How will PSD3 & PSR1 change open banking?

Open banking, an innovative framework that requires banks to share data with licensed fintechs, has revolutionized the financial space. Previously, traditional banks held a monopoly over customer data. With open banking, fintech companies can innovate and create better, more personalized products for end users. 

PSD3 arrives to elevate open banking in Europe

Michael Bystrov - Global Banking | FinanceEurope is often called the cradle of open banking, as it was the first to materialize the framework into legislation. The Payment Service Directive 2 (PSD2), enforced in 2018, mandated banks open application programming interfaces (APIs) to drive open banking. Under PSD2, fintechs must obtain a PISP or AISP license to access the bank APIs. 

Yet the European open banking journey doesn’t end here. In June 2023, the European Commission published the drafts of the updated PSD3 and Payment Services Regulation (PSR1). 

The proposals support the existing principles of data sharing and security. “The proposed PSD3 and PSR1 bring several changes to the EU payments framework, building on the progress made under PSD2,” said Michael Bystrov, Chief Revenue Officer at Noda, an open banking provider.

“Some fundamental changes include strengthening the measures to combat payment fraud, granting non-bank PSPs access to all EU payment systems, and enhancing the operation of open banking,” he added. 

What’s different in PSD3 & PSR1?

The key area of improvement is the APIs. PSD2 pursues technology neutrality and does not mandate any technical API standards. The need for clear documentation proves challenging for member states to adopt open banking consistently.

PSR1 may change this. The proposals include new API requirements, minimum functionality, and availability on response times to curb high latency. Whether this will result in more harmonious API implementation across European countries will be seen as the regulation won’t be finalized until late 2024. 

Another crucial area covered in the drafts is cybercrime prevention. Under PSD2, Strong Customer Authentication (SCA) is a legal requirement. SCA is a security measure that involves multi-factor verification to authorize transactions. 

Yet, it’s been insufficient for some types of fraud, mainly “spoofing” or impersonation fraud. PSD3 and PSR1 propose to extend the SCA in scope, enforcing stricter rules on access to payment systems and account information. Additional measures include IBAN and name checks and simplifying the SCA user experience.

Non-bank payment service providers (PSP), like Noda, are promised to gain more access to EU payment systems in PSR1 & PSD3. Traditional banks, on the other hand, will have to thoroughly explain access refusal when providing account services to non-bank PSPs. For example, the rejection may be based on suspected illegal activities or a risky business model. 

Impact on open banking and fintech

The key impact of PSD3 and PSR1 is higher competition, according to Bystrov: “It will surely increase in the wholesale payments sector, which will benefit businesses by giving them more choices and lower prices for their payment services.” 

Advancements in efficiency and strengthened security are also expected within the fintech space. “The new framework for financial data access could improve infrastructure, which could benefit businesses by giving them access to more data and analytics and helping them make better financial decisions,” added Bystrov.

Yet the journey to PSR1 & PSD3 will be somewhat smooth. It poses challenges for open banking providers like Noda. Fintech firms will face difficulties adapting to the new regulations as they come with new technology requirements and additional costs. 

“We will be required to implement more robust fraud prevention measures, including risk-based authentication and real-time monitoring of transactions,” Bystrov explained, yet he remained optimistic. 

“This is great for the industry overall, as the trust factor will continue to rise. We will also have great flexibility and choice in our services, as we will not be required to obtain bank consent to access their payment systems.”

Final thoughts

PSD3 and PSR1 are an evolution rather than a revolution of the open banking infrastructure. They are posed to strengthen security and trust, foster innovation in the fintech space, and build on the core PSD2 principles. Although challenges lie ahead, optimism prevails for this new stage of open banking.