EUROPEAN COMMISSION

Brussels, 28.6.2023

SWD(2023) 231 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the documents

Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on payment services in the internal market and amending Regulation (EU) No 1093/2010

and

Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC

{COM(2023) 366 final} - {COM(2023) 367 final} - {SEC(2023) 256 final} - {SWD(2023) 232 final}

Table of Contents

1.Introduction: Political and legal context

1.1Retail payments in the EU

1.2Legal context

1.3Political context

2Problem definition

2.1What is/are the problems and the problem drivers?

2.1.1 Consumers at risk of fraud and lacking confidence in payments………………

2.1.2.    Imperfect functioning of Open Banking……………………………………...

2.1.3.    Inconsistent powers and obligations of supervisors…………………………

2.1.4.    Unlevel playing field between banks and non-bank PSPs …………………..

2.2.What are the consequences of the problems?

2.3.How likely is the problem to persist?

2.4.Problem Tree

3.Why should the EU act?

3.1.Legal basis

3.2.Subsidiarity: Necessity of EU action

3.3.Subsidiarity: Added value of EU action

4.Objectives: What is to be achieved?

4.1.General objectives

4.2.Specific objectives

5.What are the available policy options?

5.1.What is the baseline from which options are assessed?

5.2.Description of the policy options

5.2.1. Strengthen user protection against fraud and abuses………………………... 26

5.2.2.    Improve the competitiveness of Open Banking services……………………..

5.2.3.    Improve enforcement and implementation in Member States………………..

5.2.4.    Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs…………………………………………………………………………...

6.What are the impacts of the policy options and how do they compare?

6.1. Strengthen user rights and protection against fraud

6.2.Improve the competitiveness of Open Banking services

6.3.Improve enforcement and implementation in Member States

6.4.Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs

7.Preferred options

7.1.Effectiveness

7.2.Efficiency

7.3.Coherence

7.4.Summary of preferred options

7.5.Other relevant impacts

7.6.Application of the ‘one in, one out’ approach

7.7.Climate and sustainability

7.8.Fundamental rights

7.9.REFIT (simplification and improved efficiency)

8.How will actual impacts be monitored and evaluated?

Annex 1: Procedural information

Annex 2: Stakeholder consultation

Annex 3: Who is affected and how?

Annex 4: Analytical methods

Annex 5: Evaluation report

ANNEX 6: SCOPE OF PSD2

ANNEX 7: TECHNICAL CLARIFICATIONS AND OTHER CHANGES

ANNEX 8: Integration of the E-Money Directive 2 into PSD2

ANNEX 9: ACCESS TO CASH

ANNEX 10: USER RIGHTS MEASURES

ANNEX 11: EXPLANATORY NOTE ON OPEN BANKING

ANNEX 12: COHERENCE WITH OTHER COMMISSION ACTS AND INITIATIVES

Annex 13: SME TEST

Glossary

Table of Abbreviations

1.Introduction: Political and legal context

1.1Retail payments in the EU

Retail payments are the lifeblood of the European economy. Effective and efficient retail payment systems are essential for the smooth running of multiple sectors, the retail sales sector, payments for utilities and rent, and many others, as well as payments between individuals and between businesses. The second Payment Services Directive (PSD2) entered into force in 2018 (replacing PSD1 which dated from 2007) and lays down the EU legal framework for retail payments 2 ; since 2018, the retail payment services market has been undergoing key changes largely related to the increasing use of cards and other digital means of payment, and the growing presence of new players and services. The Covid-19 pandemic and the transformations it brought to consumption and payment practices has heightened the importance of secure, efficient digital payments.  

Payment Service Users (PSUs, consumers and businesses), receive payment services from Payment Service Providers (PSPs, mostly banks, but increasingly Payment Institutions and E-Money Institutions, neither of which is allowed to lend money, unlike banks, and also international remittance specialists). Some PSPs provide payment accounts (these are known as ASPSPs, Account Servicing PSPs), while others provide payment services without the need for an account (these include Open Banking providers, Account Information Service Providers and Payment Initiation Service Providers, collectively known as Third Party Providers or TPPs). Digital means of payment include credit transfers, direct debits, card-based payments, e-money stored in digital wallets, and newer innovative means of payment, such as using crypto-currencies. All digital payments require IT infrastructures in order to operate, including different phases of a digital payment, such as authorisation, initiation, execution and settlement. Some payment systems are entirely private, while public sector bodies such as the Eurosystem operate certain key infrastructures. While cash itself is not a digital means of payment, obtaining cash, for example from an ATM, is a digital payment service requiring an IT network. Non-digital means of payment, such as cheques, still persist in some Member States, despite high costs and inefficiencies.

Reaching €240 trillion in 2021 (compared with €184.2 tn in 2017), cashless payments in the EU have been in constant growth, both in number and value of transactions (see Figure 1). They are also increasing as a percentage of all payments, as shown in an ECB study 3 . According to this study, in 2022, cash was used in 59% of Point Of Sale (POS) transactions in the euro area, down from 79% in 2016 4 . While cards represented 34% of POS transactions (up from 19% in 2016), in terms of value, they accounted for a higher share of transactions than cash (46% compared to 42%), a change from 2019, when cash accounted for a higher share of value of payments than cards (47% compared to 43%).

Figure 1: Cashless payments in the EU

Source: ECB Statistical Data Warehouse; figures for EU (changing composition), all currencies combined

Amongst cashless payments, a number of important trends have occurred in recent years, resulting from digitisation of the economy, diversification in the supply of means of payment, changes in payment habits, etc. As illustrated below (Figure 2), despite the increase in both credit transfers and direct debits, the most noteworthy trends are the increasing use of cards (with a 55% increase in 2021 compared to 2017) and e-money (120% increase in 2021 compared to 2017).

Figure 2: Number of cashless payments in the EU 2017 - 2021 (in billions)

Source: ECB Statistical Data Warehouse; Payment Statistics 2021

In percentage terms, cards rose to 52% of total number of transactions (compared to 46.8% in 2017), and e-money payments to 5.2% (up from 3.3% in 2017), whereas the share of other payment instruments has fallen (see Figure 3) 5 . However, there are variations between Member States. Thus, for instance, the share of card payments stood well above 52% in Portugal (72,2%) and Romania (71,8%), where it has not changed significantly compared to 2017. The use of cards was also below the EU average in Germany (30,3%) and Bulgaria (35%), although in both cases these figures represent an increase of about 10 percentage points. when compared to 2017. 

Figure 3: Relative importance of various payment instruments (as percentage of the total number of payments) 2017 and 2021

Source: ECB Statistical Data Warehouse; Payment Statistics 2021

These trends have been influenced by changes in behaviour, but also by a growing diversity of providers of payments as well as technical services. COVID-19 accelerated the rise of e-commerce. In 2020, 22% of EU companies had e-commerce sales, with 19% of them reporting that online sales reached at least 1% of their total turnover, a 1 percentage point (pp) increase compared with 2019 and 6 pp up from 13% in 2010 6 . In 2021, card payments were the most used payment method in e-commerce: credit cards accounted for 25% and debit cards for 17% of the total e-commerce transaction value in the EU 7 . Card payments were followed by mobile wallets, which represented 27% of the transaction value in 2021.

New players enabled by digital technologies have become more widely available to consumers. For example, non-bank Payment Service Providers (PSPs) such as Payment Institutions (PIs) and E-Money Institutions (EMIs) are now widely present in the market, with the EBA’s register of payment and E-Money Institutions under PSD2 presenting 724 PIs and 275 EMIs in 2022 8 . In addition, more efficient payment systems have recently been developed, notably permitting instant credit transfers, taking place within seconds. According to data from the European Payments Council for Q3 2022, instant payments (IPs) account for about 13% of total volume of euro credit transfers in the EU. 9  

Finally, related to the growing use of mobile phones for payments, large technology companies (‘BigTechs’) have become more prominent in the payments sector as technology or payment service providers, particularly via pass-through digital wallets enabling access to tokenised versions of payment cards allowing contactless payments. Benefitting from significant network economies and from their large access to non-payments data, they can challenge established providers. Crypto-assets (including so-called ‘stablecoins’) may in future increase their role in retail payments by offering new payment solutions based on encryption and distributed ledger technology (DLT), although crypto-assets are not currently used on any significant scale for retail payments. 

1.2Legal context

The second Payment Services Directive (PSD2) since 2018 provides a framework for all retail payments in the EU, Euro and non-Euro, domestic and cross-border. The first Payment Services Directive (PSD1), adopted in 2007 10 , aimed at establishing a harmonised legal framework for the creation of an integrated EU payments market. By removing the legal and technical obstacles to a single payments market as well as by promoting market entry by a new class of financial institutions, namely payment institutions, PSD1 aimed at introducing more competition in payment systems and facilitating economies of scale. PSD1 also provided a set of rules with regard to information requirements and reinforced the rights and obligations linked to payment services.

The second Payment Services Directive (PSD2), adopted in 2015 and replacing PSD1, aimed to address barriers to new types of payment services and improve the level of consumer protection and security 11 . Most of the rules in PSD2 have been applicable since January 2018, but some rules on SCA and access to payment accounts data have applied only since September 2019. In particular, PSD2 aimed to:

·ensure a level playing field between incumbent and new providers of card, internet and mobile payments;

·increase the efficiency, transparency and choice of payment instruments for payment service users (consumers and merchants);

·facilitate the provision of card, internet and mobile payment services across borders within the EU by ensuring a Single Market for payments;

·create an environment which helps innovative payment services to reach a broader market;

·ensure a high-level protection for PSUs across all Member States of the EU.

The review clause of PSD2 (Article 108) required the Commission to report on the application and impact of the Directive by 13 January 2021, in particular on charges, scope, thresholds and access to payment systems. The review could not take place by the date provided for in the Directive due to its late transposition by some Member States and the delay in applying some of its rules, such as on Strong Customer Authentication. The PSD2 evaluation therefore took place in 2022, including a call for advice to the EBA (hereafter the ‘EBA Advice’) 12 , a study by an external contractor (hereafter the ‘VVA/CEPS study’) 13 , and various public and technical consultations (see Annex 2). The review report required by Article 108 is being submitted to the EU co-legislators together with the present initiative. 

Another key piece of legislation in the payments area is the Single Euro Payments Area (SEPA) Regulation of 2012, which harmonises credit transfers and direct debits in euro 14 . On 26 October 2022, the Commission proposed an amendment to the SEPA Regulation, to accelerate and facilitate the use of euro Instant Payments in the EU 15 .

A number of other relevant items of EU legislation exist in the payments area. Pricing of domestic and cross-border transfers in euro has been equalised by law 16 . Multilateral interchange fees for card payments have been regulated with maximum levels 17 . A legal framework for e-money has been laid down 18 . The Settlement Finality Directive 19 also covers certain payment systems and is relevant in the context of this impact assessment. Regarding crypto-assets, a Markets in Crypto-Assets Regulation (MiCA) was adopted by the co-legislators in 2023 20 , and a Digital Operational Resilience Act concerning cyber-security (DORA) has been adopted 21 .

For Open Banking (see Annexes 5 and 11 and section 2.1.2. below), which centres around the use of account data, which often constitute personal data, an important part of the legal framework is the General Data Protection Regulation (GDPR) 22 which provides for general rules and requirements to ensure free flow of personal data and ensures the protection of privacy and personal data of individuals in the EU. In February 2022, the Commission adopted a proposal for a Data Act, to regulate who can access and make economic use of data; when that proposal enters into force it will provide another key framework for Open Banking  23 , alongside the future EU legal framework for Open Finance, concerning financial data other than payments data, for which a proposal will be presented by the Commission in parallel with the revision of PSD2.

The European Central Bank and the Eurosystem play an important role in payment systems regulation and oversight. For the oversight of payment systems the standards are mainly laid out in the Regulation on Systemically Important Payment Systems 24 , and the oversight framework for retail payment systems (RPS), which are not systemically important. For payment instruments, schemes and arrangements the “PISA” oversight framework applies 25 .

See section 7.6 and Annex 12 for coherence of this initiative with existing legislation and initiatives.

1.3Political context

The proposed revision of PSD2 features in the Commission Work Programme (CWP) for 2023 26 , along with a planned legislative initiative on Open Finance, extending financial data access and use beyond payment accounts to more financial services. The same CWP includes a package to strengthen the role of the euro, including legislation providing a legal basis for a future digital euro, a Regulation regulating the legal tender status and accessibility of cash.

The Commission’s 2020 Communication on a Retail Payments Strategy (RPS) for the EU 27 laid down the Commission’s priorities for the retail payments area for the present Commission college mandate. It was accompanied by a Digital Finance Strategy, setting out priorities for the digital agenda in the finance sector other than payments 28 . The RPS announced the launch of a comprehensive review of the application and impact of PSD2, “which should include an overall assessment of whether it is still fit for purpose, taking into account market developments”. The RPS planned for the review to include, among other things, “an assessment of risks stemming from unregulated payment services, a stocktaking of the impact of strong customer authentication on the level of payment fraud, and an assessment of the development of new business models based on sharing payment account data, such as payment initiation and account information services”. 

In its 2021 Conclusions on the RPS 29 , the Council welcomed “a comprehensive review of the implementation of the Payment Services Directive 2 (PSD2), after its full deployment and taking into account the challenges encountered in its implementation, focusing in particular on assessing: i) the appropriateness of the scope of application (including as regards technical service providers), and the need for further clarification of existing concepts and rules; ii) the interplay with other sectoral legislation, notably the E-money Directive, the Anti-money laundering Directive, the GDPR as well as ongoing legislative developments; iii) the evolution to ‘open banking’, the handling of privacy-related risks, and the interplay with EDPB guidelines in that respect; iv) its impact on competition, including the increasing role of Big Tech and FinTech; v) its effectiveness in limiting fraud and enhancing consumer protection, including strong customer authentication (SCA)”. The Council also “supports an extension of the scope of the Settlement Finality Directive (SFD) to include e-money and payment institutions, providing that the potential risks are carefully assessed and adequately mitigated”.

The European Parliament did not adopt a report on the RPS, but on 17 March 2021 the Commission organised a webinar on the RPS with members of the ECON Committee. At that webinar, opinions of individual MEPs on the PSD2 review included the view that continued market fragmentation and obstacles to innovation must be addressed, that PSD2’s future-proofing be ensured and that its scope must be broadened to cover new types of market participants, where justified.

2Problem definition 

Based on its PSD2 evaluation the Commission services have identified certain areas where the objectives of PSD2 have not been fully achieved (see the Evaluation Report at Annex 5). For example, the evaluation analysis has identified the rise in new types of fraud as an issue of concern with regard to consumer protection objectives. Shortcomings have also been identified with regard to the objective of improving the market in open banking services by lowering market barriers faced by TPPs, while progress towards the objective of improving the provision of cross-border payment services has also been limited, largely due to inconsistencies in supervisory practices and enforcement across the EU. Finally, the evaluation has also identified factors stifling progress concerning the PSD2 objective of levelling the playing field between all PSPs. These issues have been grouped, for the purposes of this impact assessment, into four topics: i) payment user protection (notably against fraud); ii) functioning of Open Banking; iii) legal uncertainty and Single Market fragmentation due to imperfect implementation and enforcement of PSD2 and iv) access to key payment infrastructures by non-bank PSPs, leading to an unlevel playing field among PSPs.

Alongside these four areas discussed below in this section, a number of clarifications and technical changes to the Directive are also deemed necessary; these clarifications are described in Annex 7. No major changes to the Directive’s scope are planned; this is explained in Annex 6. With a view to addressing the external coherence issues raised in the Evaluation Report, it is considered that the legislative frameworks concerning E-Money Institutions and Payment Institutions (today covered by separate directives) should be brought closer together and that the e-money Directive should therefore be repealed and its contents incorporated, with appropriate adjustments, into PSD; this is explained in Annex 8. The implications of PSD2 for cash distribution by non-banks (independent ATM operators and retailers), and modifications planned in this area, are discussed in Annex 9.

2.1What is/are the problems and the problem drivers?

Given that the problem drivers are essentially regulatory (except for continuous development of new types of fraud), problems and drivers are discussed together in one section.

2.1.1 Consumers at risk of fraud and lacking confidence in payments

In the area of fraud, the major innovation of PSD2 was the introduction of SCA (Strong Customer Authentication). See Figure 4 below for the principles behind SCA, which involves two authentication measures, based on either knowledge (e.g. a password) or possession (such as a card) or inherence (such as a fingerprint). Article 97 of PSD2 requires PSPs to apply SCA where the payer accesses a payment account online, initiates a digital payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The PSD2 regulatory technical standards on SCA and common and secure communication (hereafter, “the RTS”) 30 introduced further security requirements applicable to PSPs. The Commission’s evaluation (see Annex 5) concludes that SCA has already been highly successful in reducing fraud. However, a number of fraud-related issues remain.

Figure 4: Strong Customer Authentication (source: Bank of Portugal)

-New types of fraud not prevented by SCA

There are still fraud-related problems, despite the success of SCA in reducing fraud. One of the drivers of these is the fact that fraudsters are constantly adapting their techniques to get around regulatory frameworks. Such techniques can involve illegal impersonation (e.g. a fraudster makes the payment instead of a genuine payer as a result of a cyberattack or theft of a payment instrument), or a criminal activity which occurs before the payment is made by a genuine payer. Such “pre-payment fraud” can take the form of invoice fraud (where invoices are intercepted and the merchant account number is substituted for that of the fraudster 31 ), or more sophisticated “Authorised Push Payment” (APP) frauds involving social engineering of the payer through direct interaction (e.g. manipulation of the payer into believing s/he is dealing with a genuine payee or even with a bank representative). Cases of such APP fraud (phishing, vishing, smishing, spoofing etc.) cannot be tackled by SCA because, technically and legally, most of these fraudulent transactions have been authorised by the payer using SCA. The fraud is in fact taking place before SCA without the payer knowing that s/he is being defrauded. The consumer thinks in good faith that s/he is sending money to recipient X, whereas in reality s/he is sending money to a fraudster. According to the European Payments Council, social engineering attacks and phishing attempts are still increasing, often in combination with malware, with a shift from consumers, retailers, SMEs to company executives, employees (through “CEO fraud” or “impersonation fraud”), payment service providers (PSPs) and payment infrastructures and more frequently leading to APP fraud. These techniques have greatly evolved over the last years as the targets are users rather than technology. In Ireland for example APP fraud rose by 15.9% in volume terms year on year in 2021 with an average APP fraud transaction amounting to € 4,237 in 2021 32 . According to Banque de France, APP fraud in France corresponds to 59% of total fraud in value terms 33 . In the UK in 2021, scams involving the impersonation of police or bank staff were the second-highest category in terms of value, with £137.3mn lost to these forms of fraud. This represented an increase of more than 50 per cent on 2020 levels 34 . In the Netherlands in 2022, reported cases of impersonation fraud amounted to € 51mn of which 89% was reimbursed to consumers on a voluntary basis via a leniency scheme that four major Dutch banks have signed up to 35 .

Credit transfers have been found by the European Banking Authority (EBA) 36 to be the payment method for which APP fraud is the most prevalent, compared with other payment instruments (such as cards, for which the more common type of fraud involves making unauthorised payments, now substantially prevented by SCA). EBA stressed that credit transfers, due to the much higher average value of fraudulent transactions (€ 4 190), had the highest aggregate value of fraud (ca. € 310 million) in the second half of 2020, despite the lowest fraud rate overall; this generally translates to a significant impact on each affected customer, compared to other payment instruments. Based on fraud data collected by EBA 37 for 18 EEA countries, the average fraud rate for all credit transfers, in terms of value, in the second half of 2020 was 0.0011%, of which 43% was due to manipulation of the payer to initiate SCA-authorised transactions. On this basis the extent of APP fraud in 2020 for all SEPA euro credit transfers, including IPs, in the EU is estimated by the Commission at approximately € 323 million.

The problem is more common with respect to cross-border credit transfers (both inside and outside EEA), whose overall fraud rate exceeds that of domestic credit transfers by more than 20 times 38 . As a result, despite the fact that, according to the EBA analysis, cross-border credit transfers represented only around 2% of all credit transfers, their share in the total volume of credit transfer-related fraud reached 31% in the second half of 2020 for the 18 EEA countries.

Against this background, several stakeholders consulted in the context of the VVA/CEPS study on the application and impact of PSD2, including all types of market participants and national authorities, noted that there remain ways for fraudsters to circumvent security provisions. For example, fraudsters have found a way to slip into the SCA multiple layers, deceiving customers with false messages asking for personal information. EBA in its Advice considered that the legal framework does not fully mitigate the risks of social engineering fraud.

-Abuse of SCA exemptions and of uncertainty about the scope of SCA 

PSD2 does not provide explicit clarity on whether some types of transactions are included or excluded from the application of SCA. This is the case of Mail Orders or Telephone Orders (MOTOs) and of Merchant Initiated Transactions (MITs). MITs are implicitly excluded from SCA by the fact that Article 97(1) of PSD2 applies SCA to three actions performed by the payer, not mentioning any payee-initiated actions. The Commission confirmed this through an EBA Q&A. 39  Regarding MOTOs specifically, recital 95 of PSD2 (the only place in PSD2 where MOTOs are mentioned) states that “there does not seem to be a need to guarantee the same level of protection to payment transactions initiated and executed with modalities other than the use of electronic platforms or devices, such as paper-based payment transactions, mail orders or telephone orders”. 40

As stated by EBA in its Advice, 41 “the exclusion from the application of SCA for non-digital payment transactions has proved to be difficult to apply and supervise in practice based on the current formulation of Recital [95] since only cash payments would clearly fall outside the scope of SCA. All other types of payment transactions would in some part of the payment execution be handled electronically.” EBA also noted in its Advice that “the fraud levels and fraud risk related to the currently broad interpretation and application of MOTOs, based on feedback received from [competent authorities], are much higher than other payment transactions” and that there is still a need to introduce in the Directive a clear definition of MOTOs and the specific requirements clarifying the situations that fall under the MOTO exclusion. 42 The VVA/CEPS study also notes that “confusion has arisen whether MOTO is in or out of scope of the PSD2 SCA requirements”. 43  

EBA also notes in its Advice 44  the existence of issues of regulatory arbitrage between MITs and direct debits given the different regulatory approach between the two, notably in light of the ‘unconditional’ refund rights for SEPA direct debits, under Article 7 of the SEPA Regulation 45 . The Commission provided guidance on MITs via the EBA Q&As 46 , notably on the applicability of SCA to ‘card payments initiated by the payee only’. However, in spite of this Q&A, the VVA/CEPS study notes that “Merchants also seem to lack clarity on the fact that in order for the SCA exemption for MITs for recurring payments to apply, the first “on-session” payment initiated by the customer has to be authenticated through two-factor authentication”. 47  Some national authorities and trade bodies have also observed that “there is strong evidence that MITs are sometimes used to circumvent SCA requirements”. 

