You can find the PDF version of this paper here.

Introduction
The European FinTech Association (EFA) welcomes the European Commission’s (Commission) proposals for a new
Payment Services Directive (PSD3) and Regulation (PSR). PSD2 has delivered a more innovative, competitive
payments landscape in Europe, allowing consumers to benefit from new products and services and more secure
payments. However, challenges remain, and while it is encouraging to see these addressed in the proposals, EFA
would like to encourage the co-legislators to pay particular attention to the following areas: safeguarding,
transparency in cross-border payments, open banking, access to payment systems, and consumer protection.

Key messages:
• The EFA is enthused about the levelling of the playfield between banks and non-banks by amending the
scope of the Settlement Finality Directive (SFD). However, to avoid further delay, the SFD should be
amended as quickly as possible via the ongoing negotiations on the Instant Payments Regulation (IPR).
• The EFA encourages the co-legislators to ensure that PIs ability to safeguard funds with the central bank
becomes available, preventing the encouragement to shop around for central bank safeguarding
accounts.
• We suggest several further adjustments to the SCA rules that could be made to foster innovation and
customer convenience while maintaining high standards of security, including future proving of SCA, SCA
in the corporate context, marketplaces/platforms, and outsourcing arrangements.
• The EFA brings forward several concerns and suggestions on improving open banking, including the
prohibition of contracts model, re-authorisation, dedicated interfaces, account access and permissions,
transparency and information about the execution of payments, and variable recurring payments.
• The EFA recommends further clarifying the definition of “agents” and harmonising it across Member
States to reflect market realities.
• The EFA is concerned that the proposed transparency provisions for cross-border and one-leg-out
payments will not lead to the envisioned results because consumers cannot effectively compare
providers when sending money abroad. Thus, a benchmark rate should be introduced.
• The EFA is convinced that IBAN discrimination should be further addressed and enforced by imposing
clear obligations, establishing a robust enforcement system, creating a user-friendly EU-wide platform
for reporting IBAN discrimination, and establishing a pan-European forum for regulators and
policymakers.
• The EFA welcomes the additional measures to protect consumers against fraud. These include measures
on fraud investigation and prevention, APP fraud, returning funds to fraud victims, and the responsibility
of online platforms and telcos.
• Regarding fraud-data sharing, the EFA calls for the co-legislators to clarify rules on such data-sharing and
include a clause for standardisation of fraud-data sharing arrangements.
• The EFA calls for the PSR and PSD3 to clarify the clauses of PSD2, which have led to fragmented
implementation across the Member States, and to ensure the two legislative pieces will respect the
“same business, same rules” principle, lifting the prohibition for EMIs to grant pass on interest to their
customers.

Direct access to payment systems for non-bank PSPs.

EFA welcomes the proposed changes enabling payment and e-money institutions (PIs/EMIs) to access payment systems designated under the Settlement Finality Directive (SFD). Despite this, EFA is convinced that these amendments to the SFD should be introduced via the Instant Payments Regulation (IPR) to avoid any delays in EMIs and PIs accessing the payment systems. Non-banks have been disadvantaged for too long – to reap the benefits of direct access, the deadline for transposing the SFD amendments in the Member States should be minimized to a maximum of 6 months.

It is reassuring that payment system operators will be required to set proportional and non-discriminatory risk criteria, reducing differences in access due to the regulatory license held by each institution. We encourage co-legislators to prevent de-risking, as PSOs may not explicitly discriminate based on license but may implicitly prevent PIs and EMIs from directly accessing payment systems by taking a very rigid approach to their access criteria.

EFA highly supports a risk assessment before granting direct access to the relevant payments infrastructure. However, it is worth highlighting that regulators should have a deep knowledge and understanding of the firms they supervise to ensure they appropriately calibrate risks to the payment system – whether firms connect directly or indirectly. Certain risks to the payment system may exist even when a non-bank is indirectly connected.

As an organization with many non-bank Payment Service Provider (PSP) members, the EFA offers to work with the co-legislators throughout establishing the relevant safeguards around direct access.

Safeguarding.

