PSD3 gets real: What the EU’s new payment rules mean for you

The EU’s landmark payments reform package, PSD3 and the new Payment Services Regulation (PSR), is no longer just theory. As of June 2025, the Council of the EU has adopted its negotiating position, and trilogue negotiations are now underway. These reforms will overhaul payments compliance across the EU and beyond, and the time for waiting is over.

 

For payment firms, e-money institutions, fintechs, and even non-EU providers offering cross-border services, the window to prepare is closing fast.

 

Where do things stand now?

 

After months of consultation, PSD3 and PSR are entering the final stretch, with formal negotiations now underway and compliance deadlines fast approaching.

 

  • In June 2025 the Council formally approved its negotiating position on PSD3 and PSR, enabling trilogue talks with the European Parliament to begin. 
  • Final texts are expected by late 2025, with implementation starting in 2026. 
  • Because PSR is a regulation (not a directive), parts of the new framework will be directly applicable and enforceable from the outset—no national transposition required. 
  • Firms should expect compliance obligations to go live in phases starting Q1 2026. 

 

What’s changing in PSD3?

 

While many updates build on PSD2 foundations, there are some game-changers. Here are the most significant changes:

 

1. Expanded fraud liability and customer protections

 

  • Payment firms could be liable for impersonation fraud, where scammers trick users into authorising payments. 
  • Refund deadlines extended from 10 to 15 business days. 
  • New fraud reporting obligations, including data-sharing with other PSPs and telecom providers. 
  • The EU may introduce a voluntary data exchange mechanism for fraud intelligence. 

2. Tighter authentication and stronger SCA requirements

 

  • Real-time behavioural monitoring will become a standard expectation. 
  • SCA exemptions are being re-evaluated, and firms relying on current thresholds may be non-compliant under PSR. 
  • Increased focus on biometric verification and AI-powered fraud detection.

 

3. Inclusion of big tech in fraud prevention

 

  • The Council’s position brings electronic communications service providers (ECSPs), like messaging apps and telecoms, into scope for fraud-related cooperation. 
  • This may include sharing fraud intelligence across sectors to tackle spoofing and impersonation scams. 
  • A voluntary EU-wide mechanism for real-time fraud data exchange is also under discussion.

4. New fraud controls: Spoofing refunds, Confirmation of Payee, and data-sharing limits

 

  • PSD3 introduces conditional reimbursement for impersonation (spoofing) fraud: victims may be refunded unless they acted with gross negligence. 
  • Confirmation of Payee (CoP) checks will become mandatory for all credit transfers, helping to combat invoice redirection scams. 
  • The PSR encourages fraud data sharing, but proposed rules limit this to confirmed fraud linked to an IBAN after two incidents, a narrow scope that may undermine proactive anti-fraud efforts. 
  • New provisions also call for accessible SCA options to support vulnerable customers, such as alternatives to smartphone-based authentication.

 

5. Greater accountability for API access and open banking uptime

 

  • The EBA will introduce quarterly reporting requirements for API performance and outage recovery. 
  • Banks will need to guarantee fairer access to infrastructure for Third-Party Providers (TPPs). 
  • TPPs face enhanced liability standards and security controls. 

6. Merged supervision of payment and e-money institutions

 

  • The e-money directive will be folded into PSD3, removing previous regulatory distinctions. 
  • Expect stricter licensing, governance, and capital requirements, especially for non-bank fintechs. 

7. Fee transparency and FX disclosures

 

  • Payment processors and card schemes will be required to disclose fee structures to merchants and consumers. 
  • FX conversions must be clearly presented before payment authorisation, not buried in terms or interfaces. 

 

What about the UK?

 

While the UK is not bound by PSD3/PSR, firms operating in the EU or with EU customers must still comply. UK regulators are closely aligned in intent, pursuing similar goals through domestic reforms. These include the expansion of Open Banking into other sectors, backed by the forthcoming Data, Usage and Access Act (DUAA), as well as stronger regulatory powers under the Financial Services and Markets Act 2023 and the introduction of the Failure to Prevent Fraud offence under the Economic Crime and Corporate Transparency Act.

 

What should organisations be doing now?

 

With trilogue negotiations underway and direct regulatory obligations looming, compliance teams should not wait for final implementation; they should act now. Here are some key steps to take:

 

  • Conduct a PSD3/PSR gap analysis against existing PSD2 controls and fraud frameworks 
  • Review and update strong customer authentication (SCA) procedures, including exemptions and support for vulnerable users 
  • Map out fraud prevention controls, including readiness for conditional reimbursement and Confirmation of Payee 
  • Assess API uptime, fallback procedures, and reporting capabilities in light of new TPP access obligations 
  • Evaluate data-sharing policies and agreements to prepare for fraud intelligence exchange 
  • Prepare senior leadership and compliance teams for new governance, licensing, and capital requirements 
  • Monitor trilogue outcomes and UK developments, particularly DUAA and the UK’s Open Banking Expansion 

 

It all comes back to fraud

 

Fraud prevention is no longer just a compliance box to tick; it’s becoming a central regulatory obligation. At the heart of PSD3 and PSR is a clear shift toward proactive fraud controls, including conditional reimbursement for impersonation scams, mandatory Confirmation of Payee checks, and new expectations around real-time data sharing — even across sectors like telecoms and big tech.

 

This same theme drives the UK’s latest legislation: the new corporate failure to prevent fraud offence, which comes into force on 1 September 2025 and holds firms criminally liable if they don’t have “reasonable procedures” in place to stop fraud before it happens.

 

Join our upcoming webinar

 

Fraud is evolving, and so is regulation. Now is the time to act, for PSD3, PSR, and failure to prevent. Join us on Wednesday, 3 September at midday for our Failure to Prevent Fraud — Complying with the New Corporate Offence webinar, where our expert panel will share practical, actionable steps for complying with the UK’s new failure to prevent fraud offence. Our clear, practical guidance will help your organisation prepare with confidence.

 