-Consumer ignorance about fraud

Consumer ignorance about fraud can also be a problem driver. Various respondents to the targeted consultation, including public authorities, but also the EBA in its Advice 48 , note the importance of consumer literacy and education about fraud and the risks of certain payment instruments/methods, and that more effective awareness campaigns should be undertaken.

-Insufficient cooperation between PSPs on fraud mitigation

Another issue that has been recurrently flagged in the feedback received from stakeholders is inadequate cooperation between PSPs on their fraud mitigation strategies. ASPSPs and PISPs, for instance, have access to different data in the payment initiation process but do not necessarily share their insights with the other party in view of preventing fraud. The European Payment Council has argued 49  that an important aspect to mitigate risks and reduce fraud is the sharing of fraud intelligence and information on incidents amongst PSPs. Some ASPSPs have explained that hesitancy exists because of concerns relating to compliance with GDPR and of their interpretations of the current AML framework does not allow them to share relevant information with PISPs. In some Member States, such as France, as noted by the French Banking Federation in its reply to the targeted consultation, the rules on banking secrecy prevent banks from sharing information.  

2.1.2.Imperfect functioning of Open Banking

Open Banking (hereafter OB) is the term given to the process by which Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), collectively known as Third Party Providers (TPPs 50 ), provide value added services to users by accessing – with the user’s consent - their account data held by other Payment Services Providers. Although this activity existed before PSD2, it operated in an unregulated way. PSD2 gave it a regulatory framework and imposed an obligation on account servicing payment service provider (ASPSP – mostly banks) to facilitate the access to payments data without any contractual obligations (i.e. for free), with the objective of both providing greater security and protection to users and of stimulating the development of OB to the advantage of users. Access to data is usually made available via APIs (Application Programming Interfaces), or by allowing TPPs to access the payments data directly via the same interface that banks use to interact with their customers directly (the customer-facing interface). See Annexes 5 and 11 for more details; a simple OB operation is illustrated in Figure 5 and a more complex one in figure 6 (other examples can be found in Annex 11). 

Figure 6: Account Information Service (source: Bank of Portugal)

To ensure business continuity for TPPs, PSD2 mandates ASPSPs that decide to implement a dedicated interface to make another interface available to TPPS (a fallback interface) in case the dedicated interface (API) is not functioning correctly. ASPSPs can apply to their NCA for an exemption from having to develop such fallback interface. This report will use “API” as standard terminology when discussing the dedicated interface. See annexes 5 and 11 for more details.

AIS providers can provide a user with aggregated and/or analysed information on the basis of their payment accounts, helping users to manage their finances or enabling users to receive a service, based on the data accessed, from another service provider (accountant, auditor, credit scoring bureau, etc.). PIS are account-to-account, non-card-based payments and can be found in e-commerce as one of the payment methods offered by a merchant. AIS and PIS both require the consent of the “payment service user” (PSU) to access the data on the user’s payment account. Access, storage and use is limited to the data needed to perform the service explicitly consented by the PSU. AIS data can be particularly useful to help providers of PIS (PISPs) assess the risk of a payment initiated eventually not being executed.

As shown in annexes 5 and 11, the number of TPPs and the usage of OB has grown in Europe since PSD2 application, reaching almost 19 million in 2021 51 . Although consumer organisations and individual consumers have expressed concerns about data security in the context of Open Banking 52 , the growth in the number of AISPs and PISPs would seem to indicate the existence of substantial demand. The legal framework has prevented ASPSPs from blocking TPPs’ access to payment accounts (which was often the case in the pre-PSD2 era), and the security of users and their data has been achieved. PSD2’s contribution to safe and secure sharing of payment data is something the majority of the respondents (65%) to the targeted consultation agree on. However, 45% of the respondents considered that the OB framework in PSD2 has not been successful, against 29% who found it successful (others were neutral). This is due to the various problems the respondents encounter, in particular as regards effective and efficient access of TPPs to data held by ASPSPs or the fact that despite the availability of APIs TPPs often continue to use the customer interface. The APIs can vary in quality and functionalities, causing too many OB operations to fail or providing a poor user journey. These problems are also emphasised in bilateral feedback from TPPs, through expert groups and also evidenced in the EBA Advice 53 . 

As described above, the current PSD2/RTS interface regime is very complex, with ASPSPs often having to facilitate access to data via two interfaces (API and fallback). TPPs regularly complain to the Commission and the EBA that the PSD2 APIs are inadequate and of low quality. According to TPPs, banks’ APIs often do not return the information required, perform badly (e.g. returning many error codes and/or simply not being available), or banks block the TPP’s access to accounts, despite the TPP acting on the basis of a PSU’s consent. Furthermore, TPPs stressed that ASPSPs can take a long time to respond to a TPP’s request for help, or their reporting of a bug, and even longer to resolve the issue. Some TPPs resort to using the fallback (i.e. the ASPSP’s direct customer interface), to access the accounts, even though a PSD2-API is also available. This frustrates ASPSPs who do not observe high TPP traffic on their APIs created for PSD2 compliance purposes and still have to deal with a high request load on their direct customer interface 54 . This is illustrated by comparing the API calls by TPPs to UK banks 55 to the monthly website traffic/visits to the ASPSP’s website. For example, the number of successful API calls to Barclays API was about 200 mln in November 2022, whereas the number of visits to the direct interface, Barclays.co.uk, was 9.7 mln. TPPs using the fallback interface increase the traffic a lot, which is a cause of concern to ASPSPs. It causes problems for TPPs which would prefer accessing data through APIs which is a superior and safer technology than direct access, and, when functioning, cheaper than the fall-back solution. 56  There is a visible trend of banks offering more and more APIs, also beyond or unrelated to PSD2. By March 2022, about half of the APIs offered were for PSD2 compliance (25%) and account reporting (23%), the other half covered other domains such as foreign exchange, investments, and digital identity, for which such interfaces are not (yet) a regulatory requirement 57 .

ASPSPs report significant implementation costs for the development of APIs for OB 58  and the fact that the legislative framework provided in PSD2 59  and its RTS prevents ASPSPs from charging AISPs and PISPs for access to customer data and the relevant infrastructures that are in scope of PSD2 60 . This leads to OB being perceived as a pure regulatory burden (a mere compliance issue) by banks, 61  which claim that the free access does not incentivise them to offer the best possible API 62 . 

ASPSPs are also concerned and dissatisfied that some TPPs, acting as “API aggregator” pass on user data to unregulated “fourth parties” 63 . API aggregators specialise in developing interfaces with multiple ASPSP APIs, acting as intermediaries between ASPSPs and either licensed TPPs or unlicensed parties. This activity was not directly envisaged by PSD2. It emerged as a response to the multiplicity of bank APIs in the absence of an EU standard, but it can also be considered as a source of inefficiency in that it lengthens transaction chains and adds costs, as this ‘API connection’ service is not free to TPPs. Increasingly, one also sees AISPs that are not working directly for the end user (consumers, merchants etc) who gave them consent to access their data, but for “fourth parties” such as lenders wishing to evaluate creditworthiness, or companies wishing to provide a better service (e.g. an audit service) based on payment account data. 64  These fourth parties, not being licensed, are not allowed to obtain access to the account, but they receive the data from the licenced AISP. Although this is done with user’s consent (GDPR consent for the unlicensed party and both GDPR and PSD2 consent for the licenced party), this “license as a service” model is quite different from the traditional AIS business model that was envisaged by PSD2 65 , where a regulated party gathers and consolidates the payment account data and provides the AIS back to the end-user itself without other parties being involved. It is not however excluded by PSD2, as confirmed by the Commission in the EBA Q&A tool. 66  

PSD2 and its implementing RTS chose not to impose an EU unique API standard (so as to not “counter the objective of promoting competition and innovation 67 ”). Various market standards have nevertheless been developed. Stakeholders have spent resources and time on what should be provided via the dedicated interfaces (PSD2 APIs), what constitutes an obstacle to access etc. The situation has improved since EBA issued (non-binding) opinions on obstacles to OB 68 , but problems of access and obstacles to Open Banking still remain and are regularly reported by TPPs to EU authorities. 69 Neither ASPSPs nor TPPs are fully satisfied with the current situation.

The drivers of the inefficiencies in OB are linked to the complexity of the legal framework (various interfaces, fallback obligation, possible fallback exemption etc.), to the lack of sufficient detail and clarity in the legislation about the expected performance level, the nature of the data, and functionalities to be made available to TPPs through OB interfaces, and to divergences in the framework’s implementation and enforcement by the national competent authorities (NCA).

Regarding implementation of OB, it may be worthwhile to compare the EU to the UK, which for now still applies the same regulatory regime on OB deriving from PSD2. The UK has created a dedicated implementation body, the OB Implementation Entity (OBIE) and it has created and imposed a standardised API. As Annex 11 shows, the proportionate usage of OB and the variety of use cases is greater in the UK than in the EU, although there may be cultural factors at play also, the UK being therefore a more mature OB market. TPPs that are also active in the UK note that the implementation in the UK was less troublesome. However, it is not fully appropriate to make a direct comparison with the UK. The initial UK OB initiative had to deal with far fewer supervisors and ASPSPs, and no cross-border aspects. In the UK the OB process was driven by the Competition and Markets Authority (CMA), which, after an investigation into the UK’s retail banking market concluded that competition within this market was insufficient and decided to require the 9 leading banks to find solutions together, through the OBIE. The UK underestimated the costs of implementing OB. An independent report to the CMA of October 2021 found that CMA originally estimated OB costs at £20 mln, which at the time of the report had already gone beyond £150 mln (nearly £19 mln per bank). 70

2.1.3.Inconsistent powers and obligations of supervisors   

The Commission’s PSD2 review presented in the Evaluation Report (Annex 5) has revealed inconsistent application and insufficient enforcement of PSD2 provisions and found that many of the limitations to progress on PSD2’s objectives link to challenges related to varying powers and obligations of supervisors. Inconsistent application of the legal framework and insufficiently robust enforcement of rights and duties was often mentioned in stakeholders’ constributions on various topics, as well as noted by the EBA in its Advice. Specific examples in each area, enforcement and implementation, are given below.

·Enforcement insufficiencies

PSD2 currently contains only high-level rules regarding penalties, leaving discretion at national level to decide what kind of rules to be introduced for breaches of PSD2 provisions (including rules on the publication of an infringement) and how these rules will be applied. Whereas the application of penalties is currently governed by national administrative law provisions, this has resulted in diverse and often lengthy processes in each Member State. Relatively few PSD2 related penalties for OB breaches have been imposed by national competent authorities.

Slow or ineffective enforcement has often been brought up in the targeted consultation as a key factor linked to stakeholders’ general views that PSD2 provisions on OB have not been successful (only 29% of respondents find the framework has been successful, against 45% that find it has not). Regarding issues related to the implementation of data access interfaces in Open Banking, many TPPs stressed the ineffective enforcement by regulators. 71  EBA in its Advice highlights a number of challenges reportedly faced by national supervisors in relation to enforcement. These include the significant time, resources and specific skills needed to supervise technical specifications of innovative IT systems and solutions.

Certain consumer rules in PSD2 are barely enforced due to the lack of any designated competent authority; this is the case for example as regards independent ATM operators, which are not subjected to ongoing supervision, but which must apply transparency on pricing. Users have drawn attention to unpunished breaches of PSD2 in this area. 72

·Divergences in application

The evaluation has identified differences between national authorities in licensing requirements, the duration of the application process, and regulatory requirements of operating across borders. Besides making such activities more difficult, one effect is to introduce scope for regulatory arbitrage, as entities can passport their services across Europe after having established themselves in one Member State where licensing and supervisory practices might be deemed more favorable. With regard to opening and maintaining a payment account, some Member States impose higher requirements than others. Furthermore, PSD2 allows alternative methods of calculating the own funds requirement for Payment Institutions. Findings from the targeted consultation, as well as the EBA Advice, point to divergences between Member States in determining who is responsible for choosing the method for the calculation of own funds; in some cases PIs have been allowed to choose the method themselves, in others not.

One limitation to the success of the PSD2 framework on passporting notifications for agents and distributors has been the divergence in practices amongst NCAs in assessing whether cross-border activities carried out by licensed entities using agents or distributors fall under the right of establishment or the freedom to provide services.

An example of divergent implementation in the area of Open Banking is a lack of consistency in how the definition of “payment account” is interpreted across the EU. There is uncertainty in the market as to whether certain types of accounts, such as electronic money accounts linked to prepaid cards, savings accounts, reference accounts, credit card accounts and others, should be considered payment accounts. This has led to uncertainty regarding the different types of account data which can be accessed by AISPs and PISPs across the EU, with, for instance, AISPs being able to access credit card data in some jurisdictions but not in others. 73

Another case where divergent interpretation and application of provisions across Member States create opportunities for regulatory arbitrage concerns the list of exclusions, in particular the so-called ‘limited network exclusion’ under Article 3(k) of PSD2. Here the EBA has noted how the application of the requirements to fall under this exclusion have diverged significantly between Member States, which led the EBA to adopt Guidelines on this exemption. 74  

2.1.4.Unlevel playing field between banks and non-bank PSPs

The issue of interaction between PSD2 and the Settlement Finality Directive (SFD), with the consequence of preventing direct access of non-bank PSPs to certain key payment systems, is highlighted in the Evaluation Report. The SFD lists the participants that are allowed to participate directly in systems designated by Member States pursuant to the SFD 75 , but Payment Institutions and E-Money Institutions do not appear on the list.

The SFD protects a duly designated, notified and published system and its participants from the legal uncertainty and unpredictability inherent in the opening of insolvency proceedings against one of their participants. It does so by stipulating the irrevocability and finality of transfer orders entered into an SFD system, thus preventing them from being interfered with in such proceedings (settlement finality). It also provides for the enforceability of the netting of transfer orders, from the effects of the insolvency of a participant. Moreover, the SFD ring-fences collateral security provided either in connection with participation in an SFD system or in the monetary operations of the Member States’ central banks or the European Central Bank (ECB) from the effects of the insolvency of the collateral provider. SFD leaves to Member States the decision whether or not to designate and notify a system governed by the laws of that Member State; a large number of payment systems have been designated by various Member States under SFD, including EU-wide systems operated by the ECB and the ESCB, such as TARGET2 or TIPS. 76  

PSD2 currently does not contain any supervision or licencing regime for operators of payment systems 77 , and only article 35 contains high-level rules applicable to payment system operators. This article requires that the internal rules of payment systems, including access rules, must be Proportional, Objective and Non-Discriminatory (the “POND” principle). However, payment systems designated under SFD are excluded from this requirement under article 35.2(a). This exclusion was already in PSD1 of 2007 and was not changed or removed with PSD2. 

PIs and EMIs may alternatively access SFD-designated payment systems “indirectly” via an account held with a bank. Access to a commercial bank account is also essential to allow non-bank PSPs to safeguard customer funds, without which they also cannot provide payment services. In this context, it can be noted that Article 36 of PSD2 requires a bank to notify its competent authority, in writing and with explanation, where it refuses to grant an applicant non-bank PSP access to a bank account. However, article 36 of PSD2 does not require any notification or explanation in cases when the bank closes the PI or EMI account. This allows banks to grant PIs and EMIs access to a bank account but to subsequently withdraw that access with no consequences. In such cases, the non-bank PSP is also exposed to withdrawal of service by the bank, which is usually justified by a pretext of “de-risking” (for example on AML grounds). 78 A number of PIs and EMIs have informed the Commission that they are regularly “offboarded” by banks with only perfunctory or no explanation, thus causing interruption of service until a replacement commercial bank is found, requiring burdensome transferral of connectivity of their infrastructure to the new bank. Thus, even indirect access to key payment systems is uncertain, and there is a risk of periods with no access at all to payment systems and no ability to safeguard customer funds, both of which are essential for a PI or EMI to carry out its core business.

2.2.What are the consequences of the problems?

The consequences of the problems should be considered for each category of stakeholder: payment system users, PSPs, Open Banking providers (TPPs), and single market and macroeconomic consequences.

Users (both consumers and businesses, including merchants) may suffer detriment and lose confidence in payment services. Firstly, fraud is still seen by a significant number of users as a major threat to their trust in digital payments. The results of the open public consultation on the PSD2 review show that 17% of the respondents (11 out of 66) indicate they have been the victim of fraud recently. Out of those 11, 4 requested a refund with their payment service provider and received it in full. Three out of those 11 respondents filed a request but did not receive a refund.

A second consequence for users is that prices of payment services may be higher than necessary due to hindered competition. For example, the problems encountered by PIs and EMIs to offer payment account services in competition with banks reduces the competitive pressure on banks and can inhibit price competition between different categories of PSPs. Also, the lack of clarity regarding agents and distributors noted above creates difficulties for consumers in identifying the applicable consumer protection measures and the relevant authority for specific supervisory purposes and complaints handling.

The large potential savings for payees, particularly merchants, from PIS payments replacing more costly means of payment such as cards, anticipated in the impact assessment accompanying the PSD2 proposal in 2013, have largely not been realised. The inefficiencies in the functioning of Open Banking (OB) in the EU identified above limit the supply and usage of OB services and increase their cost, also hindering the development of innovative cost-saving services based on OB. The relatively low take-up of OB services in the EU described in Annex 11, despite the high numbers of TPPs created both before and after PSD2 (around 500), may well be linked to these factors, although causality is difficult to establish.

For PSPs, the consequences include uncertainty about their obligations due to lack of clarity in places in the legislation. The problems regarding divergent implementation and enforcement of PSD2 directly impact competition between PSPs, by creating different regulatory conditions in different Member States through different interpretation of PSD2 rules, encouraging regulatory arbitrage. Indeed, as evidenced in the VVA/CEPS study, 79 there is a concentration of licensing of payment fintechs (TPPs) in a number of relatively smaller Member States from which services are performed largely on a cross-border basis. The imbalances in numbers of TPPs across Member States can be seen in Figure 5 below. PSPs based in Member States with stricter interpretations of PSD2 rules face cross-border competition from PSPs based in Member States with ‘less strict’ interpretations/licensing regimes. PSPs, especially those which are OB TPPs, often report that complaints against other PSPs (for example for denial of access to user data with user consent) are not followed up, thus limiting their ability to provide OB services.

Figure 5 80

The impediments to access to payment systems for non-bank PSPs harm competition and innovation, by preventing non-bank PSPs from developing and offering payment services in competition with banks, for example instant payments, resulting in higher prices for consumers and less innovative payment services. The fact that, in order to connect to SFD-designated payment systems in the EU, non-bank PSPs must use an indirect connection offered by a bank or another SFD eligible participant as a commercial service, creates a dependency on banks. In addition, as non-bank PSPs are competitors to banks, and due to the access dependency, the banks might gain insight to the non-bank PSP’s confidential business information, which might raise concerns from a competition point of view. Furthermore, the service is charged by the bank to the PI or EMI, thus involving an additional cost and impacting their competitiveness on the payments market 81 . There is thus a level playing field issue, in so far as certain categories of participants in the payments market are dependent on their competitors in order to offer a basic payment service.

Open Banking TPPs may experience difficulties in providing their basic services due to inadequate OB interfaces and lose business as a result.

As for macroeconomic consequences, given the importance of payments for economic activity, any unnecessarily high cost or inefficiencies in payment instruments will inevitably dampen and slow down transactions, with consequences for GDP.

Regarding the single market, insufficiencies and inconsistencies in enforcement and implementation produce different operating conditions in different parts of the single market, causing legal uncertainty, fragmentation and distortions. For example, a large number of PIs and EMIs are authorised in certain smaller Member States and provide services cross-border throughout the EU. PSPs in other member States suggest that these PIs and EMIs benefit from more generous interpretations of certain PSD2 rules.

2.3.How likely is the problem to persist?

Fraud is in constant development, with fraudsters always adapting to new legal frameworks and operating environments and finding new techniques of fraud. Fraud will always exist, but it can be reduced in scale and its impacts mitigated by appropriate regulatory frameworks. As long as the legislation containing the identified issues remains in force, certain useful anti-fraud actions by PSPs will be hindered or prevented.

Regarding Open Banking, the problems could be mitigated to a certain extent by more vigorous enforcement. If not revised, the PSD2’s complex and costly regime (e.g. on interfaces, dedicated interface fall-back, exemption to fall-back etc.) and the large variations in what data can be accessed by TPPs under EU regulated OB rules will remain and the success of OB will therefore remain limited.

The identified problems which are regulatory in origin, including gaps and ambiguities in the rules, will persist in absence of amendment of the legislation in question. This applies for example to the issues identified in section 2.1.3 above and also to the issue of direct access of PIs and EMIs to payment settlement systems designated under SFD.

Section 5.1 (baseline scenario) provides a more detailed description of the expected evolution in the case of no new policy initiative by the European Union.

2.4.Problem Tree

3.Why should the EU act? 

3.1.Legal basis

The current legal basis of the PSD2 Directive is Article 114 of the Treaty on the Functioning of the European Union (TFEU), the single market article, due to the importance of establishing a true single market for payments in the EU. It follows that any amendments to PSD2, either in a new Directive or a Regulation, should also be based on this Article. Article 114 is also the legal basis of the Settlement Finality Directive. The Directive on E-Money Institutions 82  is based on articles 53 and 114, and it follows that any new legal act incorporating rules for authorisation of EMIs (see §7.8 and Annex 8) should follow such a dual legal base.

3.2.Subsidiarity: Necessity of EU action

As this is a review and revision of existing EU secondary law, this can only be done at EU level, taking into account the objectives of PSD2 to create a competitive and innovative single market for payments while protecting payment service users and ensuring security and ease of payments. The importance of performing this review at EU level is also highlighted in the Commission’s 2020 Retail Payments Strategy. 83 The strategy not only highlighted the strategic importance of a vision for European retail payments, but also concluded that the EU payments market remains fragmented along national borders, despite recent improvements. This fragmentation across the EU may hinder further innovation, and thus pose a risk to achieving the objectives of the Directive.

3.3.Subsidiarity: Added value of EU action

The demand for cross-border payment activities has always been a key factor justifying EU legislation in the field of payments, both as regards cross-border payments, and cross-border provision of payment services in the single market. Companies are actively making use of both passporting and establishment in different national jurisdictions. Payment service users (including consumers) are also making more use of cross-border service providers. Member States may take divergent approaches to supervise and enforce PSD2, which leads to entities active in different Member States being subject to different requirements for similar functionalities and/or services. This issue is best addressed at EU level to ensure more consistent supervision and enforcement of PSD2. Aligning EU rules further, taking into account recent developments in the payments market, would also support the further integration of an internal market for payment services.

4.Objectives: What is to be achieved? 