The PSD3 proposal includes the possibility for PIs to safeguard funds with the central bank at the central banks’
discretion. The EFA encourages the co-legislators to ensure that this option truly becomes available and avoid a
scenario where shopping around for central bank safeguarding accounts is encouraged.
Safeguarding at the central bank would add choice for PIs as they diversify their safeguarding options, especially
given the stronger requirements in the Commission’s proposal to ensure firms have a diversified way of
safeguarding funds. This would help reduce concentration risk, lower the risk profile of safeguarded funds,
mitigate third-party de-banking risks, and increase consumer trust in safeguarded funds.
The EFA suggests that safeguarding letters be harmonised, using the same or similar templates across the Union.
This template could also be used by central banks and would greatly reduce the administrative requirements for
non-bank PSPs. In addition, banks and central banks should be required to set out a reasoned explanation in
cases where they refuse a safeguarding account to PIs or EMIs to minimise safeguarding de-risking.

De-risking.

EFA welcomes the stronger language on de-risking in the Commission’s proposal and believes the provisions will
help avoid blanket de-risking of the non-bank sector. We encourage introducing a minimum timeline and propose
giving at least 6 months’ notice before off-boarding. This would also allow a non-bank to address the concerns
banks may have raised in their reasoning and might avoid off-boarding altogether. This will contribute to making
the non-bank payment sector more secure.

Strong customer authentication.

The EFA welcomes clarifications around the application of Strong Customer Authentication (SCA) rules to
merchant-initiated transactions (MIT) and mail and telephone orders (MOTO). In general, PSD2 and the
accompanying RTS on SCA and CSC have left too much room for interpretation by different counterparties
involved in a transaction, e.g., there is no agreed standard on the obligations TPPs have.

The EFA notes that further adjustments to the SCA rules could be made to foster innovation and customer
convenience while maintaining high standards of security. As such, there should be a structured approach to the
EBA consulting with industry to update SCA where necessary and to ensure the rules are still fit for purpose
considering market, technological, and economic developments since the introduction of SCA. As part of this, the
EFA stresses that the application of SCA in the corporate context, i.e., where the payer is acting in a corporate
capacity and not as an individual consumer, should be revised. Given the challenges of implementation (e.g., a
corporate employee using personal rather than company details to authenticate themselves) and significantly
lower fraud risk associated with corporate authentication (e.g., where a corporate employee should not have to
re-authenticate after 5 minutes of inactivity given the business context), the EBA should issue further guidance
and clarifications that ensure proportionate application of SCA in the corporate context. In addition, additional
exemptions for SCA should be considered for specific cases, such as using the same gateways to make recurring
payments or for merchants’ refunds. 

There should be more consideration given to SCA for marketplaces or
platforms, which are a common structure in Europe – exemptions could be applied at the platform level (treating
the platform as the payee) rather than requiring individual sellers on the platform to be identified as payees which
significantly decreases the usefulness of most of the SCA exemptions, e.g. recurring payments. SMEs should also
be subject to a more proportionate application of SCA requirements and could be allowed to use secure
alternatives to SCA. Furthermore, clearer guidance is needed regarding Transaction Risk Analysis (TRA) and
associated fraud ratio calculations. Additional thresholds could be introduced in TRA exemptions to increase the
use of TRA. The threshold for low-value transaction exemptions could be increased, and the approval process
regarding secure corporate payments with competent authorities should be accelerated.

Ideally, protecting merchants and consumers from fraud is best done through technology-neutral regulation
focusing on outcomes rather than prescriptive rules. The EFA welcomes the use of behavioral biometrics and
environmental factors in the provisions on transaction monitoring, and proposes considering their use as part of
the range of inherence factors that can be used for SCA. In addition, the flexibility introduced for the use of
categories in two-factor authentication (with the possibility to use two factors from the same category) should be
maintained. The no-mobile-only approach could also be problematic, particularly in the context of increased use
of such devices for everyday activities of EU citizens of all ages, including those with limited digital skills.
Furthermore, it should not be the back-end ASPSP, but the customer-facing TPP who decides which of the
available authentication methods should be used in a given context, e.g. at physical point-of-sale, where it is clear
that the payer is using a mobile.
Additionally, the EFA emphasises that technical service providers that participate in the authentication should be
obliged to provide all relevant details of the authentication to the PSP. In our view, the introduced outsourcing
arrangements would be almost impossible to implement as it would require providers of such solutions to
contract with a large number of PSPs and allow such PSPs to monitor them. Technical service providers do not
often consider these solutions their main business model and are, therefore, unwilling to go through these
processes with each PSP. 

