PSD3 and the Payment Services Regulation: a tracker
PSD3 and the Payment Services Regulation are the next major rewrite of the EU payments rulebook. They replace and split PSD2: the regulation handles the prudential and conduct rules directly, while a recast directive covers authorisation. The package was proposed by the European Commission in 2023 and is currently moving through trilogue. Anyone scoping a 2026–27 build needs to follow the file. This is the operational tracker — what is changing, what is settled, and what to plan for.
1. Why PSD3 / PSR exists
PSD2 — Directive (EU) 2015/2366 — has been in force since January 2018 and reshaped the payments market: SCA, AISP / PISP licensing, the open-banking access regime. The European Commission’s 2023 review identified gaps:
- Inconsistent national supervision and authorisation criteria
- Open-banking permissions overly burdensome on consumers
- Fraud-loss allocation unclear for new fraud patterns (impersonation, social-engineering)
- SCA exemptions inconsistently applied across the bloc
- Non-bank PSPs blocked from key payment-system access
The Commission’s response was to split PSD2 into two instruments: a Regulation (the PSR) handling rules of conduct that should apply uniformly across the EU, and a Directive (PSD3) handling licensing and supervisory architecture that member states implement nationally.
2. The two instruments at a glance
| Instrument | What it covers | Direct effect? |
|---|---|---|
| PSR — Payment Services Regulation | Rights and obligations of users and PSPs, fraud-loss allocation, SCA, open-banking access, account-information and payment-initiation services, transparency requirements | Yes — applies uniformly across all EU member states without national transposition |
| PSD3 — Payment Services Directive (third) | Authorisation of payment institutions and electronic-money institutions, prudential supervision, member-state competent-authority architecture | No — each member state transposes; some discretion preserved |
The split is a significant architectural change. Conduct rules that today differ across member states (because PSD2 is a directive) become uniform under the PSR. Authorisation rules that need national tailoring (capital, governance, supervisor architecture) stay in PSD3.
3. Open banking — the biggest functional rewrite
The open-banking regime was the most criticised part of PSD2. The PSR proposal addresses:
- Permission management for consumers — a standardised dashboard at the bank where consumers see active third-party permissions and can revoke them in one click. This becomes a regulated user-interface obligation, not a market-led add-on.
- Data scope — clearer demarcation of which data fields a TPP is entitled to, and clearer constraints on derivative use.
- Performance standards — defined SLAs on TPP-bank API performance, breach of which can be supervised at the bank.
- Reverse access (industry “FIDA”) — a separate Financial Data Access Regulation extends open-data principles beyond payments. This is a related but distinct file.
4. Fraud-loss allocation
The PSR proposal rewrites the allocation rule for unauthorised payments and authorised-push-payment fraud:
- Spoofing fraud — where the fraudster impersonates the bank itself (vishing, phishing using the bank’s brand), the loss falls on the PSP unless the consumer was grossly negligent. This is a meaningful shift; today the allocation often falls on the consumer.
- Verification of Payee — the PSR codifies the VoP obligation already introduced under the IPR; a misdirected payment where the PSP failed to perform VoP triggers PSP liability.
- SCA exemptions — the proposal tightens corporate-payment SCA exemptions and clarifies the recurring-transaction logic.
5. Non-bank access to payment systems
One of the most-discussed PSD3 provisions: the directive proposes that non-bank PSPs (PIs, EMIs) gain direct access to settlement systems including TARGET2 / TARGET, ending the requirement to operate through correspondent banks for euro settlement. The mechanics — collateral, governance, prudential thresholds — are working through the trilogue.
If finalised as proposed, this materially changes the cost structure and resilience profile of EMIs and PIs. It also changes where to base an EMI — direct settlement access becomes a meaningful supervisory capability that varies by national central bank.
6. Authorisation rules under PSD3
The directive recasts the licensing framework:
- EMI / PI merger of frameworks — the proposal removes the separate Electronic Money Institution category and folds it into a unified Payment Institution licence with sub-categories, reducing classification ambiguity for hybrid models.
- Capital requirements — the floor figures and the calculation methods are revisited; expect modest upward adjustment for some categories.
- Governance and outsourcing — alignment with DORA obligations is explicit.
- Cross-border passporting — clarified procedural rules to reduce host-state friction.
7. Timeline — what to expect
What that means for project planning:
- Builds going live in 2025 should respect PSD2 — that is the live regime.
- Builds going live in 2026 should be designed PSD3-aware, particularly on open-banking dashboards and fraud-allocation logic.
- Builds going live in 2027 onwards should assume the new regime is in operation and design around it from the start.
8. Overlap with the Instant Payments Regulation
Several PSR provisions overlap with the Instant Payments Regulation: VoP, sanctions-screening simplification for SEPA-only transfers, fee parity. Where the PSR codifies obligations already introduced by the IPR, the IPR remains the operative instrument until the PSR enters into force; the PSR does not displace the IPR’s earlier deadlines.
9. FAQ
Is PSD3 already in force?
No. The Commission’s proposal dates from June 2023. The file is in the EU legislative process. Both the PSR and PSD3 will only apply after final adoption and (for PSD3) national transposition.
Does PSD3 replace PSD2?
Yes — PSD3 plus the PSR are intended to replace PSD2. The split (regulation + directive) is itself a structural change; some content moves from directive to regulation form.
Will my EMI authorisation continue under PSD3?
The Commission’s proposal includes transitional provisions for existing PSD2 authorisations. The expectation is that current EMI and PI licences continue, with a defined window to align with new requirements. Specifics will be set in the final text.
Does the PSR change anything for AISPs and PISPs?
Yes. The PSR rewrites the open-banking access regime, the consent dashboard at banks, the data-scope rules, and the performance SLAs. AISP / PISP firms should follow the file closely.
What about the Financial Data Access Regulation (FIDA)?
FIDA is a separate but related file extending open-data principles beyond payments to insurance, savings, mortgages and pensions. It is not part of PSD3 / PSR but the architectures interact.
Will I need a new licence?
Probably not — the Commission’s proposal grandfathers existing licences. Expect to update governance, capital calculations and outsourcing-register details rather than re-license.
10. What to do, today
- Subscribe to the European Banking Authority’s PSD3 / PSR communications and the Commission’s press releases for updates.
- Map your current PSD2-driven obligations and identify which ones are likely to migrate to the PSR (uniform) versus stay in PSD3 (national).
- Plan open-banking dashboards as a 2026–27 capability requirement — even before final adoption.
- Stress-test fraud-allocation flows against the proposed spoofing-fraud allocation rule. The shift can be material.
- If your roadmap includes direct settlement access, watch the non-bank-PSP-access provisions carefully — they materially change the EMI / PI operating model.


