Explainer: understanding PSD3 and PSR – key updates, timelines, and action points for firms

Dan Jones, FinTech Partner at global law firm Morrison Foerster, explains what's new in PSD3 and the PSR: direct-effect conduct rules, unified PI/EMI licensing, mandatory APP fraud reimbursement, IBAN/name verification, and stricter API standards.

Executive summary

The EU is finalising a significant overhaul of its framework for payments regulation. On 22 April, the proposed text of the Third Payment Services Directive (“PSD3”) and a new directly applicable Payment Services Regulation (“PSR”) were put before a meeting of national representatives for approval. Together, these measures will repeal and replace the existing regimes under PSD2 and the Electronic Money Directive (EMD2), with a single supervisory framework focused on harmonisation, fraud prevention, and strengthening open banking.

Provisional political agreement for the reforms was reached in November 2025, with formal adoption expected in 2026. On 23 April 2026, the Council of the European Union issued an ‘I’ Item Note (dated 17 April 2026) on the draft Directive and Regulation, alongside final compromise texts for both instruments. The Note which invites the Committee of Permanent Representatives to approve the drafts is another sign that PSD3 and the PSR are close to coming into force.

Firms should anticipate the coming into force of the new regime by late 2027, with transitional provisions applying to licensing. Firms should also note that Level 2 measures (Regulatory Technical Standards and Implementing Technical Standards) from the European Banking Authority (EBA) will follow, shaping detailed compliance requirements.

For banks, payment institutions (“PIs”), and e-money institutions (“EMIs”), PSD3/PSR will require material operational, legal, and compliance changes, particularly in fraud liability, API performance, and licensing structures.

Key takeaways

Structural reform: - Where PSD2 required EU Member States to interpret and implement regulation at the national level, conduct rules for payment service providers will sit within regulation, in the form of the PSR, which will be directly applicable and set standards across EU Member States, reducing fragmentation across the EU. 

Single licensing regime: there will no longer be separate rules for EMIs (the “E-Money Directive” or “EMD”), which will become a sub-category of PIs under the PSD3 framework and requiring re-authorisation. 

Fraud liability expanded: banks and PIs must comply with expanded fraud and consumer protection obligations, including mandatory IBAN/name checks and broader reimbursement obligations for authorised push payment (“APP”) fraud. 

Enforcement of Open Banking standards: PSD3 imposes more prescriptive requirements for APIs and access interfaces and obligations for Secure Customer Authentication (“SCA”), further reducing fragmented implementation and user experience across Member States.

Expanded liability for enablers: Under PSD3, third party providers of services to payment service providers may be liable where their systems contribute to failures or fraud in the payments chain. The new regime requires stronger internal controls and better transaction validation mechanisms.

Implementation horizon: Likely effective late 2027, but preparation must begin well in advance.

Background: PSD2 and its limitations

Payment services in the EU have been regulated since 2018 by PSD2 (Directive (EU) 2015/2366). The primary objectives of PSD2 were to:

• Create a level, harmonised playing field for the regulation of payment services across the EU;
• Support the growth of “open banking” (access to the payments capabilities of account information and payment initiation services); and
• Improve payments security through SCA.

However, experience and the European Commission review of PSD2 revealed several structural issues with the existing regime:

• Due to the need for each Member State to nationally transpose the Directive, it was open to differences in interpretation and enforcement and failed to completely harmonise regulation and eradicate regulatory arbitrage between Member States.
• Inconsistent enforcement of API standards meant that payment service users across Member States received different qualities of experience and open banking performance.
• Inconsistent standards of regulation and enforcement were further amplified by distinct regulations for PIs and EMIs, under PSD2 and EMD, respectively.

These shortcomings prompted the European Commission to propose a new framework.

The new framework: PSD3 and PSR

Dual legislative structure - The package of regulation proposed by the European Commission in June 2023 introduces a dual legislative structure.