Open banking

The PSD2 framework for open banking has successfully stimulated data-driven solutions to real-world financial
problems for EU citizens and businesses; EFA members are stoking competition and product innovation, an
improved banking experience, and new ways for consumers to engage with and manage their finances. There is
much more utility and value that open banking can drive, including in conjunction with parallel reforms to
broaden the coverage of SEPA instant payments. Therefore, the EFA welcomes the renewed focus on open
banking in the PSR and is convinced that several steps should be taken to achieve the full potential of open
banking in the EU.

● Prohibition of contracts model

Under PSD2, Account Servicing PSPs (ASPSPs) must provide access to their customers’ payment accounts to
Payment Initiation Service Providers (PISPs) at no cost and without needing a contract between the bank and the
PISP. This model has stimulated competition and market entry and has kept the cost base for open banking
providers low. In turn, these providers can offer merchants cost-effective payment initiation services.
The EFA is convinced that removing this prohibition on contracts will jeopardise the adoption of open banking
and create a system that replicates cards, hampering competition in the payments market. Therefore, we
encourage the co-legislators to keep the non-compensatory model for baseline open banking services. Beyond
the baseline open banking services outlined in the PSR, there is ample room for industry collaboration towards
added-value, commercial services, both bilaterally and through multilateral forums like the SEPA Payment
Account Access Scheme (SPAA).

● Re-authorisation

The EFA supports a streamlined process for PIs and EMIs to re-authorise under the PSD3 that does not create
unnecessary administrative bottlenecks. There should be a clear path to simple re-authorisation under PSD3 for
existing PIs and EMIs demonstrating compliance to their National Competent Authority (NCA) and a presumption
of automatic re-authorisation of firms that already have a very high level of regulatory oversight by their
competent authorities subject to firms’ compliance with additional PSD3 requirements. EMIs and PIs should only
have to satisfy new PSD3 authorisation requirements and not re-submit information shared previously with their
competent authority. This limits duplication in licensing processes and ensures a level playing field for all e-money
institutions. Furthermore, it should be clarified that AIS and PIS activities can be provided by the same legal entity
despite having different rules, e.g., regarding storing sensitive data.

● Dedicated interfaces

The EFA welcomes and supports the Commission’s proposal for additional performance and functionality
requirements for Application Programming Interfaces (APIs) and provisions on enhancing supervision and
enforcement practices and notes that they could be strengthened even further by involving the European and
National Competition Authorities in a decisive manner.
In addition, we believe it would be helpful to replace the concept of a “dedicated” interface with a “machine-tomachine” interface, i.e., any API-based interface, because it is the latter that counts and not having it dedicated
to Third-Party Providers (TPPs). On the contrary, the APIs quality would most likely improve dramatically if an
ASPSP could make it available to their own customers as well. Ideally, they should also use their mobile customer
interface API for TPPs.
If an API is dedicated to TPPs, then there must be a contingency, not only for the case of non-availability but also
for other non-performance, e.g., lack of any required functionality. Given that FIDA shall not cover any transaction
initiations, we believe that PSR should extend the scope of ‘payment accounts’ to saving accounts, as is already
the practice in some Member States.
We also welcome the focus on removing API and SCA barriers by including a list of prohibited obstacles to open
banking based on previous work carried out by the EBA. However, to future-proof the PSR, the list needs to be
non-exhaustive to cover current and future obstacles.

