PSD3 and PSR in 2026: The Complete Transition Guide

PSD3 and PSR in one page

PSD3 is the third Payment Services Directive, proposed by the European Commission on 28 June 2023 to replace PSD2 (Directive 2015/2366) and EMD2 (Directive 2009/110). It is paired with a brand-new Payment Services Regulation (PSR) that is directly applicable across the EU and carries the conduct-of-business rules (fraud, SCA, refunds, APIs) that no longer need national transposition.

The European Parliament and the Council reached provisional political agreement on 27 November 2025. Final texts are expected in the Official Journal in H1 2026. Entry into force is anticipated for 2027 after a 21-month transition, so realistically mid-to-late 2027. Member States must transpose PSD3 within 18 months of entry into force; PSR applies directly on the same date.

The FIDA (Financial Data Access) Regulation was proposed alongside PSD3 and PSR but is still in trilogue in April 2026. It extends open-banking-style access to investments, pensions, insurance and mortgages under a new Financial Information Service Provider category. PSD3 itself does not wait for FIDA.

The PI and EMI merger

The single biggest structural change: PSD3 merges the Payment Institution and Electronic Money Institution regimes into one Payment Institution authorised to issue e-money. E-money becomes a sub-activity within a unified licence.

• Existing EMIs are grandfathered into the new regime and do not need to re-apply from scratch. They do need to update their authorisation file, governance documentation and reporting to the new taxonomy.
• Existing PIs are similarly grandfathered, keeping their current service scope. To add e-money issuance, a PI notifies the home NCA and provides the additional information the merged regime requires.
• New applicants file under the unified regime from the day PSD3 applies. The capital floor for e-money activity (EUR 350k) sits alongside the PI floors (EUR 20k, 50k, 125k) inside the same rulebook.
• Own-funds methods keep their A, B, C, D structure, with Method D remaining the reference method for AIS and PIS activity only.

Operationally, the merger removes the annoying PSD2-vs-EMD2 friction on mixed businesses (neobanks, wallet issuers, acquirers with stored balances) and makes it much easier to expand services without a separate licence.

Conduct upgrades: IBAN-name check, SCA, fraud liability

PSR concentrates the conduct-of-business changes that hit payment service providers hardest. Expect multi-quarter build work.

1. Mandatory IBAN-name check (Verification of Payee, VoP). PSPs must verify the match between the IBAN and the named payee before a transfer and flag a mismatch to the payer. This applies to credit transfers and SEPA Instant, and the EU has already required it for SEPA Instant from 9 October 2025 under the Instant Payments Regulation. PSD3/PSR extends the rule across payment rails.
2. APP fraud liability. Where the payer was misled by a fraudster to authorise a payment (authorised push payment fraud, APP fraud), the PSP can be held liable for reimbursement if it failed to meet expected fraud-detection standards. The scheme is modelled on the UK Contingent Reimbursement Model and the Confirmation of Payee regime.
3. Strong customer authentication upgrades. Clearer rules on biometric auth, mobile-only flows, accessibility for vulnerable users, and specific carve-outs for transactions the user has pre-approved (e.g. subscription top-ups).
4. Transaction monitoring standards. Minimum requirements on real-time monitoring, IBAN-beneficiary reputational data sharing between PSPs, and direct-debit fraud detection.
5. Refund rules for unauthorised transactions. Stricter deadlines (end of the next business day), clearer definitions of what counts as unauthorised, and extended refund rights for vulnerable consumers.

The fraud package is a response to EBA data showing that fraud losses in EU payments rose materially in 2022-2024, with APP fraud the fastest-growing category.

Open banking: mandatory dedicated APIs, longer consent

PSR tightens the open-banking regime with four changes.

• Mandatory dedicated APIs. Account-servicing PSPs (ASPSPs) must provide a dedicated API for PSD access. The PSD2 fallback interface exemption is abolished. Screen-scraping remains banned.
• Performance KPIs. Uptime targets, latency thresholds and error-rate limits are harmonised at EU level. Unjustified API downtime is a supervisory breach.
• Longer consent lifecycle. AIS consent cycle extended from 180 days to 365 days. Reduces churn and re-consent fatigue in aggregator apps.
• Data-access parity. TPPs must have the same data access as the ASPSP's own customers using its direct channels. Ends the practice of stripping data fields from TPP endpoints.

For AISPs and PISPs this is a material improvement. For ASPSPs it is a material extra engineering obligation. Many large banks are already upgrading to "open-banking-plus" standards in advance of PSD3 to avoid a compressed 2027 rebuild.

Safeguarding upgrades and diversification

Safeguarding of customer funds is tightened in both the directive and the regulation.

