Explainer: PSD3 and PSR – overview and key considerations

Financial law expert Emanuel van Praag offers an insightful perspective on PSD3 and PSR, explaining their key implications for customers and financial institutions. 

Introduction – why PSD3 and PSR matter

On 28 June 2023, the European Commission introduced a series of legislative proposals to optimise the EU’s financial framework. These include updates to the Payment Services Directive (PSD2), which will become PSD3, as well as the establishment of a directly applicable Payment Services Regulation (PSR).

In parallel, the Commission also presented its Open Finance proposal (FIDA – Financial Data Access Regulation). While PSD3 and PSR focus on payments, FIDA extends data sharing beyond payment accounts to include products such as mortgages, savings, investments, pensions, and insurance. It also introduces the idea of gradually expanding access based on data readiness. This means certain products may enter the Open Finance framework earlier than others, depending on how standardised and digitalised their data already is.

What is it about?

PSD3 and PSR aim to establish a modern legal framework for payment services providers. This includes credit and debit card payments, credit transfers, direct debits, money remittances, alternative payment methods (including iDEAL), and e-money issuers such as PayPal. The proposals also benefit other key players such as digital wallet providers (e.g., Google Pay and Apple Pay) and online merchants who incorporate various payment methods into their services.

Additionally, PSD3 introduces two technical updates: the E-Money Directive and the transfer of specific PSD2 rules into the PSR. This technical change aims to optimise the coherence of implementation across EU member states and does not introduce any new regulations.

Meanwhile, FIDA allows customers to instruct data holders (banks, insurers, investment firms, pension providers) to share their data with authorised data users, such as financial institutions or third-party providers. This access will occur through regulated schemes with clear participation rules, governance structures, and transparent compensation models. The customer must provide explicit consent, and data must be shared in real time.

Timeline

The legislative process for PSD3 and PSR has been gradual. Key dates include:

• 28 June 2023 – The European Commission presented PSD3 and PSR proposals.
• April 2024 – The European Parliament adopted its negotiating position on the new framework.
• June 2025 – The Council of the EU approved its negotiating mandate, allowing trilogue discussions between the Parliament, Council, and Commission.
• Late 2025 to early 2026 – A final political agreement is expected.
• Once adopted, PSD3, as a directive, will require transposition into national law within 18 months, while the PSR, as a directly applicable regulation, will enter into force automatically.

Key updates in PSD3

Restricting the commercial agent exemption

Under PSD3, the commercial agent exemption will be further limited. Therefore, a commercial agent is only exempt from PSD3 (and the licence requirement) if:

1. is a self-employed intermediary who has continuing authority to negotiate the sale or purchase of goods on behalf of ‘the principal‘, or to negotiate and complete such transactions on behalf and in the name of that principal*;
2. is authorised through an agreement to negotiate or complete the sale or purchase of goods or services on behalf of either the payer or the payee, but not both, regardless of whether the commercial agent has the client's funds;
3. the agreement gives the payer or the payee a real margin to negotiate with the commercial agent or to finalise the sale or purchase of goods or services.

This new requirement of a real margin to negotiate limits marketplaces' ability to rely on the commercial agent exemption. The EBA will develop further guidelines and examples.

 

Key impacted parties	Impact
Collecting PSPs that provide payment services to platforms/marketplaces processing payment transactions for their merchant	Collecting PSPs need to reassess whether the platforms/marketplaces can continue to rely on the commercial agent exemption and do not need their own PSD3 licence
Platforms/marketplaces processing payment transactions for their merchants	Such platforms/marketplaces need to reassess whether they can still rely on the commercial agent exemption or if they need to change their way of handling payments for their merchants

 

Open Banking under PSD3

New requirements for ASPSPs, AISPs, and PISPs

PSD3 introduces new obligations for the ASPSP (account servicing payment service provider), typically a bank:

• Immediately after receiving a payment order from a payment initiation service provider (PISP), the ASPSP must provide or make available all information about the payment initiation and execution to the PISP. If some information is not immediately available, the ASPSP must provide it promptly once it becomes accessible.
• The ASPSP must provide the account holder with a permission dashboard to monitor and manage any permissions provided to account information service providers (AISPs) on an ongoing basis. This dashboard provides users with a clear oversight of which AISPs access their data for specific purposes and offers an easy way to stop data sharing. There is no need to contact the AISPs, as data sharing can be terminated within the ASPSP’s online environment. Obviously, early termination could have contractual repercussions involving the AISP.

The AISP gets several new rights and obligations:

• When an AISP accesses data, the ASPSP should only require strong customer authentication (SCA) for the initial access to payment account data by that AISP. Unless the ASPSP has reasonable grounds to suspect fraud, SCA will not be required for further access to that payment account by the AISP.
• Unless the ASPSP has reasonable grounds to suspect fraud, AISPs shall apply their own SCA when the payment services user accesses the payment account information retrieved by that AISP at least 180 days after the last SCA was applied.

