BlogCompliance & regulation

PSD3 has arrived: 7 key things you need to know

Author image
Andrei Cazacu, EU Public Policy Lead
27 Jun 2023
7 things you need to know about PSD3

On the 28th of June, the European Commission released its proposal for updating the EU’s payments legislation (PSD2). This long awaited proposal sets out several key changes and developments that will impact third-party providers, banks, PSPs and, in turn, merchants. In short, the biggest changes set out in the proposals include:

  1. The move from a Directive to a Regulation: standardising payments across the EU

  2. Better APIs: better open banking services

  3. More streamlined authentication: less pain at the checkout

  4. Direct access to payment systems for fintechs: a boost for innovation

  5. IBAN and name matching: a risk-based approach to fraud prevention

  6. Merging E-money and payments institutions: simplifying licensing

  7. Re-authorisation for firms under PSD3

Read on for our breakdown on all the new PSR1 and PSD3 developments.

Seven highlights in the EU Commission’s payments proposals

1. PSD2 becomes PSR1

Let’s get this one out of the way — we’ll be referring to ‘PSR1’ throughout this article. That’s because most of PSD2 will become the Payment Services Regulation (PSR1).

EU Directives require Member States to adapt them into national legislation, which means they can be interpreted in slightly different ways by each EU country. Regulations, on the other hand, apply ‘as is’, which can ensure a more consistent application across all 27 member states.

Shifting most of the payments rules from PSD2 to PSR1 will lead to a more harmonised payments market, with significantly fewer differences and inequalities between member states.

There is a new Directive — what we call PSD3 — which only focuses on licensing and authorisation for payments firms (see section 6).

PSD2, PSR1 and PSD3 explained

PSD2 (the revised Payment Services Directive): the EU law that governs digital payments. It established open banking, including giving customers the right to access their payment accounts and initiate payments via third parties. It will be repealed once PSR1 and PSD3 come into effect.

PSR1 (the Payment Services Regulation): the new Regulation that will replace PSD2. It includes specific proposals on API performance, streamlined authentication rules, risk-based fraud prevention and more.

PSD3 (the third Payment Services Directive): the new Directive from the EU Commission. This focuses specifically on the licensing and authorisation of payment and e-money institutions.


2. Better APIs will lead to better open banking services

Thanks to PSD2, application programming interfaces (APIs) have become the industry norm, just as they are the interface of choice in the digital economy.

However, the quality of API implementation continues to vary depending on bank and on market. Some of the most common issues with open banking APIs today are:

  • API downtime

  • Lack of harmonised implementation of API standards

  • Poor levels of support when APIs do have issues

PSR1 contains new rules on the performance requirements of APIs and on the minimum functionality that they should support.

For example, not all banks currently provide the name of the account holder initiating a payment. This can create challenges for PISPs looking to verify the payer’s identity before sending the payment order through. PSR1 recognises this as a challenge to providing basic payment services and therefore requires the name of the account holder to be shared with the PISP before initiation.

PSR1 also sets out requirements on levels of availability and on response times (also known as latency). The latency of open banking APIs should be no longer than the latency of the online or mobile banking application.

3. More streamlined authentication means less pain at checkout

Most of the obstacles to open banking identified by the European Banking Authority in 2020 will now be explicitly prohibited by PSR1. An open banking SCA journey will be required to be at least as seamless as what the user has available to them via online banking. For example:

  • Users will no longer have to go through significantly longer authentication journeys than they do when they complete a manual bank transfer.

  • Users will no longer be asked to type in their own lengthy IBAN to initiate a payment or access their accounts.

  • Payments can no longer be restricted to contacts on the trusted beneficiaries list, or to domestic beneficiaries.

These changes will need to be incorporated by EU standards organisations into technical specifications, and then banks will need to update their own APIs and SCA requirements accordingly.

The end result should be a much improved user experience across Europe that will increase user adoption.

Because open banking is significantly cheaper than cards, merchant demand is already high. To make sure consumers also adopt open banking payments at checkout, when in competition with cards and other methods, the user experience should be frictionless and inspire trust. PSR1 is a step in this direction.

4. Direct access to payment systems for fintechs

Today, only banks are legally allowed access to payment settlement infrastructure in Europe. Fully licensed payment institutions like TrueLayer do not have this option and must instead rely on banking partners to process payments. This means that payment firms depend on the choices made by banks, for example whether to adhere to SEPA Instant or whether to charge high fees for instant payments.

It is a relic of how EU payment laws have evolved. Before the first Payment Services Directive (2007), banks performed both the role of a credit institution and that of a payment institution. PSD1 introduced this distinction, but did not give payment institutions the legal right to obtain a settlement account.

