PSD3 and PSR: What you need to know

The European framework for payments is entering a new phase. On November 27, 2025, the Council and the European Parliament reached a provisional political agreement on the Payments Services Package. It includes the third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR / RSP).

Together, these two texts aim to build a safer, more transparent and more competitive payments ecosystem that protects consumers, supports innovation and strengthens trust in digital transactions in Europe.

In this article, we walk you through the key points, what will change for you and in the payment ecosystem, and what to expect over the next few years.

1. PSD3: a new directive for payment service providers

PSD3 updates and modernises the EU rules that govern payment services and the companies offering them. It focuses on customer protection, licensing and supervision of payment institutions, fraud rules and liability, access to cash and transparency obligations.

2. PSR: an harmonised rulebook

Unlike a directive, the PSR (Payment Services Regulation) applies directly in all EU countries. It creates a uniform set of rules for security and fraud prevention, transparency of fees, open banking and access to account data, user rights and dispute handling.

PSD3 sets the framework and the PSR contains the operational rules. Together, they will replace PSD2.

3. What will change under PSD3 and PSR

3.1. Stronger protection against fraud

The agreement introduces a series of important new obligations.

Mandatory name / IBAN matching

Payment service providers will need to verify whether a beneficiary’s name matches the IBAN before a transfer is executed. If it does not match, the PSP must reject the payment and inform the user. This has been added already in the Instant Payment Regulation (IPR) that came into force on 09/10/2025. It proves that EU regulation can be decisive and quick to establish new measures to combat fraud.

Digiteal already provides a Verification of Payee API that enables PSPs, payment platforms and all other organizations to meet this requirement efficiently.

Shared fraud information between PSPs

Payment service providers will have to exchange fraud-related data so suspicious patterns can be identified earlier.

User-controlled spending limits and blocking tools

PSPs must offer customers the ability to set spending limits and block payment methods to reduce the risk of fraud.

Full liability when fraudsters initiate or change a transaction

Any transaction manipulated or initiated by a fraudster will be treated as unauthorised. The PSP must reimburse the full amount.

Receiving PSPs must freeze suspicious incoming transactions

This mechanism strengthens detection and prevents suspicious funds from being moved too quickly.

Protection against impersonation fraud

If a criminal pretends to be the customer’s bank or PSP and tricks them into approving a payment, the PSP will have to refund the victim once the fraud is reported to the police.

These measures create a more consistent and much stricter fraud-management framework across the EU. The modalities of this will be important to correctly define in the upcoming regulatory technical standards (RTSs) linked to the PSR not to put unrealistic constraints on PSPs.

3.2. New responsibilities for online platforms and financial advertisers

Online platforms will be liable towards PSPs when they have been notified of fraudulent content (fake ads, fake merchants, phishing pages…) AND they fail to remove it.

Financial advertisers will also need to prove to large online platforms and search engines (VLOPs and VLOSEs) that they are legally authorised to offer the services they promote.

This builds on the Digital Services Act and further protects consumers in the digital space.

3.3. A more reliable and accessible open banking ecosystem

To make open banking work better in practice, the PSR introduces:

A list of prohibited technical obstacles preventing third-party providers (AIS/PIS) from accessing account data
Non-discriminatory access to payment accounts
A user dashboard where customers can easily see, manage and revoke the consents they have granted. This will lead to the removal of the requirement to renew the consent every 180 days. The consent will be valid until revoked by the user.

In addition to this, mobile device manufacturers and electronic service providers must allow apps and interfaces to store and transfer the data needed to process payments, on fair and reasonable terms. This ensures that payment innovation is not blocked by hardware or software restrictions.

3.4. Full transparency on fees

Before a payment is made, users must be clearly informed about all fees applied, currency-conversion charges, withdrawal fees at ATMs, regardless of the operator.

The goal is simple: no hidden costs and better comparability for users.

3.5. Easier access to cash

To support people in rural or remote areas, PSD3 allows retail shops to offer cash withdrawals of up to 150 € (with a minimum of 100 €) without requiring the customer to make a purchase. This ensures that cash remains accessible as a payment option.

3.6. Human support and financial education

Users must have access to human customer support, not only chatbots. Public authorities will also dedicate resources to educating citizens about fraud prevention.

3.7. A clearer and simpler licensing process for PSPs

PSD3 aims to harmonise and simplify the authorisation of payment institutions by aligning capital and governance requirements with the provider’s risk profile, merging the rules for payment institutions and e-money institutions, offering a simplified process for crypto-asset service providers already authorised under MiCA.

All PSPs will also have to participate in alternative dispute resolution whenever a consumer requests it.

4. Who will be affected by PSD3 and PSR?

PSD3 and the PSR cover the entire payments value chain: (neo)banks, payment institutions, fintech companies, payment gateways, card processors, e-commerce platforms, marketplaces, retailers offering cash withdrawals, device and operating system manufacturers, crypto-asset service providers…

If you process payments or handle payment data in any way, this reform concerns you.

5. Timeline: when will PSD3 apply?

The agreement reached is provisional and still needs technical work before formal adoption. Therefore, the following timeline is indicative.

Late 2025 / early 2026
formal adoption by the Council and Parliament
Following publication
entry into force
Approx. 12 months later
most PSR (RSP) rules start applying directly in all EU Member States
Approx. 18 months later
Member States must transpose PSD3 into national law
2027-2028
full application of the new framework (fraud rules, open banking requirements, transparency, support obligations, etc.).

For businesses, this means that the first operational impacts could arrive as early as 2026.

6. What it means for you (and how Digiteal can help)

6.1. For organisations using payment providers

You will need to ensure that your payment partners:

Implement the new fraud-prevention obligations
Provide transparent pricing and clear user information
Offer spending limits and blocking tools
Support compliant SCA flows
Allow smooth reconciliation and refund processes

6.2. For PSPs, banks and fintechs

Key workstreams include:

Upgrading fraud-detection tools
Implementing name / IBAN matching
Adjusting API and open banking rules
Creating customer dashboards for consent management
Updating user journeys to ensure compliance with all transparency and support requirements.

7. Conclusion

PSD3 and the PSR represent a major step forward for payments in Europe. By combining stronger anti-fraud measures, clearer responsibilities, better transparency and a more functional open banking ecosystem, the EU is building a safer and more user-friendly environment.

For payment providers and businesses, this is both a challenge and an opportunity. A challenge because compliance efforts will be significant, and an opportunity because trust, security and transparency are decisive differentiators.

At Digiteal, our mission has always been to make payments and financial processes simple, secure and fully compliant. As a PSD2-licensed Payment Institution (PI), we support organisations in managing payment flows and electronic invoicing connectivity in line with the latest European standards. We will apply the changes required to become one of the first PSD3 payment institutions in Belgium just as we were one the first PSD2-licensed PI.

If you would like guidance on how PSD3 and the PSR may impact your organisation, we are here to help.

LEGAL

ISO-27001 Certified