Introduction
Payment Services Directive 3 (PSD3) is a proposed European Union measure designed to address challenges left by PSD2. It focuses on fraud prevention, clearer data-sharing practices, and safeguarding consumer rights in digital payments. The overall intention is to create a more reliable way for financial institutions and technology providers to work together, ultimately giving everyday users a safer experience when handling online transactions.
Although PSD3 was introduced in 2023, it is still moving through the legislative process. Many observers expect it to be finalised by 2024, with Member States likely to begin enforcing its main requirements around 2025 or shortly after. This timeline reflects the typical two-year window for national authorities to embed new EU directives into local laws.
In brief, PSD3 aims to refine the ground covered by PSD2 by standardising how banks share data, improving rules on fraud checks, and ensuring consistent enforcement across all EU countries. This approach sets the stage for a more secure and clear-cut financial environment, where banks, payment providers, and customers can transact with greater confidence.
Why is PSD3 Needed?
Since the introduction of the original Payment Services Directive (PSD), the European payment landscape has undergone significant transformation. Digital payments have grown rapidly, Open Banking services have gained traction, and new financial service providers have entered the market.
The Second Payment Services Directive (PSD2) was introduced to address these developments by fostering innovation, increasing security, and promoting fair competition. PSD2 played a pivotal role in:
- Enabling third-party access to payment accounts (Open Banking).
- Implementing Strong Customer Authentication (SCA) to reduce fraud.
- Enhancing consumer protection in online and card payments.
However, as the financial sector continues to evolve, new challenges and regulatory gaps have emerged, necessitating further updates. The European Commission has proposed PSD3 and a complementary Payment Services Regulation (PSR) to modernise the regulatory framework, ensuring security, innovation, and fair market competition.
Key Drivers for PSD3
1. Strengthening Consumer Protection and Security
While PSD2 introduced SCA, fraud methods have evolved, requiring stricter safeguards. PSD3 aims to further mitigate risks by:
- Expanding fraud liability rules to cover wallet providers, payment gateways, and technical service providers if they fail to apply SCA.
- Allowing payment providers to process personal data for fraud prevention under GDPR without requiring explicit user consent.
- Introducing stronger rules against impersonation fraud (spoofing fraud), shifting more liability to issuers when fraudulent transactions occur.
These measures will increase trust in digital payments while ensuring consumers are protected from emerging threats.
2. Addressing Inconsistencies in PSD2 Implementation
PSD2 was a directive, meaning each EU Member State transposed it into national law, leading to variations in interpretation and enforcement. As a result:
- Open Banking adoption was uneven across the EU, with some banks limiting third-party access.
- Certain security requirements were applied inconsistently, creating regulatory fragmentation.
- The lack of a uniform dispute resolution mechanism complicated fraud claims and consumer rights enforcement.
To resolve this, PSD3 will focus on clearer, standardised rules, while the new Payment Services Regulation (PSR) will apply directly across all EU Member States without requiring national transposition, ensuring consistent enforcement.
3. Enhancing Open Banking and Payment Systems Access
While PSD2 mandated banks to provide third-party access to payment accounts, some institutions imposed technical and procedural barriers, making Open Banking adoption challenging. PSD3 and PSR aim to:
- Remove unjustified obstacles in bank APIs that hinder third-party providers (TPPs) from offering payment and account information services.
- Require banks to publish quarterly API performance reports, improving transparency and reliability.
- Allow third-party providers (PISPs and AISPs) to access bank interfaces in case of API downtime, ensuring uninterrupted financial services.
These changes will create a more competitive and resilient Open Banking ecosystem, benefiting both businesses and consumers.
4. Adapting to the Digital Payments Evolution
Since PSD2’s introduction, the payments industry has seen rapid innovation, including:
- Digital wallets (e.g., Apple Pay, Google Pay)
- Buy Now, Pay Later (BNPL) services
- Tokenisation and alternative authentication methods
PSD3 expands regulatory coverage to account for these newer services, ensuring clearer compliance guidelines and consumer protection measures.
What PSD3 Seeks to Achieve
The introduction of PSD3 and PSR aims to:
✅ Increase security by refining Strong Customer Authentication and fraud liability rules.
✅ Ensure consistent implementation by using a regulation (PSR) that applies directly across all EU Member States.
