The European Commission proposed the Payment Services Directive 3 and the Payment Services Regulation in June 2023 to address shortcomings identified in PSD2, which had been in effect since 2018. On 27 November 2025, the European Parliament and Council reached provisional political agreement. The texts are currently in legal-linguistic review across 24 official EU languages, with formal adoption and Official Journal publication expected around mid-2026.
The regulatory framework splits into two instruments with different legal mechanics. PSD3 is a directive that member states must transpose into national law within 18 months. It covers licensing, supervision, and authorization of payment institutions. It also merges the Electronic Money Directive (EMD2) into the payments framework, making e-money institutions a sub-category of payment institutions rather than a separate regime. The PSR is a regulation that applies directly across all EU member states without national transposition, eliminating the implementation variations that weakened PSD2's effectiveness.
The PSR introduces three significant changes to fraud prevention. First, payment service providers on both the sending and receiving side become liable if they fail to implement adequate fraud prevention mechanisms. A sending PSP that does not block a suspicious transaction is directly liable for the customer's loss. Second, verification of payee becomes mandatory for all credit transfers, not just SEPA instant payments. If a payee's name and IBAN do not match, the PSP must refuse the payment and notify the payer. This obligation applies 24 months after entry into force to allow system changes. Third, PSPs gain the ability to share fraud-related information between themselves through dedicated arrangements, subject to data protection safeguards.
Open banking receives a substantial overhaul. PSD2's framework for account information and payment initiation services encountered practical obstacles, with many banks providing unreliable interfaces and limiting data access. The PSR establishes clearer technical standards for dedicated interfaces, requires consistent performance, and expands the range of data that account-servicing PSPs must make available. Non-bank payment service providers gain the right to access all EU payment systems — a provision that directly impacts operators of systems like STEP2, RT1, and national ACH networks. Settlement finality protections are extended to cover these new participants.
The framework addresses several operational realities. Currency conversion transparency increases, with clear disclosure requirements at ATMs and before payment initiation. Temporary holds on customer funds receive time limits and disclosure obligations. Account statement information must include the IBAN of the counterparty for all transactions. Cash access provisions allow consumers to withdraw money at retailers without making a purchase, extending access in areas where ATM networks have thinned.
For payment infrastructure operators, the timeline creates distinct preparation phases. The PSR's core provisions apply 18 months after Official Journal publication, likely putting the compliance deadline in late 2027 or early 2028. The payee verification requirement has a 24-month timeline, extending to mid-2028. PSD3's directive requirements follow the same 18-month transposition period for most provisions, but the Settlement Finality Directive amendments enabling non-bank access to payment systems have a shorter six-month implementation period to accelerate competitive neutrality.
The practical impact varies by institution type. Banks must upgrade their fraud monitoring to meet the new liability standards, implement name-checking for all credit transfers (not just instant payments), and prepare for non-bank participants entering payment systems they currently dominate. Payment institutions face updated capital requirements adjusted for inflation, new safeguarding diversification rules requiring multiple methods for protecting customer funds, and the option to hold safeguarding accounts directly at central banks. E-money institutions transition to the payment institution framework, requiring re-authorization under the merged regime.
Two areas remain unresolved. The Financial Data Access Regulation (FiDA), originally proposed alongside PSD3, is still in trilogue negotiations and is not part of the November agreement. FiDA would extend open banking principles to insurance, investment, and pension data. Additionally, several provisions require the European Banking Authority to develop regulatory technical standards, a process that typically adds 12-18 months to the practical implementation timeline.