The EU is finalising a significant overhaul of its framework for payments regulation. On 22 April 2026, the proposed text of the Third Payment Services Directive (PSD3) and a new directly applicable Payment Services Regulation (PSR) were put before a meeting of national representatives for approval. Together, these measures will repeal and replace the existing regimes under PSD2 and the Electronic Money Directive (EMD2), with a single supervisory framework focused on harmonisation, fraud prevention, and strengthening open banking.
The provisional political agreement for the reforms was reached in November 2025, with formal adoption expected in 2026. On 23 April 2026, the Council of the European Union issued an ‘I’ Item Note (dated 17 April 2026) on the draft Directive and Regulation, alongside final compromise texts for both instruments. The Note, which invites the Committee of Permanent Representatives to approve the drafts, is another sign that PSD3 and the PSR are close to coming into force.
Firms should anticipate the coming into force of the new regime by late 2027, with transitional provisions applying to licensing. Firms should also note that Level 2 measures (Regulatory Technical Standards and Implementing Technical Standards) from the European Banking Authority (EBA) will follow, shaping detailed compliance requirements.
For banks, payment institutions (PIs), and e-money institutions (EMIs), PSD3 and the PSR will require material operational, legal, and compliance changes, particularly in fraud liability, API performance, and licensing structures.
Payment services in the EU have been regulated since 2018 by PSD2 (Directive (EU) 2015/2366). The primary objectives of PSD2 were to:
However, experience and the European Commission review of PSD2 revealed several structural issues within the existing regime:
These shortcomings prompted the European Commission to propose a new framework.
Dual legislative structure: The package of regulation proposed by the European Commission in June 2023 introduces a dual legislative structure.
PSD3 (a directive requiring national transposition) will govern authorisations, prudential supervision, and licensing. It will incorporate the requirement for EMIs to seek reauthorisation as a PI under PSD3.
The PSR (a regulation with direct effect at the Member State level) will govern conduct of business rules, including SCA, transparency, open banking standards, and fraud liability.
This dual structure permits national regulators to have a certain level of control over determining which firms are permitted to operate in the jurisdiction while ensuring greater legal certainty and consistency of services across the EU.
Enhanced fraud prevention and liability: Payment services providers will be required to check, for each credit payment not already covered under instant payments regulation, that the payee name matches the unique identifier/IBAN and provide early warnings where there are discrepancies in this information.
Where APP fraud occurs, the payment will be treated as an unauthorised transfer and payment services providers will be required to fully reimburse the payer.
Payment services providers (PSPs) will be required to implement risk- and behaviour-based transaction monitoring systems. In conjunction with principles of the General Data Protection Act, and in an effort to improve fraud detection across the market, PSPs will also be able to exchange specified information as part of a structured, fraud information-sharing arrangement.
Strengthened open banking framework: PSD3 and the PSR introduce more prescriptive requirements for API performance and uptime.
National regulators will be expected to act “without delay” against interfaces which don’t meet expected standards of functionality, don’t meet response timelines for incident reports, and/or overly rely on fallback interfaces where dedicated interfaces fail.
Expanded regulatory perimeter: Technical service providers (TSPs) providing SCA to PSPs must be subject to detailed written agreements as part of increased scrutiny of outsourcing arrangements.
PSD3 tightens outsourcing requirements by requiring firms to ensure that outsourcing does not impair operational resilience, mandating clear allocation of responsibilities, audit and access rights, and contingency planning, including exit strategies.
Increased harmonisation: Core conduct rules will now move to the PSR and will not be open to inconsistent interpretation and implementation across Member States.
An example of this will be the application of the Limited Network Exemption. Where application of this exemption was previously open to interpretation under PSD2, allowing some Member States to take a more restrictive approach, the PSR will now specify the conditions for the exemption to apply and will be directly effective.
Governance and risk management: The draft PSD3 requires payment institutions to have robust governance arrangements, including information and communication technology (ICT) risk management; internal control mechanisms; systems ensuring continuity of payments services; and incident management capabilities.
These requirements build on PSD2 but are more explicit and aligned with concepts in the Digital Operational Resilience Act (DORA) (e.g., risk frameworks, incident handling).
PSPs should use the time between now and the coming into force of PSD3 and the PSR to think through the changes needed for their businesses to be compliant. For EMIs, this exercise could be significant, given the requirement for new authorisation as a PI.
We outline below some practical steps that all PSPs should follow to ensure readiness and compliance with the new payments regime.
Practical Action Points for Firms
Conduct a PSD3/PSR Gap Analysis | Map current compliance frameworks against PSR conduct rules and PSD3 licensing requirements
Review Fraud and Liability Frameworks | Implement or enhance IBAN/name verification tools and transaction monitoring systems
Review Fraud and Liability Frameworks | Reassess customer reimbursement policies
Assess Open Banking Infrastructure | Evaluate API performance, resilience, and compliance with anticipated standards
Prepare for Licensing Changes | EMIs: Plan for re-authorisation under PSD3; PIs: Review governance, capital, and safeguarding arrangements
Update Contracts and Outsourcing Arrangements | Revisit agreements with technical service providers and SCA vendors and address liability allocation and regulatory compliance
Engage with Regulators Early | Open dialogue with national regulators on transition timelines and authorisation expectations
Align with Parallel Regulatory Regimes | Coordinate PSD3/PSR readiness with: DORA (operational resilience), MiCA (crypto assets), the GDPR, and other EU data access initiatives
While PSD3 and the PSR will reshape the EU payment services framework, the UK is pursuing its own payments reform agenda, which will most likely lead to increasing divergence.
PSD3 and the PSR represent a fundamental redesign of EU payments regulation, with a clear emphasis on harmonisation, consumer protection, and operational resilience.
Although implementation is expected by late 2027, the scale of change—particularly in fraud liability, licensing, and open banking—means firms should begin preparations now.
At the same time, UK divergence will require firms to adopt jurisdiction-specific compliance strategies, increasing complexity for cross-border operations.