PSD3 and PSR: sharing data on fraudulent payment transactions
On 28 June 2023, the European Commission (EC) published legislative proposals on payment services, on access to and exchange of financial data, and on the introduction of a digital euro. The legislative proposals consist of, amongst others, a third Payment Services Directive (PSD3), a Payment Services Regulation (PSR) and a Regulation for Financial Data Access (FIDA). These proposed acts are part of the “Financial data access and payments” package, which was launched by the EC to modernize the regulatory landscape in relation to the provision of payment services and the sharing of financial services data.
PSD3 and PSR
The PSD3 and PSR proposals modernize the second Payment Services Directive (PSD2) and will, in addition, incorporate the regulatory framework for e-money institutions. Consequently, the E-money Directive (EMD2) will be withdrawn upon adoption of the PSD3. PSR, once adopted, will be directly applicable in all EU member states and is aimed at harmonizing the ongoing requirements in relation to the provision of payment services across all member states.
We will specifically elaborate on the possibility introduced by PSR to share payment fraud data amongst payment service providers.
Payment fraud requirements
An evaluation of PSD2 led to the conclusion that the directive has had a positive impact on the prevention of fraud through the introduction of Strong Customer Authentication (SCA). Despite these achievements, payment service users, in particular consumers, merchants and SMEs, remain exposed to fraud risk. The rise of new types of fraud has also been identified as an issue of concern. The number of ‘social engineering’ cases, where consumers are misled into authorizing a payment transaction to a fraudster, has significantly increased in recent years. ‘Spoofing’ cases, where fraudsters pretend to be employees of a customer’s payment service provider and misuse the payment service provider’s name, e-mail address or telephone number to gain the customer’s trust and trick them into carrying out payments, are unfortunately becoming more widespread in the EU.
Therefore, PSR introduces, amongst others, improvements to the application of SCA, a legal basis for the exchange of information on fraud, the obligation to educate customers about fraud, the extension of IBAN verification to all credit transfers, and a conditional reversal of liability for authorized push payment fraud.
The detection of fraudulent transactions and data sharing
PSR requires payment service providers to have transaction monitoring mechanisms in place to support the application of SCA and to improve the prevention and detection of fraudulent transactions. Such a mechanism must be based on the analysis of payment transactions, considering the typical elements of the payment service user in the circumstances of normal use of the personalized security credentials, which includes environmental and behavioral characteristics. Examples of elements that must be taken into account are the location of the payment service user, the time of the transaction, the device being used, the user’s spending habits, and the (online) store where the purchase is carried out.
With regard to transaction monitoring, PSR introduces provisions that allow payment service providers to exchange, on a voluntary basis, personal data of their users, such as unique identifiers of a payee. These data are subject to information sharing arrangements, which must include details on participation and operational elements, including the use of dedicated IT platforms for exchanging the payment data. Considering the sensitivity of the data that may be exchanged, the payment service provider must conduct a data protection impact assessment in accordance with the GDPR before concluding information sharing arrangements and, if necessary, consult the relevant supervisory authority.
Transaction monitoring and data sharing in the Netherlands
Payment service providers have for quite some time already been subject to transaction monitoring requirements under anti-money laundering and counter-terrorist financing (AML) rules.
In order to lower the burden of complying with AML transaction monitoring requirements, five Dutch banks (ABN AMRO, ING, Rabobank, Triodos Bank and de Volksbank) have established an initiative called Transaction Monitoring Netherlands (TMNL). The TMNL initiative is an addition to the banks’ individual transaction monitoring activities and focuses on identifying unusual patterns in payment traffic that individual banks cannot identify on their own. By combining transaction data from several banks, the banks are able to generate (inter-bank) information that is useful in fighting financial crime. The banks believe that expanding cross-bank cooperation in monitoring transactions may help increase the efficiency and effectiveness of combating money laundering, also with the help of artificial intelligence.
PSR introduces the possibility for payment service providers to deploy similar initiatives aimed at reducing fraudulent payment transactions. Before being able to enter into such data sharing arrangements, however, payment service providers will need to be patient.
What is next?
The proposals of the European Commission will be reviewed by the European Parliament and the Council. The exact timelines are not yet known, but as the regimes for PSD3, PSR and FIDA will take 18 to 24 months to enter into force after the texts have been agreed upon, it is currently anticipated that the legislative proposals will enter into force in 2026.
We will review the proposals in further detail, monitor any developments and share our observations and insights in subsequent updates. If you have any questions about PSD3 and PSR, our team is ready to help you.