TL;DR
Package architecture: why two acts instead of one
| Act | Form | Scope | Direct applicability |
|---|---|---|---|
| PSR (Regulation) | Regulation | Market conduct: transparency, user rights and obligations, SCA, open banking, access to payment systems, fraud | Yes, directly applicable across Member States |
| PSD3 (Directive) | Directive | Licensing, prudential requirements, and supervision of payment institutions and e-money institutions | Requires transposition into national law |
PSD3 repeals EMD2 and folds e-money institutions (EMIs) into the broader payment institutions category as a sub-type, ending the regulatory split that has existed since 2009. The Settlement Finality Directive is also amended, allowing payment institutions and EMIs direct participation in designated payment systems, a competitive breakthrough relative to banks.
Why the reform: the Commission's diagnosis
The package addresses all four, although, as we'll see, with varying degrees of ambition.
Combating fraud: the deepest change in the package
Verification of Payee (VoP): universal IBAN-name check
The payer's bank must verify that the payee name entered by the customer matches the account number (IBAN). Where there's a mismatch, the PSP must inform the payer of the discrepancy and its degree, within seconds of payee details being entered. VoP has been mandatory since October 2025 for euro-denominated instant credit transfers under the Instant Payments Regulation. PSR extends the obligation to all credit transfers, instant or not, in euros or any other currency. In the event of a mismatch, the PSP must refuse to execute the transfer and notify the payer.
Liability shift: impersonation and control failures
Under PSD2, liability for authorised push payment fraud (APP fraud) sat primarily with the payer. PSR retains that baseline, but introduces two important exceptions. First: where a fraudster impersonates the PSP itself (not just an employee, as the Commission's 2023 proposal had limited it), and the customer promptly reports the matter to police and the PSP, the bank must refund the full amount. Second: where the fraud occurred because the PSP failed to properly implement VoP, monitor transactions, or block a suspicious payment, liability rests with the PSP. Liability has no upper cap (the comparable UK regime caps at £85,000 per case).
Online platform liability: a new layer of accountability
Online platforms become liable to banks that have refunded defrauded customers, where the platform was notified of fraudulent content and failed to remove it. This builds on the Digital Services Act, but adds concrete financial accountability into the fraud-prevention chain. According to a Revolut report, around 75% of APP fraud originates on social platforms, Facebook, Instagram, WhatsApp, Telegram. The package, for the first time, gives banks a real recourse claim. A PSP that has compensated a victim can subsequently shift liability to a telecom operator or online platform if the fraud originated there.
Financial-services advertising: control at the source
Advertisers of financial services must demonstrate to very large online platforms and search engines that they are legally authorised (or formally exempted) to offer those services in the country in question, or that they advertise on behalf of someone who is. Platforms are prohibited from displaying ads from PSPs that lack authorisation in the Member State where services are offered.
Fraud-data sharing among PSPs
PSPs will be required to share fraud-related information (IBANs of suspicious payees, manipulation techniques) through a dedicated platform. The obligation will also extend to social media operators and telecoms. Data retention is constrained, and a Data Protection Impact Assessment (DPIA) is mandatory.
Transaction monitoring on steroids
PSR expands transaction-monitoring requirements well beyond PSD2. Banks will need to take into account device intelligence (whether the payer is on an unfamiliar device, whether malware or remote-access tools like AnyDesk or TeamViewer are present, whether the device is on a phone call during the session) and behavioural intelligence (typing pattern, screen-touch behaviour, transaction speed, anything that may signal the payer is acting under pressure). PSPs will be required to block suspicious transactions in defined circumstances. Banks may delay or hold suspect instant credit transfers, providing time to intervene, a meaningful softening of the instant-payments regime in favour of risk management.
Cooling-off period and SCA redefined
PSR introduces waiting periods for spending-limit changes (modelled on Dutch banks, where such changes only take effect after four hours), to give victims time to reflect when fraudsters pressure them into raising their limits. SCA itself remains a two-element check, but the final PSR text allows two elements from the inherence (biometric) category, opening the way to combinations of physiological biometrics (fingerprint, face) with behavioural biometrics (usage patterns). PSPs cannot rely on a single SCA mechanism; they must support multiple options, including for users with disabilities, the elderly, and those with low digital literacy. The package also introduces a right to human support, not just chatbots, alongside an obligation to invest in public education about recognising fraud.
Important nuance:
What didn't make it: Parliament tried to extend liability to impersonation of any other public or private entity (e.g. police, tax authorities). That extension was not retained in the final text. The compromise stops at impersonation of the PSP itself.
Open banking: from PSD2 to PSD3
List of prohibited obstacles (PSR Article 44)
A bank may not, among other things: prevent a provider from using customer credentials, require manual entry of unique identifiers, require additional registration of information, or impose SCA more times than necessary.
Dedicated interface as the standard
The ASPSP (bank) must operate at least one dedicated interface for data exchange with AIS and PIS providers. Screen scraping (access via the customer interface) is prohibited: TPPs must always identify themselves and only retrieve the data necessary to provide their service.