4.1.General objectives

As a reminder, there were five general objectives of PSD2, as expressed in the impact assessment of 2013 accompanying the Commission’s proposal for PSD2:

1.To ensure a level playing field between incumbent and new providers of card, internet and mobile payments;

2.To increase the efficiency, transparency and choice of payment instruments for payment service users (consumers and merchants);

3.To facilitate the provision of card, internet and mobile payment services across borders within the EU by ensuring a Single Market for payments;

4.To create an environment which helps innovative payment services to reach a broader market;

5.To ensure a high level of protection for PSUs across all Member States of the EU.

The evaluation (Annex 5) finds each of these general objectives to have been partially achieved, some to a greater degree than others.

4.2.Specific objectives

The specific objectives correspond to the elimination or mitigation of the identified problems, and are therefore four in number:

1.Strengthen user rights and protection against fraud (relating to general objective 5)

2.Improve the competitiveness of Open Banking services (relating to general objective 4)

3.Improve enforcement and implementation in Member States (relating to general objective 3)

4.Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs (relating to general objective 1).

Measures to clarify the scope of PSD2, other technical clarifications, and the integration of EMD2 into PSD2, covered in Annexes 6-9, are related to general objective 3 (Single Market). Measures to improve access to cash in Annex 9 are related to general objective 5 (protection of payment system users). Consumer rights measures, related to general objective 2 (efficiency, transparency and choice) and 5 (protection of payment system users), are covered in Annex 10 84 . 

5.What are the available policy options?

5.1.What is the baseline from which options are assessed?

In the baseline scenario the EU rules on payment services covered by PSD2 would remain as they are with no modifications (other than those stemming from other present or future EU initiatives having an impact on PSD2 such as DORA, instant payments, the Data Act or the future Open Finance or Digital euro framework). It should be emphasised that the evaluation (see Annex 5) has found that the EU payments market functions better now than before PSD2. There are more providers of payment services than before PSD2, including innovative fintechs, and a wider range of services is available, including on a cross-border basis. However, the PSD2 objectives concerning the EU payment market remain only partially achieved.

Regarding user protection against fraud, SCA would remain applicable with the current uncertainty about and misuse of certain exclusions from its scope (e.g. MOTOs and MITs), and PSP liability would continue to be limited to fraud concerning unauthorised transactions. Uncertainty would remain in certain cases as to which actor in a payment chain is responsible for performing SCA. IBAN/name verification will be required for instant payments only (based on the Commission’s proposal on instant payments – see Annex 12), not for non-instant credit transfers.

As regards Open Banking, the baseline would involve TPPs having continued free access to account data via interfaces provided by ASPSPs, either a dedicated interface solely for the purpose of PSD2, or via direct access to the interface the ASPSP uses to communicate with its customer as well (customer interface). Variations would continue as to what data TPPs can access. Provision of a fallback means of access to account data in case of API failure (heavily criticised by banks as a major source of costs, due to the need to maintain two OB compliant interfaces) would remain obligatory, with its complex, costly and resource-intensive (for both ASPSPs and supervisors granting the exemption) fallback exemption corollary. For TPPs, access to account data would remain free of charge as regards the data to which access is required by PSD2 and its RTS, but uncertainty would remain as to what the PSD2 free “mandatory” data is. The distinction between baseline and added-value services would remain unclear (as in PSD2), causing inefficiency for Open Banking itself, but also uncertainties for the outcome and workability of market driven OB initiatives 85 , which depend on a clear delineation between what is a PSD2 “mandatory” service and what is ‘value-added’. Nevertheless, private sector forecasts are for continuing growth in numbers of OB users, even on the baseline scenario.

The proposal for a Data Act, currently in discussion in the European Parliament and the Council should also be considered as part of the baseline. The Data Act Chapter III establishes obligations in business-to-business data sharing applicable to data holders legally required to make data available. The compensation rules under Chapter III of the Data Act would not apply in the baseline/no action scenario, as the Data Act “grandfathers” existing data access compensation regimes such as the Open Banking rules of PSD2. Payment data falling outside the scope of PSD2 rules (i.e. those not available to the PSU through the consumer banking interface) would not be subject to the Data Act, as the Data Act only applies where there is mandatory access to data.

As regards the divergences in interpretation and implementation including enforcement, the baseline scenario would amount to continuing with the existing EU rules on payment services as transposed by Member States but with their unclarities, and as interpreted and enforced often divergently by NCAs. Member States’ rules on penalties applicable to infringements of the national law transposing PSD2 would remain very different. The Commission would only be able to provide interpretative non-binding guidance, for example in the framework of questions raised by market actors via the Question-and-Answer tool provided by the EBA. 86 Supervision would be basically along national lines with national competent authorities responsible within their jurisdictions, although some rules on cooperation among national competent authorities (in case of cross-border services) including on exchange of information, would continue to exist. There would continue to be an uneven playing field with potential for regulatory arbitrage, with PSPs choosing those Member States that practise the application of EU rules on payment services that is advantageous for them and carrying out cross-border services in other Member States which apply different rules to PSPs established there.

As regards access to payment infrastructure, the baseline would involve non-bank PSPs lacking direct access to key payment infrastructures and remaining dependent on banks for access, involving higher cost, risk of withdrawal of service, and the possibility of banks gaining insight to their confidential business information. Banks would remain obliged to justify to competent authorities any refusal to provide account services to non-bank PSPs, but would remain able to provide brief “pro forma” justifications, and would also not be obliged to explain any withdrawal of service to PIs and EMIs (account closure). The negative effects on competition between PSPs, described above, would thus remain.

5.2.Description of the policy options

It should be noted that the options are largely independent and not inter-related, although the options to improve enforcement and implementation in Member States can reinforce and contribute to all the other objectives.

5.2.1.Strengthen user rights and protection against fraud

Other than the baseline, four options are considered in the area of fraud reduction, which are mutually compatible, with the exception of 1.d) and 1.e) which are mutually exclusive:

1.a)    Measures to improve the application of SCA 

In order to reduce improper use of the MOTO and MIT exemptions, this option first includes the introduction of clear definitions of MOTOs and MITs and clarification on the general treatment of these transactions in light of existing guidance 87 . In respect of MITs, this would involve the need to apply SCA at the set-up of the mandate (because this action is payer initiated), without the need to apply SCA for subsequent (merchant-initiated) payment transactions. There would be clarification of the regulatory approach to MITs in general and direct debits specifically aligning the applicable legal requirements to both transactions, which would logically mean applying the same consumer protection measures, such as refunds, to direct debits and MITs as being both transactions initiated by the payee within the meaning of article 76 PSD2. 88  In respect of MOTOs, since there is currently no definition in PSD2 (only a mention in recital 95), one would be added, along with provisions on the general treatment of MOTOs. In particular, legal clarity will be provided that transactions whose ‘initiation’ is non-digital are excluded from the SCA obligations even if the subsequent ‘execution’ is digital. Currently there is uncertainty as to whether both the initiation and the execution should be non-digital in order for SCA not to apply.  

1.b) Legal basis for PSPs to share information on fraud and obligation to educate customers about fraud

This option packages two components which, although not inherently related to each other, both concern anti-fraud actions by PSPs. They are therefore presented as a single option for simplicity.

There would be a provision allowing PSPs to share payment fraud data with each other to the extent necessary to comply with the legal obligation for PSPs to have transaction monitoring mechanisms (TMMs) 89 in place (as detailed in Annex 7 on technical clarifications and other changes). It would provide for lawfulness for such processing activity under the GDPR without creating an obligation for PSPs to share payment fraud data.

There would also be an obligation on PSPs to carry out customer ‘education’ and awareness programmes on fraud risks, with the aim of enhancing consumer awareness and education about fraud (especially the new types of fraud) and the risks of certain payment instruments/methods. Specific requirements would be introduced in the legislation on educational and awareness programs for fraud risks (also addressed towards employees of PSPs), as proposed by EBA 90 , building on the EBA Guidelines on ICT and security risk management. 91  In line with those EBA Guidelines, there would not be detailed prescriptive requirements, given the risk that such requirements would quickly become obsolete due to the ever-changing nature of fraud-related risks.

1.c) Extension of the requirement to provide IBAN/name verification by PSPs from instant payments to all credit transfers

Verification of concordance between the name of a payee and the bank account number (in IBAN format) is a service already provided domestically for example in the Netherlands 92  (and in the UK where it is called Confirmation of Payee 93 ), which ensures that before they authorise a payment, payers are informed of the degree of ‘match’ between the name and IBAN of the payee. The payer decides, based on the feedback received (divergence or close concordance; in case of total concordance there is normally no notification), whether to proceed with the credit transfer. The Commission’s legislative proposal on instant payments (IPs) requires PSPs offering IPs to offer this service to their users 94 . This option would extend that requirement from instant credit transfers in euro to all credit transfers, instant or not, in euro or other EU currencies. As in the proposal on instant payments, the service would be optional for the PSU and could be subject to a fee.

1.d) Full reversal of liability between users and PSPs for fraudulent authorised transactions

This option would introduce a refund right for PSUs in cases where a transaction was the result of fraud, even if the user authorised the transaction via SCA (APP fraud, as discussed in section 2.1.1.). Today such a refund right only exists for ‘unauthorized’ transactions under PSD2 (article 73 and 74), commonly understood (in the absence of a definition) as transactions where the payer could not have authorised the transaction via SCA as, for example, his card was stolen – unless there is for example gross negligence of the payer. This would be a significant departure from the current regime which only provides a refund right in case of unauthorised transactions. The objective of this option would be to motivate and incentivise PSPs, through their full financial liability if fraud does occur (both in unauthorised and authorised transactions scenarios), to undertake more effective anti-fraud initiatives, thus contributing to an overall reduction in fraud.

1.e) Conditional reversal of liability between PSUs and PSPs for fraudulent authorised transactions

This option 1e presupposes the selection of option 1c) on IBAN/name verification. Unlike the full liability reversal described under option 1.d), this alternative option would introduce limited changes to the liability regime between PSUs and PSPs for fraudulent authorised transactions. This would be done by the introduction of a refund right for consumers who are victims of APP fraud, but limited to cases where the payment service provider of the payer failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer.. In such a case the PSP(s) that did not apply the necessary preventive measures (payer and/or payee PSP) would bear liability if it turns out to be a fraudulent payment, even if it was authorised by the payer through SCA. The payer’s PSP would refund the payer, and could itself claim compensation from the payee’s PSP, if that PSP were at fault (for example, not responding to an enquiry regarding IBAN/name correspondence of the payee). Furthermore, this option would grant consumers (except in cases of gross negligence or where the consumer is himself the fraudster) a refund right when they were manipulated by a third party pretending to be an employee of the consumer’s payment service provider using lies or deception such as the bank‘s name and/or telephone number and this manipulation gave rise to subsequent fraudulent authorised payment transactions under the condition that the consumer has, without any delay, reported the fraud to the police and notified its payment service provider.

5.2.2.Improve the competitiveness of Open Banking services

Other than the baseline, four options are considered. Most of the options can be combined with any other, but options 2c) and 2d) are alternatives.

2.a)    Requirement for a dedicated data access interface

This option would impose on ASPSPs an obligation to make available to TPPs a dedicated Open Banking interface for the purpose of data access 95 , instead of keeping the current choice for ASPSPs between providing either a dedicated interface or an adapted customer-facing interface. This would mean that TPPs must only access data through this dedicated interface, and would no longer have the right to access the data ‘directly’ through the customer-facing interface, as many TPPs often do today even when a dedicated interface (usually an API) is made available to them. There would no longer be a requirement for ASPSPs offering an API to also maintain another interface (as a ‘fallback’ interface); consequently, the current possibility of an ASPSP obtaining a fallback exemption from a supervisor, allowing it to maintain only one interface 96 , would become redundant. Exemptions from the requirement to provide a dedicated interface could be considered for cases where it may be disproportionate to require the ASPSP to offer a dedicated interface. In this respect, EBA would be mandated to develop a set of criteria for granting such exemptions. 

2.b)        Permission dashboards

This option would involve the implementation of an Open Banking permissions ‘dashboard’, to help data owners have an overview of and easily manage the data access permissions that they have given to TPPs. The new OB permissions dashboard would be required to provide an overview of outstanding AIS and PIS permissions, including basic information such as the purpose and duration of the permission, and would allow the account holder to block payment account data access to a given TPP. The ASPSP would be obliged to inform the concerned TPP without undue delay if a data access permission is withdrawn.

2.c)    Impose a single, harmonised, API standard for TPP access to account data

This option would fully harmonise the current interfaces through the imposition of a single, EU-wide API standard. This standard would replace the existing market standards that exist in the EU (‘STET’ standard, ‘Berlin Group’ standard etc.), as well as the many individual bank declinations of these various market standards, and the APIs that banks have built without reference to any market standard. The standard would cover operational rules and implementation guidance including required data formats and technical specifications, and would also describe the use cases that are covered by the standard (e.g. single payment initiation, obtaining an account’s transaction history etc.). The API standard would need to be designed by industry and imposed by delegated legislation; it could be one of the existing standards or a new one. Stakeholders would have to adjust where necessary their existing APIs to implement this new API standard. As a whole, the standard would comprise everything which is required to be compliant with the rules on data access. Being a mandatory and ‘full’ standard, this option would leave no room for individual differences in the OB APIs.

2.d)    Specify in more detail minimum requirements for OB data interfaces

This option would make certain amendments and clarifications to the rules on access to payment account data and also move some of the specifications currently in the RTS to the Regulation. Currently the payment data to which access is mandated in PSD2 is the same data as that which the customer can access via the customer interface (“parity principle” 97 ) and thus varies from PSP to PSP and has sometimes led to disagreement between ASPSPs and TPPs as to which data was made to be available via the OB API and which not. It was not seriously considered to mandate access to all payment data of a user which a PSP might possibly hold, as this would have been a disproportionate open-ended requirement. It was not considered to remove the parity principle either, because the customer already has access to this data in the direct customer interface, and it would be a step back from what is currently required to be made available by ASPSPs. This option thus upholds the parity principle; the minimum requirements are not intended to narrow down the parity principle, but they will create a baseline that will be the same across all ASPSPs and provide a comparable minimum workable solution for TPPs. This option will in particular create clarity for Payment Initiation Services and the types of payment services they will be able to provide via the ASPSP’s OB APIs, and it will also clarify some of the data elements that AIS providers should be able to access (but only basic data like the name of the account holder, which is not always available under the parity principle, as not all customer interfaces show the customer’s own name).

What is made available via the OB interfaces could still vary between PSPs, as the parity principle can give different outcomes from ASPSP to ASPSP depending on what they make available in their customer facing interface, going beyond the minimum. The minimum requirements would include core elements which are considered to be indispensable to ensure a satisfactory OB journey, both in terms of data and what can be done with that data (“functionalities”). The option would thus define an absolute minimum to the OB API and provide more detail than the requirements currently contained in PSD and the RTS. The minimum requirements would be built on what is already in the RTS 98 , and be extracted from sources such as the EBA Advice, and TPPs’ input 99 . They would consist of data to be made available, payment services to be supported and the availability and performance of the interface. To limit the burden on ASPSPs, the number of these functionalities and data points would be kept limited 100 . The key such mandatory data points and services would be:

·the payee’s name and IBAN (not always included in customer interfaces);

·PISP-specific services, such as a confirmation from the ASPSP that the payment will be executed, status of the payment, allow the PSU to set up and stop a standing order or a future dated payment through a PISP.

2.e)     abandon the non-contractual/no charging default approach

This is the most radical option for Open Banking, as it would involve reversing one of the key principles of OB under PSD2, that access to the required payment data must be possible free of charge for TPPs. This principle is not stated explicitly in PSD2, but is implicit in the legal requirement in PSD2 that data access must not be conditioned on the existence of a contract between the parties (ASPSP and TPP), since any payment of fees necessarily requires a contractual relationship. This option would allow ASPSPs to require a contract and payment of a fee as a condition for access to payment account data by a TPP. The purpose of this option would be to respond to the argument often given (by banks) for low-quality APIs that the ASPSPs were not compensated for their expenses to design data access infrastructures and therefore had no motivation to invest in high quality interfaces.

5.2.3. Improve enforcement and implementation in Member States

Other than the baseline, three mutually compatible options are considered:

3.a)    Replace the greater part of PSD2 with a directly applicable Regulation 

In this option EU rules on payment services would be harmonised in more detail by incorporating more detailed rules in a directly applicable Regulation. The set of rules would be restructured to reduce and minimise Member States’ margins of interpretation and ability to add further rules. This further harmonisation would involve placing rules concerning payments in PSD2 in a Regulation in particular, those provisions of PSD2 addressed to individual payment services users and their relationship to PSPs or the rights and obligations of AISPs and PISPs. Only provisions on licensing and supervision of Payment Institutions, corresponding to Title II of PSD2 (and on licensing and supervision of E-Money Institutions, corresponding to the current Electronic Money Directive – See Annex 8) would remain in the form of a Directive. 101  This option would also involve a higher level of harmonisation in EU payments rules via reduction of ambiguity and lack of clarity, and an addition of greater detail. Numerous areas would benefit from clarifications and specifications, amongst others the list of definitions and exclusions, licensing and supervisory requirements and others. These adjustments would be based on inter alia replies provided by the European Banking Authority in the context of the Question-and-Answer tool. See Annex 7 for details of clarifications to be provided (Annex 6 for clarifications on scope) 102 .

3.b)    Strengthen provisions on penalties in PSD

This option involves measures to allow for improved and more harmonised powers regarding penalties in case the rules are breached. There would be a list of provisions for which National Competent Authorities must have sufficient sanctioning powers (for instance, in the areas of SCA application, Open Banking access to accounts, or bank account services for PIs and EMIs), accompanied by criteria on the level of penalties; however, levels of penalties such as fines to be imposed by Member States for specific breaches would not be fully harmonised. The power of EBA to temporarily prohibit certain products in case of risk to consumers would be operationalised in the area of payments 103 .

3.c)    Creating an EU-level supervisory body for Open Banking, like the UK OBIE

In this option a new EU-level supervisory body would be created to oversee and enforce the implementation of Open Banking. This body would be either a new regulatory agency or an additional task for an existing such agency, such as EBA. It would be inspired by the experience of the OBIE created in the UK, and would have direct enforcement powers in the OB area, including powers to impose penalties for non-compliance. Due to constraints in the EU budget, it would be funded entirely from fees and sectoral levies.

5.2.4.Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs 

Other than the baseline, three options are considered. Option 4a) can be combined with 4b) or 4c), while 4b) and 4c) are alternatives (as 4c) includes 4b) but with extra features also).

4.a)    Reinforcement of the right of PIs and EMIs to access to payment systems via an account with a credit institution

This option would involve strengthening the access of PIs and EMIs to accounts with credit institutions (i.e. banks), which allow inter alia, indirect access to payment systems to which the PIs and EMIs lack direct access. This would require amending article 36 of PSD2, which concerns PI and EMI access to accounts maintained with a credit institution. Currently, that article requires banks to provide the competent authority with duly motivated reasons for any rejection of access to PIs and EMIs, but does not require any explanation of withdrawal of existing account services and does not provide for a right of appeal. Article 36 could be modified to create a strongerentitlement to an account for EMIs and PIs 104  to cover also withdrawal of services, and also to place a stronger burden on banks, only allowing them to refuse or withdraw account access to PIs and EMIs if they have a material justification for such refusal or withdrawal (but with a possibility for a smaller bank to decline to manage an account for a PI or EMI where the high cost of servicing the account could have a significant impact on its overall profitability). Such justification could be for example breaches of law by the PI/EMI or reasonable grounds to suspect unlawful activity by or via that PI or EMI.  Finally, it would be made possible for central banks, at their discretion, to safeguard funds held by Payment Institutions, providing a further fallback solution in case a non-bank PSP still finds it impossible to obtain an account with a bank.

4.b)    Granting of direct participation of PIs and EMIs to all payment systems, including those designated by Member States pursuant to the SFD  

This option would involve making changes to both SFD and PSD in order to remove the barriers to participation by PIs and EMIs in payment systems designated under SFD, namely adding PIs and EMIs to the list of entities which qualify as “institutions” in SFD, and deleting the provision in PSD2 (article 35.2(a)), which exempts SFD-designated systems from the obligation to have admission rules which are “proportionate, objective and non-discriminatory”. It would not impose any specific requirements on payment systems, except the existing requirement in article 35 of PSD2 that the rules of payment systems must be “objective, non-discriminatory and proportionate, and that they do not inhibit access more than is necessary to safeguard against specific risks, and to protect the financial and operational stability of the payment system”. It would clarify that PIs and EMIs are not admissible to participation in SFD-designated systems which are not payment systems 105 . However – as is the case today for payment systems which are not designated under SFD – no further guidance or requirements would be placed on payment systems, which would be free to develop their own procedures for ensuring that this general requirement is respected. All procedures and possible risk assessments prior to admission to participation would be left to individual payment systems.

4.c) As option 4.b) but with additional clarifications on procedures for admission of new members to payment systems, including the carrying out of risk assessment

This option would go further than option 4b): in addition to changing SFD and PSD2 to make direct access to designated payment systems possible for PIs and EMIs as under option 4b), it would involve laying down rules for the pre-admission process for applicants for participation in payment systems, including for example the risks for which an assessment must take place (operational risk, credit risk, liquidity risk, settlement risk and business risk), while avoiding discrimination and disproportionality between different categories of applicants (credit institutions, PIs and EMIs) and reinforcing the rights of rejected applicants for participation, including an appeals process. The POND principle would still apply to such assessments 106 . This would require the designation of a competent authority to hear such appeals and, if appropriate, impose penalties on payment systems for breaches. This option would build on and develop further the current requirement in article 35 of PSD2 that the rules on access of PSPs to payment systems must be objective, non-discriminatory and proportionate, and not inhibit access more than is necessary to safeguard against specific risks, and to protect the financial and operational stability of the payment system.

6.What are the impacts of the policy options and how do they compare? 

.6.1. Strengthen user rights and protection against fraud

6.1.a) Measures to improve the application of SCA

Regarding current exclusions from the scope of application of SCA, it would be very effective to include in the legislative initiative a clear definition of MITs and MOTOs and clarification on the treatment of these transactions, as a clear delineation of the scope of application of MITs and MOTOs, resulting in SCA covering a greater number of operations, directly increases the level of consumer protection against fraud. Absent the introduction of a clear regime in the directive, there is a risk that lack of clarity for stakeholders and competent authorities and abusive practices would persist in respect of MITs and MOTOs, with operations being unjustifiably not subjected to SCA. At the same time, payment sector stakeholders, which largely asked for more clarity on the regulatory treatment of these transactions, would have the legal certainty that they needed to apply SCA at the set-up of the mandate, without the need to apply SCA for subsequent merchant initiated payment transactions (MITs), and that only the initiation (not the execution) of payment transactions should be non-digital in order to not be covered by the SCA obligations (MOTOs). There would be no costs to PSPs, as the necessary investments for implementing SCA have been made, and covering certain additional operations by SCA has almost no incremental cost; this measure would therefore be efficient. The Commission has no evidence that the transactions which would be brought back to the SCA scope through these clarifications would cause more frictions into e-commerce (or costs due to lost business, in case of frictions occurred) as, two years after its entry into force, end-2020, SCA seems to be increasingly accepted and understood by the EU population as surveys indicate 107 . This option would be coherent with existing Commission guidance and Q&A replies of EBA. Option 1a) should therefore be retained.

