Evolution not revolution: European Commission publishes financial data access and payments package

As part of the European Commission’s 2020 Retail Payments Strategy and following its 2022 review of PSD2 and related consultations, it has published legislative proposals to improve the functioning of PSD2. The first is for a Directive on payment services and electronic money services, focussing on licensing and supervision of payment institutions. The second is for a Regulation on payment services in the EU. Some points of interest for banks and other payment service providers (PSPs) include introduction of additional refund rights for consumers beyond unauthorised transactions and streamlining of the current ‘complex’ requirement for account servicing PSPs to maintain two Open Banking data interfaces. As part of the legislative package, the Commission has also published a legislative proposal on a framework for financial data access, extending financial data access and use beyond payment accounts to more financial services (a financial data access (FIDA) framework).

Commenting on the Commission’s proposals, Lavan Thasarathakumar, Senior Advisor in Hogan Lovells’ Digital Assets and Blockchain Practice, said:

“The payments proposals come following the conclusion of the review of PSD2, which found that EU payments needed to improve and this was largely due to a lack of consistent application of the rules across EU member states and an unlevel playing field between banks and non-banks, which also led to increased fraud.

An area that may be of concern for clients is the merging of the e-money and payment services regimes. Whilst the rationale around this is sound, to streamline the process and close regulatory gaps, there will be concern and pushback from incumbents who will have to reapply for a licence under the new regime within 24 months of PSD3 coming into force. Whilst there is a grandfathering provision in place until then, there is concern at the administrative burden that this may pose and the costs involved in achieving this. Furthermore, there is a concern that a delay could result in having to pause activity in the EU until the new authorisation is given. Further information will no doubt be needed on this to reassure the industry. That being said, it is noted that should firms have their paperwork in place to show that they already meet the requirements for the new authorisation (including changes to initial capital and own funds and also winding up plans), this will be granted automatically without needing to reapply.

In FIDA, the European Commission has sought to open up financial data in the EU, beyond payment accounts. The Commission identified the promotion of data-driven finance as a priority in its 2020 Digital Finance Strategy. The idea of this proposal is that it builds on PSD2 which enables open banking but expands it to all financial services in scope through mandating a financial data sharing scheme. One thing that will no doubt come up is what impact this will have on the wider economy. With financial institutions being caught but other data industries outside of scope, will there be an unlevel playing field with other industries if/when this is expanded beyond finance? It will also be important to make sure that any development of this proposal remains consistent with other EU initiatives such as the Digital Markets Act, Digital ID and future plans for Open Data. DG Connect were closely involved in the discussions on this proposal and they will no doubt be following this through the co-legislatures to ensure consistency.

Looking at this from a global perspective, the EU should ensure that it stays in step with global developments so as not to inadvertently ringfence itself off. The EU will want to make sure that it still remains open to global innovation and therefore this proposal should not be restrictive.

By way of a quick comparator to the UK, the Smart Data Bill which was recently laid before Parliament outlined what looks likely to be more of an open data approach which gives HM Treasury the ability to open up certain sectors to sharing their data with each other. The proposal goes beyond finance and looks to move away from the open banking model in the UK, but does look to develop some sort of trust framework, which could in some ways have some similarities.”

Below is a ‘quick glance’ summary of some key points from the Commission’s financial data access and payments package.

Payments package: some key points

The 2022 PSD2 review concluded that use of a directly applicable Regulation for payments would enhance the coherence of implementation in the Member States. The Commission points out that this approach has already been used in various areas of EU financial services legislation (eg prudential rules for banks or rules on securities markets).

The Commission considers that a Directive is appropriate for licensing and supervisory rules, given that licensing and supervision of financial institutions in general (including payment institutions (PIs) and other categories of PSPs, such as credit institutions) remains a national competence of the Member States, and no EU-level licensing or supervision is being proposed.

The proposed amendments to PSD2 are therefore set out in two separate legislative acts:

  • A proposal for a Directive, containing in particular rules concerning licensing and supervision of payment institutions (PSD3); and
  • A proposal for a Regulation, containing the rules for payment service providers (PSPs) (including PIs and some other categories of PSPs) providing payment and electronic money services.

