The European Parliament and Council reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR) on 27 November 2025. Publication in the EU Official Journal is expected by summer 2026, which starts an 18-month transposition clock for PSD3 and a direct-application clock for the PSR. The first hard compliance deadline sits around early 2028 — closer than most payment institutions have accounted for in their planning cycles.

The Structural Split

PSD2 was a single directive covering both licensing and conduct. PSD3 and the PSR split these domains deliberately. PSD3 is a directive — it governs authorisation, supervision, and passporting of payment institutions and e-money institutions, and must be transposed into national law by each member state within 18 months of publication. PSR is a regulation — it covers the substantive conduct rules on SCA, open banking, fraud liability, and consumer protection, and applies directly and uniformly across all 27 member states without national transposition. This eliminates the interpretive divergence that made PSD2 compliance a genuinely different exercise in Ireland versus Germany versus the Netherlands.

Material Changes from PSD2

Strong Customer Authentication

PSR formally expands the definition of "inherence" — the biometric factor — to include behavioural and environmental characteristics: typing cadence, device handling patterns, geolocation context, and spending behaviour. A fingerprint combined with a behavioural pattern now constitutes valid two-factor authentication. PSPs can use up to two inherence factors together, but cannot double up on possession or knowledge factors.

When PSPs delegate SCA to third parties — wallets, gateways, authentication vendors — PSR classifies this as formal outsourcing, triggering EBA outsourcing guidelines and DORA requirements, including detailed written agreements, SLAs, exit plans, and unrestricted audit rights.

Confirmation of Payee — EU-Wide Mandate

IBAN-name matching (Confirmation of Payee) becomes mandatory across the EU for all credit transfers — instant and standard, in any currency. The EU Instant Payments Regulation already mandated this for euro-denominated instant credit transfers. PSR extends it universally. Every PSP processing credit transfers must implement verification infrastructure. The UK and Netherlands have already deployed national CoP schemes; PSR standardises this across all member states.

APP Fraud Liability

PSR introduces EU-level liability rules for authorised push payment fraud — cases where the customer was properly authenticated but manipulated into authorising a fraudulent payment. PSPs share liability in defined circumstances, including spoofing scenarios where a fraudster impersonates the PSP. The UK addressed this through the APP fraud reimbursement rules of its Payment Systems Regulator (also abbreviated PSR); PSD3 brings equivalent consumer protection to the EU market.

Open Banking API Standards

Banks must provide dedicated interfaces with performance parity to their own customer-facing interfaces — the fallback screen-scraping mechanism from PSD2 is removed. Banks must publish quarterly reports on API availability, uptime, and performance metrics. Consumers must be offered dashboards to monitor and revoke third-party access in real time. Anti-obstruction provisions are strengthened: banks are explicitly prohibited from adding friction — mandatory redirect flows, excessive re-authentication — to third-party access.

EMI Merger and Re-Authorisation

PSD3 merges the Electronic Money Directive into the payment services framework. EMIs become a sub-category of payment institutions rather than a separate regulatory species. Existing EMIs must re-apply for authorisation within 24 months of PSD3 entering into force — extendable to 30 months at member state discretion. Re-applications require updated governance documentation, DORA-compliant ICT frameworks, revised safeguarding policies, and updated capital requirements. New applicants will need only one licence rather than choosing between PI and EMI status.

What to Do Now

  • Map your current PSD2 posture against PSD3/PSR requirements. The material gaps are SCA delegation (now formal outsourcing), CoP infrastructure, and APP fraud liability frameworks.
  • If you hold an EMI licence, plan your re-authorisation. The 24-month window from publication starts in summer 2026, meaning applications need to be underway by mid-2027 at the latest.
  • Audit your exemption usage. The commercial agent exemption and limited network exemption are narrowed under PSD3. If your current model relies on either, legal review is required now.
  • Assess your DORA readiness in parallel. DORA applies to EU-regulated payment institutions from January 2025. PSD3's outsourcing classification of SCA delegation makes DORA compliance directly relevant to authentication infrastructure.

2026 is the planning year. 2027 is the implementation year. Early 2028 is when regulators start checking. The firms that treat this as a 2027 problem will find they have 2028 deadlines and 2026 lead times.