The wait is nearly over. The European Parliament and EU Council have provisionally signed off. Soon, the work to move from PSD2 (Payment Services Directive 2) to PSD3 (Payment Services Directive 3) and PSR (Payment Services Regulation) can begin.
This evolution is good news for consumers and businesses – they’ll both benefit from wider data sharing, better fraud prevention and more interoperability between EU banks.
But what does this actually mean? In this article, we’ll explain the EU’s Open Banking journey and what you need to do to get ready for the new regulations.
What is PSD3?
PSD3 is the EU’s Open Banking legislation. It’s an update on PSD2, which launched in 2018 and changed the way money moves in Europe. PSD2 drove instant digital payments, fintech innovation, and customer-centric financial services. PSD3 will take things even further by elevating transparency, reinforcing data security, and strengthening consent management.
You may be wondering, then: why is it needed? Well, PSD2 has had “mixed success” in its uptake (the European Commission’s words, not ours). According to the most up to date figures, In 2024 Europe accounted for 31.3% of the global Open Banking market and had more than 64 million users in the EEA (European Economic Area), generating €12.4bn in revenue in 2025. That’s great. However, non-banks found it difficult to compete due to a lack of infrastructure access. And poorly performing APIs and substandard UX for consumers did not help either.
So, PSD3 and PSR aim to remove these issues:
PSD3: the directive. This is the rulebook for financial institutions. It covers market infrastructure, the firms that can operate as payment institutions, their licensing, and the required governance standards.
PSR: the regulation. This covers the mechanics of day-to-day payments, consumer rights, and how Open Banking APIs must perform, and responsibility for fraud liability. Unlike PSD2, this applies identically across all 27 EU member states, with no room for interpretation.

The key benefits of PSD3 and PSR
Banks that invested in API quality since 2018 are well-positioned to succeed – and it’s not just them who’ll benefit:
- Banks: Better APIs become a differentiator. The protection offered by restricted infrastructure access is weaker, so you need to compete on quality.
- Non-bank PSP and EMIs: They will get transformative access to the payments system. Firms like Revolut and Wise no longer depend on incumbent banks, which reshapes the competitive landscape.
- Consumers and merchants: Improved APIs transform the experience for both parties in a transaction – introducing account-to-account (A2A) payments at scale, less SCA friction, and fewer abandoned carts.
There are 5 key changes that will improve on the foundations of the PSD2 era:
1. Stronger fraud protection
What’s changing?
PSD3 introduces a set of mandatory, EU-wide measures to tackle payment fraud head-on, particularly the surge in scams that trick consumers into authorizing payments themselves.
- Mandatory Verification of Payee (the EU equivalent of UK Confirmation of Payee), already live under the IPR (Instant Payment Regulation) for SCT Inst (SEPA Instant Credit Transfer) & SCT will be extended under PSR to all credit transfers.
- PSPs (Payment Service Providers) will be liable for spoofing scams
- EBA-issued (European Banking Authority) technical standards on enhanced transaction monitoring
Why?
Fraud levels across the EU have risen sharply, but the rules designed to stop it have been inconsistent and unevenly enforced.
- Combatting the increase in Authorised Push Payment (APP) fraud
- Inconsistent consumer protections in place across the EU
Key drivers
A combination of eroding public trust and political momentum — particularly lessons learned from the UK — has pushed fraud protection to the top of the regulatory agenda.
- Addressing a loss of consumer trust in digital payments
- Political pressure to offer better protection for vulnerable consumers
- The success of the UK’s CoP rollout
2. Better Open Banking performance
What’s changing?
PSD3 moves beyond simply mandating Open Banking to setting minimum quality standards. This means third-party access will no longer be negatively impacted by poor infrastructure.
- Banks are obligated to provide dedicated, high-quality APIs to non-bank PSPs
- Secure testing environments for TPPs (Third-Party Providers) to build and trial their connections to banks’ infrastructure
- Permission dashboards for customers to control third-party access to their account
Why?
The promise of Open Banking under PSD2 was largely undermined by the poor technical reality banks delivered in practice.
- PSD2 often suffered from unreliable, slow, or blocked APIs which impacted consumer adoption rates
- Low-quality APIs forced TPPs to build workarounds
Key drivers
Persistent underperformance and fragmentation have prevented Open Banking from reaching its potential as a payments infrastructure.
- Poor Open Banking experience for consumers and banks
- A fragmented implementation across EU banks
- The need for a solution to support scalable A2A (account-to-account) payments
3. Fair competition and market access
What’s changing?
PSD3 levels the playing field by giving non-bank payment providers direct access to infrastructure they previously had to obtain through their competitors.
- Payment institutions (PIs) given direct access to payment systems
- Banks must justify refusal or account closures for non-bank PSPs
- Electronic Money Institutions (EMIs) — such as Wise — will be merged into the PI framework and will operate under a single unified rulebook
Why?
Non-banks have been at a structural disadvantage where they’re dependent on the very banks they compete with for access to core financial infrastructure.
- Banks could block competitors from accessing financial infrastructure without explanation
- Non-banks are dependent on competitors for critical infrastructure
Key drivers
The status quo has created higher costs and slower innovation, which is at odds with the EU’s broader ambitions for a competitive digital economy.
- Unlevel playing field between banks and non-banks
- Higher costs for non-bank PSPs, consumers and businesses
- Slower pace of innovation for fintechs, which is at odds with the EU’s goal to strengthen competitiveness
4. Smarter strong customer authentication
What’s changing?
