PSD3/PSR: Improved competitiveness of Open Banking services
- Financial Institutions
As already reported here at the start of our newsletter series on PSD3, the European Commission published the long-awaited Financial data access and payments package at the end of June 2023, consisting of, among other things, drafts for a new Payment Service Directive (PSD3) and a new Payment Service Regulation (PSR).
In addition to improving consumer rights, which we recently reported on here, another aim of the package is to improve the competitiveness of Open Banking services.
Open Banking has already started a new era in the financial industry. As a term, Open Banking stands for the opening and use of banking services outside the Account Servicing Payment Service Provider's (ASPSP) own service offering - for example on platforms of Third Party Providers (TPPs). Open Banking also describes services that are offered by the Payment Service Provider itself.
Open Banking thus allows Third Party Providers to offer additional functionalities to Payment Service Users by directly accessing account data - with the Payment Service Users' consent. PSD2 has already created the legal framework for such Open Banking services by introducing regulations for Account Servicing Payment Service Providers.
Since the introduction of PSD2, the Open Banking market has grown significantly - but numerous difficulties in practical application have also become apparent. In particular, the lack of a uniform standard for interfaces (Application Programming Interfaces - APIs) has led to a multitude of different API solutions on the European market. However, these API solutions vary in quality and performance and cause difficulties for Third Party Providers in accessing data. To strengthen the competitiveness of Open Banking in the EU, the European legislator therefore wants to ensure improved standardisation and interoperability.
Harmonisation, provision and improvement of interfaces (APIs)
One of the biggest innovations in the PSD3 regulatory package therefore concerns the APIs for data exchange between Third Party Providers and Payment Service Providers. The requirements will be regulated in the PSR to ensure uniform application across Europe. However, there will still be no legally prescribed technical description of an API.
However, the PSR will provide mandatory minimum requirements for APIs. Certain requirements for APIs already existed in the framework of PSD2 and in the Regulatory Technical Standards (RTS) stipulated by the European Banking Authority (EBA), but these will now be further embedded and specified by the EBA. The aim of these adjustments is to achieve a standardisation of APIs (Article 36 PSR draft in conjunction with recital to 59 PSR draft).
The PSR will also introduce new performance requirements for APIs and their minimum functionalities. Furthermore, for the first time, the PSR sets specific regulations on the availability and response times (latency) of APIs. The latency of Open Banking APIs should not be longer than the latency of the online or mobile banking application (Article 37 PSR draft).
Account Information Service Providers shall also be obliged to provide at least one API for access to Open Banking services in the future (Article 35 no 1 PSR draft). However, an Account Servicing Payment Service Provider should not be allowed to require a contractual agreement with the Third Party Provider for account access, so that the service remains free of charge for users of the APIs. On the other hand, a permanent fallback interface should no longer be required.
Account Servicing Payment Service Providers will in future also be subject to comprehensive obligations to prevent the unavailability of APIs (Article 38 PSR draft).
Introduction of permission dashboards
To improve the functionality of Open Banking for Payment Service Users, Account Servicing Payment Service Providers will be required to provide a dashboard for users. This dashboard should provide Payment Service Users with an overview of the data access permissions they have granted to TPPs, including the purpose and duration of the permissions as well as pending permissions. The Payment Service Users shall be able to manage and, if necessary, block the granted permission via the dashboard. The Account Servicing Payment Service Provider is obliged to inform the Third Party Providers concerned without delay if a data access permission is withdrawn (Article 43 no 1 in conjunction with no 2 PSR draft).
According to the proposal of the European Commission, the costs of the planned changes to the APIs shall be borne by the Third Party Providers and the Account Information Service Providers. However, these costs shall be compensated by savings, such as the elimination of the fallback interface.
Binder Grösswang's Financial Services Regulatory Team will be happy to assist you in preparing for the upcoming requirements at an early stage.
Please note: This blog is for general information purposes only and in no way constitutes legal advice from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.