What is PSD3? It's the European Union's proposed refresh of its regulatory approach to payment services. This revision builds on PSD2, clarifying its ambiguities and expanding its scope to reflect the modern realities of digital commerce. PSD3 has three central goals: safeguarding consumers, reinforcing payment security, and fuelling fair competition.
PSD3 isn’t just a regional update—it’s a signal. As the EU raises the bar for payments compliance, security, and transparency, global brands operating in Europe will need to meet these new standards. Whether you’re expanding into the EU or serving EU-based users, PSD3 will shape expectations around digital payments, data access, and consumer protection worldwide.
Think of PSD3 not as a reset, but as a refinement. It clarifies existing obligations while reaching into areas PSD2 left underdeveloped. The changes respond to both the rise of non-bank players and evolving customer expectations around consent, data use, and identity.
PSD3 vs PSD2: Not just a name change
While PSD2 shook up the market with its rules on open banking and Strong Customer Authentication (SCA), PSD3 tightens the screws further. It raises the bar on oversight by introducing licensing for currently unregulated players and harmonising standards for new forms of access. The new regime will also clarify liability rules and push for more structured innovation.
|
Area |
PSD2 |
PSD3 |
|
Authentication |
Introduced SCA requirements with broad exemptions |
Stricter SCA rules with fewer exemptions and re-authentication triggers |
|
Regulatory coverage |
Focused on banks and regulated PSPs |
Extends licensing to unregulated providers and tightens oversight |
|
TPP access |
Mandated but often inconsistently implemented |
Enforced with API quality standards and fair access rules |
|
Innovation framework |
Enabled open banking, but lacked standardisation |
Encourages structured innovation with clearer boundaries |
|
Liability rules |
Varied by interpretation and implementation |
Clarifies responsibilities in fraud and data misuse |
PSD3 builds on PSD2’s foundation with greater clarity and consistency. By refining exemptions and tightening definitions, it gives businesses, consumers, and payment providers a clearer, more reliable framework to operate in—protecting against risk while supporting the growth of digital commerce across Europe.
Want to find out how you can better prepare for PSD3? Speak with our team.
Understanding the legal timeline
As of June 2025, PSD3 and the companion Payment Services Regulation (PSR) are still moving through EU legislative channels. Once passed, national regulators will likely face an 18-month transition period to transpose the directive into local law. That means a full application could arrive by late 2026.
Timeline at a glance:
- June 2023: European Commission releases draft PSD3 and PSR proposals
- Late 2024 (expected): Final texts of PSD3 and PSR agreed and published
- Mid 2026 (estimated): Transposition period ends for PSD3 (18 months after publication)
- Late 2026: PSD3 requirements likely fully applicable across EU
- Immediate upon publication: PSR becomes directly applicable in all EU member states
There’s a subtle yet significant distinction here: the directive (PSD3) requires national implementation, while the regulation (PSR) will be directly enforceable across the EU. The combination reduces discrepancies between jurisdictions—something CFOs and payment teams handling multi-market operations will appreciate.
What PSR adds to the mix
If PSD3 sets the course, the Payment Services Regulation is the engine. Its directly applicable rules will streamline cross-border supervision and close gaps created by uneven national practices. It also introduces mandatory customer refund rights, stronger dispute resolution timelines, and obligations for data access transparency.
Expect higher standards around operations, particularly for those managing marketplaces or embedded finance setups. Under PSR, real-time monitoring and system accountability aren't nice-to-haves—they're table stakes.
What’s changing in authentication
Strong Customer Authentication is no longer new, but its application is becoming more defined. PSD3 introduces specific triggers for re-authentication, particularly around mobile wallets and third-party app authorisations. The regulation encourages broader use of biometrics, but not at the expense of redundancy—fallback methods will be obligatory.
Transaction Risk Analysis and exemptions for low-risk payments remain, but they’ll face stricter thresholds. Marketplaces will need to reassess consent journeys and consider how friction impacts user trust.
Open banking APIs and TPP access
PSD3 and PSR inject new momentum in the evolution of open banking by enforcing quality standards for APIs and formalising third-party provider (TPP) access. Banks can no longer stall or overcharge; they must provide real-time, robust access to account data and payment initiation tools.
This update is not only about infrastructure. It's about fairness—creating a level playing field between banks, fintechs, and intermediaries. For CFOs, that translates into more efficient PSP integrations and clearer data ownership terms.
What marketplaces need to rethink
Platform operators will find that status quo won’t hold. PSD3 compels more transparency in fund flows, fee structures, and end-user communications. Consent mechanisms can no longer be tucked away behind toggles or generic prompts.
More pointedly, liability frameworks around fraud and failed payments will demand explicit user messaging and audit trails. As operational UX collides with legal risk, finance leaders will need to partner more closely with product and compliance teams.
Fraud liability and dispute rules
Who bears the cost when fraud strikes? PSD3 spells it out more clearly, with sharper accountability depending on authentication quality and provider type. AI-led fraud detection moves from nice-to-have to necessity.
That doesn’t mean real-time AI alone will solve the issue. It means layered systems like Antom Shield—capable of identifying anomalies, managing exceptions, and supporting post-transaction investigations—will become a defining feature of mature payment operations.
You may also want to learn about Top fraud trends global businesses need to pay attention to in 2025.
Key terms you’ll be hearing more
- PSD3: Third Payment Services Directive
- PSR: Payment Services Regulation
- SCA: Strong Customer Authentication
- TPP: Third-Party Provider
- API: Application Programming Interface
- ASPSP: Account Servicing Payment Service Provider
These acronyms will appear in legal contracts, internal memos, and vendor briefings. Know what they mean. Better yet, know what they imply.
Action plan: What you can do now
- Review and document your current SCA workflows
- Identify and prioritise systems that interface with open banking APIs
- Engage legal and compliance teams to track regulatory updates
- Evaluate fraud tools and reporting capabilities for upcoming thresholds
Even without a final timeline, PSD3 readiness is no longer optional—it’s strategic.
Here’s where Antom can help
We’d be remiss not to mention that Antom is preparing merchants for what’s ahead. Our regulatory-ready systems, real-time APIs, and secure infrastructure are already aligned with PSD3 goals.
When regulation becomes reality, having a partner who’s thought a step ahead can make the difference between reaction and readiness.
