The evolution of the European payments ecosystem has reached a turning point with the arrival of the regulatory package consisting of the Payment Services Regulation (PSR) and the Payment Services Directive 3 (PSD3). These regulations not only aim to harmonize the market but also drastically raise security and accessibility requirements, positioning biometrics as the key strategy for financial institutions to comply effectively.
What are the PSR Regulation and the PSD3 Directive?
The PSR and PSD3 are the new European regulations designed to replace and improve the current PSD2, harmonizing payment rules throughout the European Union. While the PSR is a directly applicable regulation that establishes rules on transparency and rights, PSD3 focuses on the authorization and supervision of payment institutions.
Unlike the previous directive, the PSR ensures that no discrepancies exist between Member States as it is directly applicable. This new legal framework introduces critical concepts such as liability for impersonation fraud (spoofing) and flexibilizes the use of authentication factors, allowing two elements of the same category, such as two different inherence factors, to comply with Strong Customer Authentication (SCA).
How does the PSR redefine Strong Customer Authentication (SCA)?
Strong authentication under the PSR now allows the two required factors to belong to the same category, provided that their independence is guaranteed. This means that an entity can use two “inherence” elements (such as biometrics) to validate a transaction, improving both security and the user experience.
The regulation also expands the concept of “inherence” to include environmental and behavioral characteristics, such as location or device usage habits. For Veridas, this evolution is fundamental, as our facial and voice biometrics solutions allow compliance with these requirements of independence and high security without unnecessary friction for the end customer.
Why is accessibility mandatory in the new regulation?
Article 88 of the PSR imposes an obligation on payment service providers to offer authentication methods adapted to people with disabilities, the elderly, or those with low digital skills. The regulation requires that authentication does not depend exclusively on a single device or technology, such as a smartphone.
Veridas supports this transition by providing a “diversity of means” for the application of SCA. Our voice biometrics technology, for example, allows people who do not use mobile applications or smartphones to authenticate securely through telephone channels, thus complying with the financial inclusion criteria required by the new European regulatory framework.
What is the liability for impersonation fraud?
One of the most impactful novelties of the PSR is the obligation for payment service providers (PSPs) to refund customers the defrauded amount in cases of “impersonation fraud” within 10 days. This applies especially when the scammer pretends to be a representative of the bank itself to deceive the user.
Faced with this risk, which could significantly affect the annual profits of entities, the implementation of robust identity verification systems is vital. Veridas solutions allow for the reliable verification of both the sender’s and receiver’s identity, mitigating the risk of “spoofing” and protecting the entity from the severe penalties provided, which can reach 7.5% of annual turnover.
