PSD2 or PSD3? Understanding the Shift in Payment Rules

The European payment landscape is undergoing a major transformation. With the introduction of PSD3 and the accompanying Payment Services Regulation (PSR), the European Union is building on the foundation laid by PSD2 to create a more secure, transparent, and innovative financial services environment. But what exactly is changing?

What Was PSD2 All About?

The Second Payment Services Directive (PSD2), formally known as Directive (EU) 2015/2366, was introduced by the European Commission to modernize the regulatory framework for payment services across the EU. It came into effect in January 2018 and marked a significant shift in how financial data, banking access, and payment security were handled in the digital economy.

PSD2 aimed to increase competition, enhance customer protection, and foster innovation in the payments market. It did this by opening up the banking ecosystem to third-party providers—such as fintechs and software platforms—through regulated access to bank account information and payment initiation services. This laid the groundwork for Open Banking, where customers could authorize licensed service providers to access their financial data and initiate payments on their behalf.

One of the most impactful features of PSD2 was the introduction of Strong Customer Authentication (SCA). This security requirement mandated multi-factor authentication for most online payments, significantly reducing the risk of fraud and unauthorized transactions.

What’s New in PSD3 and the PSR?

Unlike PSD2, which was a standalone directive, the new approach splits the regulatory framework into two parts: PSD3 and the PSR.

PSD3 is the successor to the Second Payment Services Directive (PSD2). As a directive, it must be transposed into national law by each EU member state, which allows for some flexibility in implementation. PSD3 focuses on updating the legal and supervisory framework for payment service providers (PSPs), with the goal of strengthening the EU’s digital finance ecosystem.

PSD3 addresses:

  • Licensing and Supervision: PSD3 introduces stricter and more harmonized requirements for obtaining and maintaining a license as a payment service provider or electronic money institution. It also enhances the powers of national supervisory authorities to monitor and enforce compliance.

  • Organizational Requirements: The directive sets clearer rules around governance, risk management, and internal controls for PSPs, especially in relation to fraud prevention, data protection, and customer fund safeguarding.

  • Market Entry and Competition: PSD3 aims to reduce barriers for new entrants, including fintechs and non-bank providers, by clarifying the conditions under which they can access banking infrastructure and offer payment services.

  • Consumer Protection: It strengthens rules around transparency, dispute resolution, and liability in the event of unauthorized or fraudulent payments.

The Payment Services Regulation (PSR) is a new legal instrument that complements PSD3. Unlike a directive, a regulation is directly applicable in all EU member states without the need for national transposition. This ensures uniform rules across the EU, particularly in areas where consistency is critical for cross-border payments and data access.

Key Enhancements in PSD3 and PSR

The new rules introduce a comprehensive anti-fraud framework. Payment service providers will be required to:

  • Share fraud-related information across the industry.
  • Implement real-time verification of IBAN and account holder names before executing payments.
  • Collaborate with electronic communication service providers (e.g., telecoms, messaging platforms) to detect and prevent scams like spoofing.

These measures aim to reduce the growing threat of online payment fraud while ensuring that customers are not held liable for unauthorized transactions.

The PSR mandates clearer disclosure of:

  • All fees and exchange rates before ATM or card payment transactions.
  • Charges applied by payment card schemes, helping businesses and customers make better-informed decisions.

This increased transparency is designed to foster trust and competition in the payments market.

The new rules expand access to banking data for third-party suppliers, enabling more advanced Open Banking use cases. Licensed payment initiation and account information service providers will benefit from:

  • Broader and more standardized data access.
  • Fewer technical and legal barriers to integration with banks.
  • A more level playing field with traditional financial institutions.

This is expected to accelerate the development of new digital payment services and embedded finance solutions across the EU.

PSD3 refines SCA requirements to reflect technological advancements. It supports:

  • The use of biometric authentication (e.g., facial recognition, fingerprint).
  • Emerging standards like passkeys for seamless and secure online payments.

These updates aim to strike a balance between security and user convenience.

PSD2 vs PSD3: A Quick Comparison

| Category | PSD2 | PSD3 + PSR |
|---|---|---|
| Legal Form | Directive only | Directive (PSD3) + directly applicable Regulation (PSR) |
| Scope | National implementation across EU | Harmonized rules across all EU member states |
| Open Banking | Enabled access to banking data via APIs | Streamlined data access, improved API performance, and stronger consumer control |
| Access for Non-Bank Providers | Limited and inconsistent | Guaranteed access to all EU payment systems with safeguards; right to a bank account |
| Strong Customer Authentication (SCA) | Introduced multi-factor authentication | Enhanced with support for biometrics, passkeys, and future-proof security methods |
| Fraud Prevention | Basic SCA and liability rules | Real-time fraud detection, mandatory data sharing, and telecom collaboration to prevent spoofing |
| Consumer Rights | Improved transparency and dispute resolution | Expanded rights: clearer ATM fees, refund rights, and better payment information |
| Supervision & Enforcement | National authorities with limited coordination | Stronger EU-wide enforcement powers and clearer implementation guidelines |
| E-Money & Payments | Separate legal frameworks | Unified under a single regulatory regime |

This comparison highlights that PSD3 and the PSR are not a radical departure from PSD2, but rather a strategic refinement. They aim to close regulatory gaps, enhance security, and ensure that payment service providers, banks, and customers benefit from a more consistent and innovative financial ecosystem across the EU.

Why This Matters for Providers and Businesses

For payment service providers, banks, and software companies, the shift from PSD2 to PSD3 is more than a regulatory update—it’s a strategic opportunity. The new rules will:

PSD3 and the PSR aim to remove the remaining barriers to Open Banking by improving API performance, standardizing access protocols, and strengthening customer control over payment data. This creates a fertile environment for:

  • Fintechs to build new services like smart budgeting, real-time credit scoring, and embedded finance.
  • Banks to partner with third-party providers and monetize their infrastructure.
  • Software providers to integrate financial features directly into non-financial platforms (e.g., e-commerce, HR, logistics).

