
New EU rules: increased liability of payment service providers

The European Commission has published a proposal for the Directive on Payment Services in the Internal Market (PSD3) and a proposal for the Regulation on Payment Services (PSR). Their aim is to revise current legislation to reflect rapidly changing trends in finance. In particular, the Commission focused on consumer and user protection, the open banking system, and the different positions of bank and non-bank payment service providers.

New obligations for providers


According to the Commission, a key problem of current legislation is a high risk of fraud and the subsequent consumer distrust in payments. PSR thus increases the liability of payment service providers in the event of fraud:

  • Providers will now be obliged to check, free of charge, the consistency between the unique identifier (e.g., IBAN) and the name of the recipient (payee) provided by the payer. If the provider does not notify the payer of an inconsistency, the provider shall be fully liable for all financial losses of the payer.
  • Where a consumer has been manipulated by a third party pretending to be an employee of the provider, the provider shall be obliged to refund to the consumer the full amount of the fraudulent transaction (if the third party used the provider's name, email address, or telephone number and the consumer reports the fraud to the police without undue delay). 
  • Providers will also be obliged to share fraud data with other payment service providers.

 

Increased user control over data


Within open banking, providers will be required to introduce a dedicated interface that gives users an overview of the open banking access permissions they have previously granted (permission overviews). The Commission considers it essential that users have full control over their data and receive clear information on data access permissions. On the other hand, some matters should also become simpler for payment service providers: e.g., the obligation to maintain a permanent fallback interface for the exchange of data with account information service providers and payment initiation service providers is to be abolished.


End of the differentiated position of bank and non-bank providers

Another important change is the abolition of the distinction between payment institutions and electronic money institutions. PSD3 and PSR will only regulate payment institutions. Licenses issued before PSD3 enters into effect will probably remain valid for 24 months after the directive’s effective date. Within that deadline, payment and e-money institutions will thus have to apply for a new license with the competent national authorities; in the Czech Republic, this should continue to be the CNB.

If everything goes according to the Commission's plan, the proposed regulation will enter into effect in the course of 2025. After that, PSD3 will be transposed into national law, in the Czech Republic most likely by an amendment to the Payments Act. However, it is important to prepare for these changes in advance.