Unlocking the Future of Payments: Preparing for PSD3

The most valuable sector in financial services is preparing to adapt to a new round of complex European regulation — again. Later this year, the EU is expected to unveil its full text for the PSD3, with member states likely to be required to transpose the rules into national law within 18 months of publication.

As with most regulations, PSD3 presents a significant operational challenge for payments — a fast-moving, highly innovative industry that generates $2.5 trillion in revenue from $2 quadrillion in value flows and 3.6 trillion transactions globally, according to McKinsey’s Global Payments Report. 

Compliance will require sustained effort across the industry. While the full penalty framework has not yet been published, firms that fail to meet the new requirements are likely to face substantial financial, reputational and operational consequences. Right now, payment firms have a little time on their side, but firm deadlines will soon be put in place. To help you prepare, we’ve compiled some of the most important takeaways about this potentially industry-changing new directive.

What is PSD3? 

PSD3 is a follow-up to the Second Payment Services Directive (PSD2), which harmonized payment rules across Europe, introduced Strong Customer Authentication (SCA) and mandated open banking — requiring banks to provide regulated third parties with access to customer account data to improve competition. 

The new directive consolidates previously separate legal regimes for Payment Institutions (PIs) and Electronic Money Institutions (EMIs) into a single authorisation framework. It forms part of a broader legislative package alongside the Payment Services Regulation (PSR), which will apply directly across all 27 EU member states without needing to be written into each nation’s laws.  

Under PSD2, differences between PI and EMI regimes created complexity, uneven supervision and opportunities for regulatory arbitrage. By merging the two frameworks, the EU aims to simplify oversight and align prudential and safeguarding requirements, creating a more consistent supervisory environment across the single market. 

Tackling Fraud 

When the European Council and Parliament reached a provisional political agreement on PSD3 in November 2025, Danish business minister Morten Bødskov described the directive as “a major step in the fight against payment fraud in the EU.”  

PSD3 will strengthen fraud protections by tightening and clarifying Strong Customer Authentication (SCA) and redistributing liability. When PSD3 enters into force, PSPs will be liable if they fail to verify payee details. Schemes and technical providers may also be held responsible when SCA is not properly applied, while issuers face liability for spoofing fraud. 

The directive confirms that SCA can be delegated to third parties and clarifies that authentication must be applied when cards are added to digital wallets.  

It also requires richer contextual data sharing, including device, location, transaction timing and behavioral signals, to improve fraud detection and authorization accuracy. Mandatory Confirmation of Payee will verify IBANs and account holder names during credit transfers, and a clear GDPR-compliant legal basis will be established for fraud intelligence sharing between PSPs. 

For payment companies, fraud management is set to become a core regulatory exposure. Firms will need to invest in real-time verification infrastructure, stronger behavioral analytics and tighter third-party oversight. Existing contractual arrangements between schemes, PSPs and service providers are likely to require review in light of the revised liability model. 

Cross-Border Clarification 

PSD3 updates the authorization and supervision framework for firms operating across multiple EU jurisdictions, clarifying supervisory responsibilities and reducing ambiguity around passporting. 

The directive also tightens the commercial agent exemption, which has allowed some marketplaces and platforms to provide payment-related services without full authorisation. While the final scope remains under negotiation, PSD3 is likely to include narrower exemptions and potentially expanded licensing requirements for certain platform models. 

For cross-border operators, supervisory scrutiny will increase and opportunities to rely on structural regulatory differences between member states will be reduced. Platform-based firms may need to reassess whether existing arrangements remain viable under the revised perimeter. 

Protecting Consumers 

PSD3 is closely aligned with the Digital Operational Resilience Act (DORA), which reinforces operational resilience and ICT risk management standards.  

Under the rules, SCA must be made accessible to users with limited digital skills or disabilities. Additionally, SCA should not rely solely on smartphones — a measure intended to reduce digital exclusion. Refund rights are set to be expanded for victims of unauthorized transactions and certain types of fraud.  

As firms work towards compliance, technology stacks will need to support inclusive authentication journeys without compromising security. Expanded refund rights may increase dispute volumes and operational costs, requiring stronger case management and clearer customer communication processes. 

Preparing for PSD3  

Full clarity will be provided with the publication of the directive’s full text and the beginning of the 18-month compliance countdown. As the PSR is directly applicable EU law, it will take effect upon publication in the Official Journal without the need for national implementation. As such, some of its requirements could be implemented within weeks rather than years.  

Although details of the directive may change, one point is certain. PSD3 is not a minor update. In fact, it will be a structural recalibration of Europe’s payments framework — requiring careful attention from all payments players.  

Whatever stage of preparation you are at, we can help. Critical Software brings deep experience in delivering secure, resilient systems in high-assurance sectors including space, transport and defense. Get in touch to find out how we can enable PSD3 compliance and strengthen operational resilience in a fast-changing regulatory landscape.