Navigating the shift from PSD2 to PSR and PSD3
This article is part of our series tracking the developments of the EUʼs new payments framework and what it means for the financial industry. The shift from PSD2 to PSR and PSD3 marks a structural change in Europeʼs payments landscape, bringing new opportunities but also stricter technical and compliance obligations for banks.
A new regulatory architecture
At the heart of this reform lies a structural shift: dividing rules between a directly applicable Regulation and a Directive requiring national transposition.
- Payment Services Regulation (PSR): A directly applicable EU Regulation, setting out conduct-of-business rules such as consumer rights, transparency obligations, fraud prevention and Open Banking mandates.
- Payment Services Directive 3 (PSD3): A Directive focusing on licensing, authorisation, and prudential supervision of Payment Institutions (PIs) and Electronic Money Institutions (EMIs), which Member States will transpose into national law.
This new architecture is designed to reduce regulatory fragmentation and create a more coherent single payments market. For banks and other Account Servicing Payment Service Providers (ASPSPs), it means adapting to a more harmonised and potentially more stringent compliance landscape.
Key regulatory and operational impacts for banks
The legislative package introduces several changes impacting bank operations, compliance obligations, and liability exposure.
Enhanced fraud liability and mandatory verification of payee
The evaluation of PSD2 identified the significant rise in new types of fraud, particularly complex ‘social engineeringʼ and ‘spoofingʼ scams, as a major concern regarding consumer protection objectives. These manipulative techniques blur the traditional distinction between unauthorised transactions and authorised payments made under deceptive pretences. Consequently, the new legislation significantly shifts the financial burden and accountability related to these evolving fraud vectors directly towards banks and Payment Service Providers (PSPs).
Since PSPs possess greater capacity to implement robust technical and preventative safeguards, the regulatory shift places the ultimate burden of proof on the PSP to demonstrate that the customer acted fraudulently or with gross negligence in cases of disputed loss. Crucially, the simple fact that a transaction was authenticated, even through Strong Customer Authentication (SCA), is deemed insufficient alone to prove authorisation or gross negligence on the part of the payer.
The transfer of risk is cemented through two primary mechanisms: the implementation of the Verification of Payee (VoP) service and expanded liability for impersonation fraud.
- Verification of Payee (VoP): Banks will need to offer a service that checks whether the payeeʼs name matches their unique identifier (e.g. IBAN) for credit transfers in all EU currencies not already covered by the Instant Payments Regulation (IPR). If a discrepancy is detected and not flagged to the payer, the bank becomes liable for the full amount.
- Spoofing liability: The PSR introduces a new refund right for consumers in cases of ‘spoofingʼ or impersonation fraud. The Councilʼs position proposes limiting this liability to cases where the fraudster impersonates the consumer’s own PSP, requiring the latter to refund the consumer within 10 business days unless the consumer acted fraudulently or with gross negligence. Banks now face stricter protocols for demonstrating gross negligence on the part of the payer.
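The VoP check described above, as an added illustration rather than Finologee's or any scheme's reference implementation: the three-way MATCH / CLOSE_MATCH / NO_MATCH outcome, the name normalisation rules, the similarity threshold and the sample IBAN registry are all assumptions constructed for the example. A "flag_payer" result of True is the discrepancy that the bank must surface to the payer before execution.

```python
"""Verification of Payee (VoP) name check (added example, assumptions as noted)."""
from difflib import SequenceMatcher
import re
import unicodedata

# Constructed sample registry: IBAN -> registered account holder name
REGISTRY = {
    "LU280019400644750000": "Société Exemple S.A.",
    "DE89370400440532013000": "Anna Müller",
}

# Assumed legal-form suffixes ignored when comparing names
LEGAL_SUFFIXES = {"sa", "sarl", "gmbh", "ltd"}


def normalise(name: str) -> str:
    """Strip accents, dots, case and punctuation; drop legal-form suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", " ", text.replace(".", "").lower())
    return " ".join(t for t in text.split() if t not in LEGAL_SUFFIXES)


def verify_payee(iban: str, payee_name: str, threshold: float = 0.85) -> dict:
    """Compare the payer-entered name with the holder registered for the IBAN.

    Returns the match outcome, whether the payer must be warned before the
    transfer proceeds, and (for close matches) the registered name to show.
    """
    holder = REGISTRY.get(iban.replace(" ", "").upper())
    if holder is None:
        # Account unknown to the responding PSP: no verification possible
        return {"result": "NOT_APPLICABLE", "flag_payer": True, "suggested": None}
    entered, registered = normalise(payee_name), normalise(holder)
    if entered == registered:
        return {"result": "MATCH", "flag_payer": False, "suggested": None}
    # Assumed similarity measure: difflib ratio over normalised names
    ratio = SequenceMatcher(None, entered, registered).ratio()
    if ratio >= threshold:
        return {"result": "CLOSE_MATCH", "flag_payer": True, "suggested": holder}
    return {"result": "NO_MATCH", "flag_payer": True, "suggested": None}
```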
Open Banking infrastructure mandates
The adoption and functionality of Open Banking services under PSD2 proved challenging, largely due to operational friction and insufficient regulatory clarity, which ultimately hampered its objective of improving competition by lowering market barriers faced by third-party providers (TPPs). Evaluations of PSD2 highlighted persisting shortcomings where the full potential of Open Banking was not achieved, primarily due to inconsistent interfaces and the exposure of TPPs to many unjustified obstacles. These problems stemmed partly from the reliance on a Directive (PSD2), which led to divergent interpretations and enforcement across Member States, creating different regulatory conditions and encouraging regulatory arbitrage.
To eliminate this friction, improve the competitiveness of Open Banking, and ensure uniform application across the internal market, the solution adopted by the new framework is twofold: first, by placing rules governing the conduct of business, including Open Banking requirements, into the PSR; and second, by fundamentally mandating a high-quality, dedicated infrastructure for access. Many technical requirements previously confined to the Regulatory Technical Standards (RTS) are now directly integrated into the PSR itself. This shift mandates stricter standards, aiming to enhance legal coherence and minimise the historical margins of interpretation.
A central element of the updated regime concerns the establishment and quality of dedicated interfaces:
- Dedicated interfaces (APIs): ASPSPs offering online-accessible payment accounts must provide at least one secure dedicated API for interaction with Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Avoidance requires a narrowly defined formal derogation from the NCA.
- Removal of mandatory fallback: The requirement to maintain a permanent fallback interface is removed.
- Data parity and performance: The dedicated interface must meet high standards, offering at least the same level of availability and performance as the interface the ASPSP makes available directly to its own users. It must also ensure ‘data parityʼ, meaning it includes the payment account data available in the customer interface.
- Functionality: The dedicated interface should support fundamental functionalities for PISPs, including the initiation of single payments, standing orders, and direct debits.
- Prohibited obstacles: The PSR addresses prior regulatory deficiencies by establishing a clear and non-exhaustive list of prohibited obstacles that ASPSPs must avoid imposing on TPPs, such as requiring excessive re-authentication or imposing additional steps in the user journey compared to the ASPSP’s own customer channel.
- Permission dashboard: ASPSPs must provide a new ‘permission dashboardʼ allowing customers to manage their granted permissions centrally. This requires ASPSPs and TPPs to cooperate to ensure the displayed information is accurate and made available in real time or without undue delay. This feature’s proposed alignment with the Financial Data Access (FIDA) regulation dashboards, allowing unified management of payment account data and broader financial data, is part of the ongoing trilogue discussions.
Strengthening PI/EMI access to accounts
The new framework addresses long-standing challenges for payment and e-money institutions.
- Access obligation: Banks must grant PIs and EMIs access to payment accounts on an objective, non-discriminatory, and proportionate basis.
- Narrowed refusal grounds: Refusals or closures must be specifically justified and cannot rely on broad arguments such as “business model risk” or compliance cost.
Strong Customer Authentication (SCA) updates
Reflecting the rapid evolution of the retail payments market and the emergence of new security risks, the new framework clarifies and extends the SCA requirements. The enhanced regime expands the application of SCA beyond payment initiation to cover any action carried out through a remote channel that may imply a risk of payment fraud or other abuses.
Simultaneously, a primary objective is financial inclusion, addressing shortcomings identified under PSD2 where certain consumers found remote transactions impossible due to their material incapability of performing SCA. Finally, the framework embeds the use of Transaction Monitoring Mechanisms (TMMs) into the core requirements, mandating that PSPs establish tools that actively support the risk-based application of SCA by analysing behavioural and environmental data to detect potential fraud, thereby enhancing overall risk management.
- Flexibility: The initial proposal allowed for the use of two authentication elements from the same category (knowledge, possession, or inherence), provided the elements maintain independence and high security. However, this specific provision is a subject of ongoing debate in trilogue negotiations, as the Council advocates for a stricter rule requiring the elements to belong to different categories.
- Accessibility: PSPs must ensure that SCA methods are adapted to the needs of all customers, including vulnerable groups such as those with disabilities or limited digital skills. The rules emphasise that authentication should not rely solely on one device or technology. However, under the Councilʼs position, an exception may apply if the payment account package chosen by the user consists of providing services exclusively through a smartphone. This addition is subject to discussion in the trilogues.
- Transaction Monitoring Mechanisms (TMMs): PSPs are mandated to implement TMMs as a core requirement to actively support the risk-based application of SCA and enable the detection and prevention of potentially fraudulent payments. TMMs rely on the analysis of previous transactions and online account access, analysing environmental and behavioural characteristics (such as user location, transaction time, and device data) to identify potentially fraudulent or atypical activity. The European Banking Authority (EBA) is tasked with developing the necessary RTS to detail the specific technical requirements for these mechanisms.
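A minimal TMM of the kind the bullet above describes, added here as an illustration and not taken from Finologee's platform or from the forthcoming EBA RTS: it scores a new transaction against the payer's prior history on device, country, hour of day and amount, and maps the score to an SCA decision. The feature weights, thresholds, tiers and the sample history are all constructed assumptions.

```python
"""Risk-based SCA decision from behavioural and environmental signals (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    device_id: str
    country: str
    hour: int      # local hour of day, 0-23
    amount: float  # EUR


# Constructed history of prior authenticated events for one payer
HISTORY = [
    Event("dev-A", "LU", 9, 42.0), Event("dev-A", "LU", 12, 15.5),
    Event("dev-A", "LU", 18, 120.0), Event("dev-B", "LU", 19, 60.0),
    Event("dev-A", "LU", 10, 30.0),
]


def risk_signals(history, tx):
    """Return {signal_name: weight} for every atypical characteristic of tx."""
    signals = {}
    if tx.device_id not in {e.device_id for e in history}:
        signals["new_device"] = 3            # assumed weight
    if tx.country not in {e.country for e in history}:
        signals["unusual_country"] = 3       # assumed weight
    hours = [e.hour for e in history]
    # Outside the hour band seen in history, widened by one hour either side
    if not (min(hours) - 1 <= tx.hour <= max(hours) + 1):
        signals["unusual_hour"] = 1
    amounts = [e.amount for e in history]
    if tx.amount > mean(amounts) + 2 * pstdev(amounts):  # simple outlier rule
        signals["unusual_amount"] = 2
    return signals


def sca_decision(history, tx):
    """Map the summed risk score to an action (assumed tiers: 0-2, 3-5, 6+)."""
    signals = risk_signals(history, tx)
    score = sum(signals.values())
    if score >= 6:
        action = "HOLD_FOR_REVIEW"   # too risky to rely on authentication alone
    elif score >= 3:
        action = "REQUIRE_SCA"
    else:
        action = "EXEMPT_CANDIDATE"  # low risk: an SCA exemption may be considered
    return {"score": score, "action": action, "signals": sorted(signals)}
```

Because the decision is derived from history rather than from the authentication event itself, the log of signals that triggered SCA is also what the PSP would need later to evidence its risk assessment.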
The road ahead and preparing for compliance
The legislative process entered trilogue negotiations in June 2025 between the European Parliament, the Council, and the Commission. A final political agreement is anticipated by late 2025 or the first quarter of 2026, with compliance obligations likely to begin in the second half of 2027 or early 2028.
Raoul Mulheims, CEO and co-founder of Finologee: “We see this legislative transition as a robust roadmap to delivering on three strategic imperatives: strengthening consumer trust, perfecting the open banking framework and creating a more harmonised and competitive market.”
How Finologee can support the transition
As a trusted provider of PSD2 compliance and Open Banking infrastructure in Luxembourg with 35 banks and PSPs using its platform, Finologee continues to monitor the evolution of the PSR and PSD3 frameworks closely.
Our existing platform and services already proactively address many of the new PSR requirements, positioning us to help banks adapt smoothly as the regulatory landscape evolves. In practice, this means our infrastructure already incorporates several capabilities that align with the upcoming framework, including:
- API management and compliance: Providing managed access platforms to meet the dedicated API requirements, coupled with the reporting of detailed performance statistics.
- Consent management: Delivering the necessary technical infrastructure and consent handling capabilities to support the new permission dashboard for users to manage third party data access.
- Authentication: Handling complex SCA integration and managing authentication flows.
By leveraging third-party solutions like Finologee’s platform, banks can reduce the extensive internal IT and compliance workload associated with implementing these complex technical standards and accelerate their compliance roadmap.
