PSD3 & PSR: What Every Board and Senior Manager Needs to Know
- Elena Niki Karletidi
- Mar 8

1. The Big Picture: Why This Matters to You
The European Union's payments landscape is undergoing its most significant transformation in over a decade. The Third Payment Services Directive (PSD3) and the new Payment Services Regulation (PSR) together replace the existing PSD2 framework, and the implications reach every institution that touches payments in the EU, from banks and FinTechs to insurance groups and investment firms.
On 27 November 2025, the European Parliament and the Council of the EU reached a provisional political agreement on both texts. Formal adoption and publication in the Official Journal are expected in mid-2026, followed by an 18-to-21-month transition period. That puts the compliance deadline squarely in late 2027, but for organisations with complex operating models, that window will pass quickly.
This is not a regulation to approach reactively. The institutions that start now will be better positioned, better protected, and better able to capture the competitive opportunities the new framework creates.
2. PSD3 vs PSR: Understanding the Two Forces
One of the most important structural changes in this reform is the deliberate split between a Directive and a Regulation:
PSD3: The Directive
PSD3 primarily governs authorisation and supervision of payment service providers. As a directive, it must be transposed into national law by each EU Member State. It will address licensing frameworks, governance requirements, capital thresholds, and the regulatory relationship between payment institutions and national competent authorities.
Critically, existing authorisations granted under PSD2 will remain valid for 24 months from PSD3's entry into force, but institutions will need to submit a new application demonstrating compliance with updated requirements. Plan for this re-authorisation process early.
PSR: The Regulation
The Payment Services Regulation is directly applicable across all EU Member States without national transposition. It covers the rules governing how payment services are delivered: security, strong customer authentication (SCA), open banking obligations, fraud prevention, and consumer rights.
PSR obligations may become binding before PSD3 is transposed in certain jurisdictions. Compliance timelines for the two instruments may differ, and firms must plan accordingly.
3. Five Key Changes Boards Must Understand
1. Fraud Liability Has Shifted — Significantly
Under the new framework, if a Payment Service Provider fails to implement appropriate fraud prevention mechanisms, it will be held liable for covering customer losses. PSPs are now required to verify that a payee's name and unique identifier match before processing a credit transfer. Where discrepancies exist, the payment must be refused and the payer informed.
For impersonation fraud, where a criminal poses as a PSP employee to manipulate a customer into approving a transaction, PSPs must refund the full amount, provided the customer reports the fraud to the police. This is a substantial extension of liability and requires robust fraud detection infrastructure.
Action Point: Review your fraud prevention architecture, SCA implementation, and customer refund policies against the new liability standard now; do not wait for final texts.
2. Open Banking Gets a Meaningful Upgrade
PSD2 introduced open banking, but its implementation was inconsistent across the EU. PSD3 and PSR aim to resolve this by standardising API access requirements, setting clear reliability and availability expectations, and introducing consent dashboards that give consumers visibility and control over who accesses their financial data.
Firms that invest in high-quality, standards-compliant APIs will be better positioned in the competitive landscape for financial data services, especially as the proposed Financial Data Access (FIDA) framework develops in parallel.
3. A Level Playing Field Between Banks and Non-Banks
PSD3 and PSR provide clearer and more consistent conditions for non-bank payment service providers to access payment systems and hold accounts at credit institutions. Banks face greater competitive pressure from fintechs and payment institutions. Non-bank PSPs face higher compliance obligations as their regulatory footing becomes equivalent.
4. Stronger Consumer Rights and Transparency
The new framework significantly strengthens consumer-facing obligations: unexpected account blocks, unclear fee structures, and insufficient transparency on ATM charges and cross-border payment costs are all addressed. PSPs must offer customers clear spending limits and account-blocking tools, and consumers will have enhanced dispute resolution rights.
5. Crypto and MiCA Alignment
PSD3 introduces a simplified authorisation pathway for providers already licensed under the EU Markets in Crypto-Assets Regulation (MiCA). For firms operating at the intersection of traditional payments and digital assets, this alignment reduces regulatory duplication, but requires careful analysis of which activities fall under which regime.
4. The Compliance Timeline: What to Do and When
Now - Mid 2026: Monitor and Diagnose
– Conduct a preliminary gap analysis against the agreed political text; sufficient detail is available now to begin.
– Identify which parts of your business are in scope for PSR (directly applicable) versus PSD3 (transposition dependent).
– Map your fraud prevention and SCA architecture against the new liability standard.
– Engage with your national competent authority on the re-authorisation process timeline.
Mid 2026 - End 2026: Detailed Impact Assessment
– Obtain and review the final published texts once available in the Official Journal.
– Commission a full regulatory impact assessment covering systems, processes, governance, and contracts.
– Begin API remediation projects if open banking access is material to your business.
– Update compliance monitoring programmes and internal audit plans to reflect new requirements.
2027: Implementation and Readiness
– Complete re-authorisation submissions ahead of national deadlines.
– Staff training and awareness programmes; regulators will expect documented evidence.
– Final testing of fraud detection, SCA, and customer-facing transparency tools.
– Pre-deadline internal audit to verify compliance readiness.
5. How ENAH Services Ltd Can Help
ENAH Services Ltd has deep expertise in EU financial services regulation, internal audit, and compliance across payments, banking, and investment services. Our team has supported clients through PSD2 implementation and is already advising on PSD3 and PSR readiness.
We offer a structured PSD3/PSR readiness programme tailored to your institution's size, business model, and regulatory footprint, including:
– Regulatory gap analysis and impact assessment
– Compliance programme design and policy drafting
– Internal audit readiness and independent review
– Tailored training for boards, senior management, and compliance teams
– Ongoing regulatory monitoring and horizon scanning

Get in touch with ENAH Services Ltd to discuss your PSD3/PSR readiness.
