Work is already ongoing on developing an EU QR standard for payments
29 September 2024
•
8 minutes read
Work is already ongoing on developing an EU QR standard for payments. Тhe implementation of the regulation on instant payments is another trigger for the development of such EU-wide A2A payment solutions. Тhat share to DIGI PAY BLOG Eric Ducoulombier, Head of Unit, Retail Financial services, DG Financial Stability, Financial Services and Capital Markets Union, European Commission. He will a keynote speaker at DIGI PAY 2024 on October 8.
One area where continuing innovation is expected is the use of account to account (A2A) payments for the purchase of goods and services at POI or POS, thus avoiding the need for a payment instrument such as a card. The means of initiating such A2A payments can be for example a QR code or an app or NFC technology. Such solutions exist domestically in certain Member States, but they have yet to go cross-border.
New payments regulation PSD3
The Commission deemed it preferable not to impose a new standard Application Programming Interface (API) for data access, as this would be too costly for ASPSPs, and unfair to those which have in good faith implemented a different API from the one selected to be the required one, out of the several different existing API standards for OB.
On the other hand, the PSR proposal is much more explicit and detailed than previous rules regarding the minimum required functionalities and performance standards of dedicated OB interfaces. So many ASPSPs will need to upgrade their OB APIs following PSR, regardless of which particular API standard they are currently using. PSR is focussed on outcomes as regards OB, not on the means to achieve those outcomes.
Combining the regulations for payment institutions and electronic money institutions
The legal framework applicable to E-Money Institutions and Payment Institutions in the E-Money Directive and PSD2 is already reasonably consistent. However, the licensing requirements and some other key concepts governing the e-money business, such as issuance of e-money, e-money distribution and redeemability, are quite distinct as compared to the services provided by payment institutions. Supervisory authorities have experienced practical difficulties in clearly delineating the two regimes and in distinguishing e-money products/services from payment services offered by payment institutions. Therefore, a merger of the two regimes is proposed, bringing them together in one single piece of legislation and harmonising them to the extent possible. This will ensure a higher degree of harmonisation, simplification and consistent application of the legal requirements for PIs and former EMIs.
Competition for payment services
It should be noted that this reform was already enacted via the Regulation on Instant Payments, in anticipation of PSR and PSD3; the application deadline is in April 2025.
The issue was that the Settlement Finality Directive, as it stood, prevented access by PIs and EMIs to payment infrastructures which have been designated under that Directive, by not mentioning them as possible participants in such systems. This forced PIs and EMIs to rely even more on commercial banks, establishing a structural dependency on banks and an unlevel playing field, as banks are competitors of PIs and EMIs for the provision of payment services.
The removal of this barrier, with appropriate safeguards in place to ensure that PIs and EMIs can respect the rules of the payment systems in question, should allow PIs and EMIs to offer payment services at lower cost and with more reliability, thus promoting competition.
Instant payments in Bulgaria after Euro conversion
Instant Payments Regulation (IPR) does not govern instant credit transfers executed by PSPs in currencies other than the euro. (Note: it does govern instant credit transfers in euro that are sent from or received on accounts denominated in currencies other than the euro).
This is because regulation at the EU level has to respect the principle of subsidiarity which justifies intervention at the EU level in situations where Member States acting alone are not able to achieve outcomes that are as effective.
The SCT Inst Scheme is a scheme for instance credit transfers in euro. It was launched by the EPC in 2017. For this pan-European network to achieve its full economic potential (since payments is a network industry), actions that were needed to deal effectively with certain identified obstacles could have been best taken at the EU level. The same does not apply for instant credit transfers in national currencies other than the euro, since such payments are executed only domestically in respective Member States.
“Instant Payments Regulation encourages Member States, whose currency is not the euro, to apply rules on domestic instant credit transfers executed in their own national currency.”