✅ Improve Open Banking adoption by removing barriers and enforcing transparent API standards.
✅ Support innovation by providing regulatory clarity for digital wallets, BNPL, and new financial services.
With these updates, the European Commission seeks to future-proof the payments industry while maintaining a balanced approach to security, innovation, and competition.
Key Changes in PSD3
PSD3 introduces several enhancements to security, consumer protection, Open Banking regulations, and payment service provider (PSP) supervision. These changes address gaps identified in PSD2 and ensure that financial services remain resilient, competitive, and secure in the digital age.
Below is a structured breakdown of the key regulatory updates introduced by PSD3 and the complementary Payment Services Regulation (PSR).
1. Stronger Consumer Protection & Security Measures
Strong Customer Authentication (SCA) Enhancements
PSD3 expands SCA rules to reduce fraud risks while improving payment efficiency. Key updates include:
- More flexible authentication methods: Unlike PSD2, which required authentication factors from two different categories (knowledge, possession, inherence), PSD3 allows two factors from the same category (e.g., token + SMS OTP or biometric verification with PIN).
- Stronger authentication requirements for third-party services: SCA delegation (e.g., Apple Pay authentication) is now classified as outsourcing, requiring compliance with outsourcing regulations.
- Exemptions for recurring payments & certain transactions: Merchant-initiated transactions (MITs), such as subscription-based services, will only require SCA for the first transaction—simplifying payment flows.
Expanded Fraud Liability Framework
PSD3 introduces stricter fraud liability rules to hold financial service providers accountable:
- Payment service providers (PSPs), wallet providers, and gateways are now liable for fraud if they fail to apply SCA.
- Issuers will bear liability for impersonation fraud (spoofing fraud), where fraudsters trick consumers into making unauthorised transactions.
- Consumers remain liable only in cases of gross negligence or intentional fraud.
More Secure Data Sharing for Fraud Prevention
PSD3 introduces new data-sharing policies under GDPR to enhance fraud detection:
- PSPs and payment schemes can process personal data (transaction history, device IP, behavioral patterns) for fraud prevention purposes without requiring explicit consumer consent.
- This will improve fraud detection algorithms, helping issuers approve more legitimate transactions while blocking fraudulent ones.
2. Open Banking & Payment Systems Access Improvements
PSD3 builds on PSD2’s Open Banking framework by removing technical barriers and increasing transparency in API performance.
Improved API Access & Standardisation
- Banks and financial institutions must provide higher API reliability and publish quarterly reports on API performance & availability.
- Third-party providers (AISPs & PISPs) can now use alternative interfaces if bank APIs experience downtime, ensuring service continuity.
- Open Banking providers can build custom interfaces to streamline connectivity with banks and financial institutions.
Enhanced Customer Control Over Open Banking Permissions
- Banks must introduce permission dashboards, allowing customers to monitor and revoke third-party access to their data at any time.
- These dashboards improve transparency, ensuring consumers remain in control of their financial data.
3. Harmonisation & Standardisation Across the EU
PSD3 introduces structural changes to improve regulatory consistency across EU member states:
Introduction of the Payment Services Regulation (PSR)
PSD3 will coexist with PSR, a new regulation that will apply directly across all EU countries without requiring national transposition. This will:
- Ensure uniform consumer protection rules across all EU markets.
- Prevent regulatory arbitrage by standardising implementation.
- Improve legal clarity for businesses operating in multiple EU jurisdictions.
Stronger Oversight of Non-Bank PSPs
PSD3 introduces stricter supervision rules for non-bank payment service providers (fintechs, payment gateways, Open Banking providers) to:
- Prevent regulatory loopholes that allow unfair market advantages.
- Ensure consistent security and operational standards.
4. Payment Methods & Transaction Rules Updates
PSD3 introduces changes to various payment methods to improve accessibility and streamline compliance.
Exemptions & Changes to Authentication Requirements
- Merchant-initiated transactions (MITs):
  - Only the first transaction requires SCA; subsequent payments are exempt.
  - Subscription payments will have an 8-week unconditional refund right similar to SEPA Direct Debits.
- Mail Order & Telephone Order (MOTO) transactions:
  - These payments will be exempt from SCA, simplifying processes for industries like travel and hospitality.
- Tokenisation & Digital Wallets:
  - SCA is only required when a customer adds a new card to a digital wallet or initiates a new transaction.
