PSD3/PSR Political Agreement Reached - Fraud Liability Shifts to PSPs and Platforms

The European Parliament and Council reached a provisional political agreement on PSD3 (Directive) and PSR (Regulation) on November 27, 2025, after trilogue negotiations - the most significant overhaul of EU payment regulation since PSD2 in 2015.

Key Provisions

PSPs become liable for fraud losses if they fail to implement prevention mechanisms. Mandatory payee name/IBAN matching (Verification of Payee) is codified into primary legislation. Banks must provide full refunds for impersonation fraud if the customer reports to police and notifies the PSP. Online platforms become liable in certain fraud scenarios to reimburse banks. Cash access rules are improved, allowing withdrawals in shops without purchases.

Implementation Timeline

The PSR (Regulation) will apply directly across the EU once formally adopted - expected late Q1/early Q2 2026 entry into force, with provisions applying approximately 21 months after. PSD3 (Directive) requires 18-month national transposition by member states.

What This Means

The fraud liability shift is transformative. PSPs and platforms that cannot demonstrate adequate fraud prevention will bear financial losses - changing the cost calculus for investment in transaction monitoring, strong customer authentication, and Verification of Payee systems. For payment professionals, compliance planning should begin now given the 21-month implementation window.

Sources: European Parliament, Council