PSR – Draft ECON report proposals
Ensuring better anti-fraud protection for consumers
The proposed PSR's anti-fraud provisions show a clear liability shift in favor of consumers, and the provisions include an obligation on electronic communications services providers (ECSPs) - such as mobile network operators and internet platforms - to cooperate with payment service providers (which includes the newly expanded definition of PIs as well as banks) (PSPs) in the fight against fraud. The ECON draft report goes a step further by proposing an explicit Recital reference to joint responsibility of the PSP and the ECSP in the event of fraud where the latter fails to cooperate.
New provisions are proposed regarding the PSP’s liability for impersonation fraud, including an obligation on ECSPs and PSPs to ensure that all required technological safeguards, particularly those relating to the security of the communication between PSPs and payment service users, are in place and provided free of charge. In addition, ECSPs would be required to have in place certain technical safeguards in order to prevent fraudulent activities, including verifying the legitimacy of all calls and messages that are routed through telecommunication networks, preventing the use of a specific telephone number in violation of its attribution, authorisation, or allocation, and preventing the creation of fraudulent websites and preventing internet search engines from displaying those websites in their list of results. Failure to establish the technical safeguards would mean that the ECSP would be financially liable towards the payer’s PSP for the amount that the PSP has refunded to the customer.
In relation to transaction monitoring mechanisms and fraud data sharing, it is proposed that exchange of information on fraudulent unique identifiers should become an obligation rather than just an option. A new provision requiring the EBA to set up a dedicated IT platform to allow PSPs to exchange information on fraudulent unique identifiers with other PSPs is also inserted, along with another new provision stating that where a PSP fails to block a unique identifier which was reported to it as fraudulent or involved in fraudulent transactions, the payment service user shall not bear any resulting financial losses.
The obligations of PSPs in relation to payment instruments would be extended to include provision of a free of charge telephone line allowing for 'personal human support' for payment service users to, among other things, notify a fraudulent transaction and receive feedback when they suspect fraud.
The draft report also proposes new provisions on fraud education which would require Member States to allocate 'substantial means' to invest in education on payment-related fraud, either in the form of a media campaign or lessons at schools. PSPs and ECSPs would be required to co-operate in those educational activities free of charge.
Enhancing transparency measures
The June 2023 proposal did not contain any significant changes concerning transparency requirements. However, as experience with PSD2 showed, apparently small amendments can turn out to be very complicated to implement from an IT perspective in particular.
With regard to credit transfers and money remittances from the EU to a non-EU country, the June proposal introduced an obligation for PSPs to provide payment service users with certain information, in particular: (i) the estimated time for the funds to be received by the PSP of the payee located outside the EU and (ii) (in an effective extension of the revised Cross-Border Payments Regulation to this type of transaction) the estimated currency conversion charges must be expressed, for comparability purposes, as a percentage mark-up over the latest available ECB euro foreign exchange reference rates. Here, the ECON draft report proposes further changes aimed at providing better information, for example to stipulate that estimated currency conversion charges should be disclosed transparently in a monetary value as a mark-up over the latest available applicable foreign exchange reference rates issued by the relevant central bank.
Another evolution in the PSR proposal is that fee information will have to cover any charges to be debited for domestic ATM withdrawals. This proposed new obligation is the result of concerns from the EBA and the Commission over the fee that can be debited for a domestic ATM withdrawal operation. For example, in France some banks currently debit fees if a consumer makes a cash withdrawal from an ATM at a different bank. The ECON draft report suggests widening the new obligation to remove the reference to domestic ATMs, although this change is only shown in the related Recital where there is also clarification that 'more transparency' of ATM charges also means 'better information' from the PSP as regards currency exchange.
Strengthening the EBA's role
The draft report advocates for the role of the EBA to be strengthened in recognition of the very technical nature of the subject matter and the constantly changing payments landscape. In particular, the report suggests mandating the EBA to develop various additional RTS or guidelines including:
- in relation to the new anti-fraud provisions, guidelines on how the concept of 'gross negligence' is to be interpreted for the purpose of the PSR, taking into account that the term is interpreted in very different ways across the EU;
- draft RTS setting out a standardized list of data categories of information to be disclosed on the dashboard that banks and other account servicing payment service providers will be required to offer to their Open Banking customers to allow them to see at a glance what data access rights they have granted and to whom and to cancel TPP access to their data (this is also relevant to enhancing transparency); and
- draft RTS setting out an exhaustive list of the methods that can be used as a unique identifier (taking into account relevant market practices), which will be relevant to the proposed new IBAN/name verification service to tackle payments fraud. The draft ECON report proposes that the verification carried out by PSPs should not focus solely on the IBAN number but also encompass other proxies defined by the EBA. Again, these proposed amendments are also relevant to enhancing transparency.
What's the timeline for the PSR and PSD3?
There are a number of elements to take into account here, not least the EU legislative process to reach agreement between the Council of the EU and the Parliament on final texts and the effect of the 2024 European elections on this process. In addition, the EBA is mandated to develop several RTS and implementing technical standards (ITS) and guidelines under the proposals – a list that, as outlined above, the draft ECON report on the PSR suggests should be increased.
Even when finalised, for the PSR there will be an 18-month implementation period and in relation to PSD3 there will be grandfathering of the licensing process which means 24 months for implementation and re-authorisation (albeit hopefully not such an onerous process for the latter in relation to existing payments and e-money firms in light of the ECON draft report's proposed clarifications).
Given the European elections and the European Commission having to be sworn in before trilogues can start again, our current view is that the PSR could take effect in H2 2026, with PSD3 taking full effect in early 2027.
Looking for more insight into the proposals?
We recently ran a series of three webinars where members of our Financial Services Regulatory practice took each of the PSD3, PSR and FIDA proposals in turn and considered their potential implications for new and existing PSPs. If you have any questions arising from this article or the other topics discussed in the webinars, please get in touch with one of the people listed below or your usual Hogan Lovells contact.
PSD3 client webinar series – Episode 1: The PSD3 Proposal
PSD3 client webinar series – Episode 2: The PSR Proposal
PSD3 client webinar series – Episode 3: The FIDA Proposal