What Should You Expect from the New PSD3 Rules?

With the introduction of the third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR), the European Commission is setting the stage for a more secure, open, and competitive financial ecosystem. These new rules are not just regulatory updates — they are a strategic shift in how payments, banking services, and financial data are managed across the EU.

What Is PSD3?

The Payment Services Directive 3 (PSD3) is the European Union’s latest legislative proposal aimed at modernizing and strengthening the payments and financial services ecosystem across the EU. It builds on the foundations of PSD1 (2007) and PSD2 (2015), both of which were instrumental in shaping the current landscape of digital payments, open banking, and data-driven financial innovation.
Expected to be finalized in 2025, PSD3 is accompanied by a new Payment Services Regulation (PSR). Together, these two legislative instruments are designed to address the shortcomings of PSD2, respond to emerging technologies, and ensure a more secure, competitive, and consumer-friendly environment for payment services across Europe.

Why PSD3? The Need for a New Directive

While PSD2 introduced groundbreaking concepts like open banking and strong customer authentication (SCA), its implementation revealed several gaps:

  • Inconsistent API standards across banks
  • Limited adoption of open banking by consumers
  • Rising levels of payment fraud
  • Regulatory ambiguity for non-bank providers

The European Commission recognized these issues and proposed PSD3 and PSR to:

  • Harmonize rules across member states
  • Strengthen consumer protection
  • Improve data access and security
  • Level the playing field between banks and non-bank providers
  • Encourage innovation in financial services and payments infrastructure

PSD3 vs. PSR: What’s the Difference?

While PSD3 is a directive (requiring transposition into national law), the PSR is a regulation — meaning it will apply directly and uniformly across all EU member states.

PSD3:

  • Focuses on legal definitions, licensing, and supervision
  • Applies to payment institutions, banks, and electronic money institutions
  • Requires national implementation

PSR:

  • Sets out operational rules for payment services
  • Covers consumer rights, data transparency, and security standards
  • Applies directly across the EU without national adaptation

Together, they form a comprehensive framework that governs both the structure and function of the European payments ecosystem.

PSD3’s Six Strategic Objectives

According to the European Commission’s proposal, PSD3 focuses on six core goals:

  • Enable payment service providers (PSPs) to share fraud-related data
  • Enhance SCA requirements
  • Extend refund rights for victims of fraud
  • Give users more control over their financial data
  • Improve transparency in account statements
  • Clarify ATM charges and access to cash services
  • Standardize access to payment systems for non-bank PSPs
  • Ensure fair competition between banks and fintech
  • Remove remaining barriers to open banking adoption
  • Streamline cross-border payments
  • Promote parity between domestic and international payment services
  • Allow retailers to offer cash withdrawals without requiring a purchase
  • Clarify rules for independent ATM operators
  • Update the authorization and supervision framework for non-bank providers
  • Ensure consistent enforcement across all European markets

Timeline and Implementation: What to Expect and When

Understanding the timeline for PSD3 and PSR is essential for software providers planning their compliance and product development roadmaps. As of mid-2025, the legislative proposals are still under review by the European Parliament and Council. However, the expected rollout follows a fairly predictable EU regulatory pattern.

Key Milestones

| Date | Milestone | What It Means for You |
|---|---|---|
| Q4 2025 | Final PSD3 and PSR texts published in the Official Journal of the EU | The legal framework becomes official. This is the starting point for the transition period. |
| Early 2026 | Transposition of PSD3 into national laws begins | EU member states begin adapting their national legislation to align with PSD3. |
| Mid to Late 2026 | Regulatory guidance and technical standards released | Expect clarifications from the European Banking Authority (EBA) and national regulators. |
| Early 2027 | PSD3 and PSR become applicable | The new rules are enforced across the EU. PSR applies directly; PSD3 must be implemented nationally. |

The EU typically grants an 18-month transition period after publication of a directive. This gives banks, PSPs, and software vendors time to adapt their systems, update documentation, and train staff. However, this window is tight — especially for companies with complex financial services infrastructure or multiple European markets.

Action Plan: How To Prepare for PSD3?

Below is a detailed action plan broken into five key areas, each aligned with the directive’s core themes: security, compliance, data access, payments innovation, and customer protection.

Start by reviewing your current systems and processes against the new regulatory requirements.

Key Tasks:

  • Map all payment flows, data exchanges, and authentication steps.
  • Identify where your platform touches regulated services (e.g., payment initiation, account information).
  • Review how you handle Strong Customer Authentication (SCA) and whether it meets the new PSD3 thresholds.
  • Evaluate your data protection and consent management practices in light of both PSD3 and GDPR.

