- 1. Where We Are: The Legislative Moment
- 2. Understanding the Two-Instrument Architecture
- 3. The Five Major Shifts Institutions Must Absorb
- 4. The Compliance Timeline β Mapped
- 5. What You Must Do Now: A Prioritised Action Plan
- 6. The EU/UK Divergence Problem
- 7. Conclusion: The Window to Act Is Open β But Not Permanently
Where We Are: The Legislative Moment
The EU payments regulatory framework has not stood still since PSD2's core obligations became applicable in 2018. The intervening years brought the rise of open banking, the explosive growth of instant payments, the emergence of AI-driven fraud, and the arrival of crypto-asset services requiring intersection with payment rules. PSD2, as drafted, simply did not anticipate the world that followed it.
The European Commission recognised this gap in June 2023, publishing parallel proposals for a new Payment Services Regulation and a Third Payment Services Directive. What followed was over two years of intensive trilogue negotiation between the Parliament and the Council β a process concluded in November 2025 under the Danish EU Presidency, which pushed hard to secure agreement before its mandate expired on 31 December 2025.
The political agreement marks the end of the fundamental legislative debate. What remains now is the technical and legal-linguistic work before formal adoption β a process that, by reference to PSD2, typically takes around seven months. This places publication realistically in summer 2026, with the compliance clock starting immediately thereafter.
Understanding the Two-Instrument Architecture
One of the most consequential structural decisions in the reform is the deliberate split between a Directive (PSD3) and a Regulation (PSR). This is not a technical legal detail β it has direct operational implications for every institution in scope.
The scope is also significantly broader than PSD2. Beyond banks, PIs, and EMIs, the PSR draws in technical service providers and β in certain defined circumstances β telecommunications providers and online platforms. If your institution sits adjacent to payments infrastructure, you need to assess whether you are now in scope.
The Five Major Shifts Institutions Must Absorb
3.1 Fraud Liability: A Fundamental Rebalancing
This is arguably the most operationally demanding change in the entire package, and the one with the most direct P&L implications. The PSR introduces mandatory reimbursement for Authorised Push Payment (APP) fraud β where a customer is manipulated into authorising a payment to a fraudster. Liability attaches to the institution if it fails to implement adequate fraud risk controls or fails to act on notifications of suspicious activity.
Critically, the reimbursement requirement now extends to employee impersonation fraud β a rapidly growing attack vector where fraudsters pose as bank staff to instruct customers to transfer funds. PSPs will also be required to offer customers spending limits and blocking measures as standard features, not optional add-ons. Failure to provide these controls shifts liability decisively to the institution.
3.2 Verification of Payee β Extended Scope
The Instant Payments Regulation already mandated VoP for instant credit transfers within the EU. The PSR now extends this obligation to all credit transfers, not just instant payments, with a 24-month transition period from entry into force to allow institutions to build the necessary system infrastructure. The extended timeline reflects the scale of change required β but it is not an invitation to wait. System development, vendor assessment, and testing programmes need to begin now to be credibly in place by the deadline.
3.3 Open Banking: From Compliance Exercise to Enforceable Obligation
PSD2's open banking chapter was plagued by inconsistent implementation, poorly performing APIs, and the proliferation of obstacles that frustrated third-party providers (TPPs) seeking access to account data. The PSR directly addresses this failure mode.
Dedicated interfaces β the API channels through which TPPs access account information β must now deliver performance parity with the customer-facing interfaces operated by account servicing payment service providers (ASPSPs). The regulation enumerates specific prohibited obstacles, making enforcement more straightforward for national competent authorities. Permissions dashboards, giving consumers clear visibility of who has access to their data and the ability to revoke that access in real time, become mandatory.
"The PSR moves open banking from ambition to enforceable architecture. For institutions that have treated their PSD2 API as a compliance checkbox, the reckoning is coming."
