The next evolution of EU Payments: an update on PSD3 and PSR
This article is the first in our new series tracking the developments of the EU’s new payments framework and what it means for the financial industry. With trilogue negotiations now underway, the final shape of the rules is becoming clear, and financial institutions should anticipate compliance obligations likely starting from the second half of 2027 or early 2028.
A new chapter for European payments
The second Payment Services Directive (PSD2) fundamentally reshaped the European financial landscape, ushering in the era of Open Banking. Now, the European Union is preparing for the next significant evolution with a new legislative package: the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR).
This new framework is designed to build on the successes of PSD2 while addressing its shortcomings. Its goals are to:
- Strengthen consumer protection and combat emerging forms of payment fraud.
- Improve the functioning and enforcement of Open Banking.
- Further harmonise the EU payments market by moving many provisions into a Regulation (PSR), ensuring identical application across all member states.
Current status: trilologue negotiations are underway
The legislative process has now entered its final and most critical stage: the trilogue negotiations. This is where the European Parliament, the Council of the EU (representing the member states), and the European Commission negotiate a final compromise text.
Key themes on the negotiating table
While the institutions broadly agree on the main points, details are now being debated. Some of the most-watched topics, which will have a direct operational impact on all payment service providers (PSPs), include:
1. Enhanced fraud prevention
A new consumer refund right for “spoofing” (impersonation fraud) is being introduced. The key debate is its scope: the European Parliament wants to cover the impersonation of any relevant authority, while the Council seeks to limit the right to only cases where the fraudster impersonates the consumer’s own bank.
A major operational change under the PSR is the mandatory adoption of a service to verify discrepancies between a payee’s name and unique identifier. This new rule is designed to complement the Instant Payments Regulation (IPR), which already mandates a “Verification of Payee” (VOP) service for all credit transfers in euros. The PSR, therefore, extends this same obligation to credit transfers in non-euro EU currencies.
2. Improving Open Banking
The new framework aims to remove the obstacles and friction that have hindered Open Banking’s adoption under PSD2. For institutions that provide account access (ASPSPs), the rules for dedicated APIs are at the centre of the trilogue negotiations.
- A central debate is the proposed removal of the “fallback” mechanism (access to the customer interface), which the Council supports. This would be replaced by mandating stricter API performance standards, including rules on “optimal recovery time,” limiting maintenance windows, and ensuring API performance is at least as fast as the bank’s own customer interface.
- The new rules focus on a better user experience by explicitly listing “prohibited obstacles” (like adding extra steps to authentication journeys) and mandating a new user-facing “permission dashboard” for managing TPP access.
- The legal text also formally replaces the term “explicit consent” with “permission” to avoid confusion with GDPR consent requirements.
As a provider of a high-performance PSD2 dedicated interface, Finologee is closely monitoring this debate. Our solution is already built to meet high availability standards and provide detailed performance statistics. The new “permission dashboard” requirement also aligns with the TPP verification and consent management capabilities at the core of our platform.
3. Market harmonisation
To create a more level playing field, the PSR will harmonise rules that were previously subject to national interpretation. Key topics include:
- Narrowing the Limited Network Exclusion (LNE) and Commercial Agent Exclusion to ensure consistent application.
- Addressing the “de-risking” of payment institutions (PIs), with the Council proposing new, specific rules (linked to the AML Regulation) on when a credit institution can deny a PI access to a bank account.
- Debating the banning of surcharging, where the EP is pushing for a complete, EU-wide ban, while the Council favours maintaining the existing PSD2 rules.
The road ahead: an estimated timeline
While a final agreement is pending, the broad timeline looks as follows:
- Final political agreement: There is strong political momentum to conclude the trilogue negotiations by late 2025 or the first quarter of 2026.
- Formal adoption: Following a legal-linguistic review, the final texts would be formally adopted, likely in mid-2026.
Application dates:
- PSR: As a regulation, the PSR will be directly applicable in all EU member states. However, the exact implementation period is still being debated, with proposals ranging from 18 to 24 months. Some specific new PSR rules, such as the mandatory VOP-like service and its related liability, will have an even longer implementation period. This is also under negotiation, with proposals ranging from 24 to 30 months.
- PSD3: As a directive, PSD3 must be transposed into national law by each member state.
The PSR is intended to apply from the same date as the PSD3 transposition deadline, so the 18-to-24-month negotiation effectively applies to both.
Raoul Mulheims, CEO and co-founder of Finologee: “We see this legislative transition as a robust roadmap to delivering on three strategic imperatives: strengthening consumer trust, perfecting the open banking framework and creating a more harmonised and competitive market.”
How Finologee is preparing to support this transition
As a long-standing partner providing foundational PSD2 compliance and Open Banking infrastructure for Luxembourg’s financial institutions, Finologee is closely tracking these negotiations at a technical level.
The modularity of our platforms is designed to adapt to new regulatory and technical standards. We are actively analysing how future requirements can be efficiently integrated into our existing solutions. Our goal is to ensure our clients can navigate this transition smoothly, leveraging their existing infrastructure to meet the next generation of compliance.