PSD3 legislative proposal

  • Merger of e-money and payment services regimes

    • The e-money and payment services regimes are brought together in one single piece of legislation and harmonised to the extent possible, while still leaving room for specificities where justified.

    • The Commission states that this will address concerns and challenges with delineating the two legal frameworks, in particular at the licensing stage. It also believes that this will ensure a higher degree of harmonisation, simplification and consistent application of the legal requirements for PIs and EMIs, preventing regulatory arbitrage, ensuring a level playing field and a future-proof legal framework.

    • The second Electronic Money Directive (Directive 2009/110/EC) will be repealed with effect from the date of application of PSD3 (as will PSD2) and there will be transitional provisions dealing with the move to the new licensing regime.

  • Safeguarding

    • On calculation of own funds for PIs not offering electronic money services, the rules now state that an increase of up to 20% in own funds may be required by competent authorities, based on an evaluation of the PI’s risk management processes, risk loss database and internal control mechanisms. This is similar to the additional Supervisory Review and Evaluation Process (SREP) own funds requirements for banks.

    • PIs must avoid concentration risk to safeguarded funds by ensuring that the same safeguarding method is not used for all such funds and, in particular, by trying not to safeguard all consumer funds with one credit institution.

    • The EBA is mandated to develop regulatory technical standards on risk management of safeguarded funds.

  • Passporting

    • Specific provisions on so-called “triangular passporting” are introduced with the aim of enhancing clarity.

  • Non-bank PSPs’ access to payment systems

    • An amendment is made to the Settlement Finality Directive (98/26/EC) to add PIs to the list of institutions which have the possibility to participate directly in payment systems designated by a Member State under that Directive (but not to designated securities settlement systems).

Payment Services Regulation (PSR) legislative proposal

  • Authorised/unauthorised payment transactions – focus on tackling fraud

    • A new IBAN/name verification service is being introduced. The Commission proposal on instant payments in euro proposes a similar provision, so the PSR proposal applies to credit transfers which are not instant credit transfers in all currencies of the EU, and to instant credit transfers in currencies other than the euro.

    • The PSP of the payer is to be held liable for the full amount of the credit transfer in cases where that PSP has failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer. A PSP is also held to be liable where a consumer has been manipulated into authorising a payment transaction by a third party pretending to be an employee of the consumer’s PSP (impersonation fraud). An obligation for electronic communications services providers to cooperate with PSPs is introduced, with a view to preventing such fraud. Exceptions to the refund right include gross negligence by the consumer or where the consumer is part of the scam.

    • Where the liability is attributable to the PSP of the payee, the latter is to refund the financial damage incurred by the PSP of the payer.

    • On strong customer authentication (SCA), points of interest include:

      • Addition of a new provision requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of SCA and to improve the prevention and detection of fraudulent transactions;

      • On the dynamic linking obligation, clarification that it applies to electronic payment transactions for which a payment order is placed through a payer’s device using proximity technology for the exchange of information with the payee’s infrastructure, and for which the performance of SCA requires the use of internet on the payer’s device.

      • Addition of a provision requiring PSPs and technical service providers to enter into outsourcing agreements in cases where the latter provide and verify the elements of SCA.

  • Open Banking

    • The provisions on Open Banking (OB) contain a number of modifications compared with PSD2, and incorporate certain provisions currently contained in the SCA regulatory technical standards (RTS). Key changes include:

      • The removal (except in authorised exceptional circumstances) of the requirement on account servicing PSPs (ASPSPs) to maintain a permanent ‘fallback’ interface, but there is a requirement to have a dedicated interface for OB data access (except in exceptional circumstances);

      • Introduction of additional requirements on dedicated interfaces in relation to performance and functionalities;

      • To enable OB users to manage their OB permissions in a convenient way, there is also the introduction of a requirement on ASPSPs to offer them a “dashboard” allowing the withdrawal of data access from any given OB provider; and

      • Removal of the provision on confirmation on the availability of funds as a stand-alone OB service due to lack of market demand.

  • Extension of surcharging prohibition

    • Changes are introduced to extend the surcharging prohibition to credit transfers and direct debits in all currencies of the EU.

  • Alignment of rules for merchant initiated transactions (MITs) and direct debits

    • The rules for merchant initiated transactions (MITs) and direct debits are aligned, applying the same consumer protection measures, such as refunds, to direct debits and MITs as both are transactions initiated by the payee.

