Exploring the Future of European Payments: An Interview with Jan van Vonno
Mar 5, 2025 10:04:26 AM • Author: Antonis Kazoulis
The European payments landscape is going through a significant transformation, driven by a wave of new regulations and standards. To understand these changes and their implications, we sat down with Jan van Vonno, Head of Industry & Wallets at Tink, to gain his expert insights.
Jan van Vonno is an expert in open banking and digital transformation. Before joining Visa through its acquisition of Tink, Jan played an important role in Tink's journey from its early stages to its acquisition by Visa. Jan has actively participated in shaping payment initiation and authentication standards, making him a key figure in the evolution of the European payments ecosystem.
Following Jan’s presentation at the Ximedes roundtable in January, we thought it would be interesting to get his thoughts on where the industry is and where it’s heading.
Your presentation highlights how eIDAS 2.0, IPR, and PSR are reshaping Europe's payments landscape. Given Visa's acquisition of Tink, how are you balancing the dual mandate of compliance with these evolving regulations while maintaining the agility to innovate in open banking infrastructure?
The current landscape of payment initiation services (PIS) presents three key challenges.
First, strong customer authentication (SCA) is heavily reliant on the bank's user experience, which varies significantly. eIDAS 2.0 promises to level the playing field in customer authentication, with the goal of achieving an industry-wide standard for a streamlined, 10-second process.
Second, the Instant Payment Regulation (IPR) will have impacts that we are still currently analysing.
Finally, the PSR's full effects remain speculative, as it is still under development. However, it will require banks to review their APIs, processes, and technical functionalities, which will encourage the market to become enabled. These three regulations, collectively, act as tailwinds, propelling the market towards greater innovation and standardisation.
The EUDI wallet rollout by 2026 aims to unify authentication across sectors. From Visa's unique vantage point, what technical and behavioural challenges do you anticipate in achieving critical mass adoption, and how might this redefine payment security paradigms?
On the technical front, a significant challenge lies in the incomplete nature of the EU toolbox, as the implementing acts are still in progress. Currently, only one set has been published, another is in draft, and the third has yet to be written. Additionally, the OpenID standard for Verifiable Credentials (VC) is still under development. Behaviourally, the ability to pay and accept payments via EUDI wallets is paramount, and it will probably be the most challenging behaviour in mass adoption. Countries with a strong preference for cash may face greater difficulty in adopting this new technology.
As an active participant in shaping payment initiation and authentication standards, how do you see the evolution of regulations like PSD3 and eIDAS 2.0 impacting the European payments ecosystem over the next five years? What opportunities or challenges do you foresee for financial institutions and fintechs in adapting to these changes?
The PSR dedicates considerable effort to clarifying misconceptions arising from PSD2, aiming to re-establish many of the use cases that existed before its implementation. PSD2 inadvertently disrupted certain business models by limiting access to data, a situation that PSD3 seeks to rectify. Payment journeys are multifaceted, encompassing more than just confirmation, and that’s where I see the most exciting
Your presentation emphasises the increasing compliance burden on financial institutions. How can organisations strike a balance between meeting regulatory requirements and fostering innovation, particularly in areas like open banking and real-time payments?
One of the most effective strategies is to partner with a specialised service provider. By leveraging the expertise and resources of these providers, financial institutions can navigate the complexities of regulatory compliance while simultaneously focusing on innovation and growth.
With the elimination of mandatory fallback interfaces, what technical-legal safeguards would you recommend for TPPs to maintain uninterrupted service when an ASPSP's dedicated interface fails to meet performance thresholds?
While the European Parliament (ECON) text has indeed removed the requirement for ASPSPs to provide a contingency mechanism to the AISP/PISP, the final PSR text has not yet been agreed upon. Therefore, it may be premature to conclude that this will be the case.
Nevertheless, if a contingency mechanism or interface is not available, AISPs and PISPs should still be able to expect access to a resilient service, as all financial institutions are subject to the rules outlined in the Digital Operational Resilience Act (DORA).
Either way, it is important that AISPs and PISPs continue to monitor the performance of the available dedicated interfaces as they are required to immediately report any deterioration in the quality or performance of services to the National Competent Authority (NCA).
The PSR requires PSPs to implement transaction monitoring mechanisms before applying SCA. How does this risk-based approach alter fraud prevention strategies compared to PSD2's rules, and what new compliance challenges does it create?
The proposed PSR builds upon the current RTS on SCA, aiming to create a more robust and harmonised framework for risk-based authentication and fraud prevention. While the current RTS has established the principle of risk-based SCA, the proposed PSR may introduce more stringent requirements and greater clarity, leading to further evolution in fraud prevention strategies and new compliance challenges for PSPs. Regardless, the "risk-based approach" is only relevant in the context where the PSP intends to exempt the application of SCA.
Given the new permission dashboards for open banking providers, what technical implementations do you foresee being most contentious in balancing user control with commercial data utilisation under FIDA's upcoming Open Finance framework?
One of the most contentious technical implementations will likely be the design of permission dashboards through which PSUs gain an additional channel to revoke third-party access to their payment account. Balancing user privacy, data minimisation, and the need for insights will require robust consent management systems, clear user interfaces, and compliance with data protection regulations like GDPR. Ensuring interoperability between different financial data access schemes will also be a significant challenge.
The EU's PSD3 and PSR proposals aim to strengthen user protection, enhance open banking competitiveness, and improve enforcement. From your legal perspective, what do you see as the most transformative aspect of these changes for FinTech companies? How should firms prepare to navigate the complexities of these new regulations?
As the EC stated along with the PSRD publication, it is an evolution, not a revolution. The most transformative aspect of PSD3 and PSR is the shift towards a harmonised and transparent regulatory framework.
In particular, the PSR aims to drive competitive fairness across all EU member states and ensure uniformity in the enforcement of the open banking provisions – especially as they relate to dedicated interfaces. AISPs and PISPs should continue to engage with industry forums to stay informed about regulatory developments and adapt proactively.