OK, not all the talk. The European Union’s Payments Service Directive 3 (PSD3) is not fully formed. In Hollywood terms, the project outline has been announced, but it is merely at the ‘script development’ phase. The PSD3 movie might not be out until 2026. Still, the announcement of a new directive is big news and certainly warrants a closer look.

To appreciate its significance, it makes sense to review what came before it. That takes us back to 2007, when the EU decided to harmonise the payment landscape by introducing PSD1. The idea was to implement new technical standards to lower access barriers for new payment providers, reduce transaction fees, speed up cross-border payments and strengthen customer protection.

But the timing was bad. 2007 was year zero for the smartphone revolution. Consumer payment habits changed and PSD1 quickly became obsolete and ineffective. It never established itself, so regulators revised their blueprint. The second version, PSD2, was proposed in 2015 and entered into force in January 2016.

PSD2 had similar goals to its prequel but its key proposal was to mandate incumbent financial institutions to open up access to customer data via application programming interfaces (APIs). The thinking was: customers own this data – let them give it to fintechs (with consent) and see what innovation results.

The intermediaries divided into two main types. The first were Account Information Service Providers (AISPs). They aggregated information from multiple accounts on a single dashboard to make it easier to manage money. The second were Payment Initiation Service Providers (PISPs). They were authorised to move money between accounts on behalf of consumers. The other key plank of PSD2 was Strong Consumer Authentication (SCA), which mandated two-factor authentication in various card-not-present payment situations.

So how did PSD2 do? Depends who you talk to. Some critics slammed the banks’ reluctance to embrace the data-sharing philosophy. They bemoaned the speed and quality of the APIs. Louise Beaumont, Co-Chair of TechUK’s Open Bank Working Group, told Financial World at the time: “It is like the 14-year-old boy who says he will do the washing up, but does it really badly so you decide not to ask him again.”

Then, in 2021, Starling founder Anne Boden told a Treasury committee that the open banking revolution promised by PSD2 had flopped. She questioned the demand for data portability and the way it was enacted. “Consumers do not want to pay an additional fee to a fintech so they can consolidate their data,” she said. “And above all of that, the implementations of open banking are clunky.”

The truth is probably somewhere in between. To gauge PSD2’s successes and failures (in advance of PSD3), the European Commission launched a consultation with the public and stakeholders. The main findings included:

• PSD2 increased competition and delivered more choice for end users
• APIs opened up data access but there remains a lack of standardisation and interoperability
• secure customer authentication has led to more payment friction and a poor user experience in some areas
• secure customer authentication can exclude users who do not have access to smartphones
• payment service providers have reported phishing and other frauds as criminals exploit the flaws in SCA and payment initiation
• there is a lack of coherence with legislation such as General Data Protection Regulation (GDPR), which has muddied the waters around data protection
• PSD2 can overlap with other payment and security regulations across different jurisdictions.

After studying the feedback, the Commission published its draft PSD3 proposal in June this year. It proposed making changes to the regulatory regime in three ways: with a new Payment Services Regulation (PSR1); via a new directive (PSD3); and via a new open finance framework – Financial Data Access (FIDA). Here are the most significant implications.