
PSD3 and PSR: what changes for fintechs
Political agreement was reached in November 2025. Publication in the Official Journal is expected in summer 2026. Here is what the PSD3 and PSR package actually changes, and why the 21-month transition period is shorter than it looks.
Why PSD2 was not enough
PSD2 created the legal foundation for open banking in the EU. It required banks to provide account access to authorised third parties, introduced strong customer authentication, and established a harmonised licensing framework for payment institutions. By most measures it was consequential legislation. By the European Commission’s own review, it was also incomplete.
The Commission’s impact assessment found that consumers continued to face significant fraud risk and lacked confidence in digital payments. Open banking, despite its legal mandate, remained operationally difficult: bank APIs were inconsistent, fintechs faced unjustified access barriers, and the transposition flexibility that PSD2 allowed member states had produced a fragmented enforcement landscape. Firms could, and did, structure their licensing in jurisdictions with lighter-touch supervision and passport services from there.
PSD3 and its companion instrument, the Payment Services Regulation, are the legislative response to those findings. Political agreement was reached on 27 November 2025. Publication in the Official Journal of the European Union is expected in summer 2026. After publication, the PSR enters into application 18 months later, placing the main compliance obligations in early-to-mid 2028. That timeline is less generous than it sounds.
The structural change: directive plus regulation
The most important architectural change in the new framework is one that does not appear in any press release headline: the shift from a single directive to a directive-plus-regulation structure.
PSD2 was a directive. Every member state transposed it into national law, and every member state made choices during that transposition. The result was a patchwork: the same underlying rules applied differently across jurisdictions, enforcement priorities diverged, and firms with cross-border operations had to navigate multiple national interpretations of nominally harmonised requirements.
The PSR is a regulation. It is directly applicable across all EU member states without any national transposition step. The conduct-of-business rules that previously lived inside PSD2, and were therefore subject to national discretion, now move into the PSR. This closes off the regulatory arbitrage that PSD2 inadvertently permitted.
PSD3 remains a directive, but its scope is narrower: it covers licensing, authorisation, and prudential supervision of payment institutions and electronic money institutions. It also repeals the Electronic Money Directive and absorbs e-money institutions as a sub-category of payment institutions under a single regulatory framework. For firms currently licensed as EMIs, that reclassification has practical licensing consequences.
Fraud liability shifts materially
The most operationally significant change for fintechs is where fraud liability now lands.
Under PSD2, liability for unauthorised payments was relatively clear: if a transaction was not authorised by the customer, the PSP reimbursed. What PSD2 did not adequately address was authorised push payment fraud, where the customer authorises the payment but has been deceived into doing so. The customer sends money to a fraudster believing they are paying a legitimate counterparty. Under PSD2, the PSP faced no automatic reimbursement obligation in this scenario.
The PSR changes this in three specific ways.
First, name-to-IBAN verification. PSPs must verify that a payee’s name matches the account identifier before processing a credit transfer. Where this check was previously limited to instant payments under the Instant Payments Regulation, the PSR extends it to credit transfers generally. If a PSP fails to implement the verification mechanism and a customer suffers fraud as a result, the PSP is liable. The specific obligation for payee-name verification applies 24 months after entry into force, giving additional runway for system changes, but firms without a pathway to implementation are already behind.
Second, spoofing reimbursement. Where a fraudster impersonates a payment service provider or trusted authority and a consumer authorises a payment as a result, the PSP must reimburse within 15 business days unless it can demonstrate the customer acted with gross negligence or was complicit in the fraud. This is a meaningful reversal of the burden: the PSP now has to disprove negligence rather than the customer having to prove it.
Third, fraud data sharing. PSPs must share fraud-related intelligence with each other via a dedicated platform, with data retention capped at five years per incident. The rationale is straightforward: fraud networks operate across institutions, and siloed detection cannot match them. The operational implication is that firms need to build or integrate into data-sharing infrastructure, which is not a trivial exercise.
Platform liability is a new addition that did not appear in earlier proposals. Very large online platforms and search engines that display advertising for payment service providers must now ensure those PSPs are licensed in the jurisdictions where they operate. If a platform is notified of fraudulent content and fails to remove it, it becomes liable to PSPs that have reimbursed defrauded customers. For fintechs that depend on digital advertising channels, this changes the due diligence obligations of the platforms they advertise through, which in practice may affect how advertising is structured and verified.
Open banking: what actually changes
PSD2’s open banking provisions produced a legal right without a working market. Third-party providers had the right to access account data, but exercised it through APIs that were inconsistently implemented, frequently degraded relative to the bank’s own interfaces, and subject to friction that had no regulatory consequence.
The PSR addresses this directly. Banks must provide a dedicated interface for open banking data exchange as the sole access point, and that interface must perform on par with their own customer-facing interfaces. This performance parity requirement is enforceable: national regulators can penalise banks for API failures. Banks must also give clear documented reasons when they refuse access to a payment service provider, closing off the practice of unexplained denial that was common under PSD2.
The PSR introduces a consent dashboard requirement. Account-holding PSPs must provide customers with an online dashboard showing who has access to their payment data, what permissions are granted, and the ability to revoke access at any time. For fintechs building account information or payment initiation services, this changes the user experience that their banking partners must provide, and potentially affects how consent flows are designed on the fintech side.
