PSD3 and PSR: New payment regulation for payment service providers and banks

The European Commission has initiated a comprehensive revision of the regulatory framework for European payment transactions with the drafts of the Third Payment Services Directive (Payment Services Directive 3 – PSD3) and the new Payment Services Regulation (PSR).

For credit institutions, e-money institutions and payment service providers (PSPs), this means that they should review their compliance structures, contractual regulations and IT architecture at an early stage and adapt them where necessary.

This is because the changes will bring stricter rules. The licensing and supervisory requirements will be consolidated, e-money institutions will be integrated into the framework as a category of payment institutions, and governance and outsourcing will be subject to a clearly stricter regime.

PSD3 and PSR are intended to harmonize regulation

By transferring central behavior-related regulations to the PSR, the legislator is pursuing the goal of reducing national implementation leeway and thus regulatory fragmentation. This increases legal and planning certainty, but also leads to more uniform and stricter enforcement of the regulations with less room for national interpretation.

More security and fraud prevention

The new features place even greater emphasis on security and fraud prevention. Strong Customer Authentication (SCA), improved transaction monitoring and the (re)introduction of IBAN name matching are intended to reduce risks and increase trust in digital payments. The tightening of liability and reimbursement in cases of fraud is also operationally challenging: Similar to the UK and Singapore, PSPs will have to reimburse losses in certain constellations of fraud at the expense of bank customers. At the same time, it will become easier – and in some cases mandatory – to exchange fraud data. There will be narrowly defined possibilities for recourse against telecommunications companies whose infrastructure has been used by fraudsters.

The regulatory framework for open banking is also being further developed. Dedicated, secure interfaces and clear rules on interface governance are intended to increase availability and quality; customers are to be given more transparency and control over data access, for example via authorization dashboards.

Strengthening consumer protection and transparency

The information obligations towards customers will be specified, in particular with regard to currency conversion fees and the blocking of funds. As a result, many institutions will have to revise the content and editing of their general terms and conditions, customer information and product-related documents.

Those affected should use the time

Following the political agreement reached by the Parliament and Council on November 27, 2025, we expect the PSD3/PSR package to be formally adopted and published in the first half of 2026. The PSR is expected to enter into force 20 days after publication and will generally apply directly in all member states 18 months later. The PSD3 must be transposed into national law by the member states within 18 months of its entry into force; only then will the respective national transposition provisions apply. A transitional/grandfathering phase is planned for institutions that are already authorized: Existing ZAG/PSD2 authorizations continue to apply, but affected institutions must adapt their governance, organization and processes to the new requirements within the transition periods and submit supplementary documents or a (re-)authorization/adaptation application to the supervisory authority.

How companies should prepare for PSD3 and the PSR

Credit institutions, payment institutions, e-money institutions and AIS/PIS providers should (have) an integrated legal and operational gap analysis carried out at an early stage so that the requirements of PSD3/PSR are translated into processes, controls, IT and contracts in a verifiable manner.

The most efficient approach is one in which legal departments and second-line managers work closely together and translate the regulatory interpretation directly into an actionable operating model – especially for GRC, third-party/outsourcing governance, contracting, SCA/fraud controls and API/interface governance.