β CassConsult Payments Advisory Practice3.4 Strong Customer Authentication β Rebalanced for Usability
SCA has been one of PSD2's most contentious areas β balancing security against customer friction. The PSR takes a more nuanced approach, strengthening authentication requirements for high-risk transactions while expanding risk-based exemptions to improve user experience for lower-risk scenarios. Real-time fraud monitoring capabilities are explicitly embedded in the framework, recognising that static rule-based authentication is insufficient against modern fraud typologies.
An important governance change: where SCA is outsourced to a technical service provider, the issuer retains full regulatory responsibility. Detailed written agreements must be in place, granting the issuer and its regulators unrestricted audit rights. Institutions that have outsourced SCA without robust governance frameworks will need to remediate their contracts and oversight arrangements.
3.5 Fee Transparency and Consumer Rights
The PSR tightens transparency obligations across the board. Currency conversion fees, ATM withdrawal charges, and cross-border payment costs must be disclosed upfront and comparably β closing the loopholes that allowed some providers to bury costs in exchange rate margins. Estimated transfer times for cross-border payments must be disclosed. PSPs must provide access to human customer support. Alternative dispute resolution (ADR) participation becomes mandatory for consumer complaints.
| Area | PSD2 Position | PSD3/PSR Position | Impact |
|---|---|---|---|
| APP Fraud Liability | No mandatory reimbursement | Mandatory reimbursement where controls inadequate | High |
| Verification of Payee | Instant payments only (under IPR) | All credit transfers | High |
| Open Banking APIs | Dedicated interface encouraged | Performance parity mandatory; obstacles enumerated | High |
| SCA Framework | Rigid rules, limited exemptions | Risk-based exemptions expanded; real-time monitoring | Medium |
| EMI Regulation | Separate EMD regime | Merged into PSD3 single framework | Medium |
| Crypto/EMT Intersection | Regulatory gap / EBA NAL | PSR applies selectively; dual-auth cases reduced | New |
| Fee Transparency | General disclosure rules | Upfront, comparable disclosure mandatory | Medium |
| SCA Outsourcing | Limited governance requirements | Detailed written agreements; audit rights mandatory | High |
The Compliance Timeline β Mapped
The legislative journey from political agreement to full compliance obligation spans multiple years. Understanding where each obligation falls on that timeline is essential for resource planning and programme sequencing.
What You Must Do Now: A Prioritised Action Plan
The instinct to wait for final text is understandable β but it is the wrong strategic posture. The political agreement provides sufficient certainty on the major obligations for institutions to begin meaningful preparation. Those that act in 2026 will have the implementation runway they need; those that wait for final publication risk compressing a complex, multi-year programme into an unmanageable timeframe.
Immediate Actions (Now β Q3 2026)
- Commission a regulatory gap analysis. Map your current state against the known PSD3/PSR obligations β fraud controls, VoP capability, open banking API performance, SCA governance, fee disclosure. This baseline is the foundation for everything that follows. Waiting for final text adds weeks of delay for marginal additional certainty.
- Assess your fraud liability exposure. Model the financial impact of APP fraud reimbursement obligations under your current control environment. For many institutions, particularly those with high-volume retail payment books, this is a material P&L risk that warrants immediate Board-level attention.
- Review SCA outsourcing contracts. Identify every agreement where SCA functions are delegated to a technical service provider. Assess whether current contracts provide the detailed governance requirements, service level commitments, and audit rights that the PSR will mandate.
- Establish a PSD3/PSR programme governance structure. Designate a cross-functional programme owner. PSD3/PSR touches Compliance, Technology, Operations, Product, Legal, and Finance. Siloed responses will fail. Stand up an integrated programme board now.
- Map your open banking API performance. Benchmark current API availability, response times, and error rates against your customer-facing interfaces. Where gaps exist, begin the technology investment case β VoP and open banking parity will require system-level changes, not configuration tweaks.