  • Non-bank PSPs’ access to bank accounts

    • The PSD2 rules relating to access (opening and closing) by a PI to an account with a credit institution are reinforced. Given the importance for PI licence applicants to have a bank account to obtain their licence, they are also covered, as well as PIs’ agents and distributors.

    • Any refusal or withdrawal of access must be based on serious grounds, for example reasonable suspicion of illegal activity or risk to the credit institution. Reasons for refusal or withdrawal of access must be provided in writing and justified in detail with regard to the specific situation of the PI in question.

  • EBA product intervention powers

    • The EBA will be able to temporarily prohibit the sale of certain payment products which would present certain risks, subject to certain criteria.

Proposed Regulation on a framework for Financial Data Access (FIDA): some key points

The proposed FIDA Regulation establishes the rules in line with which certain categories of customer data in finance may be accessed, shared, and used, including the rights and obligations of data users and data holders, and of a new category of authorised ‘financial information service providers’ in relation to the provision of financial information services as a regular occupation or business activity.

  • Scope

    • The scope of the Regulation is limited to specific (exhaustive) sets of customer data including in relation to: mortgage credit agreements, loans and accounts (except payment accounts as defined in PSD2); savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets; certain pension rights; certain non-life insurance products; and data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.

    • The list of firms to which the Regulation applies, when they are acting as data holders or data users, includes: credit institutions; PIs, including AISPs and PIs exempted under PSD2; electronic money institutions, including those exempted under EMD2; investment firms; crypto-asset service providers; issuers of asset-referenced tokens; managers of alternative investment funds; insurance and reinsurance undertakings; institutions for occupational retirement provision; crowdfunding service providers; and financial information service providers.

  • Financial information service providers

    • There are provisions relating to the authorisation and operating conditions of financial information service providers. According to the Commission, introduction of this new category is aimed at ensuring that only trusted and secure providers are eligible to access and process customer data in the financial sector.

    • The scope of DORA is amended to include financial information service providers.

  • Legal obligation on data holders

    • A legal obligation is introduced on data holders to make data within the scope of the Regulation available to a customer ‘without undue delay, free of charge, continuously and in real-time’, following a request from that customer ‘submitted by electronic means’. The customer has the right to request that the data holder shares this data with a data user.

  • Financial data access permission dashboards

    • Financial data access permission dashboards are established to ensure that customers can monitor their data permissions by being able to access an overview of them, grant new ones and withdraw permissions if necessary.

  • Financial data sharing schemes

    • The Regulation provides that the data falling within its scope must be made available only to members of a financial data sharing scheme, making the creation and membership of such schemes mandatory.

    • Provisions on scheme governance and on the development of common standards for data sharing and the creation of technical interfaces to be used for data sharing are included.

    • Data sharing schemes must be notified to the national competent authorities, they must benefit from a passport for operations across the EU, and the schemes must be included on an EBA register which will also cover financial information service providers (see below).

Next steps

These are not the final texts. These are the proposals that have been sent to the European Parliament and the Council of the EU. They will now amend this text to be able to pass it through their respective houses. Whilst a lot of this has already been discussed by the institutions, it is highly political and we can expect there to be quite significant pushback and modifications. After the amended text is agreed, there will be inter-institutional negotiations (trilogues), where the Commission, Council and Parliament negotiate on a compromise text.

In terms of timelines, the fact that the European elections take place next year complicates things. It reduces the time in which negotiations can be had before attention turns to campaigning in home member states. As such, there will have to be a tight timeline if we are to see this concluded in this legislature. It remains a tall order for this entire package to run through each house, be voted on and for successful trilogues.

That being said, as long as the relevant proposal is not rejected and sent back to the Commission, the key is that it has been published. Therefore it leaves two options on the table: an accelerated timescale with a conclusion by March 2024 or a delayed timescale with negotiations restarted under the new parliament which will take its seat in September 2024. Either way, we still have a long way to go to see the final text and then even further for this to enter into force.

If you would like to discuss the potential impact of any aspect of the Commission’s legislative proposals on your business, please get in touch with one of the people listed above or your usual Hogan Lovells contact.



Authored by Lavan Thasarathakumar and Virginia Montgomery.

