Search
Choose a style
Dark
Light
Time to read: 6 min

PSD3 explained: How EU payments regulation is evolving

PSD3: What you need to know.
The EU’s third Payment Services Directive (PSD3) is the biggest overhaul of European payments regulation in a decade. Here is what changes and who it affects.

The first Payment Services Directive (PSD), adopted in 2007, established a harmonised legal framework for an integrated EU payments market. PSD2 followed, with most provisions applying from 2018, though strong customer authentication requirements were subject to repeated delays and only fully came into force in 2021. It introduced open banking and the regulatory foundation for third-party access to payment accounts.

But payments moved fast. The European Commission‘s own review of PSD2 identified that consumers remained at high risk of fraud and lacked confidence in payments; that open banking was inefficient and obstructed innovation; that supervisors across member states had inconsistent powers; and that non-bank PSPs faced a competitive disadvantage relative to banks.

A two-instrument package

PSD3 – and its companion instrument, the Payment Services Regulation (PSR) – is the response to those findings. PSD3, as a directive, primarily addresses licensing and supervision, and will need to be transposed into national law by each member state.

The PSR, as a regulation covering security, strong customer authentication and the obligations of payment service providers (PSPs), is directly applicable across all EU member states without the need for local transposition.

PSD2 was a directive, which meant member states had discretion in how they transposed it. Conduct-of-business rules that previously sat within PSD2, allowing member states discretion during transposition, will now be incorporated into the directly applicable PSR, ensuring uniform application across the EU.

The effect is to close off the regulatory arbitrage that allowed some firms to passport services from jurisdictions applying lighter enforcement.

Fraud liability shifts to providers

The most significant operational change in PSD3 is where fraud liability lands. PSPs that fail to implement adequate fraud risk controls will assume liability for customer losses. Specifically, if a customer is defrauded through impersonation fraud, the PSP will have the obligation to reimburse them.

The PSR introduces the following specific fraud prevention obligations:

  • Name-to-IBAN matching – PSPs must verify that a payee’s name matches the account identifier before a transfer is processed, extending a Verification of Payee-style requirement across the EU.
  • Fraud data sharing – PSPs must share fraud-related data with each other via a dedicated platform, subject to a data protection impact assessment, with stored data limited to a maximum of five years.
  • Spoofing reimbursement – a new consumer refund right for cases where a fraudster impersonates a trusted authority is being introduced.
  • Platform liability – large online platforms will be liable to banks if they fail to remove fraud-promoting content after being notified, where that content triggered reimbursement payments.

Strong customer authentication is broadened

The proposed legislation imposes enhanced strong customer authentication (SCA) requirements, obliging PSPs to implement adaptive, risk-sensitive authentication processes that reflect user behaviour, transaction patterns and emerging fraud typologies. PSPs will also have to improve the accessibility of SCA for users with disabilities, older people and others facing challenges.

The political agreement opens the possibility for PSPs to use an SCA mechanism built from a combination of physiological biometrics – including fingerprints and facial recognition – and behavioural biometrics, such as typing and screen-touch patterns.

What changes for banks

For credit institutions, PSD3 and the PSR impose new obligations around API quality and PSP access. Banks will have to give clear reasons if they decline to give PSPs access to their services, addressing a recurring complaint from open banking providers that PSD2’s access requirements were inconsistently enforced.

Failure to meet API obligations is now an enforceable matter: national regulators can penalise banks for failing their API obligations.

Banks will also be subject to the same broadened SCA and fraud-monitoring requirements under the PSR, with regulators expected to increase scrutiny of fraud prevention and operational resilience across the sector.

Changes for payments firms across the EU with PSD3. Image credit: Mounir Taha/Shutterstock

What changes for non-bank PSPs and EMIs

Non-bank payment institutions and electronic money institutions (EMIs) – including fintech acquirers, wallets, processors and e-money institutions – face significantly tougher safeguarding and capital rules, including stronger client-fund safeguarding, enhanced capital requirements, and alignment with the Digital Operational Resilience Act (DORA) on information and communications technology (ICT) risk.

The PSD3 and PSR frameworks will harmonise and streamline the authorisation regime for payment institutions and EMIs, consolidating PSD2 and the Electronic Money Directive into a single supervisory framework.

Applicants will face clearer initial capital requirements, harmonised timelines and more detailed expectations around governance, risk management and internal controls.

Under the new authorisation regime, authorisations already granted to payment institutions (PIs) and EMIs will remain valid for 24 months from the entry into force of PSD3. However, PIs and EMIs will have to submit a new application to their national competent authority to demonstrate compliance with the new requirements.

Firms should expect that process to resemble the grandfathering exercise that accompanied PSD2, with national competent authorities (NCAs) publishing formal deadlines for applications.

For payment initiation service providers (PISPs) and account information service providers (AISPs), they will be allowed to build and connect their own interfaces to banks and other financial institutions, removing one of the persistent frictions of the PSD2 era where reliance on bank-provided APIs created performance and availability issues.

PSD3 will also introduce a simpler authorisation application process for providers already licensed under Markets in Crypto-Assets Regulation (MiCA), though two-licence outcomes remain necessary for certain business models where crypto-asset activities fall within the scope of both regimes.

Status and timeline

PSD3 will change the mechanism in which objectives under PSD2 are delivered – fraud prevention, open banking, consumer protection and supervisory harmonisation – to make rules directly applicable across the EU where PSD2 saw regulation diverge in application.

On 27 November 2025, the European Parliament and the Council of the EU reached a provisional political agreement on both texts. The agreed texts are still being finalised through legal linguistic review and translation.

The key dates firms should be tracking:

  • H1 2026 – publication in the Official Journal anticipated, though not yet confirmed at time of writing
  • 18 months after entry into force – PSR applies; PSD3 transposition deadline for member states (the Council proposed extending this to 24 months; the final implementation period remains subject to the published text)
  • 24 months after entry into force – payee-name/IBAN verification obligation takes effect
  • H2 2027 at earliest, potentially H1 2028 – full compliance across EU markets, depending on the final implementation period

For firms, 2026 should be used to understand regulatory requirements in detail, identify areas for action, and begin implementation by the start of 2027 at the latest.

Subscribe to our newsletter