From PSD2 to PSD3

From PSD2 to PSD3 and the Payment Services Regulation: What’s Next for Payments Regulation in Europe?

The European Union’s payments framework is undergoing a significant transformation. Since the introduction of the Revised Payment Services Directive (PSD2) in 2015, the EU has made substantial strides in fostering innovation, improving security, and increasing competition in the payments ecosystem. However, with the market continuing to evolve—driven by new technologies, market entrants, and consumer expectations—the European Commission is now preparing to implement a new legislative package: PSD3 and the accompanying Payment Services Regulation (PSR).

For payment service providers (PSPs), fintech firms, and financial institutions, this shift represents both a regulatory update and a strategic inflection point.

Why PSD3 and the PSR?

PSD2 was transformative in many ways—ushering in open banking, setting new security standards, and expanding the regulatory perimeter. But it has also faced criticism for inconsistent implementation across Member States, gaps in enforcement, limited uptake of third-party provider (TPP) services, and ongoing fraud challenges.

In response, the European Commission published its proposals for PSD3 and the Payment Services Regulation in June 2023. These twin instruments are designed to:

  • Harmonize and strengthen consumer protection and fraud prevention

  • Clarify and expand the scope of regulated activities

  • Improve the functioning of open banking

  • Reduce regulatory fragmentation across the EU

Key Changes Introduced by PSD3 and the PSR

The legislative package is divided into two parts:

1. Payment Services Regulation (PSR)

Unlike PSD2, which was a directive requiring national implementation, the PSR will be directly applicable across EU Member States. This aims to eliminate divergence in interpretation and enforcement.

Key provisions include:

  • Enhanced fraud prevention: PSPs will be required to share fraud-related data and implement improved customer authentication and transaction monitoring tools.

  • Stronger consumer rights: Reduced liability thresholds for unauthorized payments and clearer refund procedures for payment fraud.

  • Unified rules for open banking: Greater control for TPPs, including obligations for banks to provide high-quality, dedicated APIs and reduce obstacles to data access.

2. PSD3 (Directive)

PSD3 will primarily update and consolidate the licensing framework and institutional supervision elements.

Key changes include:

  • Revised licensing requirements: Streamlined procedures and higher supervisory expectations for new entrants.

  • Extension of scope: Bringing new players—such as certain fintech business models that were previously unregulated—into the perimeter.

  • Strengthened supervision: Better coordination between competent authorities and more emphasis on cross-border oversight.

Open Banking: A Renewed Focus

One of the major goals of the new framework is to realize the untapped potential of open banking. Under PSD2, many TPPs struggled with inconsistent API quality and limited customer adoption. The PSR will introduce clearer requirements on:

  • API performance and availability

  • Obligations not to ban screen scraping unless APIs meet certain standards

  • A ban on “contingency mechanisms” as a long-term solution

  • New consumer dashboards to manage data sharing and consent

The intention is to shift open banking from a compliance exercise to a genuinely competitive pillar of digital finance.

What About Non-EU Firms?

As with PSD2, the implications of PSD3 and the PSR will extend beyond the EU’s borders. Non-EU PSPs that serve EU-based customers or partner with EU-regulated institutions will need to assess the impact on:

  • API and data access obligations

  • Cross-border fraud mitigation expectations

  • Risk management and incident reporting obligations

Moreover, firms using EU licenses for passporting across Member States will need to understand the new supervisory and compliance dynamics that come with the regulatory overhaul.

What’s Next?

The legislative proposals are currently under review by the European Parliament and Council, with adoption expected by late 2025 or early 2026, depending on the legislative timeline. Once finalized, the PSR will take effect across the EU without requiring national transposition, while PSD3 will follow the usual directive implementation process.

How Should Firms Prepare?

Regulated entities should take proactive steps now to assess their readiness:

  • Conduct a regulatory impact assessment across licensing, compliance, and operational domains

  • Evaluate API infrastructure and TPP relationships to ensure readiness for enhanced open banking obligations

  • Review fraud monitoring systems in light of upcoming data sharing and liability changes

  • Monitor legislative developments closely and engage with trade associations or regulatory consultants to stay informed

Supporting Your Transition

As a regulatory consultant specializing in fintech and payments regulation, I work with firms navigating EU and cross-border regulatory change. Whether you’re evaluating the impact of PSD3 on your business model, need support with compliance assessments, or are planning a licensing strategy, I can help position your firm for the next era of payments regulation in Europe.

Have questions about PSD3, the PSR, or what it means for your business? Get in touch to discuss how I can help you stay compliant—and competitive—as Europe’s payments framework evolves.
