There has been a recent flurry of EU developments relating to a number of ongoing initiatives relevant to firms in the retail banking and payments sectors, including some movement on the European Commission's review of PSD2 (otherwise known as "PSD3"). Below is a brief overview of this latest regulatory activity. Whilst these developments are all at an EU level they are of interest from a UK perspective as HM Treasury continues its post-Brexit review of the UK financial services regime with the possibility of further divergence or, where developments are seen as beneficial, the potential to implement similar changes.

Towards PSD3: European Commission consultations and calls for evidence on PSD2 review and open finance

The European Commission has launched a public consultation on PSD2 and open finance, aiming to assess the effectiveness, efficiency, costs and benefits, coherence, and EU added value of PSD2. Calls for evidence on related impact assessments for potential legislative initiatives have also been published, as well as targeted consultations on the PSD2 review and on open finance.

Consultation on PSD2 review and open finance

The EU Digital Finance Strategy and the EU Retail Payments Strategy announced the launch of a comprehensive review of the application and impact of PSD2 to assess whether legislation remains fit for purpose. In parallel to the PSD2 evaluation, the Digital Finance Strategy announced the Commission’s ambition to propose legislation on a broader ‘open finance’ framework with the aim of allowing customer data beyond the scope of PSD2 to be shared and re-used by financial service providers for creating new and improved services, subject to customer agreement as well as the effective application of data protection rules and security safeguards.

The public consultation, which is in questionnaire format, is specifically designed for respondents that have minimum technical knowledge about the payment industry or about data access and reuse in the context of open finance. The results will determine if the PSD2 objectives have been achieved or if changes are needed to ensure EU retail payment rules remain fit for purpose and future-proof (and if so, the type and scope of changes), with a view to the Commission's ongoing work on the open finance framework which is part of the Data Strategy for Europe.

The deadline for comments is 2 August 2022.

The EBA's response to the Commission's November 2021 call for advice on the PSD2 review (under Article 108 PSD2) is also pending. The EBA was requested to gather evidence and provide advice on the application and impact of PSD2, including any benefits and challenges that may have arisen relating to scope and definitions under PSD2, enforcement issues and cross-sectoral topics, and in other areas including supervision of payment service providers, transparency of conditions and information requirements, rights and obligations and SCA. The advice is due by 30 June 2022.

Calls for evidence on impact assessments for PSD2 review and open finance

Accompanying the public consultation are:

  • A call for evidence on an evaluation and an impact assessment relating to its review of PSD2, indicating that the Commission is considering publishing a report on the application and impact of PSD2 in Q4 2022 and, if considered appropriate, a legislative proposal to amend the Directive (with an accompanying impact assessment) in the first half of 2023.
  • A call for evidence on an impact assessment to assess the policy options relating to an "Open finance framework – enabling data sharing and third party access in the financial sector" initiative. In 2021, the Commission established an expert group on the European financial data space and a dedicated subgroup on open finance has recently started its work. The Commission will take into account the lessons learned from the payment accounts data access provisions contained in PSD2. The Commission is considering a legislative initiative here too, with indicative timing of Q1 2023.

The deadline for comments on both of the calls for evidence is 7 June 2022.

Targeted consultation on PSD2 review

The Commission's targeted consultation paper on the PSD2 review is designed to inform the Commission on the application and impact of PSD2 taking into consideration, among other things, developments in the payment market, payment user needs and the need for possible amendments.

The consultation focuses on technical issues and the Commission is looking in particular for responses from professional stakeholders such as payment services and technical services providers. Part 1 covers general questions concerning PSD2's main objectives and specific objectives grouped by theme, while Part 2 covers questions on whether the specific measures and procedures of PSD2 remain adequate, including questions concerning possible changes or amendments to the Directive.

The deadline for comments is 5 July 2022. If necessary, the Commission may publish another targeted consultation, eg to consider specific policy options and impacts in more detail.

Targeted consultation on open finance framework and data sharing in the financial sector

The Commission's targeted consultation paper on an open finance framework (announced in the Capital Markets Union communication of November 2021) and data sharing in the financial sector looks to gather evidence and stakeholder views on the current status and further development of open finance in the EU and effective customer protection. Customers of financial services firms (consumers and corporate customers), financial institutions and other firms that either hold data or intend to use it are specific targets of the consultation.

The deadline for comments is 5 July 2022.

Distance marketing of financial services contracts: European Commission legislative proposal for new Directive

The European Commission has adopted a legislative proposal for a Directive concerning financial services contracts concluded at a distance which would repeal the current Distance Marketing Directive (DMD) and transfer the framework for consumer protections relating to financial services distance contracts to the Consumer Rights Directive (CRD).

The proposed Directive would aim to modernise the existing DMD framework, including requiring traders to: provide an email address in pre-contractual information and supply pre-contractual information at least a day before consumers are bound by any distance contract; allow consumers to use a withdrawal button where distance contracts are concluded by electronic means; provide adequate explanations on proposed financial services contracts (and if a trader uses online tools for this purpose consumers will have a right to request and obtain human intervention). The application of certain rules in the CRD, including on additional payments and enforcement and penalties, will also be extended to financial services distance contracts.

The legislative proposal will now be considered by the Council of the EU and the European Parliament.

Proposed Regulation on digital operational resilience (DORA): provisional political agreement reached

The Council of the EU and the European Parliament have reached a provisional political agreement on the proposed Regulation on digital operational resilience for the financial sector (DORA).

The Council's related press release highlights key aspects of the agreement, which include:

  • The new rules will constitute a very robust framework that boosts the IT security of the financial sector, with the efforts required from financial entities being proportional to the potential risks.
  • Almost all financial entities will be subject to the new rules, but the inclusion of auditors will be part of a future review of DORA.
  • To allow for proper oversight of critical third-country ICT service providers to financial entities in the EU, such service providers will be required to establish an EU subsidiary.
  • Given the cross-sectoral nature of digital operational resilience, an additional joint oversight network will strengthen the co-ordination between the European Supervisory Authorities.
  • Penetration tests will be carried out in functioning mode and it will be possible to include several member states' authorities in the test procedures. The use of internal auditors will be possible only in strictly limited circumstances, subject to safeguard conditions.

The European Parliament also published a separate press release on the agreement.

The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure. The agreed revised text of the legislative proposal has not yet been published.

The new rules will apply 24 months after they enter into force.