Building on its predecessor, PSD2, the Third Payments Services Directive, or PSD3, is a proposed EU directive intended to modernise and reinforce payment services laws. It seeks to increase competition and innovation in the European payments system, strengthen security through more robust authentication and transaction monitoring, and improve consumer protection. Two significant advances are allowing non-bank payment companies to use central bank clearing systems and clarifying fraud prevention regulations.
Although PSD2 brought important ideas like open banking and Strong Customer Authentication (“SCA”), PSD3 fixes PSD2’s flaws, including variations in member state implementation.
PSD2 provided the building blocks for:
- Open banking: In order to facilitate services like account aggregation and third-party payment initiation, banks are required to share account data with licensed third-party providers (TPPs) with the approval of customers.
- Strong Customer Authentication (“SCA”): This feature greatly enhances security for remote electronic transactions by requiring multi-factor authentication for online payments.
Its execution, though, was disjointed. Being a directive, PSD2 may be interpreted and applied differently by EU member states, resulting in disparate regulations and consumer experiences within the EU.
Key changes in PSD3
The first significant change brought about by PSD3 is the creation of a new Regulation, the Payment Services Regulation (“PSR”), that will directly affect all EU Member States, as well as an amended Directive that must be incorporated into national laws. As a result, enforcement will be uniform throughout the EU bloc.
Payment Service Providers (“PSPs”) must use such in their daily operations from the standpoint of transaction monitoring, while also integrating behavioural and environmental data to evaluate risk. From the standpoint of SCA, new regulations will necessitate strategies that increase accessibility. A fraud prevention framework that mandates quicker client reimbursements in the event that suspicious or fraudulent behaviour is discovered will be implemented.
Along with enabling non-bank PSPs to link directly to central banks and clearing infrastructures without depending on commercial banks, PSD3/PSR is also intended to promote the adoption of open banking.
In order to enhance security and user safety, PSD3 will include Buy Now, Pay Later (“BNPL”) services inside its regulatory purview. This implies that BNPL providers will have to abide by new regulations for enhanced fraud prevention measures and strong customer authentication (SCA), much like other payment systems. Additionally, PSD3 would regulate cryptocurrencies by subjecting them to the same security and consumer protection requirements as conventional payments, which will include licensing, capital adequacy guidelines, and improved fraud prevention measures for providers of crypto-asset services.
A more visual comparison of the differences between PSD2 and the future PSD3 / PSR may be found in the following table.

| Feature | PSD2 | PSD3 & PSR |
| --- | --- | --- |
| Regulation Type | Directive, leading to varied implementation by country. | PSD3 (Directive) for licensing and supervision; PSR (Regulation) for security and operational rules, ensuring direct, uniform application. |
| Fraud Prevention | Introduced SCA but was not fully equipped to handle new types of fraud. | Stricter measures, including mandatory IBAN/name verification for payee confirmation and liability shifts for spoofing scams. |
| SCA | Mandated multi-factor authentication but suffered from inconsistencies that caused checkout friction. | Harmonised and modernised rules, expanding authentication methods to be more inclusive and consistent for all users. |
| Open Banking | Initiated open banking but with varying API standards and reliability among banks. | Enhanced APIs, mandating standardised, high-performance interfaces to improve reliability and facilitate better data sharing. |
| Scope | Primarily covered banks and traditional payment providers. | Expanded to include new players, such as non-bank payment service providers (PSPs) offering instant payments, BNPL and cryptocurrencies. |
| Account Access | Enabled TPPs to access payment account information with user consent. | Refined rules to give consumers more transparent control over their data, including user-friendly permission dashboards. |

PSD3/PSR still need to obtain approval and are therefore not yet in force. Implementation is expected to be between the end of 2025 and early 2026. It is anticipated that many of the new rules may come into effect in 2026.

Nicholas Warren
Head of Risk & Regulatory Compliance (Advisory)
Nicholas began his career at the Malta Financial Services Authority and has over 20 years’ experience in financial services and regulatory affairs. He leads the financial services arm at ARQ Group, supporting clients with the licensing of entities and ongoing regulatory and operational compliance.
His focus areas include investment services, funds, banking and EMIs. Over his career, he has built strong expertise in strategic management and operations. Nicholas is qualified in Banking & Finance, holds the ACCA qualification, and a master’s degree in Business Administration specialising in strategic planning. He also holds certificates in Islamic Finance.




