PSD3 Impact Analysis: What Payment Firms Need to Know

17 March 2026

The European Commission's proposal for a revised Payment Services Directive — PSD3, formally published as a draft Directive in June 2023 alongside a proposed Payment Services Regulation (PSR) — represents the most significant structural reform of EU payment services law since PSD2. While the legislative process means that transposition into member state law is unlikely before 2026–2027, the direction of travel is clear enough that payment institutions and EMIs with EU operations, EU clients, or plans to passport services across the EEA should be reviewing their compliance programmes and business models now. For UK firms, PSD3 is also relevant as a calibration point for potential UK Payment Services regulatory reform under the FCA's ongoing PSR review.

PSD3: Structure and Legislative Timeline

PSD3 proposes a two-instrument structure: a Directive (PSD3) setting out the licensing, access, and conduct requirements, and a directly applicable Regulation (PSR) containing the detailed operational and technical requirements that previously required member state transposition. The PSR model means these requirements will apply uniformly across all member states without transposition discretion — reducing the implementation divergence that created compliance complexity under PSD2.

As of early 2026, PSD3/PSR is in the ordinary legislative procedure in the EU Parliament and Council. Significant amendments have been proposed at committee level. The expected timeline for final text is 2026, with an 18-month transposition period, meaning PSD3 could be in force in member states from late 2027. Firms with EU operations should treat 2026 as the year for gap analysis and 2027 as the compliance implementation deadline.

Key Changes from PSD2: What Matters for Payment Firms

Open banking access rights strengthened: PSD2 created open banking in theory but failed to deliver it in practice due to inadequate API implementation requirements by account-servicing payment service providers (ASPSPs). PSD3/PSR proposes a dedicated Open Finance Committee under EBA, binding technical standards for API performance (latency, uptime requirements), and an ASPSP permission dashboard obligation. For payment institutions using open banking for account information (AISP) or payment initiation (PISP), this means better, more reliable API access — but also compliance obligations to manage consumer consent and data more rigorously.

Non-bank PSP access to payment systems and central bank accounts: PSD3 proposes that payment institutions and EMIs should have a right to access EU payment systems (including Target2/T2S and equivalent national systems) directly, removing the current dependence on bank sponsors. This is potentially transformative for non-bank PSPs: current sponsorship arrangements mean PSPs depend on a bank intermediary for access to central bank settlement, creating operational dependency, cost, and a potential leverage point for de-risking. Direct access — if implemented — would significantly strengthen the PSP sector's independence from banks.

Fraud liability framework: PSD3 proposes a modified fraud liability allocation for authorised push payment (APP) fraud — transactions where the customer is deceived into authorising a payment to a fraudster. Under PSD2, the liability framework for authorised transactions (where the customer has consented) placed the loss with the customer. PSD3 proposes a more nuanced framework that allocates liability to the PSP where the PSP failed to apply adequate fraud detection or where verification mismatches were ignored. The UK's Mandatory Reimbursement framework under the Payment Systems Regulator (PSR), which came into force October 2023, is a more advanced version of this approach that serves as a reference point for what EU implementation might look like.

Licensing regime changes: PSD3 proposes merging the EMI and PI (Payment Institution) licensing regimes into a single framework, eliminating the distinction between electronic money issuance and payment services provision that has created complexity since PSD2. Under the merged regime, all licensed entities would be "Payment Service Providers" (PSPs) with permission sets covering the specific payment service categories they are authorised to offer. This simplifies the regulatory map but requires firms currently holding separate EMI and PI licences (or operating under one when they arguably need both) to review their permissions.

Safeguarding Reform

PSD3 proposes significant reform of the client fund safeguarding regime for PIs and EMIs. The current PSD2 approach to safeguarding (closely mirroring the UK EMR 2011 approach) leaves significant discretion to member states, resulting in implementation divergence. PSD3/PSR proposes a directly applicable safeguarding framework covering: the permitted methods (segregated accounts at credit institutions or central banks; insurance/guarantees), the ring-fencing obligations, and — crucially — new requirements around safeguarding account access and reporting to reduce the practical risk of insolvency loss demonstrated by several payment institution failures across EU member states in 2023–2024.

For UK EMIs, PSD3's safeguarding proposals are directly relevant because the FCA has signalled its own review of EMI/PI safeguarding requirements. The FCA's policy statement CP23/28 (October 2023) on payment services safeguarding proposed enhanced safeguarding requirements including daily reconciliation obligations, wind-down planning requirements, and more prescriptive safeguarding account documentation. These UK changes — partially aligned with PSD3 direction — are in late implementation as of early 2026.

UK Divergence: The PSR Review

The UK's post-Brexit path diverges from EU PSD3 in important respects. The UK is conducting its own Payment Services review through the Financial Services and Markets Act 2023 powers and the FCA/PSR's joint review programme. Key UK-specific developments include: the PSR's APP fraud reimbursement mandate (already in force), the FCA's Consumer Duty (FCA PS22/9, in force July 2023) applying to payment firms with retail customers, and the HM Treasury/FCA consultation on the future payments regulation framework.

For UK-regulated EMIs with EU clients or EU entity ambitions, the PSD3/UK divergence creates a dual compliance track: UK requirements under the current PSR 2017 (as amended) and FCA rules on one side, and EU PSD3/PSR requirements applying to EU-established or EU-passporting entities on the other. The practical implication is that firms operating on both sides of the Channel need regulatory infrastructure in both jurisdictions — UK FCA authorisation cannot substitute for EU authorisation under PSD3, and vice versa.

CCYFX monitors PSD3 developments closely through our compliance team led by GP. For clients with EU payment service ambitions or questions about how PSD3 will affect their existing arrangements, contact our compliance team to discuss the implications for your specific business model.

CCYFX's compliance team monitors EU and UK payment services regulatory developments and can provide guidance on PSD3 implications for clients. FCA-authorised EMI (FRN 987654).