Rather than applying blanket authentication requirements, PSD3 introduces a more calibrated approach, matching the level of friction to the actual level of risk.
- Clearer SCA (Strong Customer Authentication) exemptions for low-risk, recurring payments with trusted merchants
- The need for authentication is proportionate to the level of risk (e.g. high-value payments to a new payee would require SCA, but not for low-risk transactions)
- Improved accessibility to authentication methods on a wider range of devices (i.e. non-smartphones)
Why?
Blanket SCA requirements under PSD2 created unnecessary friction that damaged conversion rates without meaningfully improving security.
- The application of SCA under PSD2 regulations created checkout friction and cart abandonment during transactions
Key drivers
Sustained pressure from merchants and measurable drops in consumer completion rates have made SCA reform a commercial as much as a regulatory priority.
- Merchant complaints & consumer drop-off rates due to high friction at the checkout, hurting sales and confidence. This pushed SCA reform up the business agenda too
- The need for balance between security and customer experience – PSD2 inconvenienced legitimate customers while failing to keep pace with evolving fraud
5. Strong harmonization via PSR
What’s changing?
The PSR shifts the rules from directives — which each country interprets and implements differently — to directly applicable regulations, creating a single, consistent framework across the EU.
- Key operational rules are moving from directives to PSR regulations
- More consistency across EU countries with PSR regulations, with fewer national interpretations
Why?
PSD2’s directive model created a fragmented patchwork of rules, which firms exploited and regulators struggled to enforce consistently.
- Each country transposed the PSD2 directives differently, meaning multiple separate interpretations
- “Regulatory arbitrage” — where firms based themselves in different EU countries depending on the interpretation of the directives — creating an uneven playing field across the bloc
Key drivers
Fragmentation has undermined both market integrity and the EU’s ability to compete as a unified payments bloc.
- Fragmented internal market due to multiple variations of PSD2 across member states
- Inconsistent enforcement of the rules by different regulators created a competitive imbalance for financial institutions
- The need for a single EU payments rulebook applied identically by all 27 countries
PSD3 can be a revenue generator
So, PSD3 and the PSR improve on PSD2. How can you make the most of it?
Just because PSD3 is a regulation doesn’t mean it should be treated as a compliance cost. It can be a revenue generator if you position yourself correctly.
New APIs
While PSR doesn’t allow banks to charge for the mandated Open Banking data access, banks can monetize the new regulations through premium services that go beyond the regulatory minimum. This opens the door to revenue from access charges for enriched data, SLA-backed access, VRPs (Variable Recurring Payments) and value-added APIs.
Think of how AWS turned internal infrastructure into a global business. Banks that treat their APIs as a product, rather than a compliance obligation, can monetize access to account data, transaction history, and payment initiation in ways that create entirely new revenue lines.
Fraud prevention
This can be a marketable feature. Banks with the strongest and most user-friendly SCA will lose less money through fraud and be able to attract and retain more customers. Walmart’s 2024 pay-by-bank launch working with Fiserv illustrates this point well.
Despite the product offering a smoother checkout experience, consumer reaction was skeptical. Not because the technology was flawed, but because people didn’t trust Walmart with their bank account the way they trust their bank. PSD3 gives them the tools to strengthen trust and actively market it.
Cross-border consistency
PSR ends regulatory arbitrage and fragmentation, so banks operating in multiple member states will now have a single set of compliance rules and fewer product variations. A bank currently maintaining seven slightly different versions of the same product across seven EU countries can consolidate into one. That’s a cost saving, it’s a faster time-to-market when launching new features, and a more consistent experience for customers wherever they are in the EU.
Ready for Open Finance
And if you’ve got clean APIs, established data infrastructure, and effective partnership models when FIDA lands (the EU’s Open Finance legislation), then you’ll have a head start for Open Finance. Banks that invested early in Open Banking found themselves well-positioned to onboard fintech partners quickly when demand grew.
The same logic applies here: if you treat PSD3 compliance as a foundation rather than a finish line, you will be first to market when FIDA creates demand for mortgage, insurance, and investment data sharing.
When will PSD3 be implemented?
PSR is expected to be published in the Official Journal in summer 2026 and will come into force 20 days later. More provisions will apply 21 months after coming into force, so we can expect the new payee verification regime in early 2028, and the liability shift applying 3 months after that, in mid-2028. The transposition of PSD3 by EU member states will follow broadly the same track.
With the ink drying on the final texts for the next stage of the EU’s payments rulebook, we now understand what the transition from PSD2 to PSD3 and PSR will look like.
Under PSD2, banks held an advantage by controlling infrastructure access. When the new regulations come into force, they won’t have this edge. The new era will bring about a competitive shift, one that rewards quality data, products, and partnerships.
Changing your infrastructure to be both compliant and competitive will take time. Building APIs as a commercial product doesn’t happen overnight and neither does creating the partnership models that will thrive when FIDA comes into effect.
The banks that treat the next 12-18 months as a time to build and launch will enter the next phase of Open Banking and Open Finance already at race pace. The cost of being slow on PSD2 was reputational; under PSD3, if you’re late, the cost will be commercial.
Get ready for PSD3
We can help with the PSD3 transition.
If you’re working on what PSD3 readiness looks like for your institution, and need help plotting the API roadmap, data infrastructure, or partnership strategy, RedCompass Labs can help with that journey. Get in touch now.
Share this post
Written by
Geetha Narkhede
Senior Business Analyst, RedCompass Labs
Resources