PSD3: A bank guide to the Payment Services Directive 3

Banks and other entities that provide or facilitate electronic payment services in the EU will need to comply with the upcoming Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR), expected in 2027 (the deadline is yet to be confirmed). These regulations are the latest development of the open banking framework established by PSD2.

Unlike PSD2, which focused on improving competition and security (particularly through Strong Customer Authentication), PSD3 will create a more comprehensive regulatory framework. It will focus on fraud prevention, clearer data-sharing practices and safeguarding consumer rights in digital payments.

The regulation will require banks to improve their tech infrastructure and strengthen customer relationships.

In this article, we’ll explain what PSD3 is, the problems it aims to solve, its implementation schedule and how banks can effectively prepare.

Key points:

  • PSD3 (and the accompanying PSR) aims to improve fraud prevention and open banking
  • Implementation is expected by 2027 (TBC), with an 18-month transition period
  • Banks should prepare ahead of time to gain a competitive advantage and avoid hefty fines


What is PSD3?

PSD3 is the next evolution of the EU Commission’s payment services regulatory framework, aiming to create a more secure, integrated and efficient EU payments market. It builds on the foundations established by PSD1 in 2007 and PSD2 in 2015.

A key structural change is its split into two parts:

  • Payment Services Directive 3 (PSD3): This directive focuses on the payment service providers’ operations, particularly the authorisation and licensing of payment institutions and e-money providers. Once the PSD3 Directive is published by the European Commission and formally adopted, each EU Member State will be required to transpose it into its national legislation within a specified timeframe. The directive text will explicitly state the deadline for transposition, typically 18 to 24 months from that publication date.
  • Payment Services Regulation (PSR): This regulation outlines the operational framework and conduct requirements that payment service providers will need to follow. Once the PSR is published in the Official Journal of the EU following formal adoption, it will become directly applicable and binding in all EU Member States without the need for national transposition. Implementation can begin immediately or from the specific date set in the regulation.

PSD3 modernises the existing payments regulatory framework, responding to the fast pace of innovation and digitisation in the sector. It will work alongside the upcoming Financial Data Access (FiDA) regulation, which extends open finance beyond payment accounts to include savings, mortgages, pensions, investments, insurance and other financial services.

One of the biggest changes in PSD3 is the consolidation of regulatory frameworks. The current E-money Directive will be scrapped and e-money institutions will become a sub-category of Payment Service Providers (PSPs).

PSD3 will also update rules regarding Strong Customer Authentication (SCA). For example, PSD2 required two methods of identification from different categories (knowledge, possession and inherence). But the current PSD3 draft (which is subject to change) suggests that two authentication factors from the same category will be allowed (e.g. two knowledge-based factors such as a password and a memorable word).

It will also improve accessibility for elderly people, those on low incomes and people with disabilities by ensuring authentication doesn’t solely rely on smartphones.

What problems does PSD3 aim to solve?

The Payment Services Directive 3 aims to address the following challenges in the EU payment services market:

  • Combating sophisticated fraud: PSD3 will help address more sophisticated types of fraud like spoofing and social engineering by introducing Fraud Pattern Anomaly Detection (FPAD). This includes free IBAN check technology that validates payee names and account numbers before payments are sent. The directive also requires banks to reimburse victims of authorised push payment (APP) fraud where the bank was deemed to have been able to identify the transaction as suspicious.
  • Improving open banking: The implementation of PSD2’s open banking principles has been inconsistent across the EU. Reasons include high implementation costs, poor API infrastructure and low consumer awareness. But PSD3 aims to improve things by introducing more robust security measures, creating a standardised framework for collaboration and data sharing, and by giving consumers more control over their data.
  • Reducing regulatory fragmentation: Because PSD2’s implementation varied across the EU, some businesses chose to operate in countries with more lenient interpretations. But this resulted in inconsistent consumer experiences across the continent. Introducing a directly applicable regulation (PSR) alongside PSD3 should create more consistent rules and therefore a more consistent consumer experience. The same rules apply across all EU member states.
  • Creating a level playing field: PSD3, alongside proposed amendments to the Settlement Finality Directive (SFD), aims to improve access for non-bank payment service providers (PSPs) to payment systems and settlement accounts. This will allow PSPs to have direct access to clearing systems, so they won’t have to rely on banks for payment processing and will be able to maintain their own settlement accounts with central banks.
  • Protecting consumers: As payment methods continue to evolve, so too does consumer protection. PSD3 will improve refund rights, make fees and charges more transparent, and further strengthen strong customer authentication. It will also require banks to provide authentication options beyond just smartphones, improving consumer accessibility.

When is PSD3 expected to be implemented?

The Payment Services Directive 3 is still progressing through the EU’s legislative process. But it’s expected to broadly follow the schedule below:

  • June 2023: The European Commission published the initial proposals for PSD3 and the Payment Services Regulation (PSR) to modernise EU payment rules.
  • Q1-Q2 2025: Negotiations between the European Commission, Parliament and Council are currently in progress. These largely focus on unresolved issues like fraud liability for tech platforms and open banking standards.
  • Q3-Q4 2025: PSD3 and PSR are expected to be formalised and published in the EU Official Journal.
  • 2026–2027: EU member states will have 18 months to implement PSD3 into their national legislation. PSR doesn’t require national transposition and will become directly applicable across the EU 21 months after publication (likely mid-2027).
  • Mid-2027: Banks and other payment service providers will need to be fully compliant with the PSD3 and PSR requirements, assuming final adoption and publication happen by late 2025 or early 2026.

Banks in Germany and Austria will need to implement PSD3 according to the EU timeline. Swiss banks will also need to comply if they have local EU operations.

How can banks prepare for PSD3?

The Payment Services Directive 3 presents both challenges and opportunities for banks.

To benefit from these changes, they should:

  • Take a strategic approach: Rather than viewing PSD3 as a simple box-ticking exercise, consider how these changes could help improve your offerings and open up new revenue streams (e.g. premium API services or more personalised customer experiences).
  • Assess gaps ahead of time: Review current systems, processes and policies to identify areas that will need addressing to meet PSD3 requirements. This will ensure there’s enough time and resources available to make the changes before the deadline.
  • Improve fraud prevention: Develop or upgrade systems to support name and account number verification, improve fraud monitoring capabilities and establish protocols for sharing fraud data with other financial providers. It may also be worth investing in transaction monitoring that can identify potentially suspicious activity and minimise liability in cases of fraud.
  • Upgrade API infrastructure: Review and update API infrastructure to meet the new requirements.
  • Develop customer consent dashboards: Design user-friendly interfaces that allow customers to view and manage their data sharing permissions.
  • Rethink customer loyalty: PSD3 will make it easier for customers to switch banks. So focus on strengthening customer relationships by delivering modern digital experiences, personalised financial insights and value-added services such as budgeting tools and loyalty rewards.

Addressing these changes early will not only help banks gain a competitive advantage, it will also ensure banks aren’t penalised for missing regulatory requirements by the deadline. In cases of serious and systemic breaches, penalties can include a fine of potentially up to 10% of a firm’s total annual worldwide turnover.

Want to learn how G+D Netcetera can help your bank stay up to date with regulatory changes? Get in touch with our experts.