PISPs also gain new rights: before initiating a payment transaction, the ASPSP must provide the PISPs with the account's unique identifier, the account holder's names, and the currencies available to the payment service user.

 

Key impacted parties	Impact
AISPs and PISPs	Except for the permission dashboards, AISPs and PISPs positions, which have strengthened under PSD3, providing easier access
ASPSPs	ASPSPs must implement several new technical requirements, including a permission dashboard

 

Clarifications

In PSD3, the definition of a payment account is clarified, especially since only payment accounts are subject to PSD3 open banking rules. A payment account is an account held by a payment service provider for one or more users, used for payment transactions and for sending and receiving funds. However, it remains unclear if an account that can only send or only receive funds qualifies as a payment account. The PSD3 text and recital offer different interpretations, which can be relevant, for example, in the context of credit cards. 

The PSD2-as-a-service model (white-label solutions) for AISPs forwarding data to other parties, which DNB and EBA accept, is formally recognised in PSD3. This therefore increases confidence in the model's acceptability across the EU.

EBA’s published opinion on obstacles to third-party provider services under the Payment Services Directive has been integrated into PSD3, optimising its status. 

PSD2 data access and payment initiation remain free of charge and cannot depend on contracts, but premium services under the scheme may be charged. This supports the European Payment Council's initiative to develop the SEPA Payment Account Access (SPAA) scheme rulebook as a premium service. 

 

Dedicated interfaces

PSD3 clearly prefers a dedicated interface (APIs) and requires ASPSPs to implement them. A permanent contingency mechanism (or fallback solution) is not required. The customer interface can be accessed only by AISPs and PISPs if the dedicated interface is not functioning properly or if an ASPSP has been granted a regulator-approved exemption to develop a dedicated interface.

• ASPSPs must ensure that their dedicated interfaces use communication standards issued by European or international standardisation organisations, including the European Committee for Standardization (CEN) or the International Organization for Standardization (ISO).
• PSD3 sets detailed requirements on the technical information to be provided by ASPSPs about their dedicated interfaces to AISPs and PISPs. 
• ASPSPs must ensure that, except for emergency situations which prevent them from doing so, any change to the technical specifications of their dedicated interface is made available to PISPs and AISPs in advance, as soon as possible, and not less than 3 months before the change is implemented. 
• ASPSPs shall publish quarterly statistics on the availability and performance of their dedicated interface on their website. 
• ASPSPs shall offer a testing facility with support for connecting to the dedicated interfaces and conducting functional testing.
• PSD3 specifies the functionalities that the dedicated interface must provide to PISPs for payment initiation, such as starting and cancelling a future-dated payment and making payments to multiple beneficiaries.

 

Key impacted parties	Impact
ASPSPs	ASPSPs need to implement the technical requirements above
AISPs and PISPs	AISPs and PISPs get more certainty regarding the quality of APIs in terms of availability, technical access, and functionalities

 

Digital wallet providers and technical service providers

A topic of ongoing discussions was whether digital wallet providers and technical service providers would be regulated under PSD3. The PSD3 clearly establishes that this will not be the case.

• Pass-through wallets, such as Google Pay and Apple Pay, which involve the tokenization of an existing payment card, will not be regulated as a payment service unless the token can be used as a standalone payment instrument to initiate a payment order independently of the underlying tokenized payment instrument. 
• Operators of digital pass-through wallets that verify the elements of SCA used for payments are required to enter into outsourcing agreements with the payer’s issuing bank. The payer’s issuing bank should, under such agreements, retain full liability for any failure by operators of digital pass-through wallets to apply SCA and have the right to audit and control the wallet operator’s security provisions.
• NFC technology itself is also classified as a no payment service.
• It has been confirmed that other technical service providers do not offer payment services and therefore do not need regulation. 

 

Key impacted parties	Impact
Issuers	Issuers – if not already done – need to enter into outsourcing agreements in line with the EBA Guidelines on outsourcing and/or DORA with technical service providers offering delegated SCA

 

Combating payment fraud

Payment fraud is one of PSD3’s key themes. Therefore, several new requirements and rights related to this issue are introduced:

• Payment service providers must confirm payee services to their customers. This is already a market practice in the Netherlands, commonly known as the IBAN-name check.
• Payment service providers are liable to their customers in cases of spoofing (when fraudsters impersonate the bank). In the Netherlands, payment service providers already compensate their clients in cases of spoofing based on an agreement among the major Dutch banks. 
• Transaction monitoring must be strengthened and detailed by the EBA in a new RTS. These requirements should build on environmental and behavioural characteristics related to payment habits.

