What is PSD2 — and What's Changing with PSD3?
The Payment Services Directive 2 (PSD2), which came into force in January 2018, fundamentally transformed European payment services by introducing open banking, Strong Customer Authentication (SCA), and a licensing framework for third-party providers. It created two entirely new categories of regulated entities — Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) — that forced traditional banks to share customer data through secure APIs.
In June 2023, the European Commission proposed PSD3, a comprehensive overhaul designed to address the shortcomings exposed during six years of PSD2 implementation. PSD3 will merge aspects of PSD2 with the Electronic Money Directive (EMD2) into a single regulatory framework, creating a unified licensing regime for payment institutions and electronic money institutions. The proposal also introduces a new Payment Services Regulation (PSR) that will be directly applicable across all EU member states without national transposition.
The shift from PSD2 to PSD3 reflects hard lessons learned: API standards varied wildly between banks, SCA implementation created friction that hurt conversion rates, and the open banking ecosystem failed to deliver on its full promise due to inconsistent data quality and access. PSD3 aims to fix these problems while expanding the scope to cover new payment methods and business models that didn't exist when PSD2 was drafted.
Key Requirements & Changes
Strong Customer Authentication (SCA) Reform
PSD3 refines SCA requirements to reduce friction while maintaining security. New exemptions for trusted beneficiaries and low-value transactions, plus clearer delegation rules for merchants.
Open Banking API Standardization
Mandatory adoption of standardized APIs with defined performance metrics. Banks must provide "dedicated interfaces" meeting minimum availability, latency, and data quality standards or face penalties.
Unified Licensing Framework
Merger of payment institution and e-money institution licenses into a single authorization framework, reducing regulatory complexity for multi-service providers.
Enhanced Fraud Prevention
New obligations for payment service providers to implement transaction monitoring, IBAN/name verification for credit transfers, and liability frameworks for authorized push payment fraud.
Access to Payment Systems
Non-bank payment institutions gain improved access to payment systems and bank accounts, addressing the "de-risking" problem where banks closed accounts of licensed fintechs.
Data Sharing & Privacy Balance
New "permission dashboards" where consumers can view and manage all third-party access to their payment accounts, aligning open banking with GDPR consent principles.
Who Must Comply?
Compliance Challenges
Managing the PSD2 to PSD3 Transition
Firms must maintain full PSD2 compliance while simultaneously preparing for PSD3. The transition period creates uncertainty around which requirements apply, especially for entities holding both payment institution and e-money institution licenses that will be merged under the new framework. Strategic planning is essential to avoid double investment in compliance infrastructure.
API Performance & Data Quality Standards
PSD3's stricter API performance requirements mean banks must invest significantly in their dedicated interfaces. Uptime requirements, response time SLAs, and data completeness standards will require infrastructure upgrades. Fintechs relying on screen scraping as a fallback will lose that option entirely under PSD3.
Fraud Liability Shifts
The new authorized push payment (APP) fraud liability framework fundamentally changes who bears the cost when consumers are tricked into sending money to fraudsters. Payment service providers on both the sending and receiving end may share liability, requiring new fraud detection systems and inter-PSP communication protocols.
Cross-Border Complexity
While PSD3 aims for harmonization, the co-existence of a directly applicable Regulation (PSR) and a Directive (PSD3) requiring national transposition means implementation will still vary. Firms operating across multiple EU member states must track how each country transposes the Directive's provisions into local law.
Key Timeline
The PSD2-to-PSD3 transition spans several years:
- January 2018: PSD2 entered into force across the EU.
- September 2019: SCA requirements became applicable (with extended migration periods).
- June 2023: European Commission published PSD3 proposal alongside the Payment Services Regulation (PSR).
- 2024–2025: Legislative negotiations (trilogue) between European Parliament, Council, and Commission.
- Expected 2026: Final adoption of PSD3/PSR text.
- Expected 2027–2028: Implementation deadline for member states and transition period for regulated entities.
How RegPulse Monitors PSD2/PSD3
RegPulse provides comprehensive payment services regulatory monitoring to keep your team ahead of every development in the PSD2-to-PSD3 transition.
European Commission Updates
Tracking legislative proposals, impact assessments, and regulatory roadmaps from the Commission's DG FISMA division.
EBA Technical Standards
Monitoring European Banking Authority RTS and ITS on SCA, API standards, passporting, and incident reporting requirements.
National Transposition Tracking
Tracking how each EU member state transposes PSD3 requirements, identifying divergences that affect cross-border operations.
Open Banking Standards
Monitoring Berlin Group, STET, Open Banking UK, and other API standardization bodies for technical requirement changes.
Enforcement & Supervisory Actions
Tracking national regulator enforcement actions and supervisory guidance on PSD2 compliance across the EU.
Industry Consultation Responses
Monitoring industry body responses and lobbying positions that signal likely amendments to the final PSD3 text.