6.1.b) Legal basis for PSPs to share information on fraud and obligation to educate customers about fraud

Under this option, the voluntary sharing of payment fraud data should become common practice. The key benefits for PSPs would be an increased ability to leverage their collective knowledge and experience to better combat payment fraud and make informed decisions about their capabilities, fraud detection techniques and mitigation strategies. Sharing information about payment fraud, such as suspicious IBANs and fraud trends, would increase awareness and responsiveness, making the financial sector more resilient. By including a legal basis in relation to GDPR this option would also increase legal certainty among PSPs. Respondents to the targeted consultation (mainly from the banking sector) and the Payment Systems Market Expert Group sub-group on consumer protection (see Annex 2) are in favor of including a legal basis that would allow PSPs to share specific information of attempted and realized fraud, which would improve the ability of PSPs to develop tools to further reduce fraud on the domestic and EU level. The costs for PSPs participation in payment fraud sharing schemes vary depending on the type of initiative and may include membership fees, travelling costs, staff deployed, IT costs for the installation and set-up of a payment fraud sharing platform, etc. On average, these costs which are recurring on a multiannual basis range between € 1 000 and 50 000, plus 1 to 3 FTEs 108 . Under this option, participation for PSPs would be encouraged but still remain voluntary, therefore no additional costs are foreseen as compared to the baseline.

Regarding consumer literacy and education about fraud and the risks of certain payment instruments/methods, various respondents to the targeted consultation, including public authorities, but also the EBA in its Advice 109 , note that awareness campaigns should be undertaken, in combination with other measures that could have a positive effect and further mitigate these types of risks. While awareness programmes will not be a panacea to the risk of social engineering fraud, they will certainly enhance consumer awareness about fraud and the risks of certain payment instruments/methods, at limited cost. In order to achieve this purpose, the option would be to introduce specific requirements in the legislation on educational and awareness programmes for fraud risks (also addressed towards employees of PSPs), as proposed by EBA, leveraging on those set out in EBA Guidelines on ICT and security risk management. 110 Similar to the EBA Guidelines on ICT and security risk management, the option would be not to include detailed and prescriptive requirements, as there is the risk that requirements would become obsolete very quickly due to the ever-changing nature of fraud related risks. The limited costs for implementing such programmes, which for the first time will have to be based on specific and harmonised requirements developed by the EBA would be recouped, even with a tiny reduction in fraud, given that total fraud losses have been estimated around €323 million per year and a substantial part of these costs are borne by the industry through refunds, through handling consumer complaints etc. 111

Option 1b) is therefore retained.

6.1.c) Extension of the provision of IBAN/name verification by PSPs from instant payments to all credit transfers

The costs and benefits of introducing an obligation for PSPs to ensure the availability for payers of an IBAN verification service was thoroughly and recently assessed under the impact assessment accompanying the Commission’s instant payments proposal. 112  The expectation underlying the introduction of an IBAN/name check for instant payments in that proposal is that it will reduce the rate of transactions sent to a wrong payee as a result of fraud or errors. Under that proposal, if adopted, IBAN verification will have to be offered by all PSPs providing euro instant payments, which will therefore incur the implementation costs for setting up such a service. Under this option, it is anticipated that the approach developed by EU PSPs for IPs would simply be extended to other transfers, without the development of an entirely new system. Therefore, only PSPs which do not offer euro IPs (for example, those operating exclusively in non-euro area Member States) will incur the full costs of developing such a new service; other PSPs will only incur the relatively minor costs of extending the IBAN verification service to non-instant or non-euro credit transfers. 

As reported in the impact assessment on instant payments, based on the feedback from the Netherlands and UK markets, where such systems exist domestically, it seems that an IBAN-name verification service would be highly effective in preventing errors and reducing certain types of fraud. Regarding the rate of transactions sent to a wrong payee as a result of fraud or errors, according to the provider of the IBAN-name check solution in the Netherlands, there has been an 81% drop in fraud/scams taking the form of invoice fraud, and a 67% drop in misdirected payments due to payer errors since the setup of the IBAN-name check service in 2017. 113  In the UK 114 between Q3 2019 and Q4 2020, on a trend-adjusted basis, for the largest PSPs offering the service to their clients, there has been a 31% drop of number of payments sent to a wrong payee. Given that the extent of APP fraud in 2020 for all SEPA euro credit transfers in the EU is estimated at approximately € 323 million, there is significant scope for reduction of losses incurred by EU citizens and businesses resulting from such solutions. The application of this measure to cross-border transfers (beyond euro instant payments) and non-euro transfers should contribute to mitigating the higher fraud rate for cross-border payments than for domestic payments identified in section 2.1.1, especially as regards invoice fraud.

The number of PSPs required to introduce IBAN verification for the first time (i.e. those not yet covered by the proposal on IPs as they do not offer euro IPs) is estimated as 1200-1300 PSPs 115 . For those PSPs, the implementation cost of this element is at the most the same as calculated in the impact assessment accompanying the Commission’s proposal on instant payments 116 . Estimates of implementation cost in that impact assessment were essentially based on experience in the Netherlands and varied considerably from PSP to PSP. With respect to the solution implemented in the Netherlands, the two main implementation efforts required from PSPs involved (i) integrating an API, allowing for account name verification, into the PSP’s online/mobile banking environment, and (ii) adjusting customer databases to ensure that the algorithm can match the payment data provided by the payer with the customer data of the payee’s PSP. The one-off implementation cost ranged between € 10 000 and € 2 million (an outlier figure), which can be explained by the fact that some of the larger PSPs tend to have many more legacy systems that require adjustments, while smaller newer PSPs have newer, more agile technological capabilities and hence lower cost. Recurrent costs in the Netherlands ranged between several thousand euro per year to € 350 000 per year (again, an outlier figure from one major bank), with fees paid to the service provider per check performed constituting the largest part.

Implementation costs for this measure are anticipated to be lower than those for implementing a similar measure for euro instant payments, since the legislative proposal on IPs will already require EU PSPs to collectively put in place an IBAN verification system for euro IPs, which will also be able to operate without major modifications for non-instant credit transfers in euro. Thus, the cost of collectively agreeing on parameters and rules for a pan-EU system, and other development costs, will not need to be repeated. For non-euro payments, the system selected for euro IPs can be replicated if desired. Thus, the main costs for the affected PSPs would be the implementation of an API to connect to the system, and the modification of customer interfaces to integrate the IBAN/name check feature. These factors point to a total one-off implementation cost near the bottom of the potential range, of the order of €50 million in total (1300 affected PSPs and an average implementation cost per PSP of €40 000).

Costs would also be partially offset by operational savings arising from a reduced number of complaints to be processed by PSPs, which are costly to investigate and may even involve goodwill payments (e.g. made by some PSPs to avoid reputational damage). Costs might also potentially be partially recovered from customer fees, but it is considered unlikely that many PSPs would charge for this service, as this would deter usage and obviate the potential fraud reductions (there is no charging for the service in the Netherlands and the UK). Moreover, the experience with the existing solutions (offered to EU PSPs by SurePay or SWIFT, or imposed on PSPs in the UK) demonstrates that such solutions can be designed in full compliance with GDPR. This option would thus be coherent with the EU data protection requirements, as well as with the proposal on instant payments. Option 1c) is therefore retained.

6.1.d) Full reversal of liability between PSUs and PSPs for fraudulent authorised transactions

Option 1d) would be in line with the expectation of consumer representatives. Some form of a refund right for the consumer was called for by BEUC in its response to the public consultation. In cases where the payer can provide evidence of being a victim of an APP fraud, the solution would be effective in providing adequate consumer protection, but without evidence, it would be difficult. It is unclear to what extent this option would result in a significant reduction in APP fraud; it might, only serve to reattribute the social cost of fraud without incentivizing payers to avoid taking unnecessary risks (moral hazard). Any reduction of fraud would be dependent on efforts from PSPs. Furthermore, a full refund right for all fraudulent authorized transactions could, in contrast to the principle of irrevocability enshrined in PSD2 (article 80), bring considerable uncertainty to payment systems and the finality of credit transfers. In terms of efficiency, this option would not require any major upfront implementation costs from PSPs. On the other hand, since in such cases the funds are unlikely to stay on the account of the payee long enough for the funds to be recovered, PSPs would incur ongoing losses, which could represent a substantial share of the estimated APP fraud for all SEPA credit transfers, estimated at € 323 million in 2020. Option 1d) should therefore be rejected as being disproportionate.

6.1.e) Conditional reversal of liability between PSUs and PSPs for fraudulent authorised transactions

This proposal builds on option 1c, on IBAN verification. The shift of liability for APP fraud to PSPs in cases of failure by PSPs to apply the necessary preventive actions to avoid fraud (i.e., no functioning IBAN/name verification service) would be a strong incentive for PSPs to ensure the good functioning of this particular fraud detection/prevention measure, which, in turn, is expected to have a mitigating effect on authorised payment fraud. This option would also provide incentives for payers to remain vigilant on fraud and to avoid taking unnecessary risks when making payments, as they would still bear APP fraud losses in all other cases where the bank was not negligent. Thus, this option would not require any major upfront implementation costs from PSPs and would reinforce the other chosen anti-fraud options. In cases of impersonation fraud, where the relationship of trust between customers and their bank and the bank’s name are abused by a fraudster, and only when the victim is a consumer (and not a business customer) and has reported the impersonation fraud to the police and to the bank, it is appropriate to grant a refund right to victims of such fraud against their PSPs, except where there is gross negligence or where the consumer is involved in the fraud. The compensation for impersonation fraud granted by four major credit institutions (on a voluntary basis) in the Netherlands amounted to €51 million in 2022, which based on the Netherlands having 4% of the EU population could mean up to €1 billion at EU level. It is a good compromise between consumer organisations which expect full PSP liability for all cases of fraud, whether transactions are authorised or unauthorised, and banks that do not consider it normal to bear any liability for cases where the payer technically and legally authorised a payment transaction. 117 Option 1e) is therefore retained.

Comparison of options aimed to strengthen user rights and protection against fraud 118

Selected options are a) b) c) and e). Option d) is rejected

6.2.Improve the competitiveness of Open Banking services

6.2.a)    Requirement for a dedicated data access interface

The effectiveness benefits of this option include data being by default shared in a more controlled and secure manner. In terms of security, banks maintain that APIs are a safer method to share data and would prefer TPPs to use APIs only. Through APIs ASPSPs can limit the data made available to TPPs to that which is legally required (only payments data, not for example savings), which they are not able to do if data is obtained by TPPs via the customer facing interface (fallback) due to the other technique applied for gathering the data – screen scraping 119 . This change would thus support data and consumer protection.

Regarding efficiency, this option would require capital investments from those ASPSPs that have yet to build such a dedicated interface. According to the VVA/CEPS study the development of the now-available PSD2 APIs cost on average about €2 mln per entity 120 , but this cost may be lower now, because since PSD2 came into force many providers of “off the shelf” OB APIs entered the market, so ASPSPs unable to develop a dedicated OB interface in house can acquire this expertise externally at competitive prices 121 , keeping in mind that the IT infrastructures of banks can be more intricate than that of other types of service providers. Most ASPSPs across the EU have in fact already built dedicated OB APIs 122 (and sometimes other value-added revenue-generating APIs), which would mean that, on an aggregated EU basis, the additional cost of this change would be limited. The total net one-off cost of this option for ASPSPs is estimated at €32 million 123 .

There should be no need for TPPs to make any new investment since TPPs are already supposed to use the dedicated OB interface, if available, and not use the fallback 124 . Most TPPs, especially those that were established post-PSD2 in any case prefer APIs over fallback interfaces. Some older TPPs (ETTPA members) have some reservations about removing fallback access, but also favour data access via APIs, provided that these are compliant and functioning.  

In terms of transaction cost, TPPs maintain that gathering data via an API call is normally cheaper (and five times quicker) than it is via a fallback interface, and also that the recurring cost of maintaining a connection to the fallback (maintenance) is 6 to 12 times higher than maintaining a PSD2 API connection 125 . Maintaining a connection to the fallback means continuous manual intervention and updating as the customer interface can be adjusted in small ways, but frequently and unannounced (unlike changes to the dedicated interface which have to be announced in advance 126 ). A large majority of TPPs, including those currently using fallback interfaces, would prefer Open Banking via APIs. TPPs would save resources on the maintenance of the connections to fallback interfaces due to the mandatory implementation and use of APIs. The VVA/CEPS study concluded the maintenance of API-based products costs TPPs about €53 mln a year 127 . If we assume that interface connectivity is about 20% of this amount (€10.6 mln) then the costs for maintaining the fallback connection could be between approximately €63.6 mln and €127.2 mln annually. These costs would be saved/reduced under this option.  

Mandating the implementation of dedicated interfaces has support from most stakeholders, from different sides. The removal of the fallback interface has much support from different stakeholders, including banks, NCAs, the EBA, and many TPPs too (although there are some TPPs that would like to keep the fallback as a contingency mechanism). Furthermore, the mandatory use of the PSD2 APIs would lessen the extra traffic on ASPSPs’ customer interfaces from TPPs also using the customer-facing interface (besides the ASPSP’s own customers, see Chapter 2.1.2), lowering the costs for maintaining that interface as well, as scraping bots (also used outside of Open Banking) make up about a quarter of internet traffic on such interfaces 128 .

This option also takes into account proportionality as niche ASPSPs (defined with criteria to be developed by the EBA) could obtain a derogation either not to develop an API (and thus only have their modified customer on-line banking interface and the obligation to provide an Open Banking permissions dashboard) or not to have any OB interface at all since it would be irrelevant to them as they are not (very) attractive for Open Banking TPPs. It is coherent with the choice for a dedicated interface in the initiative on Open Finance. Option 2a) is therefore selected.

6.2.b) Permission dashboards

Permissions dashboards would respond to concerns of consumers about their data under Open Banking, allowing them to manage their data permissions in a convenient way. TPPs would not be allowed to discourage their clients from using TPP services by, for example, insisting on the easiness of permission withdrawal via the dashboard. The annual costs of operating an Open Banking permission dashboard, a change supported by all stakeholders, are relatively low – consent management providers offer quotations between €3 000 and €12 000 annually) 129 . There are 4000 credit institutions in the EU 130 , which would bring the annual cost of operating/maintaining these dashboards to a range between €12 mln to €48 mln. The implementation of a permissions dashboard is supported by all stakeholders, including consumer associations. This option is coherent with the requirement for similar dashboards in the Open Finance initiative and is strongly coherent with GDPR. Option 2b) is therefore selected.

6.2.c) Impose a single, harmonised, API standard for TPP access to account data

Option 2c, which would naturally be combined with option 2a, could be highly effective by facilitating data exchange and reducing errors and failures of API calls. It would make it easier for future new TPPs to connect (i.e. lower market barriers due to standardisation). It would also require fewer regulatory resources to assess PSD2 compliance in the future. It is the choice made in the UK in its implementation of Open Banking. This option is backed mostly by NCAs, EBA and some non-EU-based stakeholders, whereas most EU-based ASPSPs and TPPs oppose this option, considering it to have high costs (but which they do not calculate precisely). It therefore scores relatively highly on effectiveness and coherence.

Regarding efficiency however, it must be noted that banks and other ASPSPs have already made very significant investments to put in place their current APIs 131 . Some are following one of the different market standards, which still allow for variation, and others are not following any market standard. This has led to variations among APIs. Imposing one single standard would involve choosing one of the existing standards or mandating market participants to develop a new one. If an existing standard were to be chosen, ASPSPs which currently follow that standard would not incur any adaptation cost, while those ASPSPs which, in good faith and without breaching PSD2, have not followed the selected standard would incur an adaptation cost, so the choice of standard would be highly delicate. Requiring a new standard would render the work done on all existing standards wasted. More fundamentally, imposing a single standard would mean abandoning the principle of technology neutrality and could risk being inflexible, not future-proof and hinder innovation, since new better standards for interfaces may arise in future. A majority of both banks and TPPs oppose the imposing of a standardised API. It should also be noted that this option would remove the business case for aggregators - as aggregators only exist in order to assist TPPs to navigate differing APIs of varying quality – but this is not a conclusive argument.

Costs of adaptation for ASPSPs would vary depending on the degree of divergence of existing APIs from the new or selected standard and would thus vary. As indicated by both ASPSPs and EBA 132 , it would probably require extensive resources and investments from most ASPSPs 133 , as they may have to build an entirely new OB API or fundamentally alter their current ones. For ASPSPs this could lead to the costs they have already incurred to develop an API being lost, if their current API does not correspond to the new single EU standard and cannot be easily adapted. The VVA/CEPS study estimated that the building of OB APIs has cost the ASPSP industry about €2.2 bn 134 . According to one of the most popular market standards currently available, NextGen PSD2 from the Berlin Group, over 75% of banks have implemented this standard 135 as of February 2022. Even if one were to select this most popular market standard as the one single standard to be implemented across the EU, which would be the least invasive route to take, but still not create a level playing field, costs would be high. Assuming an increased implementation of the standard over 2022 to 85% of all banks, approximately 15% would still have to change standards, implying a 15% of €2.2 bn, €330mln lost costs. Assuming 25% efficiency gains because of the new standard and improved API development expertise, the ASPSPs that would have to create a new API could incur another one-off cost of approximately €250 mln.

Even the 85% of ASPSPs that have already implemented the Berlin Group standard would still have to implement adjustments to remove the current variations, if that standard were chosen. Assuming a 90% coherence among Berlin Group users, 10% would have to be adjusted. Applying the same API-efficiency gain of 25%, this would amount to around another €140 mln of cost 136 , bringing the total to €330 mln lost costs and €390 mln additional one-off costs.

Bank API maintenance (recurring) is estimated to be about €280 ml annually. API standardisation does not necessarily lead to lower maintenance costs than banks are currently facing, although the API maintenance costs increase with usage of the API, and therefore would already increase as the demand for Open Banking grows organically (without any legislative intervention) resulting in more API calls, the driver behind the maintenance costs.

The biggest efficiency gain of this option lies with the TPPs, which would face a far simpler situation than they currently are with the different API standards and intra-standard differences. The TPP maintenance costs of €53 mln a year could thus decrease. However, TPPs would be faced with some adaptation costs as well to reconnect to the new standardised APIs, offsetting this saving. Although some TPPs would prefer standardisation, others prefer the status quo, fearing a costly transition to standardised APIs.

Another benefit of this option would be easier monitoring of compliance by NCAs. The API standard could even lead to less need for intervention by supervisors as ASPSP and TPPs can no longer have differing interpretations of what the API should or should not do. Supervision-related recurring costs are estimated at approximately 30 mln € by the VVA/CEPS study 137 and these costs would fall under this option, although it is not possible to estimate by how much because supervision related costs extend beyond just PSD2 API compliance.

This option would not be coherent with the choice made in the impact assessment on Open Finance, which is not to impose one single standard, but rather to require the development of different market standards (such as those which already exist in Open Banking).

Option 2c) is therefore rejected, despite high potential effectiveness, due to excessively high implementation cost for banks (ASPSPs) and limited coherence.

6.2.d) Specify in more detail minimum requirements for OB data interfaces

Option 2d) would be less effective than Option 2c), as it would not impose the implementation of an API standard, but it would be far more efficient, due to its much more limited implementation cost for ASPSPs which have already established varying interfaces (see below). It would not however be totally cost-free. ASPSPs, the large majority of which already have a dedicated OB API interface, would have to revise these APIs and make adjustments where necessary, e.g. by making more data points available, such as account-holder’s name 138 . TPPs would have to revise their connections to the interfaces as well and make necessary adjustments. Although most ASPSPs provide APIs already, there are still TPPs that choose to make use of the fallback interface, usually because, TPPs claim, the data made available in the OB API is not equal to the data they can obtain via the fallback interface (which would be breach of PSD2). This option would remove the time ASPSPs and TPPs currently spend on discussing what the OB API should provide, as the legislative text would clarify and specify which data is to be made available to TPPs. It would also facilitate easier monitoring and enforcement of the interfaces by NCAs. Furthermore, this option limits the changes that ASPSPs and TPPs have to make to some adjustments to the pre-existing APIs (instead of having to build entirely new APIs if  a (new) API standard were imposed). ASPSPs would still be able to adjust their interface individually as long as it complies with the requirements set in the legislation.

In terms of costs this option may increase maintenance costs (due to greater usage of APIs because of the better quality), but market research already indicates that the market and demand for OB – and therefore API usage - is likely to grow, regardless of legislative intervention 139 . This option is therefore not expected to significantly impact the recurring maintenance costs.

One-off adjustments costs to ASPSPs (which would come on top of those recurring maintenance costs) can differ per ASPSP depending on its current API compliance and/or quality. A conservative estimate is that the cost of required changes can be between 1% to 5% of the costs of the building of the interface (see previous option) – between €20 000 to €100 000 per ASPSP. The lower end, 1%, is assumed for ASPSPs that need to make very few adjustments, who are already compliant with PSD2 and/or have simpler IT infrastructures. The higher, 5%, is assumed for ASPSP that might not be compliant with PSD2 and have to make more adjustments, that are larger and/or have more complex IT infrastructures. Of the ASPSPs that have a PSD2 interface, most have also received a fallback exemption 140 which is an indicator of a well-compliant API and therefore low adjustment cost. Therefore, most of the APIs already provided by ASPSPs will only have to make incremental changes to become compliant. The total one-off adjustments cost for ASPSPs is estimated to be €190 mln 141 .

The recurrent annual maintenance costs for TPPs to maintain the connections to the PSD2 interfaces will probably decrease slightly, from the current amount of about €53 million annually for the entire EU TPP sector 142 . The one-off costs for TPPs to connect to new interfaces of ASPSPs which currently do not have them is estimated at a total of €24 million 143 .

To summarise, the estimated one-off costs required to implement option 2c are estimated to be around €280 million for ASPSPs and TPPs combined.

This option would create an identical data set for all ASPSPs to provide access to, and thus more coherence. By combining the minimum requirements with the current “parity principle”, this option would likely not result in a loss of Open Banking data options available to TPPs. Although ASPSPs might choose to lower the amount of available data by decreasing what is available in their customer-facing interface, “lowering” parity, in a way. As that would however also impact their own customers directly, this is not likely to happen.