Enhanced Accessibility for Vulnerable Consumers
PSD3 ensures that Strong Customer Authentication (SCA) remains accessible to all users, including:
- Elderly and disabled consumers
- Individuals without smartphones (alternative authentication options must be available)
Impact of PSD3 on Businesses & the Financial Industry
For Financial Institutions & Payment Service Providers (PSPs)
- Stronger security measures will require upgraded fraud prevention systems.
- More liability for fraud means PSPs and payment gateways must ensure proper SCA application.
- Greater transparency in Open Banking APIs will encourage more collaboration with fintech providers.
For Merchants & Digital Businesses
- More seamless authentication flows will reduce friction and increase transaction approval rates.
- Exemptions for MITs and MOTO payments will streamline subscription and telephone-based payment processing.
- Increased fraud protection means merchants will have fewer chargebacks and unauthorised transactions.
For Consumers
- Stronger fraud prevention mechanisms will enhance security in digital payments.
- More control over Open Banking permissions will increase trust in financial data sharing.
- Improved accessibility measures will ensure that payment authentication remains inclusive.
Final Thoughts on PSD3’s Key Changes
PSD3 represents a significant step forward in strengthening payment regulations, consumer protection, and Open Banking accessibility. Its key updates include:
✅ Stronger SCA (Strong Customer Authentication) rules to combat fraud while maintaining transaction efficiency.
✅ More liability for payment providers, ensuring they uphold secure and seamless services.
✅ Improved Open Banking API access, creating a more competitive and innovative financial ecosystem.
✅ Direct EU-wide regulations (PSR) for greater consistency and standardisation.
These changes modernise PSD2’s framework, ensuring that digital payments and Open Banking services continue to evolve securely and efficiently.
Why Choose Finexer for Secure Open Banking
Finexer, an FCA-authorised Open Banking provider, positions businesses to stay ahead of evolving regulations like PSD3 by emphasising robust security, high API reliability, and tailored integrations. While PSD3 is still taking shape, Finexer’s proactive approach ensures its platform can adapt to new standards as they arise. Below is an overview of Finexer’s core strategies, along with user testimonials illustrating its commitment to secure, innovative solutions.
A. Regulatory Awareness & Forward-Looking Security
- FCA-Authorised Infrastructure: Finexer’s current compliance framework meets UK regulations (including PSD2), laying a solid foundation for potential PSD3 updates. This includes advanced encryption and authentication protocols designed to scale with future security and liability requirements.
- Ongoing Compliance Monitoring: Finexer actively tracks European Commission directives and industry best practices, making it easier to adjust to evolving mandates and maintain continuous compliance.
“We were looking for a partner that could not only meet our current needs but also anticipate and support our growth. Finexer delivered exactly what we needed, from compliance-ready software to seamless integration with our existing systems.”
— David Kern, CEO, VirtualSignature-ID
B. Scalable & Reliable Connectivity
- Instant Access to UK Banks: A single Finexer API connects businesses to most UK financial institutions, simplifying integrations and accelerating deployment. This reduces complexity for startups, SMBs, or enterprises dealing with multiple banking relationships.
- Emphasis on Uptime & Backup Options: Finexer’s infrastructure focuses on maintaining over 98% API availability, backed by continuous monitoring. In cases of bank API downtime, Finexer provides alternative access, an essential safeguard as PSD3 calls for more stringent service resilience.
“Finexer’s willingness to work closely with us, rather than treating us as just another customer, was truly refreshing. Their flexible approach to business-focused solutions helped us serve high-profile clients more effectively.”
— Penny Phillips, Chief Commercial Officer, Sysynkt
C. Tailored Offerings for Diverse Business Needs
- Flexible Pricing & White-Label Solutions: Businesses can start small and scale up with usage-based fees, while white-label options allow for complete brand continuity and a seamless customer experience.
- 3x Faster Deployment & Custom Integrations: Finexer’s API-first model and dedicated support team streamline the onboarding process, enabling businesses to integrate Open Banking services quickly. This agility is key for companies adapting to new PSD3 guidelines as they are finalised.
By blending current FCA authorisations with a proactive stance on PSD3, Finexer ensures that its clients can confidently offer secure, reliable Open Banking services—all while staying poised for future regulatory developments.