Getting EU Payment Rules Right: Six Essentials

The fast-paced world of digital transactions demands a regulatory landscape that evolves with it, and the recent European proposals concerning the Payment Services Regulation (PSR) and Payment Services Directive (PSD3) are emblematic of this dynamism. The European Parliament’s vote on PSD3 and PSR marks a significant step toward further advancing open banking and fostering competition within the payments industry, promising a wave of innovative products and services for consumers. However, these changes also raise pivotal questions for European businesses, reshaping the payment landscape and prompting a critical examination of essential regulatory principles.

To forge a regulatory framework that is balanced, effective, and tailored to the digital age, six key elements are indispensable:

1. Align payment regulation with the Digital Services Act for marketplace liability

Allocating liability, especially in fraud cases, poses a critical challenge. Holding online platforms responsible for fraudulent transactions would mark a significant shift, notably from the recently adopted Digital Services Act (DSA).

Impersonation fraud, a key concern, is difficult for platforms to track and prevent due to its reliance on manipulation techniques outside their ecosystem. While platforms implement anti-fraud measures within their scope, such as employing third-party services to detect fraudulent web shops and content, and issuing warning messages, they cannot entirely eradicate fraud in all its configurations, as suggested by the European Parliament.

Collaboration across all actors is essential, yet burdening platforms with excessive liability risks undermining the DSA’s effectiveness. New payment regulations must align with the DSA’s ban on general monitoring and acknowledge the distinct role of each actor in combating fraud. Policymakers should focus on concrete problems and be mindful of different tech business models. Instead of adopting a one-size-fits-all strategy, policymakers should tailor rules to suit different business models, ensuring that any proposed solution is not only effective but also proportionate to the scale of the problem it addresses. Expecting platforms to police external activities is unrealistic, and policymakers must avoid unfairly burdening any part of the chain with disproportionate liability obligations.

2. Protect consumers without encouraging fraud

The proposed rules granting customers unconditional refund rights within eight weeks of a merchant-initiated transaction (MIT) raise concerns about potential exploitation for fraudulent purposes. Allowing customers to request refunds without justification and preventing merchants from challenging these requests may inadvertently facilitate unlawful activities. For instance, it does not make sense for a consumer to seek a refund after they have already consumed a meal or digital content, such as music or video content. 

To address this, policymakers should follow the European Parliament’s approach and not extend an unconditional right for all MITs. Maintaining a balance between consumer protection and preventing abuse is essential to foster trust and security in the payment ecosystem.

3. Allow flexibility in methods to fight fraud

The proposed expansion of IBAN checks and verification services to all credit transfers raises questions about the necessity and effectiveness of such measures. While IBAN verification services play a role in fraud protection, they are not a silver bullet in addressing fraud, and mandating their use could impose unnecessary burdens on European businesses. 

Policymakers should afford companies the flexibility to choose the most suitable methods to prevent fraud for their operations. IBAN verification services should recognize the importance of mobile proxies, email addresses, and other identification elements in enhancing efficiency and reducing friction in payment processes. 

4. Maintain a risk-based approach

Some EU policymakers’ amendments suggest narrowing down exemptions, which may compel marketplaces to obtain payment services licences. This will increase the burden for both marketplaces and regulators even when there is little risk.

A more balanced approach would be to increase oversight on exemptions, rather than abolishing them, targeting real concerns while ensuring EU-wide consistency. This strategy can ensure the growth of marketplaces, without prescribing specific business models, and protect consumers and financial stability.

5. Improve PSD2 implementation for online transactions

Although Strong Customer Authentication (SCA) has made significant progress in combating online fraud, inconsistencies and inadequacies in its implementation have hindered the smooth functioning of online payments. 

PSR can play a crucial role by ensuring the consistent and equitable application of all SCA exemptions outlined in PSD2. This approach, characterised by non-discrimination, transparency, and mandatory adherence, holds promise in mitigating the negative impacts of SCA while preserving its anti-fraud benefits. Facilitating the delegation of strong authentication from issuers to companies or acquirers by creating a certification that is recognised by all issuers would also allow companies to choose this path and offer authentication methods better integrated into the customer journey.

6. Adapt SCA to empower businesses while protecting consumers

While SCA has undoubtedly benefited consumers, its implementation has also impacted how businesses authenticate themselves. It’s imperative that PSR addresses this by accommodating security protocols commonly used by businesses, such as single sign-on, in the review of SCA. A balanced approach is necessary, ensuring that businesses can authenticate themselves appropriately. This may involve smaller businesses selectively applying aspects of SCA, while transactions made by larger companies or businesses simply managing business operations within their payments software pose a lower level of risk and should be granted exemptions from applying SCA. Recognising the distinct risk profiles between corporate and consumer authentication is crucial. We are encouraged by the European Parliament’s proposal for the European Banking Authority (EBA) to differentiate between consumer and corporate authentication in SCA revisions.

👉🏻 The review of payment rules presents an opportunity to shape a regulatory framework that promotes innovation, protects consumers, and fosters trust in digital transactions. By advocating for balanced liability requirements, fair treatment of merchants, flexibility in authentication methods, and a risk-based approach, businesses can contribute to the development of a payments ecosystem that is resilient and responsive to the needs of all stakeholders. 

As we navigate the complexities of payments regulation in Europe, collaboration between businesses, regulators, and other stakeholders will be essential in achieving positive outcomes for the entire ecosystem.