PSD3’s Global Reach Brings US Financial Firms New Compliance Challenges

The newest update to the Payment Services Directive, PSD3, has been two years in the making, and final guidelines are expected to come this year.

While the changes will be sweeping in Europe, shifting how the directive impacts banks and payment service providers (PSPs), we may see its impact reach the U.S. within the next year and a half, after the draft for U.S. firms is finalized, particularly in the areas of data security and data sharing.

The third directive traces its roots to summer 2023, when the European Commission said it would seek to update PSD2, which was introduced in 2016. In addition, the European Commission also published its Payments Services Regulation (PSR), which focuses largely on technical standards. 

Permissioned Dashboards

In terms of consumer-related details, the proposals indicate that PSPs with online account features must create permission “dashboards” that enable users to consent to having their information shared with third parties, and where users can monitor who they’ve allowed that access.

Financial institutions (FIs) will be mandated to give payment firms (i.e. non-banking firms) access to holders’ account info. In addition, non-banking firms are allowed access to all payment systems operating across the EU, with the right of non-banks to have bank accounts tied to those systems.

At a high level, PSD3 will require a transition period of several months that will change the ways in which PSPs handle data and protect against fraud. The Framework for Financial Data Access (FIDA), which takes its place besides PSD3 and PSR, helps govern the actual sharing of customer level data.

A Collaborative Approach

There’s a collaborative approach inherent in the proposals, as PSPs will be able to share fraud-related data with each other “while increasing consumers’ awareness, strengthening customer authentication rules, extending refund rights of consumers who fall victim to fraud and making a system for checking alignment of payees’ IBAN numbers with their account names mandatory for all credit transfers.” Firms will be required to improve embrace “confirmation of payee” functions in an effort to add another layer of defense against fraud. Payment entities and FIs also must enhance their transaction monitoring and move to educate consumers about payment fraud. 

Strong Customer Authentication, initially introduced via PSD2, also is being fine-tuned through the latest iteration of the directive. Notably, the PSD3 may mandate that SCA be used at the point at which a card is enrolled in a digital wallet. 

US Firms Across Borders

The PSD3 would not be a game-changer for payments firms that operate solely within U.S. borders. But given the global reach of many of those companies, FIDA, as noted above, clarifies at least some of the ways and means in which open banking will be handled.

Interestingly, the data shared extends across providers as payments firms and FIs can glean insights on products that have been used and purchased by consumers — which might allow a bank, for example, to fine tune its offerings to compete with a FinTech (and vice versa). 

The post PSD3’s Global Reach Brings US Financial Firms New Compliance Challenges appeared first on PYMNTS.com.