The European Commission (“Commission“) published the “Financial Data Access and Payments Package” (“Package“) on 28 June 2023. With this Package, a significant step was taken in amending the legislation regulating the financial sector, including payment systems, within the scope of the European Union (“EU“). The Commission aims to increase the synchronization of the payment and financial sector with the digital age, improve competition in electronic payments, and enable secure sharing of consumer data, which may result in increased transaction volume and access to financial products and services.
The Commission also highlighted that the payment service sector is continually growing, and its value increased from 184.2 trillion euros four years ago to 240 trillion euros in 2021. While acknowledging the economic growth, the Commission also draws attention to the emergence of “more sophisticated” types of fraud cases, which puts consumers at risk and affects trust. The Package aims, as expressed by the Commission, “to enable the EU’s financial sector to adapt to the purposeful and ongoing digital transformation and the risks and opportunities it presents for consumers”. The Package primarily focuses on the following legal regulations:
- Payment Service Directive 3 (“PSD3”)
- Payment Service Regulation 1 (“PSR1”)
- Financial Data Access Regulation (“FIDA”)
The details regarding the relevant legislative regulations can be addressed as follows:
- Regulations Introduced Within the Payment System Sector
Under the Package, PSD3 and PSR1 have been aimed at achieving four objectives in the payment sector:
Strengthening consumer protection and confidence in the payment sector: The proposals include measures that will make users feel more secure. This will reduce the risk of fraud and misuse, enhancing users’ trust in payment processes.
Enhancing the competitiveness of Open Banking services: Open Banking as a service allows data sharing between banks and non-bank institutions. The proposals include regulations that will promote competition in this area, facilitating the entry of new players, encouraging innovation, and providing users with a broader range of services.
Regulation of audit powers and responsibilities to improve implementation in member states: The Package regulates audit powers and responsibilities to make the implementation process more consistent and effective across member states. This will promote harmonization and collaboration among different member states, enabling effective management of payment services.
Regulation of non-bank institutions’ access to payment systems and bank accounts: The proposals include measures to balance access to payment systems and bank accounts between banks and non-bank institutions, encouraging competition. This will provide non-bank institutions with more opportunities and reduce the unequal playing field in the sector.
The achievement of these objectives will enable sector players to operate in a more secure and competitive payment environment, contributing to the development of the financial sector.
From PSD2 to PSD3
Following the implementation of the Revised Payment Services Directive (EU) 2015/2366, also known as “PSD2”, in January 2016, significant changes and rapid developments were observed in the payment, financial, and e-commerce sectors, primarily triggered by consumer habits. PSD2, however, proved insufficient in ensuring market and consumer protection amidst these changes and developments. Initiatives addressing this concern first emerged with the 2020 Retail Payments Strategy, gaining momentum through consultations on amending the legislation by the Commission as of May 2022. After extensive work and consultations since 2022, a significant step has been taken towards improving the functioning of PSD2 with the introduction of PSD3.
PSD2 constitutes the existing legal framework for all electronic payments, regardless of currency including the Euro, and data sharing activities within the EU. It encompasses rules related to consumer protection, transaction security, and the licensing and supervision of Payment Service Providers (“PSP”). Additionally, PSD2 introduced Strong Customer Authentication (“SCA”) as a measure to reduce fraud and provide an additional layer of protection for online payments. The Commission’s statement emphasizes that the use of SCA resulted in a 50% decrease in fraud related to payment systems between 2020 and 2021. Although PSD2 addressed several positive regulations, the entry of new players and the rapid development of innovations also led to uncertainties and gaps in certain areas of the legislation.
Similar to PSD2, the Commission addresses regulations concerning the licensing and supervision of financial institutions, while also acknowledging the national competence of EU member states in the Directive. Once presented to the European Parliament and the Council, PSD3 is expected to be accepted, leading to the repeal of PSD2 and the commencement of the process to align national laws of EU member states with PSD3. Furthermore, the Second Electronic Money Directive (Directive 2009/110/EC) will be repealed from the date of application of PSD3 (like PSD2), and there will be transitional provisions regarding the transition to the new licensing regime.
PSR1 regulates the fundamental rights and obligations of parties (PSP and consumers) in the payment service sector. It aims to “combat and mitigate” payment fraud by enabling payment service providers to share fraud-related information with each other. Additionally, PSR1 makes it mandatory to create a system to increase consumer awareness, strengthen customer authentication rules, expand the conditions for refund rights of consumers affected by fraud, and verify the compatibility of payees’ International Bank Account Numbers (IBAN) with their account names in payments. Once the legislative process is positively completed, PSR1 will be directly applicable by EU member states.
Key Topics of the Package from the Payment Sector Perspective
- It is proposed to amend the existing PSD2 rules with PSR1 to enable the direct and consistent application of conduct rules for payment service providers across the EU.
- The goal is to ensure payment institutions’ direct participation in payment systems, rather than indirect participation. This aims to enable payment institutions to access payment systems directly, without the need for intermediaries such as banks, resulting in faster and more efficient payment processes.
- The extension of IBAN verification to all credit transfers is recommended. This will allow payment institutions to identify any discrepancies between the recipient’s account number and name during transactions, reducing fraud.
- Furthermore, changes are proposed to strong customer authentication rules and Open Banking. These changes aim to strengthen security measures to provide consumers with a safer payment experience. Additionally, modifications in Open Banking seek to offer consumers more control and choices, as well as promote innovation. Recommendations include changes to strong customer authentication rules, the removal of fallback interfaces, and other adjustments to enhance security and prevent fraud during payment transactions.
- It is proposed to make it mandatory for payment institutions to hold funds under protection in multiple banks. This measure will enhance the financial security of payment institutions and ensure the protection of customers’ funds.