Tools to Use:

PSD3 and PSR place a strong emphasis on open banking and API performance. Poorly performing APIs were a major issue under PSD2 — and the new rules aim to fix that.

Key Tasks:

  • Ensure your APIs meet minimum uptime, latency, and error rate standards.
  • Implement versioning, monitoring, and fallback mechanisms.
  • Support real-time payment initiation and data retrieval.
  • Provide sandbox environments for third-party developers.

Strategic Tip:

Consider adopting standardized API frameworks like Berlin Group or Open Banking UK to ensure interoperability across European banks and PSPs.

PSD3 introduces stricter rules around fraud liability, transaction monitoring, and customer protection.

Key Tasks:

  • Integrate real-time fraud detection tools such as Sis ID.
  • Implement transaction risk analysis (TRA) for dynamic SCA exemptions.
  • Offer user alerts, transaction confirmations, and dispute resolution workflows.
  • Share fraud-related data with other payment service providers as allowed under the directive.
Regulatory change isn’t just a technical challenge — it’s a people challenge. Your teams and clients need to understand what’s changing and why.

Key Tasks:

  • Train product, engineering, and compliance teams on PSD3 and PSR.
  • Create internal documentation and FAQs.
  • Host webinars or workshops for clients using your payment services or banking APIs.
  • Update your terms of service, privacy policies, and user interfaces to reflect new data rights and security obligations.

PSD3 encourages greater collaboration between banks, non-bank providers, and regulators. Don’t go it alone.

Key Tasks:

  • Join industry working groups (e.g., European Payments Council, Open Banking Europe).
  • Participate in API testing programs with partner banks.
  • Engage with regulatory sandboxes to test new features in a controlled environment.
  • Monitor updates from the European Commission, EBA, and national regulators.

PSD3 and the Future of Embedded Finance

The rise of embedded finance — where financial services are integrated directly into non-financial platforms — has been one of the most transformative trends in the digital economy. From e-commerce checkouts offering Buy Now, Pay Later (BNPL) options to ride-sharing apps with built-in wallets and real-time payments, the line between banks, software, and services is blurring fast.
With the introduction of PSD3 and PSR, the European Commission is taking steps to regulate this fast-growing space more effectively. These new rules will have a significant impact on how fintech platforms, software providers, and non-bank payment providers operate across the EU.

Embedded finance allows companies to:

  • Offer payment services without becoming a bank
  • Monetize financial data and transactions
  • Improve customer experience with seamless banking features
  • Build loyalty through integrated financial tools

However, this model also introduces regulatory complexity, especially when it comes to data sharing, security, and consumer protection.

One of the most exciting developments under PSD3 is the push for real-time payments. For embedded finance platforms, this means:

  • Instant settlement of transactions
  • Faster cash flow for merchants and users
  • Reduced payment failures and processing delays

According to Hartford Payments, real-time transactions are becoming the new standard in financial services, offering benefits like:

  • Instant access to funds
  • Improved customer experience
  • Reduced operational costs
  • Enhanced security and fraud detection

For software providers, integrating real-time payment rails will be essential to remain competitive and compliant.

While regulatory compliance may seem like a burden, it can also be a differentiator. Platforms that align early with PSD3 and PSR will be able to:
  • Expand across European markets with fewer legal barriers
  • Build trust with banks, partners, and end users
  • Offer premium features like secure data sharing, instant payments, and automated reconciliation
In a crowded fintech landscape, being compliant, secure, and transparent is no longer optional — it’s a strategic advantage.

The arrival of PSD3 and PSR marks a pivotal moment for the European payments and banking ecosystem. These new rules are not just about compliance — they’re about building a more secure, open, and innovative financial future.
For software providers, this is both a challenge and an opportunity. Those who act early — by upgrading their systems, aligning with regulatory expectations, and embracing open banking — will be best positioned to lead in the next wave of digital finance.
So, what should you expect from the new PSD3 rules? Expect change. Expect complexity. But most of all, expect opportunity.

FAQ

Financial fraud refers to any illegal activity aimed at deceiving a company or individual to gain a financial advantage, often through fraudulent transfers or embezzlement.

Identity theft, phishing, CEO fraud, and fake wire transfer orders are among the most frequent.

By implementing strict internal controls, raising employee awareness of potential threats, and using fraud detection software solutions.

Unusual transactions, urgent or non-compliant communications, and changes to banking details without verification are often indicators of potential fraud.