This option, like option 2a), is likely to enhance the already anticipated growth of Open Banking. Regarding coherence, it should be noted that the Open Finance proposal does not choose to have any “parity principle” with customer interfaces, but this can be linked to the fact that in financial services outside banking and payment accounts, online customer interfaces are less common and much less frequently used.

Option 2d) with sub-option 1, is therefore selected.

6.2.e)    Abandon the non-contractual/no charging default principle

The choice for non-contractual relations by default between ASPSPs and TPPs aimed to avoid forcing ASPSPs and TPPs to agree thousands of bilateral contracts before OB operations can take place, or alternatively to agree a multilateral scheme with rules such as pricing. Furthermore, the data was already available via the direct interface (pre-PSD2 screen-scraping) and new, legally required contractual obligations would have increased the barriers to entry for (new) TPPs and have had an adverse effect on competition. This specific regime can remain in force after the application of the proposed Data Act, since the Data Act provides for sector-specific data access regimes.

Since PSD2 came into force, one argument given for low-quality APIs is the fact that the ASPSPs were not compensated for their expenses to design data access infrastructures. However, in the specific context of the existing PSD2 open banking framework, API structures have already been put into place by all operators, and it would appear unjustified to compensate them for past investments, which according to the study are estimated to be €2.2 billion, and ASPSPs have reported very differing amounts, ranging from a few million euro to “(far) in excess of 100M” 144  made to comply with PSD2. This needs to be balanced against negative impacts of this option: applying this option would seriously disrupt the current OB market, with ASPSPs and TPPs having to negotiate thousands of bilateral contracts (or else agree a scheme), which would almost certainly negatively impact TPPs’ ongoing service delivery to consumers. Furthermore, it would have increased market entry barriers by leading to charging for all data access. It would also mean that data access services provided by ASPSPs to TPPs hitherto for free would, suddenly, become subject to a charge, with a new extra cost to TPPs which would negatively impact their profitability and could oblige some of them to stop their business. There would be no guarantee from data holders (banks) that this new revenue would be used to upgrade APIs.

This would be a total reversal of the approach taken in PSD2 and applied since 2018, risking significant upheaval possibly with a detrimental impact on the OB sector. It could also harm competition as many smaller TPPs would probably be obstructed by this financial barrier. The free access to data also means TPPs can keep fees that they charge to customers low, allowing more consumers and small businesses to benefit from OB services. The analysis of this option did not yield any concrete, quantifiable benefits for Open Banking.

Regarding coherence, it should be noted that while a scheme will be required for the Open Finance (OF) initiative, the circumstances are very different as OF, being a new market, has no ‘legacy’ no-compensation regime, and no investments in APIs have yet been made. OF, starting as it does from a ‘blank sheet’ can choose to apply, from the beginning, an approach where data access is based on (multilateral) contracts and there is compensation for all data access, with a view to incentivising data holders to develop quality interfaces. OF data users will be accustomed to charging from the beginning. However, it should also be noted that under PSD2 today, and in future, voluntary contractual relations between ASPSPs and TPPs are not prohibited (even for prescribed data access), and they do sometimes exist. ASPSPs making available ‘commercial APIs’ (usually providing access to data that goes beyond parity with the direct interface, “value-added data”) subject to a contract are still required to provide a non-contractual PSD2 interface.

Option 2(d) is therefore rejected.

Comparison of options aimed to improve the competitiveness of Open Banking services

Selected options are a) b) and d). Options c) and e) are rejected

6.3.Improve enforcement and implementation in Member States

6.3.a. Replace the greater part of PSD2 with a directly applicable Regulation clarifying aspects of PSD2 which are unclear or ambiguous

Regarding effectiveness, Option 3a) would provide a better level playing field across the EU payments market. PSPs would have to apply the same, consistent and clear set of rules directly laid down at EU level irrespective of where they are operating in the EU. Improvements in terms of regulatory arbitrage and market fragmentation could be achieved. In terms of efficiency, it would be very beneficial for payments stakeholders to be able to rely on directly enforceable EU law to enforce their rights and corresponding duties and it would remove and/or limit late transpositions, divergent interpretations, gold-plating etc. Regarding efficiency, it is true that it would require Member States to repeal most existing national provisions regarding payments transposing PSD2, which would take up resources, but this downside is outweighed by the advantages. Supervised entities would benefit from improved and timely feedback provided by supervisors as the revised provisions would be clear, up to date and easy to apply. By incorporating further details in the legal text or by redrafting to reduce ambiguities and gaps, a more consistent application would be achieved (unlike the experience in rolling out the PSD2 requirements on Strong Customer Authentication). Circumvention or misapplication of the requirements would be reduced. This option would be coherent with what has been frequently done in the field of financial services legislation, where Directives when reviewed have often been replaced with Regulation or a combination of a Directive and a Regulation 145 . Most respondents to the targeted consultation who expressed a position also supported this option. In several meetings with Member States 146 , a majority of Member States expressed broad openness to this possibility and objections were expressed only by a small number (these objections were related to a desire to be able to adapt the rules to local circumstances rather than to concerns about the cost of repealing national implementing legislation). Option 3a) is therefore retained.  

6.3.b. Strengthen provisions on penalties in PSD

Option 3b) would be effective in so far as it would strengthen implementation of rules and give competent authorities the necessary powers to intervene to enforce PSD2. The list of breaches requiring penalties to be available to authorities would be a clear indication to Member States of the need to intervene actively to enforce the rules (which was not always done for example regarding the implementation of the PSD2 requirements on Strong Customer Authentication). The EBA power to temporarily prohibit certain products in case of risk to consumers can reinforce its work in helping Member States with implementation and enforcement. In terms of efficiency, the option would require greater resources to be committed by Member States to enforcement proceedings but this would be limited in proportion to the single market benefits. Consumers could be confident that the payments rules are adhered to by supervised PSPs and that measures including penalties are imposed in case of violation of those rules. Various stakeholders in the public consultations have pointed to weaknesses in the enforcement regimes of Member States and the need for reinforcement. This option would also be coherent with what has been done in various areas of financial services legislation 147 in recent years following the 2010 Communication on reinforcing sanctioning regimes in the financial services sector 148 . It would also be coherent with the EBA Advice, which recommends strengthening the current provisions on penalties notably by clarifying that infringements of prudential and conduct requirements must be penalised. Option 3b) is therefore retained.

6.3.c. Creating an EU-level supervisory body for Open Banking

Concerning effectiveness, the creation of a dedicated EU Open Banking body (option 3c) would have various upsides: by requiring the direct involvement of ASPSPs and TPPs (through funding and expertise) these parties would have “skin in the game” and are likely to cooperate better given their increased influence; this body would ensure that specialised supervisors can dedicate all their time to Open Banking, which is currently sometimes signalled as an issue within national supervisors, which are often already strained in terms of resources (and relevant expertise). The resource need on national supervisors would fall. As this body would also assure harmonisation across Member States there would be less fragmentation and more efficiency gains for ASPSPs and TPPs, especially those active across borders. Downsides are that the body would need time to integrate the legacy of all NCAs currently dealing with the topic, which might impede its effectiveness. Furthermore, ASPSPs and TPPs would have to deal with multiple supervisory bodies, with one solely for the purpose of Open Banking, and in the absence of any EU budget allocated to new resources for agencies, the body would have to be 100% funded by PSPs, so they would incur a cost for financial contributions.

As regards efficiency, estimating costs is difficult but the UK OBIE can be used as an indicator. Initially estimated to require approximately £20 mln per year, it had already surpassed £150 mln annual cost by 2021 149 , only a small percentage of which was recovered in fees and charges. The costs of an EU body would probably be much higher, also given 27 Member States and cross-border issues. The supervisory body might be made more effective by having enforcement or supervisory powers of its own, but that would mean division of supervision for PSPs between a new EU body (for Open Banking) and NCAs (for other aspects of PSD).

Regarding coherence, it may be noted that an EU OB body would fit best of all with Open Banking option 2.b (harmonisation of APIs), which has been rejected above. Furthermore, no such dedicated EU enforcement entity is proposed in the Open Finance initiative.

In summary, option 3c) would involve significant cost for EU PSPs in fees and charges, in the hundreds of millions of euro per year, given the need for 100% sectoral funding, and would face significant operating challenges which mean that it is not certain to achieve benefits outweighing the costs. This option is therefore rejected.

Comparison of options aimed to improve enforcement and implementation in Member States

Selected options are a) and b). Option c) is rejected

6.4.Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs

Option 4a) (reinforcement of the right of PIs and EMIs to access to payment systems via an account with a credit institution) would aim to remedy difficulties currently encountered by non-bank PSPs to obtain an account with a credit institution. It would come close to establishing a right to a payment account with a credit institution for PIs and EMIs, placing a burden on banks to explain rejection or withdrawal of service to a PI or EMI, with substantiated reasons. The establishment of an appeal procedure for rejected PIs and EMIs would constitute another deterrent to refusal or withdrawal of account service by banks. This option would aim to ensure that non-bank PSPs would always be able to find a bank to provide account services and not experience frequent disruption of service. Certain non-bank PSPs may prefer to have only indirect access to payment systems via a bank, because of specific costs, or liquidity or collateral requirements of payment systems for direct participation; non-bank PSPs need a bank account for the purpose of safeguarding customer funds. Non-bank PSPs strongly support this option, and many Member States also; most banks oppose it, but the cost for banks should be limited. Therefore, this option can be useful to PIs and EMIs in ensuring a means of access and is therefore retained.

However, access to payment systems via a bank, even where ensured, is still considered by many PIs and EMIs as inferior to direct access. First of all, the non-bank PIs must pay fees to their competitors, increasing their costs, and their competitors have access to information about their business volumes which may be useful to them. Access via a bank can also increase the time taken to execute transfers, which can be key in the area of instant payments, which must be executed within ten seconds of the order being received. Therefore, option 4a) cannot be a complete solution to the problem of access by non-bank PSPs to payment systems.

Option 4b) (granting of direct participation of PIs and EMIs to all payment systems, including those designated by Member States pursuant to the SFD) would allow PIs and EMIs the possibility of direct access to all payment systems, including those designated by Member States pursuant to SFD (which tend to be the key ones, essential to provide most retail payment services), under the condition that they fulfil the access requirements of the system. It would allow PIs and EMIs to offer instant payments as well. However, certain problems would remain, including the problem of recourse in case of rejection of an application for participation. It would also leave entirely in the hands of payment systems the exact nature of pre-admission risk assessment against specific risks. These drawbacks could hinder the full resolution of the identified problem, and at the same time could potentially increase risks in payment systems by allowing the participation of PIs or EMIs with particularly high-risk profiles.

Option 4c) (as option 4.b) but with additional clarifications on procedures for admission of new members to payment systems) would aim to achieve the benefits of option 4b) and at the same time to remedy these shortcomings. It would require payment systems to conduct a full and fair risk assessment before admitting new participants, whether they be banks or non-banks, and only assess risks which are applicable in the specific case (for example, non-banks are much less exposed to credit risk). It would also establish a right of appeal to competent authorities for rejected applicants for participation in payment systems. This option is similar to the approach which has been applied in the UK, where PIs and EMIs have been admitted to direct participation in key payment systems, both public and private, following a thorough risk assessment process; the first such non-bank participant was admitted in April 2018, several others have followed since, and no adverse consequences have been observed so far 150 . A large number of stakeholders of all categories, including many Member States and the Eurosystem, support this option (see Annex 2) 151 .

Only a combination of options can fully resolve the identified problem and ensure that potential risks are sufficiently mitigated. The selected option is therefore 4c) in combination with 4a).

Comparison of options aimed to improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs

Selected options are a) and c). Option b) is rejected

7.Preferred options 

The package of preferred options (summarised in §7.4 below) represents largely specific targeted amendments to PSD2, rejecting most of the more far-reaching options, which either are not backed by sufficient evidence of a problem (see Annex 6 on scope) or would be too disruptive and costly to implement for uncertain benefit (for example, options 2b or 3c). In addition to the individual impacts of the selected options discussed above, they should positively interact with each other in a number of ways. For example, the enforcement-related measures will also have a horizontal effect boosting the effectiveness of all the other selected measures in other areas. A reduction in fraud should contribute to the efficiency of payments in the EU, free resources in PSPs for use in other areas, and increase consumer confidence. On the other hand, the baseline path of not amending PSD2 at all would leave a number of genuine problems unaddressed. The package of selected options is analysed below in terms of effectiveness in tackling the identified problems, efficiency (cost) and coherence with other EU legislation and initiatives.

The flanking measures discussed in Annexes, such as the technical clarifications described in Annex 7, the simplifications arising from the greater alignment of the supervisory regimes for PIs and EMIs described in Annex 8 and the improvements to consumer rights and protection described in Annex 10, should also be understood as horizontal measures, part of all relevant combinations of options. Technical clarifications (including on scope), and the integration of EMD2 into PSD2, covered in Annexes 6-9, are related to general objective 3 (Single Market). Measures to improve access to cash in Annex 9 are related to general objective 5 (protection of payment system users). Consumer rights measures, related to general objective 2 (efficiency, transparency and choice) and 5 (protection of payment system users), are covered in Annex 10.”

7.1. Effectiveness

Regarding fraud, the effectiveness of IBAN verification in reducing fraud and errors in payments in the Netherlands and the UK, where such a system already exists, was highlighted in the impact assessment accompanying the proposal on Instant Payments 152 . IBAN verification has already been proposed to be introduced for euro instant payments, in the Commission’s legislative proposal on IPs, so its effectiveness in the framework of this initiative would concern other credit transfers and non-euro currencies. The conditional reversal of liability in cases where the IBAN verification service is not functioning, will reinforce this measure and encourage PSPs to avoid downtime of their IBAN verification service. The other selected anti-fraud options, measures to improve application of the SCA requirements and to facilitate PSPs’ sharing of fraud information, will have incremental but real impact against fraud. A clear delineation of the scope of application of MITs and MOTOs directly impacts the level of consumer protection against fraud and the rights and obligations of the customers and the relevant stakeholders, regarding transactions where SCA rules were not being respected. Exchange of information can be expected to produce the same benefits as in existing national schemes, but these have existed for too little time yet for the exact benefits to be quantifiable. The combined impact of all of these measures should be a measurable reduction in payment-related fraud, especially authorised or APP fraud. The impact assessment accompanying the Commission proposal on IPs found that the potential benefit of an EU-level IBAN verification system for euro IPs would be potentially up to €209 million per year, assuming 100% replacement of regular euro credit transfers by euro IPs. This would leave only non-euro credit transfers liable to experience benefits from the generalisation of IBAN verification, and the reduction in fraudulent or erroneous payments could be assumed to be in the range of €100-150 million per year, given the small total volume of non-euro payments in the EU than euro payments. The other measures in this anti-fraud package will further contribute to reducing fraud; if the amount of APP fraud would fall by 10%, that could represent a reduction of €32 million per year 153 .

The proposed changes and clarifications on Open Banking will provide important clarity on the applicable framework and in particular on what quality and functionality must be offered in PSD2 interfaces. They will also enable TPPs to provide better and more OB services, and facilitate a better customer experience (fewer bugs, errors and other technical issues) which will make OB more attractive to use, and as a result, the OB market to grow. However this result is indirect as the proposed changes and clarifications cannot immediately impact consumer demand; a clear and supportive legal framework can promote the success of OB but not guarantee it. For this reason, more radical options were rejected due to the high associated cost, without guarantee of success. Minimal disruption on the Open Banking market and facilitating extra growth than already projected by market research and the protection of sunk costs implementing PSD2, has been a priority. It is anticipated that the selected options will enhance the already predicted growth trend of Open Banking (by up to 10%), as APIs become of better quality and safer, TPPs will be able to provide more, better and reliable OB services and become more attractive to consumers. This would mean increased benefits to TPP revenues and to consumers making use of OB services.

Good functioning of the single market for payments will be facilitated by the clarification in the legislation of multiple points where space for differing national interpretations existed (see annex 7), by upgrading the greater part of PSD2 into a directly applicable Regulation, and by the reinforcement of available penalties which will improve the capacity of NCAs to effectively enforce the rules.

Regarding direct participation in payment systems for non-bank PSPs, the experience of the UK demonstrates that such direct access can effectively increase competitive forces in the payment sector and stimulate innovation, while not negatively impacting financial stability. A wide range of PIs and EMIs are active in the UK, not only offering payment account services to consumers, but also for example merchant acquiring and Open Banking services. Many of these PSPs are also active in the EU with a license from an EU Member State, but experience practical difficulties to offer competitive services in the EU due to their lack of direct participation in key payment systems in quasi all EU countries due to SFD restrictions. For those PIs and EMIs choosing indirect access via a bank, the more stringent requirements on banks will make such direct access more secure.

7.2. Efficiency

The package of measures identified has been calibrated to involve a minimum of disruption to the payment services market and to keep implementation costs to a minimum, while still achieving the specific objectives.

On fraud reduction, it can be mentioned first of all that the proposal on instant payments already requires EU PSPs offering euro instant payments to provide an IBAN/name verification service with such payments. For EU PSPs offering euro IPs, there will be minimal additional costs to extend such IBAN verification service to other types of credit transfer, non-instant payments in euro and to all credit transfers in non-euro EU currencies. Exchange of information on fraud incidents can be carried out between PSPs at relatively limited cost, and national level schemes already exist in certain Member States 154 . The proposed limited changes to the liability regime, linked in particular to IBAN/name verification, can be implemented via amendments to the general account terms and conditions between PSPs and PSUs, when these are due for renewal.

The amendments regarding Open Banking have been selected with a view to avoiding a need for significant new expenses for ASPSPs which have already developed APIs to allow data access by TPPs active in Open Banking. Another important factor which influenced the selection of options is the fact that the Open Banking market is predicted to grow 155 and significant changes could negatively disrupt this already projected growth. The additional revenue stemming from this baseline growth is estimated to be around €3.6 billion for 2024 and €6.7 billion by 2027 (cumulative revenue €12 bn by 2024 - see Annex 3). Existing APIs may have to be upgraded in certain cases, but will not need to be scrapped and entirely replaced with new interfaces. There will be the possibility of derogations for niche ASPSPs from having APIs or from having an OB interface at all. So, the one-off cost to the ASPSP sector of aligning existing APIs to the revised minimum performance requirements will be limited, and the ongoing recurrent operating and maintenance cost will not be significantly impacted. TPPs will incur lower recurrent costs as they will have to spend less resources on the manual-intensive fallback interfaces due to low-quality APIs. The removal of the obligation to have a fallback interface will involve savings for ASPSPs, offsetting the costs of upgrading APIs. More enforcement by NCAs could require more resources, but NCAs will no longer have to handle requests for fall-back exemptions, and TPPs’ complaints due to malfunctioning or poor API data access will be reduced in the future. Furthermore, the compliance assessment for NCAs will be simpler and more straight forward as legislation becomes clearer.  Moreover, it can be anticipated in the future that increasing numbers of added-value APIs, outside the scope of payment legislation, voluntarily providing additional data and services subject to a fee, will be developed, thus bringing some revenue to the ASPSP sector offsetting the overall cost of developing and maintaining APIs; although the basic PSD interface must continue to be provided free of charge by default.

The changes regarding penalties for breaches of PSD can be anticipated to lead Member States to devote more resources in national authorities to the investigation and sanctioning of breaches of rules by PSPs, and could generate recurrent costs for a few additional members of staff for those authorities. However, the clarifications on various elements of PSD can be expected to reduce staff time spent analysing such unclear elements, which can compensate for this. The same applies for the upgrade of the greater part of PSD2 into a directly applicable Regulation (although this will involve the cost to Member States of repealing much of current legislation transposing PSD2).

Regarding direct access to payment systems, there will be some one-off costs incurred by payment systems faced with a significant number of applications for membership, and given limited resources for risk assessment, this may require payment system operators to adopt a staged approach to implementation, with only a few new non-banks joining such payment systems each year (this has been the case in the UK). It is not expected that payment systems will need to increase their staffing levels for this task. The requirements on indirect access will be of limited cost for banks, unless they reject or cut off account services to many PIs and EMIs. PIs and EMIs will be able to offer payment services more efficiently and cheaply if they have direct participation in payment systems, thus enhancing price competition in the payments sector.

7.3. Coherence

The selected options are coherent with and reinforce each other. For example, strengthened enforcement will contribute to the progression of Open Banking under the new rules. Many PIs and EMIs are involved in offering both account services and Open Banking services to customers; better access to payment systems will facilitate this and provide synergies. Reinforced anti-fraud activity will contribute to smoother functioning of payment systems in general and increase the confidence of consumers in new innovative services.

Regarding the coherence of the selected options with existing Commission legislation and ongoing initiatives, a detailed account can be found at Annex 12, but key examples are given below:

·GDPR: a firm legal basis for PSPs to exchange information on fraud, in line with GDPR, is provided. Concepts of “explicit consent” for treatment of personal data, “silent party data” and “special categories of personal data” will be clarified, in a way which aims to assuage concerns expressed by many payments sector representatives about the effects on payments of Guidelines of the EDPB on PSD2 156 . See Annex 7 for more details.

·Markets in Crypto Assets Regulation (MiCA). MiCA categories e-money tokens (EMTs), as funds and therefore payment transactions made with EMTs fall within the scope of PSD2. However, given the very specific nature of EMTs as a type of crypto asset (use of Distributed Ledger Technology etc.), a certain number of clarifications are necessary in PSD2 in order to ensure certainty about the application of certain requirements (such as SCA) to payments using EMTs. Annex 7 provides more details about these clarifications. 

·Settlement Finality Directive (SFD). The targeted amendments to the SFD and PSD2 described in options 4b) and 4c) will maintain coherence, but with the positive effect of allowing potential direct access of non-bank PSPs to payment systems designated under SFD, instead of preventing such access, as at present.

·Data Act. The Commission proposal for a Data Act, once adopted and in force, will establish a horizontal framework for fair access to and use of data. However, the Data Act (article 40) allows different provisions in sectoral legislation, and the requirement for Open Banking mandatory access to payment account data to be provided without the need for a contract (i.e. for free) is an example of this.

·Commission legislative proposal on instant payments (amending the SEPA Regulation). The SEPA Regulation lays down harmonised rules and technical parameters for credit transfers and direct debits in euro. On 26 October 2022, the Commission adopted a proposal for an amendment of the SEPA Regulation promoting instant payments (IPs) in euro. PSPs offering credit transfers and direct debits in the meaning of the SEPA regulation, including instant payments, remain fully in the scope of PSD. A noteworthy element of the present initiative is the generalisation to all credit transfers in all EU currencies of the requirement in the Commission proposal on IPs regarding name/IBAN verification; this does not affect the proposal on IPs, as this initiative will not require IBAN/name check for instant payments in euro, only other credit transfers. Furthermore, direct access of PIs and EMIs to all EU payment systems would allow the extension of the scope of the proposal on IPs to include them (in a future review); currently, PIs and EMIs are excluded from the scope of that proposal because their lack of direct access to key payment systems, due essentially to SFD, prevents them from offering IPs.

