In This Report
πŸ“’
Latest Development: On 27 November 2025, the European Parliament and Council of the EU reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR), concluding trilogue negotiations. Publication in the EU Official Journal is anticipated in mid-2026, with the PSR entering into force 18 months after publication and PSD3 requiring national transposition within 18 months of entry into force β€” placing the primary compliance window between Q3 2027 and Q2/Q3 2028.
01

Where We Are: The Legislative Moment

The EU payments regulatory framework has not stood still since PSD2's core obligations became applicable in 2018. The intervening years brought the rise of open banking, the explosive growth of instant payments, the emergence of AI-driven fraud, and the arrival of crypto-asset services requiring intersection with payment rules. PSD2, as drafted, simply did not anticipate the world that followed it.

The European Commission recognised this gap in June 2023, publishing parallel proposals for a new Payment Services Regulation and a Third Payment Services Directive. What followed was over two years of intensive trilogue negotiation between the Parliament and the Council β€” a process concluded in November 2025 under the Danish EU Presidency, which pushed hard to secure agreement before its mandate expired on 31 December 2025.

The political agreement marks the end of the fundamental legislative debate. What remains now is the technical and legal-linguistic work before formal adoption β€” a process that, by reference to PSD2, typically takes around seven months. This places publication realistically in summer 2026, with the compliance clock starting immediately thereafter.

€240T
Annual EU payment value driving reform urgency
~40
EBA mandates expected under PSD3 / PSR
18 mo.
PSR transition period after entry into force
24 mo.
Payee verification obligation extended period
02

Understanding the Two-Instrument Architecture

One of the most consequential structural decisions in the reform is the deliberate split between a Directive (PSD3) and a Regulation (PSR). This is not a technical legal detail β€” it has direct operational implications for every institution in scope.

πŸ“˜
PSD3 β€” The Directive
Governs authorisation, licensing and supervision of payment institutions (PIs) and electronic money institutions (EMIs). It repeals both PSD2 and the Electronic Money Directive, folding e-money regulation into a single supervisory framework. Requires national transposition within 18 months β€” meaning implementation will still vary by Member State, though with much less room for divergence than PSD2 allowed.
πŸ“—
PSR β€” The Regulation
Directly applicable conduct-of-business rules β€” covering fraud liability, SCA, open banking API governance, fee transparency, and consumer rights β€” that apply uniformly across the EU without national transposition. This is the instrument that eliminates forum shopping and divergent national interpretations that plagued PSD2 enforcement. The PSR enters into force 18 months after publication in the Official Journal.

The scope is also significantly broader than PSD2. Beyond banks, PIs, and EMIs, the PSR draws in technical service providers and β€” in certain defined circumstances β€” telecommunications providers and online platforms. If your institution sits adjacent to payments infrastructure, you need to assess whether you are now in scope.

03

The Five Major Shifts Institutions Must Absorb

3.1 Fraud Liability: A Fundamental Rebalancing

This is arguably the most operationally demanding change in the entire package, and the one with the most direct P&L implications. The PSR introduces mandatory reimbursement for Authorised Push Payment (APP) fraud β€” where a customer is manipulated into authorising a payment to a fraudster. Liability attaches to the institution if it fails to implement adequate fraud risk controls or fails to act on notifications of suspicious activity.

Critically, the reimbursement requirement now extends to employee impersonation fraud β€” a rapidly growing attack vector where fraudsters pose as bank staff to instruct customers to transfer funds. PSPs will also be required to offer customers spending limits and blocking measures as standard features, not optional add-ons. Failure to provide these controls shifts liability decisively to the institution.

⚠️
Material Liability Risk: Under the PSR, PSPs that implement Verification of Payee (VoP) mechanisms but those mechanisms fail will bear liability for resulting customer losses. This creates a new category of operational risk around the performance and resilience of IBAN/name verification infrastructure β€” including third-party providers used for VoP checks.

