The European Commission's proposals for a revised payments regulatory framework — comprising the Third Payment Services Directive (PSD3) and an accompanying Payment Services Regulation (PSR) — represent the most significant overhaul of EU payments law since PSD2 came into force in 2018. For payment firms operating across the EU, or serving EU customers from outside the bloc, these changes will require material operational and compliance adjustments over the next two to three years.
The PSD3/PSR Architecture
The most structurally significant change in the reform package is the splitting of the current PSD2 framework into two instruments: a directive and a directly applicable regulation. PSD3 will, like its predecessors, require member state implementation via national law. The PSR, however, will apply directly in all EU member states without national transposition — a deliberate move by the Commission to address the fragmentation that resulted from inconsistent implementation of PSD2 across member states. Issues such as varying SCA exemption thresholds, inconsistent API standards for open banking, and divergent national approaches to liability allocation have created compliance complexity for cross-border payment providers. The PSR is intended to resolve this by establishing a single, uniform set of rules.
Key Changes from PSD2
Open Banking: From Tolerated to Structured
PSD2 created the legal right for third-party providers (TPPs) to access payment account data and initiate payments, but the practical implementation has been widely criticised as inadequate. Banks frequently created friction for TPPs through API performance issues, inconsistent authentication flows, and obstacles to obtaining access. The regulatory response under the PSR is significantly more prescriptive.
Under the new framework, account-servicing payment service providers (ASPSPs — primarily banks) will be required to provide TPPs with dedicated interfaces that meet defined performance standards. Fallback interfaces will no longer be available as a safety net where dedicated interfaces exist, removing a loophole that some banks used to maintain substandard APIs. The PSR also strengthens TPP access rights and provides clearer remedies where ASPSPs obstruct access.
A new "financial data access" framework, separate from payment account access, will extend open data principles to a broader range of financial products over time — potentially including mortgages, investments, and insurance. This is a material expansion of the open finance concept beyond payments.
Fraud Liability: Shifting Responsibility
One of the most commercially significant changes in the PSR concerns liability for authorised push payment (APP) fraud — where victims are tricked into authorising payments to fraudsters. Under PSD2, once a customer has "authorised" a payment, the payment service provider generally bears no liability for losses, even where the authorisation was obtained through deception. This has been widely criticised as disproportionately burdening fraud victims.
The PSR introduces a mandatory requirement for payment service providers to apply verification of payee (VoP) checks — confirming that the name and account details of the intended recipient match — before processing credit transfers. Where a PSP fails to apply VoP and the customer suffers loss, liability shifts to the PSP. This mirrors the UK's Confirmation of Payee framework and the Contingent Reimbursement Model, and effectively mandates that EU PSPs implement equivalent controls. PSPs that have not yet implemented VoP capabilities will need to do so as a priority.
Strong Customer Authentication Evolution
SCA requirements are retained under the PSR but refined. The Commission has sought to address the persistent tension between security and user experience that has dogged SCA implementation since 2019. Key changes include clearer rules on SCA exemptions for low-risk transactions, strengthened requirements for SCA where fraud risk indicators are present, and provisions for payment service providers to use passive authentication methods (device binding, behavioural biometrics) without requiring active user interaction where these meet the security threshold.
The PSR also addresses the SCA challenges specific to open banking payment initiation — an area where inconsistent application of SCA requirements across member states has created friction for TPPs and their customers.
Consumer Protection Enhancements
The PSR strengthens transparency requirements for payment services, including mandatory disclosure of estimated currency conversion costs, enhanced receipt requirements for payment transactions, and clearer information about dispute resolution processes. For FX-active payment firms, the currency conversion disclosure rules are particularly relevant — the requirement to disclose the reference exchange rate and all charges applicable to a conversion, in a clear and comparable format, will require operational changes to customer-facing interfaces.
UK Divergence Post-Brexit
The UK is not implementing PSD3/PSR and is instead developing its own post-Brexit payment services framework. HM Treasury's consultation on the Payments Regulation and Supervision Bill sets out a UK approach that retains the core concepts of PSD2 but with material differences in areas including open banking, liability allocation, and SCA. UK firms serving EU customers directly will need to comply with the PSR as well as UK rules, creating a dual compliance burden that did not exist under the original PSD2 regime.
UK open banking is currently governed by a combination of the FCA's Payment Services Regulations 2017 (implementing PSD2) and the CMA's Open Banking Implementation Entity (OBIE) framework. The government has announced plans to transition open banking governance to a new entity — the Future Entity — and to extend open finance principles beyond payment accounts, broadly paralleling the EU direction. However, UK and EU standards will diverge in technical detail, creating interoperability challenges for cross-border open banking services.
Implementation Timeline
PSD3 and the PSR were proposed by the Commission in June 2023. After extended trilogue negotiations between the Parliament, Council, and Commission, final texts are expected by mid-2026. PSD3 will then require member state implementation within 18 months of entry into force, meaning national law changes across the EU are likely by late 2027 or early 2028. The PSR, being directly applicable, will take effect from the same date without further member state action.
Payment firms should begin gap analysis against the final texts once published — particularly around VoP implementation, SCA framework changes, and open banking interface standards — given the lead time required for technical and compliance changes of this magnitude.