Key takeaways
- The draft PSD3 and PSR1 framework marks a major turning point for payment services in Europe.
- PSD3 aims to strengthen security, improve access to payment services, and enhance consumer protection, while paving the way for Open Banking.
- For businesses, the stakes are concrete: securing payment flows, streamlining customer and supplier journeys, and accelerating the adoption of digital solutions.
The draft Third Payment Services Directive (PSD3) and the First Payment Services Regulation (PSR1) represent a major turning point for payment services in Europe. Proposed by the European Commission in June 2023, these texts are now entering their final phase of negotiation at the European level. The PSD3 proposal builds on the experience gained from PSD2 in order to:
- Strengthen security;
- Improve access to payment services;
- Protect consumers while paving the way for Open Finance and new financial services.
On the one hand, PSD3 recalibrates the sector’s overall architecture: determining who may operate, under which prudential requirements, and under what supervisory framework. On the other hand, PSR1 sets out the day-to-day operational rules: user rights, security, open banking and transparency.
For businesses, the implications are tangible: securing payment flows, streamlining customer and supplier journeys, and accelerating the adoption of digital solutions.
PSD3 & PSR1: a harmonised regulatory framework
A structuring reform
The reform is driven by three clear observations:
- First, the uneven interpretation of PSD2 across Member States has hindered market integration, as identical user journeys did not necessarily produce consistent outcomes.
- Second, open banking has at times been constrained by inconsistent interfaces, generating friction and customer drop-off.
- Finally, fraud has evolved toward more sophisticated manipulation patterns in which users are induced to authorise transactions themselves.
The European response is pragmatic: a directive governing licensing and supervision—transposed by Member States—and a regulation directly applicable to day-to-day conduct.
PSD3 is expected to be adopted at European level in the coming months. Its application will follow a transitional period, with an indicative timeline of 18 to 24 months depending on the specific provisions, giving market participants sufficient time to adapt systems and processes.
Harmonisation and a unified status for market participants
PSD3 harmonises the regulatory treatment of payment institutions and electronic money institutions, previously governed by two separate instruments.
This harmonisation enables:
- Standardisation of interfaces and improved interoperability;
- Reduction in technical costs;
- Lower risks associated with workaround solutions;
- The integration of electronic money tokens into the payment institution regime.
Crucially, the directive also opens the possibility—subject to appropriate security and risk management safeguards—for more direct access to payment systems for non-bank actors. In practice, this means less “default” intermediation and more “value-added” intermediation. For corporate users, this translates into more diverse offerings and faster implementation timelines.
Coordinated implementation
The split between PSD3 and PSR1 follows a logic of execution. PSD3 governs the structural framework: licensing, governance, safeguarding of funds, and prudential oversight. PSR1 addresses day-to-day operations: pre-contractual information, refund rights, and anti-obstacle provisions. The benefit for businesses is immediate: the same rules apply in the same way, at the same time across all EU Member States.
Open Finance represents a natural evolution of Open Banking. It allows access to a broader set of data (accounts, credit, investments, insurance), fostering the development of integrated and innovative financial services.
Among the innovations introduced:
- Cashback at merchant level and the deployment of non-bank ATMs—stand-alone cash withdrawal services provided by non-traditional operators, such as cash-in-transit companies;
- A unified data framework (FiDA) ensuring free and standardised access to essential financial data.
Security and user protection
Combating fraud and strong customer authentication
Strong Customer Authentication (SCA) remains the cornerstone of security, but its implementation is becoming more intelligent. Rather than multiplying unnecessary “re-SCAs,” the focus is placed where it genuinely enhances protection. A compelling example for e-commerce and subscription teams: merchant-initiated transactions (MITs) may rely on robust authentication at mandate set-up, rather than at each subsequent occurrence. The result: reduced friction for customers, higher conversion rates, and maintained security.
The reform strengthens accountability across the entire technical chain. When a payment scheme, gateway or technology provider fails to meet security requirements, it can no longer rely solely on the customer’s bank to assume responsibility: its share of liability is formally recognised. At the same time, controlled and supervised anti-fraud information-sharing between service providers is encouraged, enabling earlier detection of weak signals. The framework remains fully GDPR-compliant: exclusive fraud-prevention purposes, relevant and proportionate data, and limited retention periods.
Transparency and dispute management
The PSD3–PSR1 package enhances transparency around fees and charges, while clarifying dispute-resolution procedures.
Consumers now benefit from a centralised dashboard allowing them to view which companies or third-party providers have access to their data and to manage their consents easily. Moreover, the directive provides a right to reimbursement for fraud victims, ensuring stronger user protection. PSPs and banks are also required to inform and educate their customers about the new procedures, enabling them to use payment services securely and with full awareness of the associated implications.
For businesses, this represents a meaningful lever for auditability and governance: access rights are documented, consent compliance can be demonstrated, and control can be regained with a single click. This long-awaited transparency simplifies internal controls and reduces disputes.
What are the impacts for the sector?
Adjustments for banks and large corporates
With PSD3, banks will need to adapt their transaction-validation systems and update their cash-management, internal-control and governance frameworks, including roles such as the RCCI. They must also strengthen their anti-money laundering and counter-terrorist financing measures to comply with new regulatory requirements and the growing use of new payment instruments such as instant payments and electronic money tokens (EMTs/stablecoins).
They will further need to redesign their authentication journeys, removing unnecessary friction without reducing protection where risk remains significant. Finally, banks will need to treat their APIs as true service platforms: documented, stable and consistently available. They are no longer a marginal regulatory obligation but a commercial asset. High-quality APIs facilitate integration with fintechs, invoicing solutions, ERPs and corporate treasury tools. In a market where user experience matters as much as price, this “integration quality” becomes a differentiator.
New services for non-bank providers
PSD3 also opens new opportunities for PSPs and other non-bank players. They may now offer cash withdrawals through non-bank ATMs, provide cashback services, or participate directly in payment systems, fostering the emergence of innovative fintech services.
A step towards Open Finance
PSD3 also prepares the transition from Open Banking to Open Finance—supported by FiDA—by standardising access to financial data beyond traditional bank accounts, including credit, investment and insurance information. This shift enables the development of integrated, secure and personalised financial services, while contributing to a coherent European ecosystem that promotes innovation and competition.
The Financial Data Access Regulation (FiDA), introduced by the European Commission, represents a new step beyond PSD3 by extending data sharing beyond payment services. It aims to establish a common Open Finance framework, allowing consumers and businesses—subject to their consent—to share their financial data (savings, insurance, credit, etc.) with authorised providers. FiDA therefore complements PSD3 by paving the way for a more integrated, innovative and user-centric financial ecosystem.
PSD3 and PSR1 together establish a modern, harmonised and secure European framework designed to enhance security and consumer protection while fostering innovation and the development of new financial services.
This framework also improves transaction transparency and helps build lasting trust between users and payment service providers, while ensuring a level playing field between traditional banks and fintechs.
To fully benefit from these developments, banks and fintechs must prepare promptly by upgrading their systems, ensuring compliance and informing their clients about the new procedures. Consumers, in turn, will enjoy an improved user experience, more innovative services and stronger protection against fraud.