The European Parliament and Council reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR) on 27 November 2025. Publication in the EU Official Journal is expected by summer 2026, which starts an 18-month transposition clock for PSD3 and a direct-application clock for the PSR. The first hard compliance deadline sits around early 2028, closer than most payment institutions have accounted for in their planning cycles.

The Structural Split

PSD2 was a single directive covering both licensing and conduct. PSD3 and the PSR split these domains deliberately. PSD3 is a directive: it governs authorisation, supervision, and passporting of payment institutions and e-money institutions, and must be transposed into national law by each member state within 18 months of publication. The PSR is a regulation: it covers the substantive conduct rules on SCA, open banking, fraud liability, and consumer protection, and applies directly and uniformly across all 27 member states without national transposition. This eliminates the interpretive divergence that made PSD2 compliance a genuinely different exercise in Ireland versus Germany versus the Netherlands.

Material Changes from PSD2

Strong Customer Authentication

PSR formally expands the definition of "inherence", the biometric factor, to include behavioural and environmental characteristics: typing cadence, device handling patterns, geolocation context, and spending behaviour. A fingerprint combined with a behavioural pattern now constitutes valid two-factor authentication. PSPs can use up to two inherence factors together, but cannot double up on possession or knowledge factors.
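The combination rule described above can be checked mechanically against authentication events. The following is an added example, not part of the original article and not regulatory text; it encodes the rule only as this page states it, and the `Factor` type, method labels and sample events are constructed for illustration.

```python
from dataclasses import dataclass

# The three SCA factor categories.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

@dataclass(frozen=True)
class Factor:
    category: str  # one of the three categories above
    method: str    # hypothetical label, e.g. "fingerprint", "typing_cadence"

def evaluate_sca(factors):
    """Return (ok, reason) for the factors presented in one authentication."""
    for f in factors:
        if f.category not in (KNOWLEDGE, POSSESSION, INHERENCE):
            return False, f"unknown category: {f.category}"
    # The same method presented twice adds no assurance, so de-duplicate.
    distinct = set(factors)
    if len(distinct) < 2:
        return False, "fewer than two distinct factors"
    categories = {f.category for f in distinct}
    if len(categories) >= 2:
        return True, "factors from different categories"
    # Single category: per the page, only inherence may be doubled.
    if categories == {INHERENCE}:
        return True, "two distinct inherence factors"
    return False, f"cannot double up on {categories.pop()}"

# Constructed sample events (not real data).
SAMPLE_EVENTS = {
    "fingerprint+typing": [Factor(INHERENCE, "fingerprint"),
                           Factor(INHERENCE, "typing_cadence")],
    "pin+password": [Factor(KNOWLEDGE, "pin"), Factor(KNOWLEDGE, "password")],
    "otp_app+sim": [Factor(POSSESSION, "otp_app"), Factor(POSSESSION, "sim")],
    "fingerprint_twice": [Factor(INHERENCE, "fingerprint"),
                          Factor(INHERENCE, "fingerprint")],
    "pin+device": [Factor(KNOWLEDGE, "pin"), Factor(POSSESSION, "bound_device")],
}

def audit(events):
    """Map each event name to whether its factor set passes the rule."""
    return {name: evaluate_sca(factors)[0] for name, factors in events.items()}

if __name__ == "__main__":
    for name, factors in SAMPLE_EVENTS.items():
        print(name, evaluate_sca(factors))
```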

When PSPs delegate SCA to third parties (wallets, gateways, authentication vendors), the PSR classifies this as formal outsourcing, triggering EBA outsourcing guidelines and DORA requirements, including detailed written agreements, SLAs, exit plans, and unrestricted audit rights.

Confirmation of Payee: EU-Wide Mandate

IBAN-name matching (Confirmation of Payee) becomes mandatory across the EU for all credit transfers, instant and standard, in any currency. The EU Instant Payments Regulation already mandated this for euro-denominated instant credit transfers. PSR extends it universally. Every PSP processing credit transfers must implement verification infrastructure. The UK and Netherlands have already deployed national CoP schemes; PSR standardises this across all member states.

APP Fraud Liability

PSR introduces EU-level liability rules for authorised push payment (APP) fraud: cases where the customer was properly authenticated but manipulated into authorising a fraudulent payment. PSPs share liability in defined circumstances, including spoofing scenarios where a fraudster impersonates the PSP. The UK addressed this through its Payment Systems Regulator's APP Fraud Reimbursement rules; PSD3 brings equivalent consumer protection to the EU market.

Open Banking API Standards

Banks must provide dedicated interfaces with performance parity to their own customer-facing interfaces; the fallback screen-scraping mechanism from PSD2 is removed. Banks must publish quarterly reports on API availability, uptime, and performance metrics. Consumers must be offered dashboards to monitor and revoke third-party access in real time. Anti-obstruction provisions are strengthened: banks are explicitly prohibited from adding friction (mandatory redirect flows, excessive re-authentication) to third-party access.

EMI Merger and Re-Authorisation

PSD3 merges the Electronic Money Directive into the payment services framework. EMIs become a sub-category of payment institutions rather than a separate regulatory species. Existing EMIs must re-apply for authorisation within 24 months of PSD3 entering into force, extendable to 30 months at member state discretion. Re-applications require updated governance documentation, DORA-compliant ICT frameworks, revised safeguarding policies, and updated capital requirements. New applicants will need only one licence rather than choosing between PI and EMI status.

What to Do Now

  • Map your current PSD2 posture against PSD3/PSR requirements. The material gaps are SCA delegation (now formal outsourcing), CoP infrastructure, and APP fraud liability frameworks.
  • If you hold an EMI licence, plan your re-authorisation. The 24-month window from publication starts in summer 2026, meaning applications need to be underway by mid-2027 at the latest.
  • Audit your exemption usage. The commercial agent exemption and limited network exemption are narrowed under PSD3. If your current model relies on either, legal review is required now.
  • Assess your DORA readiness in parallel. DORA applies to EU-regulated payment institutions from January 2025. PSD3's outsourcing classification of SCA delegation makes DORA compliance directly relevant to authentication infrastructure.

2026 is the planning year. 2027 is the implementation year. Early 2028 is when regulators start checking. The firms that treat this as a 2027 problem will find they have 2028 deadlines and 2026 lead times.

The PSR's Open Banking API Upgrade in Detail

Beyond the headline Confirmation of Payee mandate, the PSR introduces a set of technical performance standards that will materially change how banks design and resource their open banking infrastructure. Dedicated interfaces must now demonstrate response times at least as fast as the bank's own consumer-facing app under equivalent load conditions. "Equivalent load" is defined by reference to measured traffic patterns rather than theoretical capacity, meaning banks that have provisioned their APIs on the assumption of light usage will need to re-architect.

The anti-obstruction provisions are strengthened significantly compared to PSD2. Under PSD2, the EBA's anti-obstruction guidelines prohibited specific behaviours: unnecessary redirects, excessive friction in the consent flow, differential treatment of third-party payment initiations. The PSR elevates these prohibitions to regulation-level obligations and adds a new category of prohibited behaviour — "passive obstruction", which captures infrastructure choices that produce friction through design rather than through explicit policy. A bank that responds to open banking API calls in 4 seconds while its own app responds in 400 milliseconds is exhibiting passive obstruction even if no policy decision was taken to disadvantage third parties.
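A bank can watch for the passive-obstruction pattern described above by comparing both channels inside the same measured traffic window. The following monitoring check is an added example, not part of the original article; the p95 metric, the minimum sample count, the channel names and the latency samples are assumptions constructed for illustration, since the page does not state how parity is measured.

```python
from collections import defaultdict

def p95(values):
    """Nearest-rank 95th percentile (integer arithmetic, no float rounding)."""
    ordered = sorted(values)
    rank = -(-95 * len(ordered) // 100)  # ceil(0.95 * n)
    return ordered[rank - 1]

def parity_report(samples, min_samples=20):
    """samples: iterable of (window, channel, latency_ms), where channel is
    'tpp_api' (dedicated interface) or 'own_app' (the bank's own channel).
    Both channels are compared within the same traffic window, so they are
    measured under the same observed load. Returns
    {window: (api_p95, app_p95, ratio)} for windows where the dedicated
    interface is slower than the bank's own channel."""
    buckets = defaultdict(lambda: defaultdict(list))
    for window, channel, ms in samples:
        buckets[window][channel].append(ms)
    findings = {}
    for window, chans in sorted(buckets.items()):
        api, app = chans.get("tpp_api", []), chans.get("own_app", [])
        # Too few samples on either side gives an unstable percentile; skip.
        if len(api) < min_samples or len(app) < min_samples:
            continue
        api_p95, app_p95 = p95(api), p95(app)
        if api_p95 > app_p95:
            findings[window] = (api_p95, app_p95, round(api_p95 / app_p95, 1))
    return findings

def constructed_samples():
    """Constructed latencies in milliseconds, not measurements."""
    rows = []
    for i in range(40):
        # 09:00 window: the two channels perform comparably.
        rows.append(("09:00", "own_app", 380 + i))
        rows.append(("09:00", "tpp_api", 370 + i))
        # 12:00 peak: the dedicated interface degrades, the own app does not.
        rows.append(("12:00", "own_app", 390 + i))
        rows.append(("12:00", "tpp_api", 3600 + 10 * i))
    # 03:00 window: too few samples to judge either way.
    rows += [("03:00", "tpp_api", 5000), ("03:00", "own_app", 300)]
    return rows

if __name__ == "__main__":
    for window, result in parity_report(constructed_samples()).items():
        print(window, result)
```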

For payment institutions that have built A2A payment products on PSD2 open banking access, the upgraded standards mean their connectivity assumptions will be more reliable — but also that their own performance obligations to end users will need to be reassessed in the context of faster, more consistent upstream data access.

Passporting and Authorisation Under PSD3

The passporting framework under PSD3 is formally preserved: a payment institution authorised in one member state may provide payment services across the EU through notification to the home state competent authority. The substantive change is in the minimum capital requirements and the conditions under which passporting rights can be suspended or revoked.

PSD3 increases the minimum initial capital requirement for payment institutions, and introduces a new requirement for dynamic own funds that scales with payment volume. The precise thresholds are set in PSD3 directly, meaning they do not depend on national implementing measures and are uniform across member states from the date of application. Firms that were authorised under PSD2 with capital positions calibrated to PSD2 requirements need to assess whether their current capital structure remains compliant when PSD3 applies.

The most consequential passporting change concerns outsourcing. Under PSD3, where a payment institution outsources material functions — including customer due diligence, fraud monitoring, or settlement reconciliation — to a service provider located in a third country, the home state competent authority must assess whether effective supervision of the outsourced function is possible. This is not a prohibition on third-country outsourcing, but it creates an assessment obligation and a potential ground for supervisory intervention that did not exist with the same clarity under PSD2. Firms operating from EU hubs with operational functions in non-EU jurisdictions need to document their outsourcing chains against this standard now, not after the PSR applies.

Fee Transparency and the Value Date Rules

The PSR restates and extends the value date and fund availability rules from PSD2. For euro-denominated credit transfers within the SEPA zone, the PSR requires that the payee's account is credited with value the same business day as the transfer is received. For non-euro transfers, the maximum execution time is extended to one additional business day. These are not new rules conceptually, but the PSR's direct application means that national implementing measures that previously gave member states discretion over value dating for domestic transfers are superseded.

The fee transparency rules require clear disclosure of all charges, including currency conversion charges, before a payment is executed. The PSR introduces a standardised cost comparison tool requirement: PSPs must direct consumers who request currency conversion to a comparison source approved by the European Banking Authority. This directly affects foreign exchange and currency conversion services embedded in payment apps and travel-oriented card products. Pricing models that rely on non-transparent margin embedded in exchange rates will need to be redesigned or clearly disclosed at the point of transaction initiation.