PSD3 Explained: Key Changes to EU Payments and Open Banking

EU electronic payments move around €240 trillion in value every year. The rules governing all of it are being rewritten.

PSD3, the Third Payment Services Directive, replaces PSD2 entirely. It doesn't just update the old rules — it pairs the directive with a directly applicable Payment Services Regulation (PSR) that eliminates the national variation that made PSD2 inconsistent across EU markets. Stronger fraud protections, standardized open banking APIs, and explicit regulation of e-money tokens and crypto payment services are the headline changes.

A provisional political agreement was reached in November 2025. EU Official Journal publication is expected in Q2 2026. Full enforcement lands around 2028. The gap between those dates matters: the PSR applies 20 days after publication, well before member states finish transposing the directive into national law.

What Is PSD3?

The EU has run its payments market on directives since 2007. PSD1 established the basic framework. PSD2 followed in 2015, adding strong customer authentication and third-party access through open banking. PSD3 is the third generation — and it's a bigger structural change than either of those.

Unlike its predecessors, PSD3 doesn't stand alone. It comes with a Payment Services Regulation (PSR) that applies directly across every EU member state, no national transposition required. Under PSD2, Germany and France implemented the same directive differently. A fintech had to understand each market separately. Under the PSR, those differences collapse — the conduct rules are identical everywhere.

Two other changes matter structurally:

  • The Electronic Money Directive (EMD2), which separately governed e-money institutions, merges into PSD3. EMIs become a sub-category of payment institutions under one framework.
  • E-money tokens, meaning the crypto stablecoins used for payment purposes, come into EU payment services regulation for the first time.

PSD3 vs PSD2: What Changed

Six areas saw material updates between PSD2 and PSD3:

| Area | PSD2 | PSD3 |
|---|---|---|
| Legal instrument | Directive (national transposition) | Directive + PSR (uniform EU regulation) |
| EMI framework | Separate EMD2 directive | Merged into payment institution framework |
| SCA requirements | Strict factor categories | Independence principle; more flexibility |
| Open banking APIs | Voluntary formats, inconsistent | Standardized specs, mandatory reporting |
| APP fraud liability | Customer bears most risk | PSP liable unless gross negligence proven |
| Crypto / e-money tokens | Not covered | Explicitly in scope under PSR |

The move from directive-only to directive-plus-regulation matters more than it sounds. A fintech operating across Germany, France, and the Netherlands previously dealt with three differently transposed versions of the same law. Under PSD3/PSR, the conduct rules are identical in every member state.

IBAN Verification and APP Fraud Liability

Two of PSD3's most commercially significant provisions target fraud, specifically Authorized Push Payment (APP) fraud, where customers are manipulated into voluntarily sending funds to a criminal account.

IBAN name-matching is the first mechanism. Payment service providers must verify that the payee's name matches their IBAN before a credit transfer executes. The check must complete within a few seconds and is provided free to consumers. This mirrors the UK's Confirmation of Payee (CoP) system, which materially reduced APP fraud after its 2020 rollout. The requirement takes effect 24 months after PSD3 enters into force, estimated around 2028.
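
A sketch of the payee check described above, added here as an illustration and not taken from PSD3, the PSR, or any scheme rulebook. The IBAN checksum is the standard ISO 13616 mod-97 test; the account directory, the name normalization, the edit-distance threshold, and the result labels are all assumptions, and the two IBANs are widely published sample values.

```python
import unicodedata

def iban_is_valid(iban: str) -> bool:
    """ISO 13616: move the first 4 chars to the end, map A-Z to 10-35, mod 97 must be 1."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def normalize(name: str) -> str:
    """Strip accents, case, and punctuation so 'Müller & Söhne' equals 'muller sohne'."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(cleaned.split())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed directory standing in for the payee PSP's account records.
ACCOUNTS = {
    "DE89370400440532013000": "Müller & Söhne GmbH",
    "GB82WEST12345698765432": "Anna Schmidt",
}

def verify_payee(iban: str, entered_name: str, accounts=ACCOUNTS, close_threshold: int = 2) -> str:
    """Return the result the payer should see before the transfer executes."""
    key = iban.replace(" ", "").upper()
    if not iban_is_valid(key):
        return "INVALID_IBAN"
    registered = accounts.get(key)
    if registered is None:
        return "ACCOUNT_NOT_FOUND"
    dist = edit_distance(normalize(entered_name), normalize(registered))
    if dist == 0:
        return "MATCH"
    # Hypothetical policy: small typos are flagged as close, everything else as a mismatch.
    return "CLOSE_MATCH" if dist <= close_threshold else "NO_MATCH"
```

A fixed edit-distance threshold is too permissive for very short names; a production matcher would scale it with name length and log every non-match shown to the payer, since that notification is what the liability rules turn on.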

Liability shift is the second mechanism. Under PSD2, the burden of proof in APP fraud cases typically fell on victims to demonstrate they hadn't consented. PSD3 reverses this:

  1. Customer reports an unauthorized or fraudulently induced transaction
  2. PSP has 14 business days to process the refund claim
  3. PSP must refund in full unless it can prove the customer acted fraudulently or with gross negligence
  4. PSPs that fail to implement adequate fraud controls, including IBAN verification, assume default liability for losses
  5. Payer manipulation cases: if the PSP failed to notify a name/IBAN mismatch, it bears the loss regardless of other factors

Institutions that ignored PSD2's open intent on fraud liability now face mandatory financial exposure. This isn't just a compliance checkbox — it's a direct incentive to invest in fraud infrastructure.

Open Banking and API Standards

PSD2's open banking ambitions hit a practical wall: banks implemented APIs however they wanted. Third-party providers (TPPs), the fintechs building on top of bank data, faced dozens of incompatible implementations across EU markets. A French fintech accessing German bank data worked through a completely different interface than the one it used in Spain.

PSD3 fixes this with mandatory standardization:

  • Account Servicing Payment Service Providers (ASPSPs) must offer dedicated interfaces meeting standardized EU specifications
  • Banks must publish quarterly performance reports on API uptime, latency, and error rates
  • If the primary API goes down, TPPs get fallback access to the bank's standard customer interface
  • Customer consent dashboards become mandatory — users can see which third parties have access to their accounts and revoke permission in real time
  • Dedicated interfaces must be reliable enough to eliminate "screen scraping" as a fallback method

For banks, this means real accountability for API quality that was previously voluntary and largely ignored. For fintechs, it means consistent, auditable access across EU markets.

Strong Customer Authentication Under PSD3

PSD2's strong customer authentication (SCA) rules required two authentication factors drawn from at least two separate categories: something you know (PIN, password), something you have (device, card), or something you are (biometric). PSD3 keeps the two-factor requirement but drops the category rule.

The new standard is "independence," not category separation. Two factors are compliant as long as compromising one doesn't automatically compromise the other. That's a real design win for payment providers who've been forced into awkward UX to satisfy a category rule that didn't add much actual security.

Merchant-initiated transactions change the most practically. Under PSD2, recurring charges after the initial SCA setup lived in a grey zone — the rules weren't designed for subscription billing. PSD3 closes it: SCA at mandate creation covers the ongoing relationship. Subsequent automatic charges don't need re-authentication.

Tokenization also gets clarified. SCA now triggers only when the cardholder actively participates in setting up a token. Once the token exists, transactions against it don't require fresh authentication for each charge.

Dynamic linking carries over from PSD2 — the authentication code still ties to the specific transaction amount and payee. And the PSR provides clearer guidance on SCA exemptions, which should reduce the market-by-market variation in how exemptions were applied under the directive alone.
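
What "ties to the specific transaction amount and payee" means in practice, as an added example that is not part of the original article or of any PSD3/PSR text. The HMAC-SHA256 construction, the field encoding, the 16-byte nonce, and the truncated code length are assumptions chosen for illustration; the key, nonce, and IBANs are constructed sample values.

```python
import hashlib
import hmac
from decimal import Decimal

def canonical(amount: str, currency: str, payee_iban: str) -> bytes:
    """Encode the fields the code is bound to, unambiguously."""
    amt = str(Decimal(amount).quantize(Decimal("0.01")))   # "250" -> "250.00"
    iban = payee_iban.replace(" ", "").upper()
    fields = [amt, currency.upper(), iban]
    # Length-prefix each field so adjacent values cannot be re-split.
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)

def issue_code(key: bytes, nonce: bytes, amount: str, currency: str, payee_iban: str) -> str:
    """Authentication code over a per-transaction nonce plus amount and payee."""
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    mac = hmac.new(key, nonce + canonical(amount, currency, payee_iban), hashlib.sha256)
    return mac.hexdigest()[:16]   # truncated to 64 bits (assumption)

def verify_code(key: bytes, nonce: bytes, code: str, amount: str, currency: str, payee_iban: str) -> bool:
    """Recompute over the transaction actually being executed; compare in constant time."""
    expected = issue_code(key, nonce, amount, currency, payee_iban)
    return hmac.compare_digest(expected, code)

def demo() -> dict:
    key = bytes(range(32))   # constructed demo key, not a real secret
    nonce = bytes(16)        # constructed; use a fresh random nonce per transaction
    approved = ("250.00", "EUR", "DE89 3704 0044 0532 0130 00")   # sample values
    code = issue_code(key, nonce, *approved)
    return {
        # Same transaction, different formatting: still verifies.
        "same_transaction": verify_code(key, nonce, code, "250", "eur", "DE89370400440532013000"),
        # Payee or amount altered after the customer approved: code no longer verifies.
        "payee_swapped": verify_code(key, nonce, code, "250.00", "EUR", "GB82WEST12345698765432"),
        "amount_changed": verify_code(key, nonce, code, "2500.00", "EUR", approved[2]),
        # Code replayed under another transaction's nonce: rejected.
        "replayed": verify_code(key, bytes([1]) * 16, code, *approved),
    }

if __name__ == "__main__":
    print(demo())
```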

PSD3, Crypto Payments, and E-Money Tokens

Most PSD3 guides skip this section entirely, or cover it in a single sentence. The connection between PSD3 and cryptocurrency is structural, not peripheral — it affects any business processing crypto payments in the EU.

The entry point is e-money tokens. Under MiCA, the EU's crypto-asset regulation that took effect in 2024, stablecoins pegged to a single fiat currency are classified as e-money tokens when used for payment purposes. USDC used to settle a EUR-denominated invoice, for example. PSD3 brings these tokens directly into the payment services framework.

The regulatory picture for a crypto payment service provider in the EU:

| Entity type | Regulation applies |
|---|---|
| Traditional payment institution | PSD3 + PSR |
| E-money institution | PSD3 (merged EMD2 framework) |
| Crypto PSP using e-money tokens | MiCA + PSD3/PSR (streamlined application) |
| BNPL provider | PSD3 + capital adequacy rules |
| Crypto wallet provider | PSD3 digital wallet framework |

The dual-regulation issue is where most compliance teams underestimate the complexity. A MiCA-authorized crypto-asset service provider (CASP) issuing e-money tokens doesn't automatically need a separate PSD3 authorization. But if it also provides payment services — sending, receiving, processing — a streamlined PSD3 application applies. The two regimes don't cover each other by default.

BNPL is another newly captured category. Providers that operated in a regulatory grey zone across EU markets now face formal payment institution authorization requirements and capital adequacy rules. The cost of compliance for the sector increases materially.

For businesses building crypto payment infrastructure, Plisio is an example of a crypto payment gateway navigating this regulatory environment — enabling merchants to accept cryptocurrency as the EU payment compliance framework evolves under PSD3 and MiCA.

Who Does PSD3 Apply To?

PSD3 and PSR apply to any entity providing payment services within the EU, regardless of where it is incorporated. The scope:

  • Credit institutions (banks) providing payment services
  • Payment institutions — non-bank PSPs including fintechs, neobanks, money transfer operators
  • Electronic money institutions — now merged into the payment institution framework
  • BNPL providers — newly in scope, subject to authorization and capital requirements
  • Crypto-asset service providers offering payment services — dual-regulated under MiCA + PSD3
  • Third-party providers (TPPs) — account information service providers (AISPs) and payment initiation service providers (PISPs)

Platforms and marketplaces face the most disruptive change. Under PSD2, many avoided payment service authorization through the "commercial agent exemption," claiming they acted as agents for both buyer and seller rather than as payment processors. PSD3 tightens that exemption sharply. Most platforms relying on it will need formal PSP authorization, capital requirements, and ongoing regulatory supervision — a significant operational shift for marketplace businesses that built their stack around that exemption.

UK-based entities: PSD3 is EU law only. Post-Brexit, the UK runs its own FCA framework. The UK's BNPL regulation (FCA effective July 2026) and Confirmation of Payee system track a similar direction, but businesses operating across both jurisdictions face entirely separate compliance tracks.

PSD3 Timeline: When Does It Take Effect?

PSD3 rolls out in phases, not as a single switch:

  1. June 28, 2023 — European Commission published PSD3 and PSR proposals
  2. November 27, 2025 — Provisional political agreement reached between EU Parliament and Council
  3. Q2 2026 (estimated) — Publication in the Official Journal of the EU; PSR enters into force 20 days later
  4. 18 months after entry into force — Deadline for member states to transpose PSD3 directive into national law
  5. 24 months after entry into force — IBAN/payee name verification requirement becomes mandatory (~2028)
  6. 24–30 months after entry — Existing PSD2 authorizations grandfathered; extension to 30 months possible
  7. Q2–Q3 2028 (estimated) — Full PSD3/PSR enforcement; PSD2 and EMD2 fully replaced

The 18-month transposition window is not a waiting period. The PSR's conduct rules apply EU-wide from day 20 of publication. Gap analysis against the PSR — covering SCA implementation, fraud controls, API infrastructure, and crypto licensing under MiCA coordination rules — should be running now.

Any questions?

PSD3 (Payment Services Directive 3) is the EU’s updated framework for payment services, replacing PSD2. Accompanied by the directly applicable Payment Services Regulation (PSR), it standardizes fraud liability, open banking APIs, and consumer protection across all EU member states — and brings e-money tokens and crypto payment services into the regulatory perimeter for the first time.

PSD3 replaces PSD2 with stronger APP fraud liability rules (PSPs bear the burden, not customers), mandatory IBAN/payee name verification, standardized open banking APIs with performance reporting, and coverage of e-money tokens. PSD3 is also paired with the PSR — a directly applicable regulation that reduces the national variation that made PSD2 implementation uneven across EU member states.

PSD3 is expected to be published in the EU Official Journal in Q2 2026. The PSR takes effect 20 days after publication. Under the payment services directive transposition schedule, member states have 18 months to implement national law. The IBAN verification requirement and full transposition are expected around 2028. Existing PSD2 authorizations are grandfathered for 24–30 months.

PSD3 requires payment service providers to verify that a payee’s name matches their IBAN before a credit transfer executes. The check must happen within seconds and is free to consumers. It applies 24 months after PSD3 enters into force. The requirement mirrors the UK’s Confirmation of Payee system and is designed to prevent authorized push payment (APP) fraud.

Yes. PSD3 explicitly brings e-money tokens — stablecoins used for payment, such as MiCA-regulated instruments — into the EU payment services framework. Crypto-asset service providers offering payment services face dual regulation: MiCA for the crypto-asset side and PSD3/PSR for the payment service side. Digital wallets and blockchain-based payment services also fall within PSD3’s scope.

Under PSD2, many platforms avoided payment licensing by claiming they acted as commercial agents for both buyers and sellers. PSD3 significantly tightens this exemption — it now applies only in very limited circumstances. Most platforms and marketplaces previously relying on it will need formal payment service provider authorization, bringing them under capital requirements and supervisory oversight.