One provision specifically relevant to fintechs building on mobile infrastructure: device manufacturers and electronic service providers must allow payment apps to store and transfer payment data on fair, reasonable, and non-discriminatory terms. This is a targeted response to the access barriers that some payment service providers faced on mobile platforms, and it has been strengthened during the trilogue negotiations.
SCA: what the political agreement did and did not settle
Strong customer authentication requirements are modified in two notable ways.
The definition of SCA is broadened. Under PSD2, authentication had to combine elements from different categories: something the user knows, something the user has, something the user is. The PSR allows two elements from the same category to satisfy SCA requirements, giving PSPs more flexibility in how they design authentication flows.
Account information service providers are now permitted to perform SCA in an open banking context, which was not clearly permissible under PSD2. This opens up a class of authentication product that was legally ambiguous before.
PSPs must support multiple authentication mechanisms and cannot rely on a single channel, such as a smartphone-based authenticator. They must ensure that authentication is accessible to users with disabilities, older users, and those without access to digital channels. Firms that have built authentication entirely around mobile devices will need to extend their support.
Beyond these points, the political agreement was notably quiet on SCA. The detailed requirements will be set out in EBA regulatory technical standards that follow publication of the final texts. Firms should expect the EBA’s post-publication work programme to be substantial: the EBA has 18 mandates under the PSD3 and 22 under the PSR to deliver.
Licensing: EMIs and the MiCA overlap
For electronic money institutions, the PSD3 reclassification into a sub-category of payment institutions has practical licensing consequences. Existing EMI licences are grandfathered for a defined period, but firms will need to re-authorise under PSD3 within that window. The timeline for re-authorisation will depend on national competent authority processing capacity, which varies considerably across member states.
The MiCA overlap is a live issue for crypto firms with payment service activity. The EBA issued a no-action letter in 2025 and a subsequent Opinion on 12 February 2026 that reduced the scope of activities requiring dual authorisation under both MiCA and PSD2, but two-licence outcomes remain necessary for certain business models. PSD3 introduces a simplified authorisation pathway for firms already licensed under MiCA, though the precise scope of that simplification is in the final texts rather than the political agreement summary. Firms operating at the intersection of crypto-asset services and payment services should not assume the MiCA licence is sufficient: the question is which specific activities require what authorisation.
The timeline and why 2026 is the preparation year
The expected sequence is as follows. Publication in the Official Journal is anticipated in summer 2026, though this has not been formally confirmed at time of writing. The PSR enters into force 20 days after publication. It then applies 18 months after entry into force, placing the main compliance deadline in early-to-mid 2028. The payee-name verification obligation has an additional six months, applying 24 months after entry into force.
PSD3, as a directive, requires member states to transpose within 18 months of entry into force. National transposition will again introduce variation, but the scope of that variation is significantly narrower than under PSD2 because the conduct rules have moved into the directly applicable PSR.
The 21-month transition period is a working planning assumption, not a confirmed figure. The Council proposed extending the implementation period to 24 months during negotiations; the final figure depends on the published text.
Why 2026 is the preparation year despite obligations not applying until 2028: the compliance programme for PSD3 and PSR is not a documentation exercise. Verification of Payee infrastructure requires system changes that take time to procure and build. Fraud data sharing requires integration into a platform that does not yet exist in its final form. Fraud liability exposure begins on the application date regardless of how long implementation takes internally. Firms that begin gap analysis in 2027 will be building under deadline pressure into a year that is already dense with other regulatory deliverables.
The prudent approach is to treat 2026 as the period for understanding requirements and sizing the compliance programme, with implementation work beginning by early 2027.
What to watch
The EBA’s post-publication work programme is the critical dependency. Forty regulatory technical standards and guidelines need to be delivered before firms can finalise implementation in key areas, including SCA and fraud detection. The quality and speed of EBA delivery will determine whether the 18-month transition period is actually usable.
The Financial Data Access Regulation is still in trilogue as of April 2026. FiDA extends data sharing obligations beyond payment accounts to the broader financial sector. It was proposed alongside PSD3 and PSR but has not reached political agreement. When it does, it will extend open finance obligations for the same firms now preparing for PSR compliance. It is worth tracking in parallel.
The EU/UK divergence is real and growing. The UK’s own payments regulatory reform is proceeding on a separate track under the supervision of the FCA and the UK Payment Systems Regulator (a different PSR from the EU regulation). For firms operating in both markets, the compliance programmes are distinct. Regulatory arbitrage that was once possible by licensing in a lighter-touch EU member state is no longer available under the PSR, but the EU and UK regimes are now substantively different, and that difference requires active management.
For compliance professionals and fintech founders tracking the PSD3 and PSR legislative process as the final texts move toward Official Journal publication, Forseti, Citium’s EU regulatory intelligence platform, is in development and will monitor EU financial regulation continuously. If you want to be kept informed ahead of launch, get in touch.
For the broader landscape of EU financial regulation and how the payment services reform fits within it, the EU financial regulation overview sets the context. For key deadlines across all major instruments, the EU financial regulation calendar covers the full timeline.