
PSD3 & PSR – What companies need to consider

With PSD3 and PSR, the EU is fundamentally revising payment services regulation. For payment institutions, e-money institutions, and banks, this means new obligations in terms of customer authentication, fraud liability, and open banking. We explain the most important changes and show how affected companies can prepare.

Key Takeaways

  1. Timeline: We expect finalisation of the PSD3/PSR texts and official sign-off by the Council and the European Parliament in the coming weeks, with earliest application in H2 2027, potentially moving to early 2028 if the Council's 24-month implementation period is adopted.
  2. Evolutionary, Not Revolutionary: The new legislative package builds on PSD2 rather than fundamentally reshaping it, but still requires significant operational, technical and compliance changes from PSPs.
  3. Extended Fraud Liability: Consumer-facing PSPs face an expanded liability regime covering authorised push payment fraud (impersonation fraud), in addition to existing obligations for unauthorised and defective transactions.
  4. Stricter Open Banking Requirements: ASPSPs must implement dedicated interfaces for third-party providers (TPPs), provide customer dashboards for consent management, and face more limited grounds for refusing banking services to other PSPs.

What is PSD3/PSR?

PSD3 (the Third Payment Services Directive) and PSR (the Payment Services Regulation) represent the EU's next generation of payment services legislation, building upon the framework established by PSD2. The legislative package was proposed by the European Commission in June 2023, and the Council of the EU's drafts were approved by COREPER on 18 June 2025, allowing the trilogue process to commence.

A key structural change is that while PSD3 remains a Directive (requiring national implementation), many conduct-of-business requirements are now housed in the directly applicable PSR. This aims to ensure more consistent application across Member States and reduce the scope for divergent national implementation that characterised PSD2. Another structural element is that the formerly independent EMD2 is integrated into the new framework, so EMIs are regulated alongside PIs.

What is the Timeline?

The legislative process is currently in the trilogue stage, with strong appetite to conclude both files in the coming weeks. Regarding implementation timelines:

  • The original Commission proposal provides for an 18-month implementation period, while the Council proposes to extend this to 24 months (or 21 months in the draft agreement).
  • As such, the earliest PSD3/PSR is likely to become applicable is H2 2027, although this could move into early 2028 if the Council is successful in extending the implementation period.
  • Existing payment institutions (PIs) and e-money institutions (EMIs) will have two and a half years under the Council Text (up from two years in other versions) to demonstrate compliance with the incoming prudential requirements.
  • Confirmation of payee requirements and the respective liability regime should apply from 24 months after the date of entry into force of the Regulation.

Which Companies Are Affected?

The new regime affects different parties in different ways:

| Affected Entity | Key Impacts |
| --- | --- |
| E-Money Institutions (EMIs) | Must consider their approach to safeguarding due to the merging of the e-money and payments regimes; must safeguard funds by the end of the following business day; must register distributors with regulatory authorities. |
| Consumer-Facing PSPs | Face an increased liability regime encompassing authorised push payment (impersonation) fraud; remain liable to consumers potentially for longer than the 13-month period first introduced under PSD1. |
| Account Servicing PSPs (ASPSPs)/Banks | Much less discretion when it comes to providing banking services to other PSPs; must review SCA solutions with focus on accessibility; must provide dedicated interfaces for TPP access and customer dashboards for consent management; must share details of accounts/customers suspected of operating fraudulently. |
| Third-Party Providers (TPPs) | Will benefit from clearer rules on prohibited obstacles; access now primarily via dedicated interfaces. |
| Crypto-Asset Service Providers (CASPs) | May need dual authorisation to provide payment services in electronic money tokens (EMTs); the Council Text proposes that being licensed as a CASP is not sufficient to qualify as a PSP. |
| Online Platforms/Commercial Agents | Those using the commercial agent exemption must consider if they can still operate without authorisation or need to partner with a PSP. |
| ATM Deployers | Subject to a new light-touch registration regime. |
| Technical Service Providers | May be subject to indirect regulation; those providing and verifying SCA elements are to be treated as outsourced service providers. |


What Are the Key Changes?

