for example in the notion of consent, on which the PSD2 remains still inconsistent with the GDPR. 
 Bank for International Settlements and International Organization of Securities Commissions, Principles for financial market infrastructures: Disclosure framework and Assessment methodology, 2012
 European Banking Authority, Draft Regulatory Technical Standards amending Commission Delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, 2022.
 More background on this issue in our paper titled Contactless Payments: An enabler for e-mobility in the EU
 According to Directive (EU) 2015/2366 on payment services (PSD2), a third-party provider is an entity authorised to access accounts upon customer consent (while not operating those account itself). Payment initiation service providers and Account information service providers are examples of TPPs under the PSD2.
 The EPBD has also published guidelines on the interplay of the Second Payment Services Directive and the GDPR in December 2020