·Regarding coherence with the Open Finance Initiative (OF) , it should be pointed out that this initiative (see section 1.3) has its own impact assessment, and builds on the lessons learned on Open Banking as identified in the review of PSD2. This is because the policy measures required to improve an already existing system of data sharing under PSD2 are not the same as those needed to design a regulatory system for a new activity in other parts of the financial sector. This has led to different approaches being adopted in certain areas. For example, for data to which access is mandatory this initiative proposes to maintain the current “contract-free/compensation-free” approach (see §5.3) while the OF initiative provides for compensation for access to mandatory data sets 157 . Different approaches can be applied in different circumstances while remaining coherent. However, other policy options selected in Open Banking are closely aligned with the choices in the Open Finance initiative; see the discussion under each option in §6.2 above. See Annex 6 for the question of whether Account Information Services and Payment Initiation Services more appropriately belong in PSD2 or the OF framework.

7.4.Summary of preferred options

7.5.Other relevant impacts

The selected options should also have a beneficial effect on the competitiveness of the EU payments sector. Within the EU a better level playing field between banks and non-bank PSPs should create more competitive pressure on banks to improve their payment services across the board, and assist innovation, thus contributing to the competitiveness of the EU payments sector. As a successful and efficient Open Banking sector is increasingly considered a sign of a modern and competitive financial sector, OB is becoming a feature of many jurisdictions (UK, Australia, Singapore, Japan etc.). The selected options will be at worst neutral as regards the competitiveness of EU payment service providers on any non-EU markets. Services like payment initiation compete with payment cards and contribute to lowering acceptance costs for merchants. Reduced fraud will lead to reduced costs for the EU payments sector and thus indirectly contribute to enhanced competitiveness. Overall, it is considered that a well-functioning competitive EU payment market will indirectly contribute to the overall competitiveness of EU businesses also in the international context.

Concerning the geographical impact of the selected measures, only one measure, namely the IBAN/name verification (option 1c) will have a very distinct impact in different Member States; both the costs of this measure and the benefits (in terms of reduction of fraud and of erroneously mistaken payments) will occur largely in non-eurozone Member States, as the great majority of PSPs in euro area Member States will already be required to implement the measure under the Commission proposal on instant payments (and in that case are free to voluntarily offer it for non-instant credit transfers).

Regarding impacts on stakeholders, see Annexes 3 and 13. Improved efficiency and competition in payment systems, together with reduced fraud, should benefit consumers and SMEs in their capacity as users of payments, while the improvements to Open Banking should benefit the many Open Banking fintechs which are SMEs.

7.6.Application of the ‘one in, one out’ approach 

By means of this principle the Commission has committed to offset administrative costs of new initiatives by reductions in administrative costs of other initiatives. However, the present initiative does not involve administrative costs for businesses or citizens, as the initiative will not lead to any increased oversight or supervision of PSPs, or to specific new reporting obligations above those already existing in PSD2. There are also no regulatory fees and charges arising from the initiative. It is therefore considered that this initiative does not generate administrative costs which require offsetting under the "One In One Out" principle (although it is relevant for “one in one out” in that it creates implementation costs). It may be noted that the bringing together of the legislative regime for E-Money Institutions and that for Payment Institutions will lead to reductions in administrative costs (for example, alleviating the requirement to obtain a new license in certain circumstances).

7.7. Climate and sustainability

No negative implications for climate of this initiative have been identified. The initiative will contribute to target 8.2 of the UN Sustainability Development Goals: “To achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors”.

7.8.Fundamental rights

The fundamental right concerned by this initiative is privacy. Privacy is enhanced by the clarifications described in Annex 7, to improve alignment between PSD3/PSR and GDPR.

7.9. REFIT (simplification and improved efficiency)

The present initiative is based on an evaluation, to be found at Annex 5. As part of the evaluation and review process, opportunities for administrative simplification were sought. The main such simplification contained in the present initiative is the integration of the Second E-Money Directive into PSD2 and the large-scale reduction in differences between the regulatory regimes for EMIs and PIs (with some residual remaining differences, such as own funds requirements) – this exercise will involve a repeal of the EMD2. More details about this approximation of the two regimes is contained in Annex 8. The removal of the “availability of funds” service, a facility which is not currently used, will also be a significant simplification (see Annex 6). The clarification of rules on SCA and other clarifications (see Annex 7), together with the removal of divergences arising from national transposition of a Directive, will also contribute to simplification.

8.How will actual impacts be monitored and evaluated? 

The initiative will provide for a review, to be completed five years after the entry into force. Regarding the specific objectives, the following can be said about monitoring and evaluation:

·Strengthen user rights and protection against fraud. Regarding payment fraud, the operational objective is a significant fall in fraud, both concerning unauthorised and authorised payments. On this subject periodic reports are produced by EBA.

·Enhance the competitiveness of Open Banking services. The objective as regards Open Banking is an increase in the usage of AIS and PIS services above the baseline predicted growth, and an increase in PIS as a percentage of all digital payments. However, no official statistics on Open Banking are produced in the EU, and information (of which the quality cannot be independently verified) is only available from private sector consultants. PIS-initiated payments are executed as SEPA or non-euro credit transfers; it is not currently possible in official statistics to distinguish the initiation method of a credit transfer. AIS does not generate any payment transactions, and is only traceable as an “API call”, but data on API calls for all PSPs is not collected systematically by supervisors. The Commission, together with EBA, will explore the possibilities for producing better quality data on EU Open Banking, but in the meantime, will be obliged to rely on the same private sector producers of data which have been used for the present evaluation and impact assessment.

·Improve enforcement and implementation in Member States. This should be detectable in a reduction in complaints received by the Commission and NCAs from citizens or PSPs, and an increased rate of active investigation of complaints.

·Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs. The objective is that all PIs and EMIs active in the EU should have access to all payment systems in the EU, including those designated under the SFD, and have access to a bank account. The success of this objective will be measured by the numbers and the percentage of PIs and EMIs with (and without) access to the most important payment systems operating in the EU, including TARGET2 of the ECB. As regards indirect access, the number of notifications by banks to competent authorities of refusal or withdrawal of account access to PIs and EMIs, and appeals by PIs or EMIs against such decisions of banks, will be important. This information will be obtained from PI and EMI representative bodies and national competent authorities.

Monitoring summary table

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

This Impact Assessment Report was prepared by Directorate B "Horizontal Policies" of the Directorate General "Directorate-General for Financial Stability, Financial Services and Capital Markets Union" (DG FISMA). The Decide Planning references are:

·PLAN/2021/12798 – FISMA - Payment services – review report on PSD2.

·PLAN/2022/892 - FISMA - Payment services – revision of EU rules (Directive).

·PLAN/2022/1630 – FISMA - Payment services – revision of EU rules (Regulation).

The initiative on review and revision of PSD2 was included in the 2023 Commission Work Programme published on 18 October 2022, as part of a package on “data access in financial services”, together with a legislative initiative on Open Finance.

2.Organisation and timing

One single Inter-Service Steering Group (ISSG) dealt with both this initiative and the Commission initiative on an Open Finance Framework, planned for adoption together with the present proposal, although the two impact assessments are distinct. Three meetings of the ISSG were dedicated primarily to the present initiative; those meetings, chaired by SG, were held on 11 November 2022, 13 January 2023 and 14 April 2023 (the first two meetings to discuss the draft impact assessment and the third meeting to discuss draft legislative text). The ISSG consisted of representatives from various Directorates-General of the Commission: CNECT, COMP, EMPL, ECFIN, ENV, HOME, INTPA, JUST, Legal Service, Secretariat General. The contributions of the members of the ISSG have been taken into account in this impact assessment.

3.Consultation of the RSB

The Impact Assessment report was examined by the RSB on 1 March 2023. The RSB issued a positive opinion with reservations on 3 March 2023 158 . The principal reservations (which have been addressed in this final version of the report) were the following :

“(1) The report lacks clarity on consumer demand for Open Banking and on the extent to which consumer confidence in data sharing and cybersecurity may affect uptake.

(2) The report does not provide sufficient impact analysis, in particular on competitiveness, SMEs, consumers and Member States as well as the impact of the proposed flanking measures.

(3) The report does not provide sufficient clarity, including granular analysis, on the costs and benefits for the preferred set of measures.”

Changes and clarifications introduced in this report following the RSB opinion and comments include the following:

·The problem analysis has been more aligned with the findings of the Evaluation Report; for example, it has been clarified that in Open Banking, passing on user data to unregulated fourth parties via API aggregators is not a problem as such, as long as there is explicit consent of the data subject, although it is perceived as a problem by banks (section 2.1.2.);

·Regarding Open Banking, it has been clarified that no reliable data on the size of the market or demand exists, and while consumers report concerns about security of data, the constant growth in the number of providers indirectly indicates strong demand (section 2.1.2.);

·Greater explanation of the impact (and the interaction with the problem definition) of the “flanking measures” described in Annexes 7 8 9 and 10;

·The scoring of options in the tables in section 6 has been reviewed in order to make the scores more useful in policymaking terms;

·Reports were introduced in Annex 2 of two further consultation events held in March 2023, of the Payment Services and Markets Expert Group (stakeholders) and of the Commission Expert Group on Banking Payments and Insurance (Member States);

·Regarding the generalisation to all credit transfers of the “IBAN/name verification” service, greater explanation of the cost impacts and the geographical distribution of the effects of the option has been provided, and more information has been provided about the coherence of this option with the Commission’s proposal on instant payments (section 6.1 and Annex 12);

·It has been explained why cross-border fraud is much higher than domestic fraud, and how the proposed solutions can contribute to reducing the difference (sections 2.1.1. and 6.1.);

·The distributional and competition-related impacts of the selected options have been discussed in greater detail in section 7; an SME test has been inserted (Annex 13).

·The specific objectives have been redrafted to be more precise and measurable, and more distinct from the general objectives (section 4.2).

4.Evidence, sources and quality

A number of inputs and sources of data were used in the preparation of this impact assessment, including the following:

·Evidence supplied in the various consultations described in Annex 2 and on an ad hoc basis by stakeholders.

·Evidence provided by the European Banking Authority in its Advice of 23 June 2022.

·A study carried out by a contractor, Valdani Vicari & Associati Consulting, delivered in September 2022, “A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2). Contract reference FISMA/2021/OP/0002.

·Data obtained from private sector operators, especially in the field of Open Banking. Regarding Open Banking, it should be noted that in the EU (unlike in the UK for example) there is no public sector entity which publishes or centralises data on Open Banking, and complete reliable statistics on the EU Open Banking sector are therefore impossible to obtain.

Annex 2: Stakeholder consultation

1. Consultation plan

In order to ensure that the Commission’s proposal adequately takes into account the views of all interested stakeholders, the consultation strategy supporting this initiative was built on the following components:

1.An open public consultation, open from 10 May 2022 to 02 August 2022 159 ;

2.A targeted (but nevertheless public and open) consultation, with more detailed questions than the public consultation, open from 10 May 2022 to 5 July 2022 160 ;

3.A call for evidence, open from 10 May 2022 to 02 August 2022 161 ;

4.A targeted consultation on the Settlement Finality Directive, open from 12 February 2021 - 7 May 2021;

5.Consultation of stakeholders in a Commission-led group, the Payment Systems Market Expert Group (PSMEG);

6.Ad hoc contacts with various stakeholders, either on their initiative or that of the Commission;

7.Consultation of Member States’ experts in the Commission Expert Group on Banking Payments and Insurance.

The results of each component are presented below.

2. Open public consultation on PSD2 (and open finance)

Introduction

This annex provides a factual overview of all responses received. Therefore, any opinions expressed reflect the views of the respondents and do not reflect the position of the European Commission or its services.

Key messages

The key messages from the public consultation shows card payments are still the preferred methods of payment, both in-store and online. The choice in payment services has increased, and there is an overall positive stance towards new entities and Big Techs entering the field, although concerns about power and data privacy are expressed. Open Banking services (AISP and PISP) aren’t used a lot, due to a lack of awareness of their existence and data privacy concerns. Feedback further shows a discontent with a lack of transparency for cross border charges and fees, especially those including a currency conversion. SCA is regarded positively, but with some suggestions for improvements.

The key message from the EBA Advice, after a quality control check on the responses is about how the PSD2 review should pay attention to transparency with regard to fees and charges related to cross border money transfers.

Summary of Public Consultation responses

In total, 101 respondents (92% from the EU, 26 Member States, 93 replies) replied to the public consultation. EU citizens (52) formed the largest group of respondents, representing 50% of all respondents. Individual companies (20) and business associations representing their interests (11) formed the second largest group of respondents, representing together 30% of all respondents. There were also 5 public authorities, 2 consumer organisations (both EU-focused), 3 non-EU citizens, 2 trade unions (both EU-focused), 1 academic/research institution, 1 NGO (a charity) and 4 others who participated in the consultation (see Figure 1)

Many respondents indicate to be active in a non-defined field (Other – 43, Non-applicable – 20, total 62%), 28 respondents are active in Banking (28%) and 10 in Insurance (11%). Among those that labelled their activities as “Other” or “Non-applicable” are for example legal firms/lawyers, software vendors, EU-citizens involved in payments, associations for travel agencies, -vending machines and -telecommunications, and an association and an entity involved in electrical vehicle charging infrastructure.

Card payments are still the preferred methods for payment, both in-store (40%, cash being listed as the 2nd preferred method) and online (52%). Digital wallets on a mobile phone are only popular in-store (24%). Most respondents find the payment market innovative enough (51% yes – 48 replies, 30% no – 28 replies), and also find that the choice in payment services has increased over the last 5 years (70% yes – 66 replies). The overall sentiment towards new companies, including big techs, entering the market is positive, but there are concerns about power and data privacy, which is also reflected in the responses on the use of Open Banking (AISP or PISP) services.

A big point of critique regards unclarity about the costs and fees of making cross border payments (35% does not find these clear), especially those with a currency conversion (46% finds these unclear).

Overall there is support for the application of strong customer authentication (SCA), most finding it easy (in-store: 44%). It’s deemed more cumbersome in an online-setting but considered acceptable given the fact that is prevents fraud. Respondents also find that SCA has helped to make digital payments safer and more secure (50 replies, 76%). Some respondents suggest that more innovation should be allowed here, e.g. through the application of biometrics and behaviour, that PSPs should be required to offer non-mobile phone SCA solutions too, and that new security measures should be developed to counter new fraud methods such as social engineering and phishing.

For contactless payments without SCA most respondents indicate a wish for more control, in that users should be able to set their own (lower) limits, and that higher limits should be accompanied by a shift in liability.

Summary Call for Evidence responses

The Call for Evidence collected 195 responses in total, including one duplicate response. Further analysis showed that a large number of responses from Slovakia (72) and many responses not relating to the content of this CfE on the PSD2 review, but was in fact aimed against the Digital Euro (75, of which 62 from Slovakia). Another 3 responses were about tobacco. These responses were most likely meant for the separate consultations on the Digital Euro and on tobacco which ran at the same time as this one. A further 4 responses also did not appear to respond to the CfE on PSD2. Excluding these responses the final number of responses analysed is 113, of which 92 citizens (incl. 18 non-EU citizens, of which 8 from the UK), 12 business associations, 9 companies organisations and 1 consumer organisation.

The feedback from citizens mostly on cross border money transfers, and issues they are experiencing in terms of a lack of transparency. 74% (83/113) indicates they still face high fees when doing cross-border money transfers, with fees not always being clearly communicated upfront. Some citizens refer to money transfers with third (non-EU) countries, e.g. between the UK and the EU, but also within the EU between Euro and Non-Euro countries. Many responses were nearly identical, explicitly suggesting the including of a “mid-market rate” into article 45 of PSD2 (25 responses). Further analysis showed that one PSP providing cross-border money transfer services ran a campaign, encouraging its users to submit their feedback to the CfE on PSD2 regarding fees and transparency for these services. Their campaign included an explanation of the PSD2 review and a guide on how to respond, including some suggestions for responses.

Other topics included in the feedback are about SCA, on its impact (fraud prevention), its implementation (incl. the limited use of SCA exemptions and the need for a mobile phone to perform SCA) and suggestions on how to improve it, mainly from the travel sector who request separate provisions for business travel. One respondent shares concerns about SCA and Electric Vehicle charging, related to the upcoming Alternative Fuel Infrastructure Regulation (AFIR), expressing a fear that the regulations could lead to disproportionally high investments for the providers of EV infrastructure.

3.PSD2 targeted consultation 

Who responded?

The targeted consultation on PSD2 ran from 10 May to 2 August, 2022. A total of 169 parties responded to the consultation. There were 146 (86.4%) respondents from the EU (largest

contributors: 27 from Germany, 22 from Belgium, 15 from France, 12 from the Netherlands and 11 from Italy), 11 (6.5%) from the UK and 10 (6%) from the US.

To the right an overview of all contributions per stakeholders type, which included 7 consumer organisations (European and national ones) and 15 public authorities.

In terms of activity, most respondents labelled themselves as “Other” (98, 58%) and “Banking” (64, 38%). “Insurance” (5), “Accounting” (3) were also mentioned, among others. Among those labelling themselves as “Other” there were those active in Open

4.Figure 4 Contributions given per type of stakeholder

Banking and APIs, E-money, Payment Service Providers, Retail, Telecommunications, Treasury and more.

Two responses appear to be duplicates, and due to the similarity of some responses it is clear some member associations have coordinated a “main message” or “main response”. The duplicates have been controlled for during the analysis. Coordinated responses are considered unique contributions.

Key Messages

The targeted consultation (TC) comprised of 55 questions that covered stakeholders’ experiences with the PSD2, whether the PSD2 objectives were met, targeted questions per PSD2 Title, and offered respondents the option to provide suggestions for changes to the PSD2. It should be noted that, despite a high number of total respondents (169), many respondents skipped questions or responded “Don’t know”/No opinion/N.A. This is likely due various specific topics that were not directly applicable to all types of respondents.

It should also be noted that, with regard to the different questions and topics, views held within each stakeholder group are not always homogenous, meaning that drawing conclusions on group views is not always straightforward. Most noticeably, the group “ASPSPs” encompasses a heterogeneity of institutions, including credit institutions of different sizes and profiles, but also other types of non-bank PSPs which offer and service payments accounts, namely e-money institutions (EMIs) and payment institutions (PIs). One question where the views of ASPSPs have reflected this diversity (rendering meaningless an attempt to identify a group position) is, for example, on the level playing field. Here credit institutions’ reported concerns largely focused on the obligation to provide a mechanism for TPPs’ access to account data, whereas for non-bank PSPs a key issue concerned the dependence on credit institutions to access payment settlement systems. Similarly, within the TPPs group, one often finds contrasting views between TPPs which practiced Open Banking already before the PSD2 framework entered into force and those emerging after PSD2 162 . One case of such differing views within this group concerned the data access mechanisms, where pre- PSD2 TPPs tended to make more use of fallback interfaces (thus favouring keeping this option), whereas TPPs emerging after PSD2 favoured quality, performing dedicated interfaces (either through common API standards, or by not opposing remuneration for data access services beyond a baseline in order to improve API quality).

The below summary of responses is provided in the same order as the Targeted Consultation itself.

General questions

In terms of the objectives of PSD2 respondents say the following: the majority of respondents, 85%(112/132) (excluding the don’t knows/blanks) agree that PSD2 has been effective in making payments safer and more secure, in ensuring a high level of protection for PSUs across all EU (82%, 106/129), in increasing the choice between different types of payment providers (77%, 102/133), in strengthening consumer rights (78%, 98/126) and that it's been supportive in the creation of an environment that stimulates innovation in payment services (66%, 92/139). Especially regarding consumer and PSU protection, only a handful of respondents disagree (others are neutral/don’t know).

Respondents are less positive about PSD2 improving the level playing field (30% does not agree, 56% agrees, out of 136 respondents). Some also comment that the PSD2 requirements, like SCA, are more likely to be implemented via smart phones, favouring this technology over others. The views are more nuanced for market integration and competition. There is a wider choice of PSPs than before (86% agrees 106/123), and the EU payment market is more competitive than before (77% 96/125). Respondents agree that the internal payment’s market functioning has improved 62% (73/118). However, there is less support for PSD2 having contributed to the development of cross-border payments within the EU (43% agree, 50/115 and 37% are neutral 43/115). For remittances the number of responses was significantly lower (80 don’t know, blank), and a large group remains neutral – 35% (31/89), against 38% (34) positive, and 27% (24) negative.

In terms of payment options and innovation the responses are positive: payment options have increased (78% (102/130) and making digital payments has become easier 66% (87/131), although views are less optimistic for international payments (EU and non-EU) – 35% (39) agree this has become easier. 71% of respondents agree that PSD2 has met its innovation-related objectives for the development of innovative payment services, solutions and overall innovation. An often-cited example is the rise of so-called (data) aggregators. Some remarks stressing a potential obstruction of innovation are placed with reference to the Level 2 text (RTS on SCA), such as the restrictive approach to behavioural biometrics (in the context of SCA), and that most authentication flows are still controlled by the banks. Furthermore, it should be noted that the uptake of Open Banking services is still low, although growing month-on-month.

A central aim of the PSD2 was to ensure and improve consumer protection, which respondents find the PSD2 has contributed to (82%, 102/125), including in that it has contributed to the protection of consumers’ financial data (61%, 70/115). It has also led to a reduction in fraud in digital payments (74%, 86/116). However, all types of respondents identify the rise of new fraud methods that SCA cannot prevent (entirely), such as spoofing, phishing, etc. For surcharging (fewer responses), 62% of respondents (61/99) believe PSD2 has effectively removed these. Regarding clear information about payment services and terms and conditions only 50% of respondents (56/111) agree this now OK, whereas 29% remains neutral.

The costs and benefits are a more complex topic, with not much quantitative data, but many qualitative elaborations. Stakeholders agree that PSD2 has resulted in higher costs (89%, 72/81), often referring to the creation of PSD2 APIs and implementation of SCA. One level lower the PSD2 has mostly led to higher costs for merchants (66%, 52/79), and corporates (51%, 39/77). Less so for individual consumers (53% disagrees, 45/87). For the implementation of SCA the views are split: 36% (36/99) find the benefits related to SCA exceed the costs of its implementation, 38% disagrees (38/99). Concerning proportionality, the majority of respondents finds the investments to comply with PSD2 were disproportional to its benefits – 63% (64/101). Many banks (34) also find that the benefits of PSD2 do not outweigh the costs of implementation, often arguing the large costs placed on them to provide access to accounts for free. Lastly 71% of all stakeholders (65/91) disagree with the statement that PSD2 has simplified things (compared to PSD1).