PSD3 (a Directive requiring national transposition) will govern authorisations, prudential supervision, and licensing. It will incorporate the requirement for EMIs to seek reauthorisation as a PI under PSD3.
The PSR (a Regulation with direct effect at the Member State level) will govern conduct of business rules, including SCA, transparency, open banking standards and fraud liability.

This dual structure permits national regulators a level of control over which firms are permitted to operate in the jurisdiction while ensuring greater legal certainty and consistency of services across the EU.

Enhanced fraud prevention and liability - Mandatory IBAN/name verification before payments – Payment services providers will be required to check, for each credit payment not already covered under instant payments regulation, that the payee name matches the unique identifier / international bank account number and provide early warnings where there are discrepancies in this information.

Where authorised push payment (“APP”) fraud occurs, the payment will be treated as an unauthorised transfer and payment services providers will be required to fully reimburse the payer.

Payment service providers (“PSP”) will be required to implement risk- and behaviour-based transaction monitoring systems. In conjunction with principles of the General Data Protection Act, and in an effort to improve fraud detection across the market, PSPs will also be able to exchange specified information as part of a structured, fraud information sharing arrangement.

Strengthened Open Banking Framework – PSD3 and the PSR introduce more prescriptive requirements on API performance and uptime.

National regulators will be expected to act “without delay” against interfaces which don’t meet expected standards of functionality, response timelines for incident reports and/or overly rely on fallback interfaces where dedicated interfaces fail.

Expanded Regulatory Perimeter - technical service providers (“TSPs”) providing SCA to PSPs must be subject to detailed written agreements as part of increased scrutiny of outsourcing arrangements.
PSD3 tightens outsourcing requirements by requiring firms to ensure that outsourcing does not impair operational resilience, mandating clear allocation of responsibilities, audit and access rights and contingency planning, including exit strategies.

Increased Harmonisation - Core conduct rules will now move to PSR and will not be open to inconsistent interpretation and implementation across Member States. 
An example of this will be the application of the Limited Network Exemption. Where application of this exemption was previously open to interpretation under PSD2, allowing some Member States to take a more restrictive approach, the PSR will now specify the conditions for the exemption to apply and will be directly effective.

Governance and Risk Management - The draft PSD3 requires payment institutions to have robust governance arrangements, including ICT risk management; internal control mechanisms; systems ensuring; continuity of payment services; and incident management capabilities.

These requirements build on PSD2 but are more explicit and aligned with concepts in DORA (e.g. risk frameworks, incident handling).
 
PSPs should use the time between now and the coming into force of PSD3 and the PSR to think through the changes needed for their business to be compliant. For EMIs, this exercise could be potentially significant with a requirement for new authorisation as a PI.

We outline below some practical steps that all PSPs should follow to ensure readiness and compliance with the new payments regime.

Conclusion

PSD3 and the PSR represent a fundamental redesign of EU payments regulation, with a clear emphasis on harmonisation, consumer protection, and operational resilience.

Although implementation is expected by late 2027, the scale of change—particularly in fraud liability, licensing, and Open Banking—means firms should begin preparations now.

At the same time, UK divergence will require firms to adopt jurisdiction-specific compliance strategies, increasing complexity for cross-border operations.

About Dan Jones

Dan Jones is a London-based FinTech Partner at global law firm Morrison Foerster. With a focus on innovation and technology in financial services, he advises the world's leading banks, payment companies, investment platforms and online marketplaces on all aspects of their UK and European regulatory obligations

 

 

 

About Morrison Foerster

Morrison Foerster is a leading global law firm, advising the world’s most innovative companies—from startups to Fortune 100 leaders—across technology, life sciences, financial services and other industries. MoFo’s premier FinTech team works across the market, whether developing new technology platforms or structuring new products or services, our team advises clients across banking and BaaS, consumer and commercial lending, payment, billing and money transfer, investment infrastructure and trading platforms