● Account access and permissions

The EFA emphasises that whilst mandating an AISP and its initial access should require an SCA, any subsequent
access is secured by the Account Information Service Provider’s (AISP) eIDAS certificate and should not require
any customer action, let alone further SCAs, especially considering that the proposal enables customers to
withdraw any consent easily via the “permissions dashboard” which shall be offered by the ASPSP. However, it
should be clarified that the information displayed on the dashboard must be provided exclusively by the TPP, who
was given the permissions, not by the ASPSP, who was not involved and would not have such information.
Separately, merchant-facing PISPs contract with merchants and act solely on their behalf. Therefore, they should
not need any contract with the payer, not even a single payment contract. Any form of GDPR-legal ground for
processing the payer’s data (e.g. consent) should be sufficient.

● Information about the execution of payments

The EFA highlights that ASPSPs should be required to immediately confirm whether any initiated payment will be
executed or not so that PISPs can inform merchants in real-time and thereby compete on a level playing field with
other payment solutions, e.g. cards. For this, it is important to ensure that at least information exchange for
confirmation of the transaction execution and the reasons for transaction failure are standardised, and
enforcement measures are efficient. If an ASPSP is not able to do that, PISPs should be allowed to access account
information, e.g., the available balance and past transactions, prior to initiating a payment, so that it can be
stopped if the non-execution risk is deemed too high.

● Variable recurring payments

The EFA is convinced that PSD3 should make variable recurring payments clearly defined and mandated for
sweeping (automated money transfer between customers’ own accounts, e.g., to move any excess balance at the
end of the month from a checking to a savings account). This would be a huge step forward in delivering
competition and innovation to consumers and has already been successfully implemented in the UK. In the UK,
the implementation of sweeping variable recurring payments showed its effectiveness by allowing customers to
make smarter savings by automatically moving surplus funds out of current accounts into savings accounts,
avoiding overdrafts, and creating competition among ASPSPs.
Furthermore, the EFA suggests having more proportional requirements for AISPs and PISPs where no fund
handling is involved, therefore avoiding the imposition of cumbersome AML requirements. In addition, the EFA
notes that under PSD2, the regulatory treatment of online marketplaces and payment facilitators (Payfacs) –
increasingly important parts of the EU’s digital economy – is unclear and interpreted differently across the
Member States. For PSPs to better serve this market, a clearer and more consistent approach to regulating
marketplaces and Payfacs should be developed.

Definitions.

The EFA suggests further clarifying the definition of “agents,” which should be harmonised across Member States
in order to reflect evolving market realities. It should be reiterated that marketplaces and platforms supported by
PSPs, which remove them from control or possession of funds for third parties, are not, by default, agents of the
PSP. In addition, there is an increasing prevalence of multi-processor set-ups for payment acquiring services,
where, in particular, large businesses rely on the services of several acquirers. When acquirers use agents to
deliver their services, it should be noted that every agent only acts on behalf of one acquirer as their principal
(PSP) and not in respect of all payment services provided to the payment services user.
Transparency provisions for cross-border and one-leg-out payments.
It is encouraging to see that the PSR acknowledges that too much money is lost to hidden FX fees in remittances
and cross-border payments more generally. The EFA agrees that including one-leg-out payments into the scope
of the PSR will ensure that the EU has better tools available to tackle their high cost. However, we observe that
today, people and businesses are unable to effectively compare providers when sending money abroad. While we
are very encouraged by the fact that charges for currency conversion and foreign exchange rate mark-ups are now
explicitly recognised as charges that must be clearly disclosed, we are concerned that the proposed disclosure
will not address the problem. Therefore, the EFA calls for the co-legislators to introduce a benchmark rate – an
aggregated mid-market rate provided by neutral, independent actors – to ensure consumers can accurately
compare the cost across providers. Relying on a stale European Central Bank (ECB) rate will not account for
intraday movements.

IBAN discrimination.

