The political, technical and business developments of the 21st century, above all digitalisation and globalisation, have led to a significant increase in the number of regulations for payment service providers and financial institutions. Compliance with these regulatory requirements, especially in payments, is unavoidable for every financial service provider and implementation is often a challenge. Moreover, a clever, customer-friendly implementation is decisive for the market. PPI's experts accompany and support you with individual solution strategies and implementation concepts. By combining regulatory knowledge, professional requirements and IT know-how, they are also able to navigate, support and implement complex topics such as the Payment Services Directive (PSD2/PSD3), the Digital Operational Resilience Act (DORA), Markets in Crypto-Assets (MiCA), the open finance regulation FIDA (Financial Data Access Regulation) or the EU Funds Transfer Regulation (FTR) and other regulations for you.
Directives, regulations and laws play a decisive role in payments. They do not have to be an obstacle.
Payments are a highly regulated economic sector. Interdependencies have to be considered for a multitude of directives, regulations and laws and have an influence on every business decision. For example, it is necessary to differentiate between payments made within a country, within EU borders or in the context of non-European payments. Regulatory provisions such as the Payment Services Directive (PSD2/PSD3) or the SEPA Regulation standardise the legal framework, promote fair competition and create transparency for all parties involved. Furthermore, they serve to implement political and economic objectives, for example as an innovation incentive or to standardise markets. Implementing and complying with them continues to present challenges for payment service providers.
In order to further promote the European internal market and the necessary harmonisation of laws, European legislation is increasingly stipulating the framework conditions. In this context, the European Banking Authority (EBA) acts as an independent expert advisory body to sustainably pursue and achieve the stated objective: to create EU-wide uniform rules applicable to payment service providers in all countries of the EU.
The stability of the financial system shall also be strengthened as a result. To this end, the EBA is responsible for analysing the impact of certain regulatory instruments and continuously improving cross-border supervisory cooperation. The EBA furthermore has a statutory mandate to define Implementing Technical Standards (ITS) and Regulatory Technical Standards (RTS) for certain areas.
The task of the EBA, together with the European Central Bank (ECB) as the supreme European supervisory body and the national supervisory authorities of the EU member states, is to use its resources to ensure an effective and coherent level of regulation and supervision in the European banking sector. In Germany, the Federal Financial Supervisory Authority (BaFin), which is also represented in the ECB's Supervisory Board, is the national supervisory authority for the financial sector. The ECB's Supervisory Board proposes draft decisions to the Governing Council under the non-objection procedure. The ECB and BaFin also participate in the development and updating of standards and guidelines in the various EBA working groups.
The second European Payment Services Directive, PSD2 for short, regulates central topics in payments. The PSD2 is the main regulatory cornerstone and thus forms one of the most important legal frameworks for payments. A proposal for a revised PSD3 is already available. This revised version and the supplementary, newly created PSR (Payment Service Regulation) expand and concretise the contents of the PSD2. The E-Money Directive will also be absorbed into it. In addition, the drafts announce numerous further-reaching guidelines and standards, as we already know from the PSD2. In addition to adjustments regarding strong customer authentication and the dedicated interface, the issue of fraud and consumer protection will continue to move into focus.
Throughout the European Union, billions of euros in taxes are evaded through VAT fraud every year. In order to effectively combat VAT evasion in e-commerce, payment service providers as defined by PSD2 have been obliged by the amending Directive 2020/284/EU to report certain payment data on cross-border payments to national tax authorities as of 1 January 2024. This data is then forwarded to the European Central Electronic System of Payment Information (CESOP) for retention. The aim is to strengthen the cooperation between the national authorities and improve the availability of information for the respective authorities. The data from CESOP is made available to officials of the Eurofisc network for analysis and evaluation in the course of combating VAT fraud. The European "Guidelines for the reporting of payment data from payment service providers and transmission to the Central Electronic System of Payment information (CESOP)" dated 03/08/2022 compile information on the payment data to be provided by payment service providers in the future. Moreover, the EU Commission initially published a 30-page document on 23/06/2023 with still open questions relating to the new directive. This document will be adapted on an ongoing basis until it enters into force.
The European Commission, the Council of the European Union and representatives of the European Parliament reached a preliminary agreement on the Digital Operational Resilience Act (DORA) proposal on 22 May 2022. The European Commission had published the legislative proposal on DORA on 24 September 2020 as part of the "Digital Finance Package". The package also includes a strategy for the digitalisation of the financial sector, legislative proposals on crypto-assets (MiCA and DLT pilot regime), legislative proposals on the operational stability of digital systems (DORA) and a retail payments strategy.
The DORA regulation pursues two important goals: firstly, to strengthen the digital resilience of financial companies throughout the EU and, secondly, to create a uniform legal framework. Among other things, it calls for the harmonised introduction of regulations on the documentation, classification and reporting of serious incidents related to information and communication technology (ICT). Requirements are also defined for ICT risk management, regular tests of the operational stability of digital systems are prescribed in the scope of business continuity management (BCM), and supervisory monitoring of third-party IT providers (TPPs) of critical systems is also intended. In the course of implementation, a fundamental structural change in supervisory governance and practice is to be expected in large parts of European financial market regulation.
Tokens such as Bitcoin, Ethereum or Tether USDt are becoming increasingly popular on the European market, either as an investment opportunity or for trading. The "Markets in Crypto-Assets" (MiCA) regulation creates a comprehensive set of rules within the EU to regulate this trading and the public offering of crypto-assets in a uniform manner. This will protect investors in particular in the future. The regulation came into force on 29 June 2023, although many of its rules do not yet apply. In future, providers of crypto services will need a MiCA licence in order to be allowed to carry them out within the EU. In return, they benefit from so-called "passporting", which allows them to offer their services in any EU member state with the licence, without any bureaucratic effort. The issuers of tokens also face new challenges. Depending on whether a legal entity or a bank issues a "value-referenced token", an "e-money token" or an "other crypto-value", certain requirements such as holding equity as well as reserve assets or the right of redemption for holders of the token must be fulfilled. For all categories of tokens alike, the publication of a crypto whitepaper will be mandatory. In it, the issuer must provide all necessary information about the token and the issuer's company in an understandable manner.
Be it the PSD2 or soon PSD3, Accounts Directive, SEPA Regulation or changes in customer communication – PPI accompanies payment service providers and financial institutions in planning the upcoming regulatory changes and supports them in reviewing or updating already implemented requirements. Just as important as the goal of meeting the regulations is not losing sight of the stakeholders along the way. Linking regulatory requirements with positive customer and employee experiences creates significant added value for all parties involved. PPI helps with the interpretation of the requirements and derives the best possible implementation strategies together with the financial institutions.
Regulation also receives a lot of attention on the EBICS blog run by PPI.