- Giving product intervention powers to the European Banking Authority (also known as EBA) is suggested to facilitate effective regulation of financial products and ensure consumer protection.
The aim of the aforementioned provisions is to create a safer, more efficient, and innovative environment in the payment sector.
Financial Data Access: FIDA
As part of the Package, the Commission has published FIDA (Financial Data Access) containing regulations concerning financial data access and expanding the usage of financial data beyond payment accounts towards other financial services. FIDA sets forth that access, sharing, and usage of specific customer data categories will be subject to limited rules. It also introduces a new category called “authorized financial information service providers” to regulate the financial information service area.
The Commission has addressed existing issues in the data flow process in the financial sector. The lack of a standardized Application Programming Interface (API) and data gaps, as well as the absence of a tool for individual or legal entity customers (data holders) to manage permissions for their data usage with financial institutions, have posed problems. Additionally, the absence of a legal framework for data sharing between financial institutions and financial technology (“Fintech”) companies, and Fintech companies’ inability to provide data-driven products or services to customers, has resulted in legislative inadequacy.
The lack of rules and tools for managing data sharing permissions and customers’ uncertainty about how potential risks are addressed have led to an environment of mistrust, causing customers to be reluctant to share their data. On the other hand, even if customers desire to share data, the lack of clear or comprehensive legal regulations has not obligated data holders (e.g., financial institutions) to always grant data access. As a consequence of legislative insufficiency, conflicts of interests often arise between customers and financial institutions. The lack of regulations and non-standardized technical infrastructure for customer data result in several issues, including costly data sharing.
Considering the aforementioned problems, the Commission addresses various aspects through FIDA, such as customer access rights, oversight of data users, collaboration in financial data sharing, standardized security conditions, standardized data access, and management of customer permissions. The aim is to overcome the current problems and establish more transparency and control over data sharing relationships for customers, thereby fostering greater trust in data sharing and enabling customers to access more innovative and cost-effective financial services. For Fintech companies, FIDA allows for increased access to customer sets, promoting Fintech innovations and enabling new service and revenue streams.
Current Situation and Expected Developments in Türkiye
When comparing the regulations brought by the Package with the payment and financial sector legislation in Türkiye, it can be observed that although there are similar concerns and objectives, there are some differences in the implementation. Türkiye closely monitors EU regulations, and the Eleventh Development Plan explicitly states “In order to strengthen the legal infrastructure of open banking, alignment with the EU Payment Services Directive 2 will be ensured.”. As part of the process of aligning with PSD2, the “Regulation on Banks’ Information Systems and Electronic Banking Services”, which defines the concept of “Open Banking” was published in the Official Gazette on 15 March 2020, and came into effect on 1 July 2020. Furthermore, as part of this alignment, changes were made to Law on Payment and Securities Settlement Systems numbered 6493, Payment Services and Electronic Money Institutions, defining the services of Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP) in line with PSD2. As mentioned earlier, the Package addresses a broader scope in the payment sector, particularly aiming to enhance the competitiveness of Open Banking services, improve supervisory powers in member states, and enable payment institutions to directly participate in payment systems. In Türkiye, however, the legislation concerning payment services, licensing, and supervision is primarily limited to consumer protection and financial stability.
Moreover, the financial sector in Türkiye is governed by various regulations, including the Banking Law, Financial Leasing, Factoring, and Financing Companies Law, Regulation on Remote Identity Verification Methods and Establishment of Contractual Relationship in Electronic Environment, Regulation on Principles and Procedures Applicable to Factoring Transactions, and Regulation on Establishment and Operations of Financial Leasing, Factoring, and Financing Companies. As explained in detail above, FIDA brings greater transparency and control to customer data sharing relationships, instills trust in data sharing, and allows customers to choose from more innovative and cost-effective financial services, opening up new opportunities. In Türkiye, however, these issues are addressed under different legal regulations. Especially, under the Financial Leasing, Factoring, and Financing Companies Data Systems Management and Audit Regulation, there are stringent regulations concerning the use and retention of primary system data. The regulations do not provide a comprehensive framework for the use and rights of consumers over primary system data. The approach of FIDA, which supports innovation while safeguarding consumer rights, has not yet been fully adopted in Turkish legislation, and the fragmented nature of various regulations creates uncertainties in practice.
In the future, a series of changes that are more compliant with EU regulations and consider technological developments may take place in Türkiye’s payment and financial sector legislation. The process of strengthening the legal infrastructure of Open Banking may continue with further regulations aiming to align with EU regulations. A development that brings more transparency, control, and security measures in data sharing may emerge. Given the broad scope of the financial sector, it is likely that new regulations will be introduced to offer more innovative financial products and services, better protect consumer rights, and ensure financial stability. Türkiye is expected to continue its collaboration with other countries and efforts to comply with international standards.
- The Commission Communication on the Retail Payments Strategy for the European Union.https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0592
- Financial Data Access Regulation, https://finance.ec.europa.eu/system/files/2023-06/230628-proposal-financial-data-access-regulation_en.pdf
- The Factsheet on Electronic Payments in the EU Review of Payment Service Directive 2 published by the European Commission.. https://finance.ec.europa.eu/system/files/2023-06/230628-payments-fida-factsheet_en.pdf
- Payment Service Directive 2, https://finance.ec.europa.eu/system/files/2023-06/230628-report-payment-services-directive-review_en.pdf
- Payment Service Directive 3, https://finance.ec.europa.eu/system/files/2023-06/230628-proposal-payment-services-directive_en.pdf
Payment Service Regulation, https://finance.ec.europa.eu/system/files/2023-06/230628-proposal-payment-services-regulation_en.pdf