 

Key impacted parties	Impact
PSPs	PSPs will need to invest in additional fraud monitoring measures and enable confirmation of payee to be offered

 

Opening access to financial markets for payment institutions

The ability of payment institutions to access the financial markets infrastructure is improved. They will become less reliant on banks, and their position relative to banks where they hold a payment account will be strengthened. 

• Payment institutions will be included in the settlement finality directive, allowing them direct access to settlement systems like the ECB's Target2.
• Payment system operators must accept payment institutions as customers. They should not deny access to their payment systems unless necessary to (1) protect against specific risks, including settlement, operational, credit, liquidity, and business risks, or (2) maintain the financial and operational stability of their system. This allows payment institutions to gain direct access to processing systems such as equensWorldline NV. 
• Credit institutions can refuse or close a payment account only for reasons such as suspicions of money laundering or terrorism financing, illegal activities, contract breaches, insufficient information from the applicant, the applicant's risk profile, or potential negative impacts on the institution's profitability.
• Payment institutions can now safeguard client funds directly with the central banks, whereas currently, based on client safeguarding rules, funds must be kept with banks or selected high-quality financial instruments.

 

Key impacted parties	Impact
Payment institutions	Payment institutions get better access to payment infrastructure, such as Target2 and processors

 

What will PSD3 and PSR mean for customers?

From a customer perspective, the main takeaways regarding PSD3 and PSR are:

• Optimal Strong Customer Authorisation (SCA), which contributes to safer buying experiences;
• More data control due to stricter access rules on customers' payments and account information;
• Stronger protection of customers’ rights and personal information;
• Efficient services such as aggregation of multiple accounts, tailored recommendations, and improved financial products;
• Increased competition in the payment industry will lead to the development of new and improved products and services.

What will PSD3 and PSR mean for banks?

For banks and PSPs, the main takeaways regarding PSD3 and PSR are:

• Technical updates such as API development, dashboards, and testing environments;
• Stricter compliance obligations like reporting, fraud monitoring, SCA, and CoP measures;
• Business optimisation, such as new revenue opportunities through premium API access and partnerships with third-party providers;
• Competitions as increased pressure from non-bank PSPs entering the market;
• Licencing, meaning that marketplaces and intermediaries may now require PSD3 authorisation.

Challenges and open questions

While PSD3 and PSR aim to create a more unified and innovative payments landscape, several challenges remain:

• Maintaining implementation consistency and ensuring the optimal application of PSD3 and PSR across all EU member states will be challenging, especially given national regulatory differences.
• Interplay with Open Finance (FIDA), particularly around customer consent management, data portability, and scope of accessible financial data.
• Market competition, as non-bank PSPs gain direct access to financial infrastructures, the balance between innovation and systemic risk management will require careful supervision.
• Alignment with DORA, ensuring coherence between PSD3’s payment security rules and the Digital Operational Resilience Act’s (DORA) ICT risk and incident reporting obligations will be mandatory. PSPs and banks must integrate technical, security, and operational resilience requirements across both frameworks to maintain compliance and avoid regulatory overlap.
• Customer adoption – despite improved security and transparency, customers' willingness to adopt new Open Banking and Open Finance services will depend on clear communication, trust, and perceived value.

Additional note

On 27 November 2025, the Council of the European Union and the European Parliament reached a provisional political agreement on the new payments framework, confirming that fraud-prevention and price-transparency measures across digital payments will be implemented. This means that the transition toward the PSD3/PSR era has already begun.

Final thoughts

Although PSD3 and PSR won't become legally binding until 2026, their influence is expected to be felt before that date. These regulations clarify key requirements and guide the development of payment regulation, giving banks, PSPs, and customers a strategic preview of what to anticipate. The coming years are critical for establishing consumer trust, fostering innovation, and preparing Europe for its next significant era in payments technology and services.

*The reference is made to Article 1(2) of Directive 86/653/EEC.

About the author

As an Attorney-at-law at Kennedy Van der Laan, Emanuel van Praag helps leading financial institutions navigate the complex and dynamic regulatory landscape. With over 15 years of experience in the financial industry, he has in-depth knowledge and practical insights into the legal and business challenges facing the sector, especially in the areas of Big Data, Open Finance, Payments (PSD2), Investment Services (MiFID II, AIFMD), and Crypto-Assets. Emanuel combines legal practice with academic research and teaching as a Professor of Financial Technology and Law at Erasmus School of Law. He publishes articles and books on the impact of emerging technologies on the financial sector and the law. He wrote a leading textbook on PSD2 and Open Finance. 

 

The author’s analysis was expertly edited and prepared for publication by Paula Albu,  Editor at The Paypers.

This article is part of The Paypers’ Explainers section. To access other educational materials, click here. If you have suggestions about other topics that could be included in this section, we invite you to write to us at editor@thepaypers.com