In terms of enforcement most respondents, including NCAs and most banks and PSPs, consider that NCAs are sufficiently empowered to ensure the correct application of PSD2 (66%, 64/97), and to impose penalties (66%, 61/93). However, consumer organisations do not agree the provisions are adequate, and neither do some TPP respondents. A majority, including most banks and PSPs, (68%, 65/97) finds the EBA should conduct mandatory peer review analysis of the NCAs’ supervisory activities, including the consumer organisations and TPP respondents. Most NCAs are against this.

Respondents could also provide suggestions for changes to the PSD2. 71% of them (95/133) believe PSD2 should be amended to cater for market developments, and that it should be complemented by self-regulatory measures and industry-led initiatives (72%, 91/126). Many also believe PSD2 could be simplified to reduce compliance costs (70%, 86/122). When asked if the PSD2 should rather be a Regulation, the majority of respondents remained neutral, didn’t provide a response or doesn’t know (43%, 73/169). Many respondents note that a full review of the PSD2 is still too premature, but that targeted amendments would suit better, such as behavioural biometrics being allowed as an SCA element or allowing banks to charge for the access to accounts (banks largely in favour, TPPs only for “value-added services”). Many stakeholders also note burden of the many different reporting obligations and request alignment between various pieces of legislation (e.g. DORA).

Title 1: subject matter, scope and definitions

This section covered questions about the scope (art. 1, 2) of the Directive, exclusions to the scope (art. 3) and definitions (art. 4). Most respondents (55%, 66/120) agree that the scope of PSD2 is adequate. However, 48/92 (52%) respondents believe the scope should change, which includes some that previously responded the scope was adequate. Some explanations refer to a merger of PSD2 and EMD2 and a closer look at the GDPR and access to accounts.

With regard to exclusions, many respondents believe these need to be modified (64/144 respondents, 56% disagree with the statement that article 3 exclusions are adequate). Those in favour of modifications (61/98, 62%) are largely active in banking (27/64, 42%). There is also more support for including more exclusions (68% agree, 47/69, 110 respondents do not have an opinion/no answer). Most of the respondents in favour of exclusions argue to be explicitly excluded themselves (e.g. a corporate bank suggesting an exclusion for a corporate card), but various stakeholders also report NCAs are applying exclusions differently (specifically the commercial agent, art. 3(b), limited network exclusion (art. 3(k)(i) and intra-group payments (art. 3(n)). Stakeholders that would rather see the exclusions narrowed down provide the argument that the PSD2 should reflect market developments and increasingly important positions some players are occupying (referring to certain technical service providers, such as wallets or TSPs processing large transaction volumes) and a level playing field. Some exclusions that received more attention over the last years were singled out in the TC: as regards the exclusion for telecom operators (art. 3(l)) the views are mixed: 23/89, or 26% find it adequate, 34/89, or 38% disagree. Concerning the same exclusion, the views are similarly mixed regarding the referenced limit to transaction values (€50).

On the question whether definitions are still adequate and do not need to be modified, the responses are mixed: 41% (46/111) agree and 42% (47/111) disagree. Specifically for art 4 – 66% (66/100) believe the definitions are adequate), but 5/7 consumer organisations believe something should be modified – but do not say what. Most public authorities are OK with the definitions (10/12 – 3 do not answer), but companies (52) have more difficulty (over 60% is OK with the definitions, 35% is not. Some suggestions to be reconsidered are “(remote) payment account” (should credit cards be included or not), “account information services” (clarify as the definition is only a subset of what is possible in AIS),

For Annex 1, the views on the adequacy of the list of services are mixed: 44% agrees (50/113), 38% disagrees (43/113). However, when asked about the specific 8 services the most frequent response is that no change is needed (approximately 83/122, 68%). Most noteworthy is the desire to change the description of account information services (17%, 21/122). A dedicated question was included on ‘cash-in-shops’, currently considered under cash withdrawals, and whether it deserved its own authorisation regime. Views were limited (many are unfamiliar with the service, it does not exist in all Member States), the majority has no opinion (55%, 63/115) and the others are evenly split (yes: 26/115, no: 26/115). Those in favour (mostly stakeholders active in banking and public authorities) argue it should be included in definitions, and that this service is important for access to cash in view of the continuous closing down of bank branches and ATMs. Those against argue that adding more regulation might discourage the provision of the service and that the service presents less risk and/or that the current regime is already proportionate.

In terms of expanding Annex I, some support is found for including the ‘issuance of e-money’ (41% agree, 52/126; 26 or 21% disagree), ‘payment transactions using crypto assets (including stable coins)’ (50% agree, 63/126, 25, or 20% disagree) and ‘digital wallet services (e.g. mobile apps for payments)’ (43% agree, 54/126; 39, or 31% disagree). Some arguments provided in favour of adding issuance of e-money and digital wallet services are services are: creating a level playing field and simplification of regulation (concerning inclusion of e-money) and the fact that wallet providers have become increasingly interwoven with the provision of payment services, e.g. SCA depends on technical elements in mobile devices. No clear arguments are provided for the inclusion of payment transactions using crypto assets, although this may be related to the MiCA Regulation.

Stakeholder feedback also shows a reluctance to include certain services to the Annex, such as ‘payment processing services’ (24%, or 30/126 agree; 40% or 51 disagree), ‘operating payment systems’ (15% of 19/126 agree; 46%, or 58, disagree), and ‘operating payment schemes (18%, or 23/126 agree; 40%, or 50/126 disagree) arguing that Oversight (ECB) already covers both of these services, and that the PSD2 is about services provided from a PSP to a PSU.

Title II: payment service providers

This section covered questions about authorisations and supervision. The level of responses was significantly lower for these questions, on average approximately 39% (66) of respondents provided a response, with 61% (103) of respondents leaving questions blank or “don’t know”. This could be related to not all respondents being regulated entities, but even regulated payment institution entities and third party providers and -associations provided “don’t know/no opinion/not applicable” to e.g. the authorisation questions (e.g. Q15: PSD2 is sufficiently clear in determining whether a service must be authorised or not) or left the question blank. However, of those respondents that did provide a response, the majority find that the PSD2 is sufficiently clear in determining whether a service must be authorised or not (66% - 54/88), although there are 4 public authorities that disagree with this statement. 65% (51/78) finds the requirements to apply for an authorisation are adequate. Some respondents, including NCAs point out a need for clarifications, e.g. regarding the professional indemnity insurance, comparable guarantee, safeguarding requirements and ancillary credit, or suggest an introduction of e.g. a threshold regarding the amount of business to be provided in the home Member State (related to article 11) with the caveat that these thresholds should not be too rigid. Some authorities suggest changing the EBA Guidelines on authorisation to be converted into an RTS.

Regarding the dedicated authorisation and supervisory regimes for PIS and AIS the responses are mixed. Most find that the AIS regime is adequate (45%, 31/68), but 30% (23/68) disagrees, including some public authorities. There is no clear distinction in type of stakeholders, it’s both public authorities, banks and TPPs that agree and disagree. Those that agree that the AIS regime is adequate mostly find the PIS regime adequate as well, and vice versa. A member’s association of TPPs is of the opinion that the authorisation regime for these providers should be even more risk-based and suggests a lighter regime should be in place, arguing that these providers are not payment institutions, but providers of software tools.

The questions regarding capital and own funds received few responses, and proportionately many neutral responses too (between 35-45%). Most respondents find the capital and own funds requirements in article 7, 8 and 9 adequate. Some respondents point out that some Member States deviate in terms of capital requirements, such as France requiring TPPs (AISP and PISP) to have the same ‘capital projections’ as Payment Institutions, although the provisions in article 9 do not apply to parties that only provide AIS or PIS, and some note that some Member States allow institutions to choose their own method of calculation, whereas others prescribe which one should be used. Various respondents request “payment volume” to be better defined.

A relatively large group of respondents found that PSD2 leads to regulatory arbitrage (47%, or 35 over 74), including some public authorities. Various respondents point out the authorisation process should become more harmonised across the EU, attributing the concentration in a few Member States to diverging national approaches. This point is also closely linked to another topic mentioned more frequently: agents, (triangular) passporting and home/host supervision (linked to article 19). Commercial stakeholders note that some host supervisors go beyond the passporting regime and impose requirements on entities passporting in their jurisdiction, although NCAs themselves do not indicate they deviate from any of the PSD2 requirements. In terms of triangular passporting, a large group of respondents (65%, 32/49) find it should be regulated with clear expectations and a division of responsibilities, shedding light on who is allowed to passport and who is not. A large consumer organisation is of the opinion that triangular passporting should not exist at all. Stakeholders in favour and not in favour of a triangular passporting regime are in favour of a register that allows NCAs to share data on an entity’s passporting arrangements (maybe even including their use of agents), which would enable a host NCA to contact a home NCA and improve transparency.

Another grievance of payment institutions and EMIs is that they currently do not have direct access to SFD-designated payment systems, the result of a carve out (art. 35). A majority (38/55, 69%) would like to see this carve-out removed, mostly non-banks and public authorities. Those against are mostly stakeholders with direct access, often quoting financial stability risks and alleging PIs/EMIs are subject to “light” supervision and that non-banks already have access via intermediaries. There is no clear feedback on conditions or rules non-banks should be subjected to in exchange for direct access, except that it should be proportionate. There is also large support for the modification of article 36 (38/64, 59%), as many non-banks are not only having trouble getting bank accounts, but those with bank accounts are the victim of banks’ efforts to de-risk (usually for the purpose of AML). 65% (47/72) are in favour of a mandate to the EBA to develop technical standards or guidance on art. 35/36.

Title III: Transparency of conditions and information requirements for payment services

This section covered questions about transparency; one of the objectives of PSD2 was to improve the transparency of conditions for providing payment services. Here too the level of responses dropped, although somewhat less than for Title II: approximately 58% of all respondents responded to the higher-level questions on transparency (the remaining 42% left questions blank – 48- or “don’t know/n.a.” – 23), where still fewer specific responses, i.e. yes or no, were received for the more specific- or in-depth questions. This could be attributed to not all respondents being subject to the transparency requirements.

A majority of respondents still found the requirements adequate and fitting current payment needs and methods (53%, 52/98; 32%, or 31/98 disagree) also finding the requirements contributing to making digital payments more secure (56%, or 52/93; 24% or 22/93 disagree). In terms of whether these requirements have led to a more informed user choice between different payment products the views are split: 41% agree, but 37% disagrees (39 vs 35 out of 95). Views from consumer organisations in this regard are mixed (5/7 responded to these questions) but lean towards a more negative side (somewhat disagree and neutral).

In terms of changes to the requirements stakeholders from the banking sector call for a reduction of “information overload”, which is a result also of other pieces of financial services legislation. In this regard a reconsideration or removal of the two-month notification period is mentioned. Respondents also call for clarifications, additional information and/or updates: for ‘durable medium’ a link to contractual terms should be sufficient, the inclusion of a benchmark mid-market exchange rate, informing the PSU in a framework contract under which circumstances funds can be blocked and released, clearer information relating to the name of the payee (related to commercial name) and more. Regarding the disclosure of currency conversion costs for one-leg transactions, most banks respond negatively to this requirement, arguing this adds complexity (as PSPs also have to comply with third-country regulations) and that this would go beyond the PSD2 geography, where most consumer organisations and public authorities are in favour.

Title IV: Rights and Obligations in relation to the provision and use of payment services

Title IV covers the rights and obligations of all parties involved within PSD2. This includes, inter alia, certain rules on applicable charges, irrevocability, the rights to refunds, rules for liability, and the requirements regarding access to payment accounts (who has access, how and under which circumstances). Furthermore, it contains requirements on operational and security risk and on strong customer authentication. Given the length and number of detailed articles in this Title the below analysis focuses on the larger topics of liability, access to accounts (Open Banking) and operational and security risks (incl. SCA).

A majority of respondents (between 57%-67%) finds the rights and obligations in PSD2 clearly written for both PSUs and PSP, but a relatively large group disagrees (20%-28%). Consumer organisations are not in agreement: some find the provisions are clear and adequate, some do not. Most public authorities find that these provisions are clear and adequate. A key topic mentioned by many stakeholders is “gross negligence”, and that this must be clarified. The rules on applicable charges, one of the topics of the review clause (art. 108) are deemed adequate by most respondents (59%, 46/78). 7 respondents propose a complete prohibition of surcharging for all payments (not just cards) and a few others criticise the different application in Member States (art. 62(5)), both stakeholders suggesting the Member State options should be removed. Regarding the ceiling for contactless payments (56%, or 30/54, find art. 63 adequate) a majority finds this should stay the same (the cumulative limits of 150 euros and should remain: 46% or 44/96 and the total of 5 transactions 60%, 56/92), although a large group is in favour of higher limits. But consumer organisations argue two things: that consumers should have control and be able to (de)activate this function, or choose their own ceiling (max. 50 €), whereas another organisation argues limits are not needed given new payments means and COVID19-experiences and suggest that PSPs could

For refunds and liability, the views are more mixed. A large group of stakeholders finds the provisions on liability in PSD2 inadequate (35%, 33/95), mostly banks and banking associations, but also including 3 consumer organisations. For refunds 5 out of the 7 consumer organisations find these are inadequate (in total 42% disagree these provisions are adequate; 39/92). A large group also finds that the allocation of responsibility is currently not adequate (51% agree, 47/93, but 27% disagree, 25/93), including 3 consumer organisations (2 others are neutral, 2 others agree). Another review topic was on the blocking of funds (art. 75) in case the final exact amount of the payment is not yet known at payment initiation: views are mixed and it is noteworthy that the largest group of respondents, which includes consumer organisations, banks, TPPs and public authorities indicates they don’t know (45 respondents). A few respondents (6) explicitly request a maximum ceiling be introduced, whereas 21 other respondents emphasise that the introduction of such a ceiling would not work in practice. 3 respondents suggest to introduce a maximum time limit for the release of the payer’s funds.

For access to accounts (Open Banking, OB), many stakeholders do not the regime successful (29% deem it successful; 32/110; 45% does not, 50/110), with no clear pattern or trend by stakeholder or country. On the other side most stakeholders do find that PSD2 ensures safe sharing of payments data (65%, 72/110), although some noteworthy respondents such as 4 consumer organisations (data protection concerns) and some banks disagree. The provisions on consent management and who is liable once consent is given leave room for improvement (51/108 or 47% and 47/103, or 46% are not content with the current provisions). Many respondents, including consumer organisations and banks request for banks to be allowed to provide a consent dashboard in their own interface to allow PSUs to have insight into consents given and the option to remove a consent. Stakeholders are also in favour of further clarifications on key concepts such as ‘obstacle’ (RTS on SCA & CSC, 77% - 64/83 in favour) and “objectively justified and duly evidenced reasons” (art. 68(5), 76% - 64/84). Those against clarifications are mostly active in banking (15/19 and 16/20, respectively). Many stakeholders suggest the confirmation of availability of funds (CAF, art. 65) should no longer be mandatory (or even removed), as this service has not taken off – this was also reported in CEGBPI. A similar request, for the removal of the mandatory requirement, is made for corporate payments (and corporate payment accounts), a request which overlaps with some reports of small or niche ASPSPs that have hardly seen any (or no) traffic on their PSD2 interfaces. When asked whether a common API standard should be included in EU legislation the views were split: 53% (49/92) is in favour – most public authorities and consumer organisations view this positively, 47% is against, consisting of a mix of banks and non-banks (incl. TPPs). In explanations many TPPs explain that APIs, even when following a market standard, still deviate somewhat and do not always work, nor provide the data fields necessary to provide the Open Banking-service. A few respondents also report a reliance of TPPs on technical service providers who provide the service of connecting to PSD2 APIs. Respondents also criticise the (lack of) enforcement in this area. Another important topic in this debate is remuneration (50% (47) in favour, 50 % against (47)), currently not allowed for Open Banking access. Banks are all largely in favour of changing this entirely, requiring a commercial incentive. TPPs appear to be OK with remuneration, but on the condition that only value-added services can be remunerated and that PSD2 “baseline” services remain available without contractual obligations. Many banks demand direct access (screen-scraping, or fallback) should be completely forbidden, whereas various TPPs require this should remain given the current quality of the PSD2 APIs, and require the removal of the fallback exemption too.

For operational and security risks, the majority of respondents finds the current provisions adequate (on average 75% agrees – on average 92 respondents provide an answer) and agrees with the statement that the framework has made payment service providers more resilient (74/97, or 76% agree). Noteworthy is that some public authorities are neutral (16%) and some don’t know/left the questions blank (35%), with one public authority pointing out that many of PSD2’s security requirements had already been implemented by the industry or through national legislation before the PSD2 went into force. Consumer organisations are less positive and remain either neutral or refrain from answering. With regard to fraud stakeholders indicate to be in favour of tools to enable better fraud detection, such as a data base or by enabling data sharing between PSPs.

PSPs also mention frequently that regulatory fraud reporting and operational/security reporting should be better aligned and harmonised internationally as they pose a large burden, also with an eye on DORA. Much feedback is provided on strong customer authentication (SCA): many stakeholders agree SCA has made digital payments safer (83%, 98/116), but do report it negatively impacted their business (51/93, 54%, or 56% report adverse impact), that it led to obstacles in the provision of services towards PSUs (52/77, 68%), including the exclusion of categories of customers/citizens (48/96 – 50%) and request SCA to be changed to a risk-based or outcome based model, to allow for behavioural biometrics and an inherence element and to provide clarity on which factors can be used to make up two-factor authentication. Concerns are reported about the newer types of fraud that SCA does not protect against, such as social engineering and phasing fraud and that Bigtechs and social media platforms should take responsibility too, as they allow malicious parties to use their platforms for fraud, e.g. by including links to those parties in their search engine results. It is deemed important to invest in consumer education and to consider how to deal with these new types of fraud.

Title V: Delegated Acts and Regulatory Technical Standards

Title V (art. 104, 105 and 106) covers the adoption of delegated acts and the obligation to inform consumer of their rights. These questions also returned a low response rate: between 56 and 66 respondents left these questions blank, and 43 to 66 respondents did not know/no opinion/n.a. (average response rate to yes/no: 52 respondents). Most examples and arguments provided in this section are anecdotal unless indicator otherwise.

Overall, 34% (38/113) of the respondents believe the requirements on delegated acts and regulatory technical standards to be adequate and 29% do not (33/113). Some suggestions for improvements were more precise and detailed RTSs, specifically referring to API requirements and SCA (and the related RTS and subsequent guidelines and opinion linked to this), for this type of delegated regulation to be more outcome-based and less prescriptive, to be reviewed more often, and to avoid fragmentation in implementation across Members States. Various stakeholders also comment on the work of the EBA in the field of harmonisation and the proceedings surrounding Q&As.

In terms of other field in which the EC could or should adopt delegated acts the responses were very limited (8/108 agree, 34/108 disagree and 60%, or 65/108 don’t know). Arguments against include that relevant requirements should rather be set out in Level 1 text, that further delegated acts would only make things more complicated (mentioned multiple times), to review relevant EBA opinions, guidelines and Q&As and consider to incorporate those in a future PSD3.

Concerning the informing of consumers of their rights (art. 106) the majority of respondents (excl. blanks and don’t knows) is not in favour of changing these requirements, arguing that consumer rights are already covered by the PSD2, and that if any work on this should be done, it should be done at a higher level of EU legislation and ensure harmonisation across Member States to improve on the patchwork of local consumer protection requirements.

An additional remark was provided on consumer rights leaflets in paper (art. 106(3)) that was already shared with the Commission before the targeted consultation by various stakeholders. The paper leaflets are considered outdated and should be reviewed.

Title VI: Final provisions

The final provisions in Title VI include, amongst others, the provision on full harmonisation (see also question 8), the review clause, transitional provisions and amendments to other pieces of EU legislation. Between 103 and 129 respondents provided a response to these questions (incl. don’t know/no opinion/n.a).

Regarding full harmonisation (art. 107) views are split – most stakeholders don’t know or don’t have an opinion (33%, 33/115 – mostly payment institutions, TPPs and 3 consumer organisations), an equally large group finds the provisions adequate (32%, 37 – a mix of largely banking-stakeholders, 18, payment institutions, TPPs and 8 supervisory and regulatory authorities), but a large group does not agree (19%, 22), of which most (11) are active in banking. In additional commentary some of the disagreeing stakeholders stated that PSD2 should become a regulation, others note the importance of ensuring harmonisation and the monitoring thereof across Members States.

Concerning the review clause of art. 108, 24 stakeholders indicated to have further items to be added to this clause (of which 16 unique responses). Items mentioned include the importance of level playing field (mostly by banks), (another review of) the rules on surcharging of article 62, access to payment systems, key payment infrastructure also having to capture providers of mobile devices, gateways and browsers given the changes in payment needs and methods, reviewing the interrelation of other regulations (like GDPR, DORA and AMLD). A consumer organisation finds the review should address the use and commercialisation of consumer data by intervening agents, but does not provide more detail. A large banking association stresses here, as also mentioned before under other titles by other (banking) stakeholders, the particular case of corporate payments and corporate payment service users, and how these differ from retail payments- and users, specifically for the (non-)application of SCA – arguing that corporate clients are more professional and both clients and payments subject to more security anyway.

With regard to the provisional provisions of art. 109 most stakeholders refrain from responding (56 don’t knows -50%- and 58 blanks), similar to the question concerning amendments (art. 110, 111 and 112). The small group that responds deems the provisions adequate (29 respondents, 26%).

Finally, some other topics stakeholders deem important (besides repeating many points already shared in their response) and would want to highlight are the importance of cash to remain available, proportionality (banks vs. payment institutions and EMIs), a proper consideration the implementation time schedules or regulation given past experiences with the PSD2 and the RTS on SCA and CSC, continuously increasing (overlapping) reporting requirements

4. Targeted consultation on the settlement finality directive

To support an ongoing review of the SFD, a targeted consultation was conducted between 12 February 2021 and 7 May 2021. It covered a number of aspects of SFD, including participants in systems governed by the law of a Member State 163 . Only this element of the consultation is covered here. The Commission received 72 responses to the targeted consultation (of which 62 covered the topic under discussion here). The majority of respondents were company/business organisation (41 respondents) and business associations (20 respondents). Together they represented 85%. In addition, nine public authorities and two academic/research institutions replied to the targeted consultation. No consumer organisation or citizen responded to the targeted consultation.

A majority of respondents agreed to add payment institutions and e-money institutions to the list of eligible (direct) participants in systems governed by the law of a Member State, at least as far as payment systems are concerned, although views varied as to under what conditions and requirements.