Medium-Term Actions (Q4 2026 β Q2 2027)
- Build or procure Verification of Payee capability. VoP for all credit transfers requires infrastructure that most institutions do not currently have in place for non-instant payments. Define your build vs. buy decision, select a vendor or architecture approach, and begin development. The 24-month transition sounds generous β it is not, for complex multi-market institutions.
- Redesign fraud monitoring and intervention frameworks. Implement spending limit management, real-time anomaly detection, and customer blocking mechanisms as product features. Ensure transaction monitoring rules are calibrated for the expanded SCA exemption landscape to avoid both over-authentication (friction) and under-authentication (fraud losses).
- Engage with the EBA implementation roadmap. The EBA anticipates around 40 mandates under PSD3 and PSR and plans to publish its roadmap in Q2 2026. This roadmap will determine the sequencing and timing of Level 2 standards β participate in consultations where your business model is affected. Early engagement shapes better outcomes.
- Update fee disclosure frameworks. Review all customer-facing fee schedules, FX margin practices, and ATM charge disclosure mechanisms against the PSR's upfront transparency requirements. Product teams and Legal need to work in concert to redesign disclosure journeys.
- Train and upskill compliance and payments operations teams. The shift from directive to regulation eliminates many of the national implementation nuances that teams have navigated under PSD2. Direct familiarity with the PSR's conduct obligations β not filtered through national transposition β is the new baseline.
The EU/UK Divergence Problem
For institutions operating across both EU and UK markets, PSD3/PSR creates an increasingly complex bilateral regulatory environment. The UK's post-Brexit payment services reform is proceeding on a separate legislative track, with the FCA and PSR developing their own approach to open banking, APP fraud reimbursement (the UK's mandatory reimbursement regime is already live from October 2024), and payment system access.
The convergence assumption that underpinned many firms' compliance operating models during the PSD2 era no longer holds. EU and UK rules on VoP, SCA, open banking interface standards, and fraud liability will differ in design, threshold, and enforcement β requiring genuinely distinct compliance frameworks for each jurisdiction, not a single policy with minor carve-outs.
Institutions with cross-border payment books should now be conducting explicit divergence assessments: for each major obligation area, what is the EU requirement, what is the UK requirement, and what is the most efficient operating model that satisfies both without unnecessary duplication?
Conclusion: The Window to Act Is Open β But Not Permanently
PSD3 and the PSR represent the most significant reform of EU payments regulation since the original PSD1 in 2007. They are not an incremental update to PSD2 β they are a structural redesign that shifts liability, extends scope, eliminates forum shopping, and hardwires open banking into the regulatory fabric of the single market.
The institutions that will navigate this transition most effectively are those that treat 2026 as the year to understand, plan, and begin β not the year to wait. The political agreement provides sufficient certainty for meaningful gap analysis and programme design. The EBA's implementation roadmap in Q2 2026 will add sequencing clarity. Official Journal publication in mid-2026 will start the compliance clock formally.
What it will not do is extend the runway for institutions that chose to delay. The technical work required β VoP infrastructure, API performance upgrades, fraud reimbursement frameworks, SCA outsourcing governance, fee disclosure redesign β takes time, budget, and organisational focus. The window to act without crisis is open now. It will not remain open indefinitely.
"The year 2026 should be used to understand regulatory requirements in detail, identify areas for action, determine the need for adjustments, and start implementation by the beginning of 2027 at the latest."
β Banking.Vision, March 2026At CassConsult, our Payments Advisory Practice works with banks, payment institutions, and e-money institutions to translate regulatory complexity into clear, actionable programmes. We offer structured PSD3/PSR gap assessments, fraud liability modelling, open banking API audits, and implementation programme design β calibrated to your institution's specific business model, geographic footprint, and risk profile.
Ready to Begin Your PSD3/PSR Readiness Programme?
Speak with a CassConsult payments specialist. We offer structured gap assessments, liability modelling, and implementation programme design tailored to your institution.
Schedule a Free Consultation β