Many of EFA’s members’ customers still face IBAN discrimination daily. As open banking was increasingly taken
up by the EU citizens, discrimination also happens via these newer payment methods. While the EFA is glad to
observe the inclusion of the ban on discrimination based on domestic identifiers in the open banking context
within the PSR, we are convinced that the co-legislators should go further to prevent the lack of enforcement on
which IBAN discrimination has thrived. To fight IBAN discrimination, EFA proposes several key actions that could
be included within the PSR:

•   Imposing clear obligations on PSPs, merchants, and public entities to accept non-local IBANs, whilst:
•  Establishing a robust enforcement system, granting NCAs the authority to impose fines and sanctions on
  those failing to comply with anti-IBAN discrimination rules.
•  Creating a user-friendly EU-wide platform for reporting IBAN discrimination to address the
  underreporting of IBAN discrimination cases and some NCAs only investigating cases reported through
  official channels. This centralised reporting system could ensure prompt forwarding of cases to the
  relevant NCAs and allow tracking of IBAN discrimination instances at the EU and national levels.
• Establishing a pan-European forum for regulators and policymakers to exchange information and share
  best practices to make progress in combating IBAN discrimination.
  Additionally, EFA members see a certain level of discrimination on the level of the national alternative payment
  methods. For certain schemes, to become a direct participant, PSP needs to be connected to the national
  infrastructure of the particular Member State. We believe such practices restrict competition, hinder the
  development of a truly Digital Single Market and directly contradict EU legislation.
  Consumer protection.
• Fraud investigation
  The current refund timeline for unauthorised transactions is immediately or no later than the next business day
  and is only extended to 10 days for highly suspicious cases. EFA is concerned that this creates an easy way for false
  claimers to obtain refunds as the PSP does not have appropriate time to make an informed decision or conduct a
  proper investigation. To make a reasoned judgment as to whether there could be fraudulent behaviour or gross
  negligence by the customer, the PSP should be given the opportunity to appropriately review the case. The strict
  timelines can incentivise the PSP to automatically approve or decline a part of the oncoming claims just to meet
  the deadline. This, in turn, can create a vulnerability that false claimers can abuse and reduce the quality of
  responses received by legitimate customers.
  Additionally, the PSR should clearly indicate that the PSP should be able to further investigate the claim or refuse the refund to the customer in cases of gross negligence by the customer. But to do so, the concepts of ‘gross
  negligence’ and ‘high suspicion of fraudulent behaviour’ should be further expanded. It would be beneficial to
  further clarify the parameters for establishing a gross negligence case or when a PSP can deem there is a high suspicion of fraudulent behaviour or introduce a concept of customer standard of caution.
• APP fraud
  With Authorised push payment (APP) fraud becoming one of the most challenging and complex issues, the EFA
  understands the need for rules around reimbursement for impersonation fraud. However, the mitigating
  measures for APP fraud are frequently outside the control of the PSP, and there is no direct causal link between
  the actions of a PSP and a customer falling victim to APP fraud. At the same time, the PSR creates a new liability
  regime for APP fraud without proven responsibility on the PSP side and the establishment of a causal link. We also
  see several unintended outcomes for such a regime, such as risk to competition and the sustainability of FinTech whose focus is on instant payments. Therefore, EFA believes that PSPs should be liable for impersonation scams
  only if the PSP had control over the specific impersonation scam that took place.
  In case co-legislators agree with the proposed option for strengthening protection against fraud, we suggest clarifying the rules to minimise the costs for PSPs and encourage users to take greater precautions before authorising a payment. On average, users make several transactions before a fraudster receives the full desirable amount. Therefore, we believe that it is important to introduce an upper and lower threshold for reimbursement
  to ensure that customers work with their PSPs to conduct due diligence and take time to consider any transfer considered risky. If customers were aware of this, they would take much greater precautions before authorising a payment. To avoid different application of rules across Member States, we also call for more clarity on what is
  considered to be bank employee impersonation fraud. For instance, current provisions give rise to the question
  of whether it is enough for a fraudster to use the name of a company in communication or if the email address and telephone number need to be exploited. Additionally, we believe it is important to provide an obligation on
  the users’ side to cooperate with a PSP, and provide sufficient and truthful evidence.
