PSD3 and the Payment Services Regulation (PSR) will reshape the EU payments landscape, addressing fraud, elevating consumer rights, and harmonizing regulatory supervision. This update goes far beyond compliance—banks and financial leaders should act now to ensure readiness, mitigate risk, and capture new opportunities in digital finance.
Modernizing payment security: From PSD2 to PSD3 and PSR
PSD2 set the stage for open banking and strong customer authentication (SCA), but encountered limitations: patchwork national adoption, fragmented API standards, and a surge in new scams and fraud. To keep in step, the market needed more robust, uniform protection and innovation.
PSD3 (a directive) and PSR (a regulation) were introduced to:
- Harmonize rules
- Future-proof payments against new fraud
- Create a level playing field for banks and PSPs
- Directly enforce uniform requirements across the EU
PSD3 and PSR overview
- Legislative status: Political agreement reached in late 2025; final implementation is expected between 2027 and 2028, via an 18–24 month rollout.
- Fraud and liability: Mandatory payee name checks, real-time transaction monitoring, and new refund rules for authorized push payment (APP) and impersonation fraud. The sending and receiving banks and payment service providers (PSPs) are jointly liable for any customer losses if fraud prevention controls are not in place.
- Consumer protection:
– Transparent, all-inclusive fees before payments
– Guaranteed human support
– Quicker, alternative dispute processes
- Open banking and digital payments:
– Permission dashboards for data consent
– “Minimum compliance” and “barebones APIs” are no longer acceptable
- Access and competition:
– Retailers can provide cash withdrawals of up to €150 without requiring a purchase
– Crypto and e-money tokens partly covered going forward
The key differences between PSD2 and PSD3
- Scope: PSD3 covers banks, fintechs, digital wallets, and e-money institutions under one harmonized regime.
- Customer authentication and fraud: PSD3 expands SCA to cases such as wallet onboarding, ensures SCA options for those without smartphones, and makes SCA methods risk-based. Fraud controls are continuous, not “tick box”.
- Liability: Clear refund obligations for impersonation scams and for provider failures.
- Open banking: Permission dashboards, full API standardization, and no “fallback” loopholes for low-quality integration.
- Data sharing: Lays a pathway to open finance: cross-category customer data portability and new business models.
Roadmap and key dates
- Q1–Q2 2026: Final texts expected and legislative review ends
- Q2–Q3 2026: National transposition, major banks start system upgrades
- Late 2027–Early 2028: Full enforcement (PSR direct, PSD3 via national law)
7 Practical next steps for banks
- Gap analysis on PSD3/PSR: Map your authentication, fraud detection, and third-party data access processes against new rules.
- Upgrade fraud prevention: Adopt advanced monitoring and real-time analytics, and ensure name checking is fully implemented.
- Streamline customer journeys: Make SCA frictionless and accessible (including for non-mobile users); minimize journey abandonment.
- Modernize open banking infrastructure: Build to the latest API/interoperability specs, and deploy user dashboards for consent control.
- Enhance customer support and dispute handling: Ensure human support is easily accessible and automate transparent fee disclosures.
- Cross-team training: Prepare risk, compliance, and customer-facing staff for new requirements and consumer rights.
- Engage fintech partners: Pilot compliance solutions, such as payment authentication and AI-based fraud detectors, and join industry forums early.
See Entersekt’s advice for institutions:
- PSD3: What financial institutions need to know now
- PSD3 news: Beyond compliance, how banks can gain competitive wins
How to stay ahead of PSD3 updates
- Monitor regulatory updates directly: Subscribe to updates from the European Commission payment services site and industry groups.
- Join pilot programs and forums: Industry collaboration can help you shape requirements and access best practices.
- Ask about PSD3-readiness from existing partners: See what technology and consulting providers like Entersekt offer for rapid gap closure and strategic opportunities.
- Frame compliance as a competitive differentiator: Customers and fintech partners value fraud protection, transparent consent, and seamless experiences.