3.2 Verification of Payee β€” Extended Scope

The Instant Payments Regulation already mandated VoP for instant credit transfers within the EU. The PSR now extends this obligation to all credit transfers, not just instant payments, with a 24-month transition period from entry into force to allow institutions to build the necessary system infrastructure. The extended timeline reflects the scale of change required β€” but it is not an invitation to wait. System development, vendor assessment, and testing programmes need to begin now to be credibly in place by the deadline.

3.3 Open Banking: From Compliance Exercise to Enforceable Obligation

PSD2's open banking chapter was plagued by inconsistent implementation, poorly performing APIs, and the proliferation of obstacles that frustrated third-party providers (TPPs) seeking access to account data. The PSR directly addresses this failure mode.

Dedicated interfaces β€” the API channels through which TPPs access account information β€” must now deliver performance parity with the customer-facing interfaces operated by account servicing payment service providers (ASPSPs). The regulation enumerates specific prohibited obstacles, making enforcement more straightforward for national competent authorities. Permissions dashboards, giving consumers clear visibility of who has access to their data and the ability to revoke that access in real time, become mandatory.

"The PSR moves open banking from ambition to enforceable architecture. For institutions that have treated their PSD2 API as a compliance checkbox, the reckoning is coming."

β€” CassConsult Payments Advisory Practice

3.4 Strong Customer Authentication β€” Rebalanced for Usability

SCA has been one of PSD2's most contentious areas β€” balancing security against customer friction. The PSR takes a more nuanced approach, strengthening authentication requirements for high-risk transactions while expanding risk-based exemptions to improve user experience for lower-risk scenarios. Real-time fraud monitoring capabilities are explicitly embedded in the framework, recognising that static rule-based authentication is insufficient against modern fraud typologies.

An important governance change: where SCA is outsourced to a technical service provider, the issuer retains full regulatory responsibility. Detailed written agreements must be in place, granting the issuer and its regulators unrestricted audit rights. Institutions that have outsourced SCA without robust governance frameworks will need to remediate their contracts and oversight arrangements.

3.5 Fee Transparency and Consumer Rights

The PSR tightens transparency obligations across the board. Currency conversion fees, ATM withdrawal charges, and cross-border payment costs must be disclosed upfront and comparably β€” closing the loopholes that allowed some providers to bury costs in exchange rate margins. Estimated transfer times for cross-border payments must be disclosed. PSPs must provide access to human customer support. Alternative dispute resolution (ADR) participation becomes mandatory for consumer complaints.

Area PSD2 Position PSD3/PSR Position Impact
APP Fraud Liability No mandatory reimbursement Mandatory reimbursement where controls inadequate High
Verification of Payee Instant payments only (under IPR) All credit transfers High
Open Banking APIs Dedicated interface encouraged Performance parity mandatory; obstacles enumerated High
SCA Framework Rigid rules, limited exemptions Risk-based exemptions expanded; real-time monitoring Medium
EMI Regulation Separate EMD regime Merged into PSD3 single framework Medium
Crypto/EMT Intersection Regulatory gap / EBA NAL PSR applies selectively; dual-auth cases reduced New
Fee Transparency General disclosure rules Upfront, comparable disclosure mandatory Medium
SCA Outsourcing Limited governance requirements Detailed written agreements; audit rights mandatory High
04

The Compliance Timeline β€” Mapped

The legislative journey from political agreement to full compliance obligation spans multiple years. Understanding where each obligation falls on that timeline is essential for resource planning and programme sequencing.

November 2025
Political Agreement Reached. European Parliament and Council conclude trilogue negotiations on PSD3 and PSR. Fundamental legislative debate closed.
Mid-2026 (Expected)
Official Journal Publication. Final texts published after legal-linguistic review and formal adoption. PSR enters into force 20 days after publication. Compliance clock starts. EBA to publish its implementation roadmap for ~40 mandates.
Q2 2026
EBA Publishes PSR/PSD3 Implementation Roadmap. Institutions will receive clarity on the sequencing of Level 2 regulatory technical standards (RTS) and implementing technical standards (ITS) β€” the detailed rules that operationalise the framework.
Early–Mid 2027
Start of Compliance Readiness Window. Institutions should be completing gap analyses, technology programmes, and governance updates. First EBA RTS consultations under PSD3/PSR expected.
Q3 2027 – Q2/Q3 2028
PSR Enters Full Application. Targeted applicability 18 months after entry into force. Core conduct obligations β€” fraud liability, VoP for credit transfers (standard), open banking parity, SCA rules β€” become enforceable.
~24 Months After Entry into Force
Payee Name/IBAN Verification Extended Obligation. Full VoP for all credit transfers, including the corresponding liability regime for verification failures.
By End 2028
PSD3 National Transposition. Member States must have incorporated PSD3 into national law within 18 months of entry into force. Institutions operating across multiple jurisdictions face a window of legal variation during this period.
05