• Telcos’ role in fighting fraud
  EFA welcomes that telcos should play a part in addressing fraud but does not believe the current provisions go far
  enough. There is no liability for electronic communication or online platform services, and the full liability for
  refunding the customer rests with the PSP. This is problematic as data from other jurisdictions shows that 70% of
  authorised push payment scams started on an online platform, defined as emails, social media, websites
  (including auction sites), and apps (including dating apps). Looking into specific scam categories, most
  investment (96%), romance (96%), and nearly all purchase (98 %) scams originated online. Often, these are paidfor advertisements, meaning that social media companies are profiting from fraudulent ads while the finance
  sector bears the brunt of the cost. The co-legislators should ensure that consumers are adequately protected and
  ensure online platforms, as well as telcos, share in the responsibility.
• Rules on blocking and retrieving stolen funds
  Additionally, to protect customers from the loss of funds, we believe it’s important to ensure that there are clear
  rules on blocking and retrieving stolen money to return it to fraud victims. Currently, EFA members encounter
  issues when, after identifying a case of fraud and blocking the funds that the customer acquired from illegal
  activities, there is no legal option to return these funds to the victim. Some jurisdictions have developed market
  practices (e.g., France, Ireland, Belgium, Netherlands, Italy, and Germany) where funds can be repatriated after
  the information has been provided by the payer’s PSP. However, such practices do not have a pan-European
  reach. In some Member States, the lack of clarity around repatriation not only prevents PSPs from returning back
  stolen money to the victims of scam but also creates obstacles to cross-border cooperation.
• Alignment with the Instant Payments Regulation
  Finally, the provisions on extending payee verification to SEPA credit transfers should ensure alignment between
  the Instant Payments Regulation and the PSR, and that information used for verification can include unique
  identifiers in addition to IBANs. This ensures that an EU verification scheme can account for different types of
  account identifiers, including where a unique IBAN is not assigned.
  Fraud data sharing.
  PSR takes a huge step towards enhancing fraud prevention mechanisms by allowing PSPs to voluntarily enter the
  information-sharing arrangements to better detect fraudulent payment transactions and protect their customers.
  According to the Explanatory Memorandum to the PSR, such information should include personal data such as
  unique identifiers of a payee. The EFA emphasizes the importance of clarifying such intent in the text, as sharing the names of account holders involved in fraudulent activities would increase the capacity of PSPs to prevent unlawful transactions. We are also concerned that these provisions will have a declarative character unless industry-wide standards for fraud data-sharing arrangements are established. Without a certain level of
  standardisation, PSPs would need to enter multiple information-sharing arrangements and adapt their systems
  to each one, as PSPs operate differently.
  Additionally, data sharing just among PSPs would limit the effectiveness of such arrangements. The ecosystem should at least include public entities, telcos, and online platforms to stop potential fraud before it happens and
  minimise the number of payments stopped unnecessarily.
  Legal certainty.
  PSD2 has been interpreted and implemented inconsistently by individual Member States, which is skewing
  competition and working against creating a single market for payment services. This can, for example, be seen in
  the different interpretations of the definition of “agent”. In certain Member States, the definition of agent has been interpreted as including promotional activities, and have consequently asked for a central contact point to be set up. PSD3 can avoid such shortcomings by clarifying those definitions that have proved to be a source of regulatory
  fragmentation.
  We welcome the transition of the key regulatory framework in PSD2 into a Regulation through the introduction of the new Payment Services Regulation. This will ensure a more consistent application across EU Member States and strengthen the regulation’s role in driving payment innovation.
  Same business, same rules principle
  Despite the Payments Package’s general aim to harmonise the regime for all PIs, it still upholds the prohibition for EMIs to pass on interest to their customers. This puts them at an unjustified competitive disadvantage
  compared to other PIs while not respecting the “same business, same rules” principle.

About us:
The European FinTech Association (EFA) is a not-for-profit organization representing leading FinTech companies of all sizes from across the EU. It brings together a diverse group of 40+ FinTech providers ranging from payments, to lending, banking, robo-advice, investment as well as software-as-a-service for the finance sector, with a clear
focus on enabling a single market for digital financial services. For more information, visit www.eufintechs.com
or follow @EFAssociation on Twitter