IPR still encourages Member States, whose currency is not the euro, to apply rules on domestic instant credit transfers executed in their own national currency that are equivalent to the rules laid down in the IPR. Also, important to note that requirements which are included in the Payment Services Directive (currently under revision) apply to national instant credit transfers in the currency other than the euro.
Security of payment services will PSD3 implement
The PSR proposal includes among others measures to combat payment fraud and an number of clarifications related to the application of SCA related provisions:
- New refund right for consumers which were manipulated into authorizing a payment transaction by a fraudster pretending to be an employee of the consumer’s payment service provider (PSP) (‘impersonation fraud') under certain conditions (notification to the PSP and police; no “gross negligence”; limited to one-time occurrences) and cooperation requirement for electronic communication services providers;
- An extension of the IBAN/name check service to all regular credit transfers and instant payments (already adopted in the Instant Payment Regulation) to non-Euro EU currencies;
- A possibility for PSPs to share on a voluntary basis IBANs of a suspected fraudulent payment transaction, based on sharing arrangements and safeguards (e.g. subject to data protection impact assessment and consultation);
- An obligation of PSPs to ‘educate’ their customers and employees about fraud risks;
- Clarifications regarding the implementation of SCA. For merchant-initiated transactions (MITs), initial setup requires SCA, but not subsequent payments. Regarding the enrolment of payment instruments into digital wallets, this is clarified to require SCA at the time of enrolment of a new token or replacement of a token. For mail order and telephone orders (MOTOs), only the initiation of a payment needs to be non-digital for the payment to be exempt from SCA. For MOTOs, an exemption from SCA payment still needs to be subject to fraud checks, transaction risk analysis (TRA), and other security controls, to avoid abuse. The SCA exemption for direct debits has been narrowed. New SCA obligation for direct debits placed on a channel with the direct involvement of a PSP.
The FIDA approach
FIDA is not a completely different approach to PSD2 – these are complementary frameworks:
- Both introduce a legal obligation on financial incumbents to share data.
- Both limit access to data to strict licensing requirements
- Both look to enhance customer control by introducing user-centric permission dashboards.
The being said, differences between PSD and FIDA are inevitable. The types of data concerned are substantially different. The policy measures required to improve an already existing system of data sharing under PSD2 are different from those needed to build a new regulatory system for other parts of the financial sector. PSD is an existing legal framework that has a certain path dependency. Open finance is a new framework – this gives the advantage of being able to consider certain lessons learned from PSD2 and build differently.
FIDA builds on PSD2 but depart from it in key ways:
- First, on standardisation. PSD2 did not mandate common standards for APIs. FIDA now mandates the market to work together in financial data sharing schemes to work on standardised technical interfaces from the beginning.
- Second, on compensation and data quality. We want incumbents to see data sharing in finance as more than a mere compliance issue. FIDA is based on the Data Act which provides for reasonable compensation for making data available based on contractual access. As new investments are required to put in place interfaces, reasonable compensation will be a strong incentive for data holders to ensure development of high-quality interfaces.
The Commission is clear when FIDA should come into play: all FIDA obligations enter into force 24 months after entry into force. It is up to the co-legislators to decide whether to maintain this ambition.
This is about creating sufficient business incentives.
On the contrary: we believe moving to a system of reasonable compensation will incentivise the market to embrace FIDA. This is about creating sufficient business incentives.
The evaluation of PSD2 indicated that many data holders believe that the investments for building infrastructure without compensation are disproportionate.
Our own FIDA consultation showed that both data holders and data users are willing to pay reasonable compensation if it means access to higher quality data. 75% of respondents to the targeted consultation on open finance agreed that data holders should be entitled to compensation for putting in place the infrastructure. Speed is not the essence – the objective is to build a sound open finance framework that is built on data quality.
PSD3 will remain based on its current model, as the costs of changing existing system, including moving to a contract based model would be significant, and the justification for compensation is less strong since investments have already been made and interfaces are already in place.
Image Source: PixaBay