What You Must Do Now: A Prioritised Action Plan

The instinct to wait for final text is understandable β€” but it is the wrong strategic posture. The political agreement provides sufficient certainty on the major obligations for institutions to begin meaningful preparation. Those that act in 2026 will have the implementation runway they need; those that wait for final publication risk compressing a complex, multi-year programme into an unmanageable timeframe.

Immediate Actions (Now β€” Q3 2026)

Medium-Term Actions (Q4 2026 β€” Q2 2027)

06

The EU/UK Divergence Problem

For institutions operating across both EU and UK markets, PSD3/PSR creates an increasingly complex bilateral regulatory environment. The UK's post-Brexit payment services reform is proceeding on a separate legislative track, with the FCA and PSR developing their own approach to open banking, APP fraud reimbursement (the UK's mandatory reimbursement regime is already live from October 2024), and payment system access.

The convergence assumption that underpinned many firms' compliance operating models during the PSD2 era no longer holds. EU and UK rules on VoP, SCA, open banking interface standards, and fraud liability will differ in design, threshold, and enforcement β€” requiring genuinely distinct compliance frameworks for each jurisdiction, not a single policy with minor carve-outs.

Institutions with cross-border payment books should now be conducting explicit divergence assessments: for each major obligation area, what is the EU requirement, what is the UK requirement, and what is the most efficient operating model that satisfies both without unnecessary duplication?

07

Conclusion: The Window to Act Is Open β€” But Not Permanently

PSD3 and the PSR represent the most significant reform of EU payments regulation since the original PSD1 in 2007. They are not an incremental update to PSD2 β€” they are a structural redesign that shifts liability, extends scope, eliminates forum shopping, and hardwires open banking into the regulatory fabric of the single market.

The institutions that will navigate this transition most effectively are those that treat 2026 as the year to understand, plan, and begin β€” not the year to wait. The political agreement provides sufficient certainty for meaningful gap analysis and programme design. The EBA's implementation roadmap in Q2 2026 will add sequencing clarity. Official Journal publication in mid-2026 will start the compliance clock formally.

What it will not do is extend the runway for institutions that chose to delay. The technical work required β€” VoP infrastructure, API performance upgrades, fraud reimbursement frameworks, SCA outsourcing governance, fee disclosure redesign β€” takes time, budget, and organisational focus. The window to act without crisis is open now. It will not remain open indefinitely.

"The year 2026 should be used to understand regulatory requirements in detail, identify areas for action, determine the need for adjustments, and start implementation by the beginning of 2027 at the latest."

β€” Banking.Vision, March 2026

At CassConsult, our Payments Advisory Practice works with banks, payment institutions, and e-money institutions to translate regulatory complexity into clear, actionable programmes. We offer structured PSD3/PSR gap assessments, fraud liability modelling, open banking API audits, and implementation programme design β€” calibrated to your institution's specific business model, geographic footprint, and risk profile.

CC
CassConsult Payments Advisory Practice
Specialist Consultancy Β· Payments Β· Banking Regulation Β· Process Automation
CassConsult provides expert advisory to financial institutions navigating payments transformation and regulatory change. Our team brings direct practitioner experience from banks, payment institutions, and regulatory environments across the EU. We combine deep domain knowledge with hands-on implementation capability to deliver outcomes that matter.

Ready to Begin Your PSD3/PSR Readiness Programme?

Speak with a CassConsult payments specialist. We offer structured gap assessments, liability modelling, and implementation programme design tailored to your institution.

Schedule a Free Consultation β†’