This shift enables businesses to move beyond traditional payment services and into data-driven financial innovation.

The PSR guarantees non-bank providers access to all EU payment systems, with appropriate safeguards. This is a game-changer for fintechs and digital-first businesses, as it:

  • Reduces dependency on traditional banks for infrastructure.
  • Encourages competition and innovation in the payments market.
  • Enables faster go-to-market for new entrants.

For established players, this means adapting quickly to stay relevant in a more open and dynamic ecosystem.

With stronger rules around fraud prevention, SCA, and data protection, PSD3 and the PSR aim to restore and reinforce customer trust in digital financial services. Businesses that adopt these standards early can:

  • Reduce fraud-related losses and chargebacks.
  • Offer a more secure and seamless payment experience.
  • Differentiate themselves as trustworthy and compliant providers.

This is especially important in sectors like e-commerce, travel, and digital banking, where trust directly impacts conversion and retention.

The legislative package is part of a broader EU strategy to open up financial data beyond just payment accounts. This will allow businesses to:

  • Offer more personalized financial products.
  • Improve risk assessment and underwriting.
  • Build AI-powered tools that rely on real-time financial behavior.

Preparing for the Transition

The shift from PSD2 to PSD3 and the introduction of the Payment Services Regulation (PSR) represent more than just a regulatory update—they signal a strategic transformation in how payment services, banking access, and financial data are governed across the EU. For payment service providers, banks, and fintech companies, early preparation is essential to remain compliant, competitive, and secure in this evolving landscape.

Before planning for PSD3, assess your current compliance with PSD2:

  • Are your SCA (Strong Customer Authentication) mechanisms fully implemented?
  • Are your APIs aligned with current Open Banking standards?
  • Are your fraud detection and reporting systems up to date?

This audit will help identify gaps and prioritize areas for improvement under the new rules.

The European Commission is actively publishing updates, FAQs, and legislative documents related to PSD3 and the PSR. Subscribe to regulatory newsletters, attend industry webinars, and monitor the Commission’s finance portal to stay ahead of changes.

PSD3 introduces real-time fraud monitoring, mandatory data sharing between providers, and collaboration with telecom operators to prevent spoofing. Prepare by:

  • Investing in behavioral analytics and AI-driven fraud detection.
  • Enhancing your SCA stack with biometric authentication and passkey support.
  • Ensuring your systems can verify IBAN and account holder names before executing payments.

The PSR and the EU’s new financial data access framework will expand the scope of data sharing beyond payment accounts. To prepare:

  • Ensure your APIs are scalable, secure, and standards-compliant.
  • Implement robust consent management and audit trails.
  • Explore partnerships with fintechs to leverage new data-driven services.

Transparency is a key theme in the PSR. You’ll need to:

  • Clearly disclose fees, exchange rates, and payment terms—especially for cross-border and ATM transactions.
  • Update your terms of service and privacy policies to reflect new rights and obligations.
  • Train customer support teams to handle new dispute resolution and refund processes.

Start conversations early with your national competent authority and industry associations. Participating in regulatory sandboxes or working groups can help you:

  • Test new technologies in a compliant environment.
  • Gain clarity on ambiguous requirements.
  • Influence the development of technical standards.

While the final adoption of PSD3 and the PSR is expected by late 2025, full compliance may not be required until 2027–2028. Use this time to:

  • Allocate budget and resources for compliance projects.
  • Build internal roadmaps for system upgrades and staff training.
  • Pilot new services that align with the upcoming rules.

Projected Calendar for PSD3 and PSR Implementation

| Date | Milestone | Details |
|---|---|---|
| June 2023 | Proposal Published | The European Commission officially presented the PSD3 and PSR package. |
| 2024–2025 | Legislative Negotiations | Ongoing discussions between the European Parliament and the Council of the EU to finalize the legal texts. |
| Q3–Q4 2025 | Final Adoption Expected | If negotiations proceed smoothly, final adoption of PSD3 and PSR could occur by late 2025. |
| 2026 | Transposition Period Begins (PSD3) | As a directive, PSD3 will require EU member states to transpose it into national law—typically within 18–24 months. |
| 2026–2027 | PSR Becomes Directly Applicable | As a regulation, the PSR will apply uniformly across the EU without national transposition, likely within 12–18 months of adoption. |
| 2027–2028 | Full Compliance Deadline | Businesses, banks, and payment service providers are expected to be fully compliant with PSD3 and PSR by this time. |

  • The PSR will likely come into force sooner than PSD3, since it does not require national implementation.
  • The European Commission has emphasized the importance of giving the industry sufficient time to adapt to new rules, especially around fraud prevention, SCA, and data access.

The transition from PSD2 to PSD3 marks a pivotal moment in the evolution of European payment services. With a stronger focus on security, data transparency, and innovation, the new framework is designed to meet the demands of a rapidly changing financial ecosystem. Whether you’re a bank, a payment provider, or a tech company building banking solutions, now is the time to prepare for the new rules—and the opportunities they bring.

FAQ

Need to learn more?

Regulation protects businesses and consumers from abuse, fraud, and financial risks, while ensuring market transparency and stability.

Key regulations include GDPR (data protection), the AML Directive (anti-money laundering), and PSD2 for payment security.

By implementing strict internal compliance processes, training employees on regulatory requirements, and using technology solutions to automate monitoring and audits.

Companies face substantial fines, criminal penalties, reputational damage, and potential restrictions on their business operations.