Strong Customer Authentication (SCA)

SCA elements no longer need to be from different categories (i.e., authentication could rely on two knowledge elements). Paper-based and MOTO transactions are not in scope of SCA requirements, provided relevant security checks allow another form of authentication. PSPs' SCA solutions must cater for persons with disabilities, older persons, those with low digital skills and those who do not have access to digital channels; SCA cannot depend on access to a smartphone. AISP access will be permitted for 180 days following initial SCA without requiring further SCA (unless there are fraud concerns).

Fraud Liability and Impersonation Fraud

The PSR introduces a new obligation on PSPs to refund consumers within 10 business days where the consumer is tricked into authorising a payment by a fraudster impersonating the PSP. The consumer will not be entitled to a refund if they have been party to the fraud, or have been grossly negligent. The burden of proof is on the PSP to prove that the consumer acted fraudulently or with gross negligence. The EP Text seeks to broaden this to cover impersonation of "any other relevant entity of public or private nature," though this has not been accepted in the Council's Text.

Confirmation of Payee

PSPs will be required to provide a confirmation of payee service free of charge, notifying customers of any discrepancy between a unique identifier and the payee name provided. PSUs can opt out of the service, though PSPs must highlight the risks of doing so. A PSP will be liable to refund the PSU for payments where the PSP has failed to notify the PSU of a discrepancy. The Council Text leverages the verification of payee requirements under the Instant Payments Regulation, which amended the SEPA Regulation.

Open Banking and TPP Access

ASPSPs are now required to rely on a dedicated customer interface for TPP access. ASPSPs with modified customer interfaces will either have to apply for permission to use their customer interface or move to a dedicated customer interface. A "dashboard" must be provided enabling PSUs to manage the various consents they have given to TPPs centrally. Grounds for refusing access to payment services for PSPs are significantly limited.

Safeguarding

The safeguarding regimes of PSD2 and EMD2 are aligned: EMIs will now have to safeguard by the end of the following business day after receipt of funds. A new requirement to mitigate concentration risk of safeguarded funds is introduced.

Transaction Monitoring and Data Sharing

PSPs will be required to implement transaction monitoring mechanisms to prevent and detect potentially fraudulent transactions. PSPs must share unique identifiers to prevent and detect fraud when at least two different PSUs who are customers of the same PSP have notified their PSP that a unique identifier of a payee was used for fraud. PSPs must jointly conduct a DPIA under Article 35 of the GDPR.

Winding-Up Plans

PSD3 introduces a new requirement for applicants seeking authorisation as a payment institution to submit a winding-up plan in case of failure, adapted to the envisaged size and business model of the applicant. The plan must be appropriate to support an orderly wind-up of activities under applicable national law, including continuity or recovery of any critical activities performed by outsourced service providers, agents or distributors. For applicants intending to provide payment services as referred to in Annex I, points (1) to (5), or point (8) of PSD3, the winding-up plan must include arrangements for the return of safeguarded funds in the event of a disorderly wind-up. This requirement also applies to crypto-asset service providers (CASPs) seeking authorisation to provide payment services using electronic money tokens under PSD3.

How Should Companies Prepare?

The incoming changes will affect particular areas of a PSP's business in different ways, likely including a combination of changes to:

  1. Customer agreements: Review and update terms and conditions, particularly regarding liability, SCA requirements, confirmation of payee, and consent management.
  2. Policies and procedures: Update fraud prevention, transaction monitoring, safeguarding, and AML policies; develop data sharing arrangements with other PSPs.
  3. Technology and operations: Build or enhance dedicated TPP interfaces, customer consent dashboards, confirmation of payee services, and SCA solutions that meet accessibility requirements.
  4. Regulatory engagement: Existing APIs and EMIs will need to provide additional information required as part of an application for "re-authorisation"; notify regulators of new safeguarding arrangements; register distributors (for EMIs).
  5. Gap analysis: Perform a gap analysis to determine what information must be provided to regulators and what operational changes are required.

FAQ