Could EU and UK payments law diverge?

The EU directives on which UK payments regulation is based will soon be replaced by a third Payment Services Directive (“PSD3”) and a Payment Services Regulation (“PSR”), to take effect during 2027 or 2028. This means that payment firms face the possibility of significant differences between the UK and EU regulatory regimes.

Broadly, the new EU regime:

• regulates both e-money and payment services;
• improves payment service providers’ access to payment systems and bank accounts;
• better facilitates ‘open-banking’ and consumer control;
• enhances enforcement powers; and
• improves consumer information, rights, and access to cash via retail shops and ATMs.

Changes introduced by PSD3

Initial capital increases to €150k (from €125k) for most payment service providers, but reduces to €250k (from €350k) for e-money business (these are added together for firms that do both types of business separately).

PSD3 seeks to avoid the double regulation of e-money tokens that are covered by the Markets in Cryptoasset Regulations (“MiCAR”), particularly on safeguarding.

Changes introduced by the PSR

Activities in-scope but benefiting from an exclusion (often with conditions):

• Commercial agents: commercial agents must have “real scope to negotiate with the payer or payee or conclude the sale or purchase of goods or services”, which suggests the authorities are aware of some that do not. The European Banking Authority (“EBA”) is tasked with publishing interpretive guidelines.

• Technical service providers: while open to a broader interpretation, service providers will have liability for direct financial damage up to the value of each affected transaction for any failure to support the application of ‘strong customer authentication’ (multi-factor authentication) and will face the same restrictions on termination fees as for the related payment services.

• Limited networks: the exclusion no longer mentions ‘used in a limited way’ and, confusingly, the reference to ‘payment instruments’ includes ‘electronic money-based instruments’, while ‘premises’ include both physical and online stores (as some regulators allow).

• Several new exclusions: retail stores will be able to dispense cash even where the customer is not obliged to buy any goods or services; and there’s an attempt to avoid dual MiCAR authorisation for a crypto-asset service providers intermediating between a buyer and a seller where electronic money tokens are exchanged.

Activities in-scope but carried out by people not required to be authorised or registered:

• Operators of payment systems and payment schemes: must allow regulated PSPs fair access; have specific rights to process personal data; and must be transparent on fees imposed on PSPs providing acquiring services.

• Original manufacturers of mobile devices and electronic communication service providers: must grant fair access to PSPs and technical service providers acting on their behalf.

• Providers of electronic communication services and very large online platforms/search engines: must establish anti-fraud communication channels, educational measures and alerts, including the exchange of information with ‘providers of hosting services’ (who may also be subject to direct obligations in due course).

• Currency conversion: all charges and the exchange rate used for converting the transaction must be disclosed to the payer as both a monetary amount and a percentage mark-up over an “aggregated mid-market exchange rate” provided by “a trusted administrator who meets applicable governance and control requirements, such as the IOSCO Principles for Financial Benchmarks”.

Activities in-scope and requiring authorisation:

• ‘Electronic money’: no longer includes the words “as represented by a claim on the issuer”.

• ‘Initiation of a payment transaction’: there appears to be some attempt to more clearly demarcate payment initiation and payment execution, with limited success.

• ‘Account information service’ (AIS): a revised definition now seems to catch both an interim service provider as well as the service provider who provides the AIS to the payment service user (as opposed to scenarios where the data is being provided to an entity providing ‘another service’). It will be up to the customer’s account servicing PSP to maintain a dashboard showing the names of other PSPs who have been granted access to the customer’s payment account and the ‘purpose of the consent’ which may reveal any third-party service provider to which payment account data is flowing.

Operational issues:

• Strong customer authentication: definitions of “merchant initiated transactions” and “mail order, telephone order” transactions have been introduced for the purpose of clarifying how and when SCA should be applied.

• Periodic penalty payments: regulators may impose a daily fine to be paid until compliance is restored for up to 6 months of at least 3% of the average daily turnover (annual divided by 365) for a legal entity and €30k for a natural person, though member states can increase these amounts.

• Derogation for low-value instruments: the threshold has doubled to €300 for these instruments generally but remains at €500 for prepaid.

• Where the payee’s payment service provider is located outside the EEA: the payer’s PSP must give an estimated time by which funds will be received by the payee’s PSP via credit transfer or money remittance.

• Additional information on the payee: the information needed for the payer to unambiguously identify the payee must include the payee’s commercial trade name and (where available and different from the commercial trade name) the payee’s legal name.

• Among the information to be included in the framework contract (service agreement) is how a user can modify a spending limit, how long it takes an increase to take effect, and how to adjust or opt out of any delay.

Other changes include:

• reducing the period in which a consumer can terminate without charge, from 6 to 3 months;

• increasing the notice period for the PSP to terminate an open-ended framework contract, from 2 to 3 months;

• there are extensive transparency requirements relating to charges by payment card schemes, processing entities and acquirers;

• new availability and performance requirements for ‘open banking’ interfaces;

• more support for PSPs’ access to bank accounts, including the reasons for refusal;
• a transaction will not be deemed to be authorised where it was initiated or modified by a third-party acting without the user’s consent, including where the user’s personalised security credentials were fraudulently obtained;

• the time for notifying a PSP of unauthorised or incorrect transactions increases from 13 to 18 months after the date of debit, with greater clarity around burden of proof and evidence that can be expected;

• various anti-fraud measures, including APP fraud reimbursement on certain conditions;

• there are advertising restrictions for very large online platforms; and

• more detailed transaction processing times, including for e-money tokens.

If you have questions or concerns about the Payment Services Directive and/or the Payment Services Regulation, please contact Simon Deane-Johns.