Of the respondents in favour of adding payment institutions and e-money institutions to the list of participants, the larger part (22 for payment institutions and 23 for e-money institutions) said that they should be allowed to be direct participants or indirect participants who may be considered direct participants if that is justified on the grounds of systemic risk. A smaller part (13 respondents for both payment institutions and e-money institutions) replied that they should only be allowed to be direct participants. One respondent said that they should only be allowed to be indirect participants. One respondent was against payment institutions being direct participants.

More than half of those that replied to the question (28 respondents) were against limiting participation to where it is warranted on grounds of systemic risk; 21 considered that such a limitation would be appropriate and 23 respondents were neutral, did not reply or did not express an opinion.

For both payment institutions and e-money institutions, a broad majority (35 respondents) rather or fully agreed that payment institutions and e-money institutions should be subject to a risk assessment; a smaller part (15 respondents) rather did not agree or disagreed with a specific risk assessment; four were neutral and 18 did not reply or did not express an opinion.

Moreover, a majority (29 respondents) rather did not agree or disagreed that payment institutions and e-money institutions should be subject to a particular risk assessment, adapted to their particular risk profiles; 11 agreed with such a particular risk assessment; 13 were opinion and 19 or did nor reply or did not express an opinion.

5. Consultation of stakeholder groups

The Payment Systems Market Expert Group (PSMEG) discussed PSD2 on 16 December 2021, 5 April and 3 October 2022, and again on 30 March 2023 164 . A summary is provided by meeting, but topics that were discussed multiple times are not repeated.

In the meeting of 16 December 2021, members observed regulatory revisions should not be too prescriptive (focus on the “what”, not the “how”) and should be “time-neutral”. They also found that PSD2 has increased competition, but has not yet reached all its objectives, e.g., the regulatory framework still appears to favour card-based payments over non-card-based payments and more standardisation is needed in terms of APIs, although members are not in favour of full standardisation. Members suggested that EMD2 and PSD2 should be merged and that AIS should be removed from PSD2 as this is data-related (GDPR). It was observed that PSD2 scope review should consider additional services such as Buy Now Pay Later, as well as wallet providers and custody services that are outside the scope of PSD2 currently. As regards technical service providers, some members found that they need not be in the scope, as they do not handle actual payments and only push data (and are covered by GDPR), while other members argued that their inclusion in the scope should depend on the type of their activity. Various members referred to difficulties with implementing and enforcing SCA and to the fact that enforcement varies across the EU and more harmonisation would be necessary (the same applies to AMLD and KYC). Members concurred that PSD2 needs to have sufficient protection measures in place to allow for safe and secure transactions, also in light of new market developments. Retailers observed that the contactless payment limits could be increased.

Several members observed that SCA has decreased the level of fraud, but whenever fraud occurs, the amount of money that is stolen is higher than before, especially in the access-to-accounts business (via social engineering, not card-based transactions). Many members agreed that PSUs need to be educated on fraud and fraud prevention and that collaboration within the industry would also be important. Members found that behavioural metrics should be considered as an inherence SCA-factor. Members also thought that SCA should not be too prescriptive as fraudsters use the requirements to base their workarounds on. If the framework were to allow for PSPs to determine the best combination of authentication methodologies, this could avoid a single point of failure.

The meeting of 5 April focused more on access to payment accounts (Open Banking), authorisation, transparency and rights and obligations. Next to issues already noted on 16 December, members note data-sharing issues within Open Banking related to the GDPR (e.g. data minimisation vs parity between online banking and PSD2). Furthermore, most issues members have encountered are grounded not in Level 1, PSD2, but in Level 2, the RTS on SCA and CSC. Overall members experience few issues with regard to authorisation, although clarity on some topics, e.g. safeguarding requirements, would be welcome. Concerning transparency some members note how difficult it is to inform the payer upfront of the ultimate costs in case of a cross border payment with currency conversion, due to hidden fees in (inflated) exchange rates. Members support the implementation of IBAN checks to avoid potential mistakes made by the payer, and also warn that a right balance must be found between transparency and information overload for consumers. Also, members stress that framework contracts are not suitable for AIS and PIS. Under rights and obligations low value payment instruments (art. 63) were discussed and the blocking of amounts (art. 75), which leads to issues as funds sometimes take a long time to be released. Additionally, a consumer organisation argued that the limit of 50 euro (for not applying SCA during a contactless payment) should not be further increased and that consumers should be able to control this limit.

The meeting of 3 October 2022 was dedicated in its entirety to the PSD2 review. A number of subjects were covered:

·Regarding the scope, the discussion was about the exclusion of technical service providers, specifically pass-through wallets and payment processors, as they are becoming or have become important players (even when covered by outsourcing rules), and as consumers can confuse the user-facing-TSPs (like wallets) for being a PSP. For cyber resilience, specifically, DORA has a mechanism to allow critical TSPs to be brought into scope. Operators of payment infrastructures pointed to the ECB/Eurosystem oversight, both SIPS and PISA (still new), and stressed the need to avoid duplicate regulation. Entry into possession of funds was regarded as a clear criterion (for being in scope), and any other criterion should be equally clear, to avoid grey zones. It is important to clarify where liability lies and who must perform SCA. Trust is a key issue, but for the moment consumers seem to trust the providers with which they interface; there are few complaints.

·Regarding open banking, a majority of PSMEG participants, including many TPPs, opposed a single standardised API for Open Banking purposes, noting that PSD2 should be technology neutral and avoid regulating technical issues in great detail. Enforcement should be more proactive and effective. The absence of a dedicated enforcement body was pointed out. Regarding criteria on minimum performance and functionalities, bank PSPs tended to oppose excessive prescriptiveness in the legislation while TPPs tended to support more clarity about essential, or baseline, functionalities. Bank PSPs expressed discontent with the requirement to provide both an API and a fallback access, pointing out that APIs rarely crash; however other speakers challenged this and also added that APIs are not always complete, missing functionalities and/or data needed for AIS/PIS. Regarding possible compensation for access, particularly for value-added, or premium, features, many speakers referred to the SPAA discussions in EPC, and the challenges of both defining baseline and value-added features and determining compensation (while respecting competition rules but avoiding monopoly pricing). The risk of double charging for the same access (to TPPs and to customers) was mentioned. The importance of the Data Act was emphasised.

Regarding fraud and consumer protection, the subgroup chair reported on the outcome of discussions on a number of consumer-related topics. No consensus had been found on the user of the commercial or trade name of merchants in statements to users (complicated to implement), the IBAN verification system (costs to implement vs. its potential to reduce fraud), a common definition of “gross negligence” for social engineering fraud (although there was agreement on a public awareness campaign, relieving uses of liability could lead to moral hazard issues), blocked amount on payment instruments. Consensus was reached on financial inclusion and SCA (alternative methods of confirmation), increasing the upper limits for contactless payments but subject to user control and that imposing a maximum transaction time on one-leg out transactions would be extraterritorial and unrealistic.

The Commission asked about SCA circumvention, for example via the MIT or MOTO exemptions. The subgroup had not found examples of circumvention, but had looked mainly at non-EU operations. It was noted that the MOTO exemption was widely used, for example in the travel sector. On direct access for non-banks to payment systems, the lack of direct access of PIs and EMIs to SFD-designated payment systems, is considered problematic in terms of level playing field between banks and non-bank PSPs. The report made recommendations concerning direct access: to amend SFD article 2b and expand the catalogue of institutions following a risk-based approach and adjust article 35 PSD2 to align, and to explore the right for PI and EMI to safeguard client funds at central banks.

There were also three recommendations concerning indirect access:

oAmend article 36 as suggested by EBA: clarify offboarding and refusal to onboard. EBA should receive mandate to develop technical standards to determine criteria.

oCover client funds at PI/EMA with DGS guarantee.

oEstablish additional measures in safeguarding options that would create a more level playing field. Investing in low-risk assets, insurance, or a comparable guarantee.

oNo opposition was expressed to direct access for PIs and EMIs, as long as risk-based access criteria are in place. A number of members considered that the existing risk assessment of credit institutions should form the basis for assessment of PIs and EMIs, mutatis mutandis. Non-bank PSPs tended to consider their credit and liquidity risk lower than that of banks (operational risk being the same) but were content to be assessed on the same terms.

In the meeting of 30 March 2023, in addition to a presentation by VVA/CEPS of its study, and updates from the different subgroups, the Commission presented the options under consideration, but without indication which options were preferred. Stakeholders expressed the following positions:

·On access to bank accounts for non-bank PSPs, those stakeholders who spoke were in favour of a combination of all the options. One stakeholder mentioned the need to introduce the possibility of safeguarding of funds with central banks. Another asked if there is any data available on bank refusals of accounts to PIs or EMIs. Another pointed out that PIs and EMIs tend to rely on the same bank, which involves risk in case of failure of that bank.

·On open banking, one TPP representative strongly supported the use by TPPs of the customer interface and condemned many APIs as being deliberately designed as unfriendly to TPPs. A different TPP representative expressed a different view, that well-functioning API access is essential and there is a need to move away from fallbacks and modified customer interfaces; there is a need for a resolution process in case an API is down, in their view. A banking sector representative opposed mandatory dashboards and supported a generalised move to use of APIs away from customer interfaces. Another PSMEG member pointed out that many smaller ASPSPs spend money on an API which is not used, and was against full API standardisation but in favour of more rules for APIs.

·On fraud, there was a presentation of a national initiative in one Member State to compensate consumers, with conditions, where they have been victims of Impersonation of Bank Employee fraud. Various different views were expressed on the appropriate balance of liability between PSPs and users in case of authorised fraudulent payments, and the usefulness of IBAN/name verification as a tool against fraud.

·The consumer subgroup considered that for contactless transactions, allowing consumers to set an individual threshold from 10 to up to EUR 50 would be complex and very expensive and not sustainable to implement (however, some PSMEG members expressed disagreement with this position). On Merchant Initiated Transactions (MIT), it was considered that these transactions should fulfil the following three criteria: (i) transaction with a fixed or variable amount and interval, (ii) governed by an agreement subject to SCA, (iii) that allows merchants to initiate subsequent transactions in the absence of the payer who is not available at the PoI (physical or online) to initiate and authenticate the transaction.

6. Bilateral contacts with stakeholders

A wide range of bilateral contacts were held with various stakeholders during the preparation of this initiative, essentially by videoconference, including BEUC - the European consumer organisation), payment services providers (banks, banking associations, European Payments Council, FinTechs, third party providers (TPPs)), Euro Retail Payments Board (ERPB), ECB, National Payments Committees, national central banks and supervisors, etc.

7. Consultation of Member States

National authorities were consulted in the framework of the Commission Expert Group on Banking Payments and Insurance (CEGBPI), which discussed IPs in a number of its meetings and provided input on the positions of Member States on specific elements. The CEGBPI discussed PSD2 in its meetings of on 30 November 2021 7 April 2022, and 16/21 March 2023 165 . CEGBPI members also provided over 260 pages of written commentary, mostly repeating points made during the meetings at a greater level of detail.

During the session of November 2021 CEGBPI members were asked how they viewed the developments in the payment market. Members reported an increased level of digitisation, which was considered to be reinforced by the COVID-19 pandemic. Many saw a rapid change in the speed of payments/transactions. Concerning the newer regulated Open Banking services members report new licences have been issued to AISPs and PISP, but the uptake of the services remains limited. All members agreed that a thorough review, and even revision of the scope of PSD2 was needed. Members reported that the differences between certain types of payment services have become more difficult to identify, reporting difficulties in assessing whether an entrant needs a licence or falls under an exclusion (in particular referring to TSPs and limited network providers). There was overall consensus that the EMD2 and PSD2 should be merged and the need for alignment of PSD2 with other pieces of legislation such as AMLD, MICA, DORA, Data Act, GDPR, DMFSD, etc. Some questioned whether PSD2 should cover also savings accounts, and others suggested to analyse the necessity of a group supervision similar to the CRD approach and considering a recovery and resolution framework for payment institutions and E-Money Institutions.

The introduction of the PSD2 has led to banks creating APIs and various members expressed the view that the Regulatory Technical Standards have not always facilitated an easy and sound convergent development of Open Banking across the EU. Some members agreed that having an EU API standard would have been useful. It was pointed out that between the implementation of PSD2 and now, banks have also started to use APIs for purposes other than laid out in the PSD2. Members remarked on the many challenges related to the implementation of the Strong Customer Authentication (SCA) and while it was considered still too early to fully assess its impacts, members have seen a decrease in the fraud rates. However, members remarked that new types of fraud (such as social engineering fraud) are popping up that are not captured by the SCA. Some members saw the need to consider additional SCA exemptions, e.g. if the payer uses an unattended terminal at charging stations for electric vehicles.

The session of 7 April was almost entirely dedicated to PSD, discussing scope, the supervisory framework, fraud prevention (SCA) and Open Banking. Members stressed the importance that a new PSD-framework would need to be future-proof and cover risks posed to consumers, and that various things could be clarified. Members sometimes struggle to qualify whether an entrant provided a regulated or non-regulated service, so precise definitions on the services of Annex I would be welcomed, as well as a clear definition on “payment account” and on “funds” and by including criteria, e.g. from the EBA Guideline, for the limited network exclusion. Regarding TSPs members are cautious – the PSD should focus on the provision of payment services, not ancillary technical services and referred to Oversight already covering operators of payment systems and schemes. Some members suggested a taxonomy of technical services could be helpful, and to consider targeted requirements (e.g. strong customer authentication). The review should consider any risks coming from new payment solutions, such as digital wallet solutions or Buy-Now-Pay-Later, and if these should be included in PSD2 (members believe BNPL should be covered under the consumer credit directive).

As regards the adequacy of supervisory framework members agree that it is overall adequate, also agreeing that the rules for small payment institutions should be maintained, but some improvements/changes could be considered, for example on passporting (this should be timely) and on the professional indemnity insurance required for PISPs and AISPs. Feedback was also received in written form, where members stressed that the licensing process should not be subjected to a one-month deadline due to complexity and the quality of applications. From a supervisory point of view the removal of AIS to another framework (instead of PSD2) could lead to difficulties in supervision as different authorities may be in charge.

Regarding fraud, members require clarifications to the provisions on SCA, also discussing the new fraud methods (social engineering) that SCA does not protect against. Moreover, members request clarification on mail order/telephone order (MOTO) transactions and the need for legislation to clarify that the use of a mobile phone should not be a prerequisite for SCA and to prevent financial exclusion. Furthermore, it was discussed if the exemptions to SCA should not be moved to Level 1 (currently in RTS) and if more exemptions should be considered, for example for electronic vehicle charging stations.

For Open Banking many members suggest that having one API standard would be beneficial and, in the long run, facilitate competition, although members acknowledge the implementation might be costly and either designing a new unform standard or selecting one of the existing standards would be challenging. Issues with the amount and type of data to be made available, while remaining compliant with GDPR, were discussed (data minimisation, silent party data, processing of special categories of personal data).

It was furthermore considered by CGBPI members that a renewed payment framework might be in the form of a regulation as this might be beneficial for the market, needs a short implementation period and would be in line with other frameworks (e.g. MiCA).

In the CEGBPI sessions of 16 and 21 March 2023 (two half-day sessions), broad support was expressed by Member States for the extension of IBAN/name verification to all credit transfers in the EU, and to strengthened transaction monitoring and exchange of information on fraud among PSPs. Certain Member States felt that attribution of liability for fraudulent authorised transactions is a delicate matter, and moral hazard must be avoided. On Open Banking, only seven Member States took the floor, with a wide range of views expressed. Four Member States wished to maintain consumer protection rules in national law, not an EU Regulation, on the grounds that the possibility of adapting the rules to national circumstances is desirable. There was broad openness to the incorporation of rules for e-money institutions and payment institutions together in one legal instrument.

Annex 3: Who is affected and how?

1.Practical implications of the initiative

1.1Introduction

The costs of the initiative have been kept to a minimum, via the rejection of the most costly options. Costs are mainly one-off implementation (adjustment) costs, and fall largely on ASPSPs (essentially banks). The most costly elements of this initiative, but potentially the ones with the greatest potential for social benefit, are those related to reduction of authorised (APP) fraud and to Open Banking. In Open banking, costs are offset by savings (such as the removal of the fall-back interface and of its exemption procedure) and by the adoption of proportionality measures (possible derogations for niche ASPSPs). The cost of improved enforcement and implementation will be limited and fall on Member States. The costs of direct access to key payment systems for Payment Institutions and E-Money Institutions will again be limited, and fall on the payment systems in question.

The benefits, on the other hand, are ongoing benefits and accrue to a wide range of stakeholders, including users of payment services (consumers, businesses, merchants and public administrations) and also PSPs themselves (especially non-bank fintech PSPs). They are harder to quantify, as they involve greater innovation and competition, with potential for lower prices and a greater variety of services on offer, plus reductions in APP fraud. As with PSD2 itself, the benefits are recurrent, while the costs are mainly one-off adjustment costs, therefore the cumulative benefits should exceed the total costs over time.

1.2 Payment Service Providers (PSPs) and other businesses

PSPs which do not offer euro IPs will be impacted by the cost of offering an IBAN verification service, averaging a few hundreds of thousands of euro per PSP in one-off costs (the cost is higher the bigger and more complex is the PSP), with annual maintenance costs averaging a few tens of thousands of euro per PSP. These costs can be offset by charging users for the use of this facility, and by reduced numbers of fraud-related complaints to deal with.

The increases in user rights and information (see Annex 10) will involve a small one-off adjustment cost (adaptation of standard contracts etc.) and limited ongoing costs, for example for provision of information in cases of ATM withdrawals on other networks and one-leg out operations.

Certain PSPs will incur a one-off cost for improving their API interfaces for Open Banking TPPs or creating one where one is not in place yet. The total cost of this for the ASPSP sector is estimated at €160 million. This will be offset by the saving of no longer having to make available a fallback interface or suffering additional traffic on the direct customer interface (see Chapter 2.1.2). Ongoing maintenance cost for APIs will not be directly impacted by the proposed changes.

PSPs which are Open Banking TPPs will experience the benefits of having defined quality and functionalities for APIs, thus enabling them to offer a better service to their users and supporting consumer adoption of OB. The TPP sector will experience a small cost around €24 million for adapting to new rules on interfaces.

PSPs will benefit from greater legal certainty due to a more detailed and coherent set of rules on payments which will be applied in a more effective way across the EU e.g. regarding criteria for penalties. They will be exposed to lower compliance costs over time as the rules on payments will be to large extent clear, up to date and self-explanatory and therefore easier to apply by PSPs.

PSPs which are PIs or EMIs (non-bank PSPs) will experience the benefits of direct participation in key payment systems and/or secure indirect access, thus enabling them to offer better and cheaper payment services to their users.

Operators of certain payment systems, those designated under SFD, whether in the public sector or private sector, will experience a one-off burden of a significant number of new applications for participation from PIs and EMIs, which will have to be processed, including full risk assessment.

1.3 Consumers and other payment service users

Payment service users will benefit from this initiative both directly and indirectly. As direct benefits, they will enjoy greater rights in the area of information concerning fees for specific transactions and estimated execution times, and improvements as regards blockage of funds (see Annex 10). Another direct benefit will be the generalised availability of IBAN verification services for all credit transfers, not only instant payments, and the resulting reduction of fraud losses.

The measures to improve enforcement and implementation of the payments rules will increase the level of protection of consumers and other users, who can be more confident that PSPs adhere to the EU rules and that measures including penalties are imposed by NCAs in cases of breaches.

Indirect benefits for users will include a wider range of competitively-priced payment services, including better account services from PIs and EMIs and improved Open Banking account information and payment initiation services. For Open Banking market research already predicts

Consumers will benefit from the possibility to obtain cash in shops without making a purchase, though this is not a right and will depend on the willingness of the shopkeeper and the availability of cash (see Annex 9).

Consumers with disabilities and other challenges to use SCA will enjoy greater financial inclusion as a result of the measure to facilitate their use of SCA described in Annex 10.

There are no specific direct costs for users associated with this initiative, other than possible fees for IBAN verification services (which will be optional for users). Competitive forces between banks and other ASPSPs should prevent any increases in general account fees.

1.4 SMEs

SMEs are concerned by this initiative in two capacities, as users of payment services (such as merchants or business users) and as PSPs, including payment fintechs (smaller PSPs, start-ups etc.). They are thus on both the supply and demand side of the payments market.

Benefits for SMEs as merchants and other corporate users of payment systems will be the same as those for users identified in the section above.

SMEs which are PSPs or payment fintechs (Open Banking TPPs or else PIs/EMIs offering payment account services) will experience the benefits for those categories noted above.

It should be noted that implementation costs for ASPSPs which are SMEs (for example for IBAN verification or for implementing an API for data access) are often lower than for larger PSPs, since larger PSPs often have a complex internal structure (e.g. resulting from mergers) or old legacy IT systems, which can significantly increase implementation costs and require ad hoc solutions. Smaller, more modern or simpler PSPs can often buy in off-the-shelf IT solutions.

Overall, SMEs are expected to be among the net gainers from this initiative, whether as users of payment services (non-financial SMEs) or as PSPs/Open Banking TPPs. Many PIs/EMIs are SMEs, and will benefit from direct access to payment systems; many Open Banking TPPs are SMEs and will benefit from an increased and better defined dataset with mandatory access. Most costs will fall on banks, and relatively few banks are SMEs.

SMEs - in both capacities as PSPs and users - will moreover benefit as will all actors in the payment market from a detailed and coherent set of rules on payments which will be applied in a coherent way across the EU, e.g. regarding criteria for penalties.

For further details about impact on SMEs, see Annex 13.

1.5 Public authorities

National competent authorities will need to devote more resources to enforcement of PSD as a result of this initiative, with potential extra staff costs as a result, although some NCAs may be able to improve PSD enforcement within current staffing levels. This will especially be the case as regards Open Banking, as each NCA will need a specialised enforcement team with knowledge in the area of APIs. This could cost in the hundreds of thousands of euro per year per NCA, which can be offset with charges to PSPs for specific services (licensing, authorisations, derogations etc.).

NCAs will furthermore benefit from a detailed and coherent set of rules on payments which will lead to easier and more cost-effective implementation of the rules.

Public authorities should benefit from improved payment services in their capacity of payment system users.

1.6 Geographical dimension of impact

The requirement to offer an IBAN verification service will proportionately have a greater cost in non-euro area Member States, since in those Member States there are fewer PSPs offering euro instant payments, and therefore fewer PSPs which have already incurred the cost of implementing IBAN verification, in line with the Commission legislative proposal on euro IPs. No other specific elements regarding the geographical impact have been identified.

2.Summary of costs and benefits

The tables below summarise the costs and benefits described above, based on the package of preferred options.

3.Relevant sustainable development goals