.svg)
Speaking exclusively to VIXIO, Denmark’s payments regulation lead has suggested changes to strong customer authentication (SCA), banks’ obligations and APIs should be on the agenda for the next iteration of the Payment Services Directive (PSD3).
"PSD2 has been a success,” acknowledged Rikke-Louise Ørum Petersen, who has served as the Danish Financial Supervisory Authority’s (DFSA) deputy director since 2018.
In her role, the regulator is responsible for overseeing payments services, as well as areas such as fintech, money laundering and consumer affairs.
National competent authorities are all too aware of the impact of PSD2 implementation, having been directly overseeing member states in their adaptation of the rules.
And now, as the time comes to reopen the laws again, Ørum Petersen has her thoughts on what should be addressed by the next legislation.
"As we move towards PSD2 changes and the open finance framework, we think that the regulation should be more principles-based and less detailed,” she said.
She continued to point out that people complain it lacks proportionality.
Meanwhile, smaller firms have said they cannot get into the market. “I'm not saying that anybody should have a free ride but I think we should try and strive for less detailed regulation."
In addition, the regulator sees PSD3 as an opportunity to revisit the SCA requirements.
"We want SCA to be risk-based and more innovative, as the current rules don't give sufficient room for that,” she said. “Consumer protection is at the core of our hearts and we need to combat fraud."
Although it is often the fintech side who claim that PSD2 has not created equal footing with the banks yet, Ørum Petersen pointed out that these incumbents have also made sacrifices.
"Rules regarding third-party providers need to be revisited,” she pressed. “Banks feel as if they are having to give out a lot of information and we may need to strive for more balance in the next framework."
Without PSD2, Ørum Petersen said that there would be no open APIs. “We would not have been able to force the banks to open up and make information available to third parties.”
In addition, the DFSA has seen a mentality shift with banks. “They want this to work,” she said.
The success of open APIs has mainly been felt by small and medium-sized businesses, which have greatly benefited according to the regulator. “Yet, for ordinary consumers, perhaps they have not benefited as much yet, albeit with new protections with SCA."
This is why the DFSA is, as with many other countries in Europe, still working to realise the true potential of PSD3.
"We're still focused on ensuring the full benefit of PSD2 and there is a continuous effort to ensure banks are offering fully functional APIs,” she said.
PSD3 safeguards
Nationally, the issue of safeguarding has also emerged as a trend, she commented. “It needs a stronger regulatory framework.”
“For example, we have had an insolvency case with one payments institution,” she said. “Here, it looks like money that was supposed to be in a closed account ended up used for different purposes."
Safeguarding has also been touted by the European Banking Authority as an area that the European Commission should look at, if it decides to propose a PSD3.
Recommendations in the European supervisory authority’s report include clarifying that safeguarding accounts should only be held with banks that are headquartered in the EU or the branches of third-country banks based in the trading bloc.
In addition, SCA is also very important, Ørum Petersen said. “We need to ensure that the rules are as effective as they were intended to be. If you see a fraud drop, then you can see it building up again. It is a constant fight."
According to the regulator, SCA-type features were already widely used in Denmark; however, there was still difficulty in getting systems for online card payments ready.
This was especially the case with getting smaller merchants ready for two-factor authentication rules. “It was this group that had the greatest difficulties.”
"We have seen amazing results from introducing SCA, yet fraud has slowly, steadily been on the rise again,” she warned. “This has always been the same with every type of crime. Instead of the ways they did it before, now criminals are turning to other fraud types such as social engineering and phishing.”
For Ørum Petersen, this rise from a good starting point after SCA means it is something that will need to be looked into when PSD3 is negotiated. “We need to look at what we can do now to ensure there are a high standard of safeguards in place that make it very difficult to make fraud schemes.”
She did not underestimate the challenges of crafting good regulation here, however.
“This will be difficult” because criminals are simply picking up the phone and targeting vulnerable segments of society such as the elderly. “Somehow in these conversations, fraudsters are able to come across as innocent and get consumers to give up their details,” she said.
Regulating crypto
Away from PSD2/3, the Danish regulator also joined others, such as the Bank of Lithuania, in expressing their keenness for the EU’s crypto-asset framework to be in force.
The EU’s Markets in Crypto Assets (MiCA) legislation will bring the EU’s 27 member states under uniform rules regarding crypto-assets — something which is currently only accounted for via anti-money laundering directives.
“We are looking forward to MiCA,” said Ørum Petersen. “We acknowledge the existence of crypto-assets and people using them. You can't just ignore this.”
“There is a good approach coming with MiCA but until the rules are in place, we will continue to just say that this is an unregulated market and people need to be careful."
So far, like many EU regulators, the DFSA has focused on informing consumers about the risks of investing in crypto-assets.
"We have issued warnings, and made the comparison that this market is like the wild west. We have been trying to tell consumers that this isn't a regulated market, it is a bit like gambling.”
There is, however, still a wait for MiCA to come into place, of course.
The regulation is currently likely to be in place in early 2024.
