PSD3 and the Payment Services Regulation (PSR) will reshape the EU payments landscape, addressing fraud, elevating consumer rights, and harmonizing regulatory supervision. This update goes far beyond compliance—banks and financial leaders should act now to ensure readiness, mitigate risk, and capture new opportunities in digital finance.
Modernizing payment security: From PSD2 to PSD3 and PSR
PSD2 set the stage for open banking and strong customer authentication (SCA), but encountered limitations: patchwork national adoption, fragmented API standards, and a surge in new scams and fraud. To keep in step, the market needed more robust, uniform protection and innovation.
PSD3 (a directive) and PSR (a regulation) were introduced to:
Harmonize rules
Future-proof payments against new fraud
Create a level playing field for banks and PSPs
Directly enforce uniform requirements across the EU
PSD3 and PSR overview
Legislative status: Political agreement reached in late 2025; final implementation is expected between 2027 and 2028, via an 18–24 month rollout.
Fraud and liability: Mandatory payee name checks, real-time transaction monitoring, and new refund rules for authorized push payment (APP) and impersonation fraud. The sending and receiving banks and payment service providers (PSPs) are jointly liable for any customer losses if fraud prevention controls are not in place.
Consumer protection:
– Full refund after impersonation scams (when reported)
– Transparent, all-inclusive fees before payments
– Guaranteed human support
– Quicker, alternative dispute processes
Open banking and digital payments:
– Standards-based API requirements for third-party providers (TPPs)
– Permission dashboards for data consent
– “Minimum compliance” and “barebones APIs” are no longer acceptable
Access and competition:
– Non-bank PSPs receive non-discriminatory system access
– Retailers can provide cash withdrawals of up to €150 without requiring a purchase
– Crypto and e-money tokens partly covered going forward
The key differences between PSD2 and PSD3
Scope: PSD3 covers banks, fintechs, digital wallets, and e-money institutions under one harmonized regime.
Customer authentication and fraud: PSD3 expands SCA to cases such as wallet onboarding, ensures SCA options for those without smartphones, and makes SCA methods risk-based. Fraud controls are continuous, not “tick box”.
Liability: Clear refund obligations for impersonation scams and for provider failures.
Open banking: Permission dashboards, full API standardization, and no “fallback” loopholes for low-quality integration.
Data sharing: Lays a pathway to open finance: cross-category customer data portability and new business models.
Roadmap and key dates
Q1–Q2 2026: Final texts expected and legislative review ends
Q2–Q3 2026: National transposition, major banks start system upgrades
Late 2027–Early 2028: Full enforcement (PSR direct, PSD3 via national law)
7 Practical next steps for banks
Gap analysis on PSD3/PSR: Map your authentication, fraud detection, and third-party data access processes against new rules.
Upgrade fraud prevention: Adopt advanced monitoring and real-time analytics, and ensure name checking is fully implemented.
Streamline customer journeys: Make SCA frictionless and accessible (including for non-mobile users); minimize journey abandonment.
Modernize open banking infrastructure: Build to the latest API/interoperability specs, and deploy user dashboards for consent control.
Enhance customer support and dispute handling: Ensure human support is easily accessible and automate transparent fee disclosures.
Cross-team training: Prepare risk, compliance, and customer-facing staff for new requirements and consumer rights.
Engage fintech partners: Pilot compliance solutions, such as payment authentication and AI-based fraud detectors, and join industry forums early.
Monitor regulatory updates directly: Subscribe to updates from the European Commission payment services site and industry groups.
Join pilot programs and forums: Industry collaboration can help you shape requirements and access best practices.
Ask about PSD3-readiness from existing partners: See what technology and consulting providers like Entersekt offer for rapid gap closure and strategic opportunities.
Frame compliance as a competitive differentiator: Customers and fintech partners value fraud protection, transparent consent, and seamless experiences.