• Mandatory diversification. Above a threshold, customer funds must be spread across at least two credit institutions. Concentration risk at a single safeguarding bank is no longer acceptable.
• Central-bank accounts. Where national law allows, PIs can safeguard directly at their national central bank. This removes single-bank concentration risk entirely for firms in eligible jurisdictions.
• Daily reconciliation. Formally required with a documented process and evidence pack for supervisors. Common audit finding: reconciliation performed daily but evidence not retained.
• Insolvency ring-fencing. Clearer priority of customer claims over safeguarded funds in the event of PI/EMI insolvency. Alignment with bank deposit-guarantee logic but without a full deposit-guarantee scheme.

UK readers should note that the FCA's PS25/12 safeguarding regime (published August 2025, in force 7 May 2026) runs in parallel with equivalent aims. The UK regime is tighter on some points (formal customer money rules with trust structures) and the EU approach will converge during the PSD3 transition.

Authorisation and supervision changes

On the authorisation side PSD3 is an evolution, not a revolution.

1. Unified authorisation file. Single file for PI and e-money activity under the merged regime. Simpler for mixed businesses.
2. Small PI and small EMI regimes retained. National discretion continues under PSD3. Thresholds may be updated for inflation.
3. Tighter substance expectations. In line with the AIFMD 2.0, MiCA and DORA trend, PSD3 codifies that letter-box arrangements are not acceptable. Head office, management and critical functions in the home state.
4. Supervisory convergence. EBA gains stronger coordination powers over NCAs. More peer reviews, more binding mediation, more consolidated supervisory reporting.
5. Direct access to payment systems. PIs get clearer rights to access payment systems (TARGET2, instant payment schemes) alongside banks, reducing dependency on sponsor banks.

FIDA: the sister regime that is still coming

The Financial Data Access (FIDA) Regulation was proposed alongside PSD3 and PSR on 28 June 2023. It extends open-banking-style access to a much broader data set beyond payment accounts: investments, pensions, insurance, mortgages and loans. FIDA creates a new regulated category, the Financial Information Service Provider (FISP).

FIDA is still in trilogue in April 2026 and its adoption timeline is less certain than PSD3 and PSR. Likely scenarios:

• Best case. Political agreement in 2026, publication in 2027, applicability 24 months after entry into force, so operational around 2029.
• Base case. Agreement slips to 2027, applicability late 2029 to 2030.
• Pessimistic case. FIDA reopened at level-1 or significantly narrowed in scope.

Compensation mechanism between data holders and data users is the single most contested item. Regardless of the outcome, AISPs and PISPs that plan product expansion beyond payment accounts should monitor FIDA actively; the FISP category will be the next natural licence for consolidated-finance apps.

What PIs and EMIs should do now

PSD3 and PSR will not apply before mid-to-late 2027, but credible firms are already upgrading in 2026. A 2027 compressed re-build produces worse fraud outcomes, worse safeguarding evidence and more regulator friction.

1. Map the merger. Review how the new unified regime maps to your existing licence and service scope. Identify the incremental documentation the NCA will expect at re-authorisation.
2. Deploy IBAN-name check. Already mandatory for SEPA Instant from 9 October 2025 under the Instant Payments Regulation. Extend to all transfer rails before 2027.
3. Upgrade fraud monitoring. Build real-time transaction monitoring, APP-fraud detection rules, and IBAN-beneficiary reputation sharing. Allocate a dedicated data-science function for fraud if not already in place.
4. Diversify safeguarding. Split safeguarded funds across at least two credit institutions now. Start the process to access central-bank accounts where available.
5. Lift API performance. If you are an ASPSP, invest in dedicated-API reliability, data parity with direct channels, and measurable KPIs. If you are a TPP, monitor ASPSP quality and plan for better data access.
6. Update governance and substance. Review board composition, local staffing and outsourcing arrangements against the PSD3 and DORA converged substance bar. Letter-box structures are a clear supervisory risk.
7. Prepare for FIDA optionality. If your product roadmap includes investments, pensions, insurance or mortgage data, start the data-access architecture now.

Ship a PSD3-ready payment product with Crassula

The regulatory layer is PSD3 and PSR. The product layer is everything else: ledger, accounts, cards, SEPA and SEPA Instant, fraud monitoring, IBAN-name check, safeguarding and reconciliation, open-banking API fleet, reporting. Retrofitting a PSD2 stack to a PSD3 and PSR ruleset mid-2027 is a multi-quarter project for most firms. Crassula's platform is PSD3-ready today and scales from small PI up to a full "payment institution authorised to issue e-money".

We work alongside your legal counsel on the transition to the merged PSD3 regime and integrate the platform with your safeguarding, card-scheme and fraud-data partners.

FAQ