Non-discriminatory account access
Banks must provide payment institutions with non-discriminatory access to bank accounts. They may only refuse for serious reasons (suspicion of illegal activity, breach of agreement, missing information).
Consent dashboard
The user gets a control panel to monitor and manage the access permissions they have granted to third parties, including the ability to revoke consent easily.
Mobile-device opening: a breakthrough for front-end wallets
This is arguably the most political element of the reform. Manufacturers of mobile devices and providers of electronic services will be required to enable front-end providers (apps, interfaces) to store and transmit data necessary for payment execution on fair, reasonable, and non-discriminatory (FRAND) terms. In practice, this targets the Apple Pay monopoly and the Google Pay ecosystem's grip on NFC and the secure element. Although the text does not say NFC explicitly, the industry reads it as opening up the payment layer in mobile devices.
Licensing, capital, and CASPs
Streamlined authorisation procedure
PSD3 unifies the licensing procedure for PSPs and EMIs. Requirements remain substantial (prudential requirements, own funds, business projections), but processes are harmonised, and initial capital is scaled to the level of risk and types of services provided, a departure from the flat threshold under PSD2.
Streamlined path for MiCA-authorised CASPs
Crypto-asset service providers (CASPs) authorised under MiCA will be subject to a streamlined procedure when applying for PSP authorisation (while retaining appropriate risk controls and limiting scope to services specified in the application). The logic: the regulator has already vetted the firm in terms of governance, AML, capital, fit-and-proper management, and IT security. There's no need to repeat all of that for PSP authorisation; only payment-specific elements (PSP minimum capital, safeguarding of client funds) need to be added. For crypto exchanges, brokers, and stablecoin issuers wanting to operate direct fiat on-/off-ramps, this lowers the barrier to PSP status meaningfully.
Account Information Service Providers (AISPs)
AISPs are not subject to authorisation, but must register with the same scope of information that would be required for full authorisation. New: EUR 50,000 initial capital as an alternative to professional indemnity insurance, an option not available under PSD2.
Access to payment systems
The most competitively significant change in PSD3: the amendment of the Settlement Finality Directive enables direct participation by payment institutions and EMIs in designated payment systems (e.g. TARGET2, national clearing systems). They cease to be dependent on bank intermediaries.
Transparency and consumer protection
No surprises on fees
Customers must be fully informed of fees before payment initiation: including currency conversion rates and fixed ATM withdrawal charges (regardless of the operator). ATMs must display all fees and exchange rates before transaction confirmation. Merchants must ensure that their trading name matches the name appearing on customer statements, an end to confusing payment-processor names.
Better cash access
In response to shrinking ATM and branch networks: retail shops may offer cash withdrawals without requiring a purchase, in the EUR 100-150 range per transaction. Independent ATM deployers are exempted from the PSP licensing requirement, registration suffices.
Alternative dispute resolution (ADR)
All PSPs will be required to participate in ADR procedures if the consumer requests it.
What hasn't changed, what's missing
Timeline: when this takes effect
| Date | Step |
|---|---|
| 28 June 2023 | Commission publishes the package proposal |
| 23 April 2024 | Parliament adopts first-reading position |
| 18 June 2025 | Council adopts negotiating mandate |
| 27 November 2025 | Provisional political agreement in trilogue |
| 23-24 April 2026 | Council publishes final compromise texts (ST-8221/8222-2026-INIT) |
| Q2 2026 (planned) | Publication in the Official Journal of the EU |
| ~Q2 2026 + 20 days | Entry into force of PSR and PSD3 |
| Entry into force + 6 months | Application of Settlement Finality Directive amendments |
| Entry into force + 18 months | Deadline for transposition of PSD3; application of general PSR provisions |
| Entry into force + 24 months | Application of VoP obligation (IBAN-name check) |
| ~Q1/Q2 2028 | Full operational applicability of the package |
What organisations should be doing now
The CEE / Polish perspective
MiCA implementation status
Poland is the only EU country without enabling legislation for MiCA in place. The streamlined procedure for CASPs entering PSP status assumes that a working MiCA regime exists in the relevant Member State. Without that legislation, CASPs registered in Poland may struggle to use the streamlined path, unless they go through another EU country (e.g. Lithuania, Cyprus).
Express Elixir and PISP
For the PISP market in Poland, where Express Elixir is becoming a real alternative to cards, the opening of the mobile payment layer and the strengthening of open banking represent meaningful competitive support. Non-discriminatory access to bank accounts is expected to materially improve API quality, an area where PISPs have long had grievances.
KNF and supervision
PSD3 strengthens the powers of national competent authorities in cross-sectoral cooperation and gives the EBA a larger coordination role. For Poland's KNF, this means heavier obligations around fraud-data exchange and sanctioning of non-discriminatory-access violations.
Closing commentary
The devil, as always with EU regulation, is in the delegated acts and RTSs. The next 18-24 months will reveal whether 1:25 a.m. in Strasbourg was indeed a turning point.
Sources
As of 27 April 2026. This article does not constitute legal advice. The final wording of the acts may still change in the course of formal adoption and publication in the Official Journal of the EU.