The EU Commission recognises this oversight and has included an amendment to the Settlement Finality Directive (SFD), which gives payment and e-money institutions the right to directly access settlement infrastructure.

It is a significant change which will create more competition and innovation, level the playing field, and ultimately result in better and more efficient payments services across the EU.

5. IBAN and name matching to prevent fraud

PSR1 extends the IBAN and name check requirements which will be introduced by the Instant Payments Regulation to all forms of credit transfers. It will be the responsibility of payment providers to make sure that the payee account details that the payer inputs match those on the receiving account.

This mechanism — known as Confirmation of Payee or CoP in the UK — can be useful to reduce cases of fraud or misdirected payments in manual bank transfers.

It is less useful for open banking payments, where the open banking provider has a commercial relationship with that merchant and has carried out due diligence to make sure they are a legitimate business. The account details are pre-populated by the open banking provider and the payer cannot be deceived into changing them to a fraudster’s account details.

PSR1 rightly recognises that requiring IBAN and name matching for open banking would duplicate efforts. It does not require the service for payments where the payer does not input the payee details themselves.

6. Merging e-money and payment institutions

Another significant change is the merger of the licensing and authorisation regimes of PSD2 and the E-Money Directive (EMD2) into a newly created PSD3.

In the new framework, former Electronic Money Institutions (EMI) are a subcategory of Payment Institutions (PIs). Both the EU Commission and the European Banking Authority consider that payment services and e-money services are very similar in nature and risks, and therefore should have almost identical legal requirements when it comes to authorisation and requirements for safeguarding and initial capital.

The changes should create a clearer, simpler framework for e-money and payment institutions. This may also help businesses who have previously struggled to decide what kind of firm they need to partner with for payment services.

7. Re-authorisation for payment firms under PSD3

As a result of some changes in the licensing and authorisation regime, payment and e-money institutions will need to seek re-authorisation from national authorities within 24 months of the new rules coming into force. This will help ensure that all firms operating under PSD3 are fit to operate and ultimately keep consumers and businesses safe.

A major evolution for payments

PSR1 provides an exciting opportunity for EU payments and open banking to evolve.

We are encouraged to see that open banking receives considerably more attention in PSR1 than in PSD2. The proposed changes show that the European Commission understands the practical challenges that open banking is facing, and how to solve them. PSR1 focuses on further levelling the playing field by improving APIs, setting out minimum open banking functionality requirements, and by giving non-banks the legal right to access payment settlement systems, among others.

These new rules could be finalised by 2025, and in effect by 2026

We look forward to continuing to support the EU Council and Parliament as they discuss and negotiate the Commission’s proposals over the coming months.

Insights straight to your inbox
Join 10,000+ subscribers getting the latest open banking news.
Latest
Pay by bank phone
12 Jun 2025

Pay by Bank protections: a modern approach

15 million users milestone
10 Jun 2025

TrueLayer hits new industry milestone, surpassing 15 million consumers

Hey, I'm Andy from TrueLayer, and I'm going to try and tell you everything you need to know about Pay by Bank—in just ninety seconds. Let’s start the clock. Let’s keep it simple. What is Pay by Bank? It’s a payment method that lets you pay directly from your bank account via your banking app—with zero need for card networks. That could mean buying pizza, paying for flights, or just about anything in between. And it’s actually pretty easy—and very quick. It looks a bit like this: start by tapping the Pay by Bank button, then choose your bank from the list. If you’ve used it before, we can even preselect your preferred bank. You then review the payment, and you’re seamlessly redirected to your bank app to approve it using secure biometrics. That’s Face ID or a fingerprint, to you and me. And that’s it—success. But no time to relax—we're on the clock! Now, this might be the first time you’re hearing about it, but every month in the UK, 27 million payments are made using Pay by Bank. And most people who haven’t tried it yet say they’d be happy to—if given the option. On the merchant side, nine out of ten businesses are already planning to adopt it in one way or another. So what’s in it for businesses? Number one: more potential sales. No cards means no long card numbers, no clunky 3DS2—just a smoother experience from start to finish. And it converts. Number two: because payment details are pre-populated and verified with biometrics, things like card-not-present fraud, chargebacks, and authorized push payment fraud are virtually eliminated. Number three: lower costs. Without all the intermediaries and manual admin, the total cost of Pay by Bank is typically lower than card payments. I'm running out of time—one last benefit: instant refunds. And trust me, shoppers love instant refunds. And breathe. That was a lot to cram into ninety seconds. If you’d like to take your time and learn more about Pay by Bank—and why brands like Just Eat Takeaway, lastminute.com, Ryanair, and Papa John’s already offer it at checkout—you can read our in-depth guide. There should be a link on screen now. And that’s it. Thanks for watching.
9 Jun 2025

Pay by Bank explained in 90 seconds

Categories to explore