The scope and timeline are locked in for PSD3 and PSR. What should PSPs know?
10 / 03 / 2026
In late November 2025, the European Parliament and the Council of the EU announced a provisional political agreement on PSD3 (the Third Payment Services Directive) and PSR (the new Payment Services Regulation). With trilogue conclusions secured, the next steps are formal drafting and adoption, after which the texts will be published in the Official Journal. The Danish Presidency, concluding at year-end 2025, pushed the package through to completion, with a likely publication in the first half of 2026 and a phased implementation timeline. If enacted as currently anticipated, PSR will apply directly 20 days after publication, while PSD3 will require national transposition within 18 months of entry into force, with a targeted applicability by Q2/Q3 2028. Now that the scope and timelines are defined, PSPs should start assessing
What PSD3/PSR aim to achieve
Improve clarity and harmonization in the EU
The package prioritizes greater harmonization of payment rules to reduce fragmentation and national interpretation, while tightening security and fraud prevention standards.
Stronger fraud controls and liability framework
The regime expands liability, enhances risk-based monitoring, and strengthens the avenues for reimbursement in fraud cases, including a framework that touches on “authorized push” style fraud (APP) and the accountability of online platforms (e.g., e-commerce sites, marketplaces).
Enhance open banking to build an alternative means of payment
The functioning of open banking will be improved through more reliability, standardization, and security of bank APIs used by TPPs (third-party providers). The package will also remove remaining obstacles, such as the obligation for ASPSPs to provide a dedicated data interface and enhance customer control over payment data through a permission dashboard. These changes will likely support a higher adoption of open banking transactions in the EU.
Key changes from PSD2 to PSD3 / PSR
Fraud prevention and platform liability
- Expanded liability for PSPs and, in certain cases, for online platforms if they fail to act on known fraud after being notified. PSR introduces a formal liability framework that extends beyond traditional PSP boundaries to include large online platforms when fraud content is not removed after notification.
- Introduction of collaborative fraud data sharing among PSPs via a dedicated platform, with data protection impact assessments and time-bounded data retention (up to five years after an incident).
- Banks may delay or block suspicious instant payments to provide a window for intervention, a notable evolution in risk management for real-time payments.
SCA enhancements
- PSD3 imposes clearer rules and more flexible exemptions to balance security and user experience. It emphasizes stronger verification for high-risk transactions, while expanding risk-based exemptions and improving real-time monitoring to detect and respond to fraud more quickly.
Open banking governance and data access
- PSD3/PSR standardize Open Banking interfaces as the main access point for data exchange, with stronger governance over APIs and data access rights. Customers get clearer visibility and control through dashboards that show who has access and make it easy to revoke permissions.
- Provisions to prevent discrimination against authorized open banking providers, and to enforce fair terms for data access, are reinforced.
Transparency and consumer protection
- Transparency obligations around fees, exchange rates, and currency conversions are tightened, including upfront disclosure of exchange rate margins and estimated transfer times for cross-border payments.
- ATM receipts and currency conversion disclosures are expanded, with a requirement for visible and, in some cases, printed disclosures.
Regulated scope and governance
- PSD3 integrates e-money institutions into the same regulatory framework as payment institutions, subjecting them to similar licensing, governance, and outsourcing requirements.
- There is a concerted shift toward uniform, EU-wide implementation with less room for national interpretation. The purpose is to reduce regulatory arbitrage and promote a stable operating environment for PSPs.
Who is impacted
Banks and payment service providers (PSPs)
Banks and PSPs are the core regulated entities subject to licensing, governance, outsourcing, and strict security obligations. They must upgrade IT architectures, implement enhanced fraud controls, and adapt to stricter liability regimes.
E-money institutions and AIS/PIS providers
These providers are brought into the PSD3/PSR framework, with alignment on licensing, governance, and operational standards.
Online platforms and telecommunications providers
They could bear liability in certain fraud scenarios, especially when they fail to remove fraudulent content after being informed of it.
Merchants and end users
Expect greater transparency on fees, more robust fraud protections, and improved control over data access and permissions. End users gain dashboard-based visibility into data access and consent management.
Open banking ecosystems and tech suppliers
They need to support standardized interfaces, governance, and data-sharing arrangements, while ensuring compliance with data protection rules.
Implementation timeline and next steps
Following formal adoption and publication in the EU Official Journal, PSR is expected to enter into force 20 days after publication and apply EU-wide after an 18-month transition, while PSD3 requires national transposition within 18 months of entry into force, with implementing provisions coming into force thereafter. Practical readiness should focus on gap analyses, governance, and IT upgrades, and trilogue refinements will finalize text on liabilities and transitional rules, aiming for market readiness in the second half of 2027 to Q2/Q3 2028. See Worldline’s timeline expectations below.

What to do now: recommended actions for PSPs and Financial Institutions
The bottom line is that PSD3 and PSR mark a major shift in the EU payments regulatory landscape. For banks, PSPs, and e-money institutions, the time to act is now: begin readiness programs, engage compliance and IT teams early, and prepare for a multi-year transition. The next steps will reveal the final text and precise timelines, but the trajectory is clear: harmonization, stricter security, and a more robust framework for open data and fraud prevention.
Are you ready to start your migration to PSD3? Lacking resources or knowledge, many PSPs rely on open banking vendors, and rightfully so. Worldline is already supporting more than 20 leading European banks to stay PSD2 compliant, with proven functional and technical quality you can trust. Our recognised expertise includes a track record of resolving PSD2 specification ambiguities, a capability that will directly support your PSD3/PSR deployment with confidence. Learn more about our services and complete the form to consult with one of our experts: Worldline PSD3 Compliancy Solutions.