PSD3/PSR - Improvements in consumer protection (fraud prevention, security and increased transparency)
- Financial Institutions
As already reported here at the start of our newsletter series on PSD3, the European Commission published the long-awaited Financial data access and payments package at the end of June 2023, consisting of, among other things, drafts for a new Payment Service Directive (PSD3) and a new Payment Service Regulation (PSR).
One of the four objectives of the package is to improve consumer rights: payment fraud shall be further combated and contained, and greater transparency and security for consumers shall be achieved overall.
In the second part of our newsletter series, we present the planned measures to prevent fraud and strengthen consumer protection.
The refund rights of consumers in fraud cases will be expanded: payment service providers will be liable for fraud where the fraudster poses as an employee of the payment service provider by misusing the payment service provider's name, email address or telephone number (so-called "spoofing"). In this case, the payment service provider must refund the payment service user the full amount transferred as a result of the fraud, provided that the payment service user immediately reported the fraud to the police and informed the payment service provider. The payment service provider is not liable if the consumer acted with gross negligence or fraudulently; however, the burden of proving such conduct by the consumer lies with the payment service provider (Article 59 PSR draft).
In addition, payment service providers will in future be able to exchange data with each other in connection with fraud cases (Article 82 PSR draft).
To prevent IBAN fraud, payment service providers shall also be obliged to check, free of charge, whether the IBAN of the payee matches the account name for transfers made in an EU currency (IBAN-name check). No such verification obligation currently exists under PSD2 (see the Austrian Supreme Court's decision OGH, 23.10.2014, 2 Ob 224/13z). The verification obligation applies to the payment service provider of the payee upon request of the payment service provider of the payer and is free of charge. A corresponding provision for euro instant payments is already contained in the Commission's proposal for a regulation on instant credit transfers in euro and is now to be extended under the PSR (Article 50 PSR draft). It can therefore be assumed that in practice the payment service provider of the payer will request the IBAN-name check from the payment service provider of the payee in a standardized manner.
Since it has not yet been explicitly regulated whether the legal name or the commercial trade name of a payee has to be specified in payment orders, payment service users are occasionally confused when the legal name of the payee differs from the payee's trade name. As a result, it is often impossible for payment service users to tell whether a transaction is a possible fraud case. Therefore, the payment service provider of the payer shall, among other things, specify the payee's commercial trade name (Article 16 (a) in conjunction with Article 25 (1) (a) PSR draft).
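To illustrate how the payee-side IBAN-name check and the legal-name/trade-name problem from the two paragraphs above could fit together, here is an added example (not code from the draft regulation or from Binder Grösswang). The matching policy, the ignored legal-form tokens, the similarity threshold and the decision to disclose the name on file only for a close match are all assumptions of this example, not requirements of the PSR draft; the account data is constructed.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Assumed list of legal-form tokens ignored when comparing names (not from the PSR draft).
LEGAL_FORMS = {"gmbh", "ag", "kg", "og", "ltd", "sa", "bv", "nv", "se"}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed similarity cut-off for a "close match"

@dataclass
class Account:
    legal_name: str
    trade_names: list = field(default_factory=list)

def normalize(name):
    """Fold case and accents, drop punctuation and legal-form suffixes."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_text.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)

def iban_name_check(iban, payer_supplied_name, accounts):
    """Payee-PSP side of the check: does the supplied name fit the holder of this IBAN?
    Returns (result, name_on_file); the name on file is disclosed only for a CLOSE_MATCH
    so the payer can correct a typo (assumed data-minimising policy)."""
    account = accounts.get(iban.replace(" ", "").upper())
    if account is None:
        return "NO_ACCOUNT", None
    supplied = normalize(payer_supplied_name)
    best_name, best_ratio = None, 0.0
    # Both the legal name and any registered trade names count as a match.
    for name in [account.legal_name, *account.trade_names]:
        on_file = normalize(name)
        if on_file == supplied:
            return "MATCH", None
        ratio = SequenceMatcher(None, supplied, on_file).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = name, ratio
    if best_ratio >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH", best_name
    return "NO_MATCH", None

# Constructed sample: a hotel whose legal name differs from its trade name.
ACCOUNTS = {
    "AT611904300234573201": Account(  # illustrative IBAN, not a real account
        legal_name="Muster Hotelbetriebs GmbH",
        trade_names=["Hotel Muster"],
    ),
}
```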
Stricter requirements for strong customer authentication
The central security concept of PSD2 is the procedure of strong customer authentication (SCA). Payment service users must authenticate themselves with (at least) two elements from the categories of knowledge (e.g. PIN), possession (e.g. payment card) and inherence (e.g. fingerprint) (also called "two-factor authentication").
With regard to Account Servicing Payment Service Providers and Account Information Service Providers, the requirements in connection with SCA will be expanded: the SCA process will have to be applied mandatorily upon initial application and at least every 180 days if account data is to be accessed (Article 86 (4) PSR draft).
In order not to financially exclude special customer groups (such as persons with disabilities or elderly persons), payment service providers will be required to provide application options for SCA that can also be used by these groups of persons (Article 88 PSR draft).
For payment transactions initiated by merchants, it is clarified that SCA is required when the mandate is set up for the first time but does not have to be applied for subsequent payment transactions (Article 85 (2) in conjunction with (3) PSR draft).
Regarding telephone or mail order transactions, it is clarified that a non-digital initiation of the payment transaction will not be subject to SCA, provided that the payer's payment service provider implements security requirements and controls that enable some form of authentication of the payment transaction (Article 85 (7) PSR draft).
More transparency for consumers
Pre-approval of payments / blocking of funds
From the EU legislator’s perspective, the interests of consumers are particularly at risk in card-based payment transactions where the exact transaction amount is not known at the time the payer grants permission for the payment transaction to be executed. Such prior consent, and the associated blocking of amounts, is regularly required for car rentals or hotel bookings. According to the PSR draft, for such transactions the payee shall inform his payment service provider of the exact amount of the transaction immediately after delivery of the service or goods. Furthermore, the blocked amount shall be in appropriate proportion to the amount of the pending payment transaction that can reasonably be expected at the time of blocking (Article 61 PSR draft).
Currency conversion fees
For payment transactions within the EU and from the EU to a third country, payment service providers shall in advance provide an estimate of the currency conversion charges. The fees are to be expressed as a percentage mark-up compared with the latest available euro reference rates. In addition, for transfers to third countries, payment service users shall be informed on a mandatory basis about the estimated time until the payee receives the transfer (Article 13 no 1 lit f PSR draft).
Depending on whether an ATM belongs to the payment service provider itself, to its network, or to a third-party network, different fees may apply for domestic cash withdrawals. In future, payment service providers shall be required to disclose any fees for domestic ATMs accordingly (Article 20 (c) lit. ii PSR draft).
Binder Grösswang's Financial Services Regulatory Team will be happy to assist you in preparing for the upcoming requirements at an early stage.
Please note: This blog is for general information purposes only and in no way constitutes legal advice from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.