PSD3 and PSR: What Every Fintech Company Must Prepare For in 2026

FinlexPro Team
April 10, 2026

The Next Chapter in EU Payments Law

The EU's Payment Services Directive 2 (PSD2) reshaped financial services when it came into force in 2018. Now, its successor is on the horizon. The European Commission's twin legislative package — Payment Services Regulation (PSR) and PSD3 — is set to fundamentally upgrade how open banking, strong customer authentication (SCA), and third-party access work across the EU.

For fintech companies, this isn't a distant compliance exercise. The changes affect core product architecture, API design, fraud liability frameworks, and licensing.

This guide covers what PSR and PSD3 actually change, what's still uncertain, and what fintech compliance teams should be doing now.

What Is the Difference Between PSR and PSD3?

The Commission deliberately split the legislation into two instruments:

PSR (Payment Services Regulation) is a directly applicable regulation — it won't need transposition into national law. This eliminates the fragmented implementation that plagued PSD2 across member states. PSR covers most of the substantive rules: SCA, open banking, liability, and fraud.

PSD3 (Third Payment Services Directive) amends the authorisation and supervision framework — who can be a payment institution, what licenses look like, and how passporting works.

Together they replace PSD2 and PSD2-related provisions in other directives.

Key Changes Fintech Companies Must Understand

1. Open Banking Gets Real API Standards

One of PSD2's biggest failures was allowing banks to offer "dedicated interfaces" (APIs) without minimum quality standards. Banks could — and did — make APIs intentionally difficult to use, creating competitive moats while technically complying.

PSR changes this:

  • **Mandatory API dashboards**: Payment service providers must publish real-time dashboards showing API availability and performance metrics
  • **Fallback elimination**: Banks can no longer rely on screen-scraping fallbacks as a safety valve; APIs must work reliably
  • **Standardisation push**: EBA is tasked with developing binding technical standards for API specifications — moving toward a true common standard
  • **Account information services (AIS) limits**: A controversial change limits AISP access to 90-day re-authentication cycles for active users (up from PSD2's 90-day blanket rule)

What this means for fintech: If you build on bank APIs, your reliability SLAs just became legally relevant. If you are a bank or ASPSP, your API infrastructure needs significant investment.

2. Strong Customer Authentication Overhaul

SCA under PSD2 created enormous friction. PSR takes a more risk-based approach:

| Area | PSD2 | PSR |
|------|------|-----|
| Transaction monitoring | Optional | Mandatory baseline |
| Low-risk exemptions | Narrow (TRA up to €500) | Expanded with real-time fraud data sharing |
| Liability shift | Limited | Clearer PSP liability when SCA bypassed improperly |
| Payee IBAN/name match | Member state option | Mandatory EU-wide |

IBAN-Name Matching (Confirmation of Payee) is now mandatory across the EU. This is significant: every fintech processing credit transfers must verify that the payee name matches the account number before executing. This was already mandated in the Netherlands and UK — now it's EU-wide.

3. Fraud Liability Framework Clarified

PSD2's liability framework was litigated heavily because it was unclear. PSR addresses this directly:

  • **Authorised Push Payment (APP) fraud**: PSR introduces EU-level rules on liability when users are manipulated into authorising fraudulent payments. PSPs share liability in certain circumstances, something UK law already addressed but EU law had not.
  • **Spoofing liability**: When a user is deceived by a fraudster impersonating the PSP, the PSP may bear liability even for authorised transactions.
  • **Unconditional refund rights**: For certain fraud scenarios, users get immediate refund rights pending investigation.

What this means: Fintech payment providers need to review fraud prevention infrastructure and update T&Cs. Shared liability for APP fraud will require new operational procedures.

4. Payment Institution Licensing Changes

PSD3 updates the authorisation regime:

  • **Own funds requirements** are recalibrated — some PI categories face higher capital thresholds
  • **Safeguarding rules** are significantly tightened, moving toward a model closer to e-money institution safeguarding
  • **Passporting**: The passporting framework is clarified but the Commission didn't eliminate host state supervision powers entirely
  • **EMI/PI distinctions**: The boundary between e-money institutions and payment institutions is slightly redrawn

5. Financial Data Access (FIDA) — the Hidden Extension

While not technically part of PSD3/PSR, the Financial Data Access (FIDA) regulation is the third piece of the puzzle. FIDA extends open banking logic to:

  • Insurance products
  • Investments and pensions
  • Mortgages
  • Consumer credit

FIDA creates a "financial data sharing scheme" framework. Fintech companies positioned as data intermediaries or building wealth management tools need to monitor FIDA implementation alongside PSR.

Timeline: Where Are We Now?

| Milestone | Status |
|-----------|--------|
| Commission proposal | Published November 2023 |
| Council general approach | Agreed November 2024 |
| European Parliament position | Adopted early 2025 |
| Trilogue negotiations | Ongoing in 2025-2026 |
| Expected final text | Late 2026 |
| Transposition / application | 18-24 months after publication |
| Estimated application date | 2028-2029 |

Important: PSR/PSD3 is not yet in force. But implementation timelines are tight and architectural decisions made now will be expensive to undo later.

What Fintech Teams Should Do Now

Map Your PSD2 Dependencies

Start with a complete inventory:

  • Which services rely on PSD2 authorisation (AIS, PIS, account-holding)?
  • Where do you use SCA exemptions today?
  • Which bank APIs does your product depend on, and what are their current reliability metrics?
  • Do you process credit transfers subject to the IBAN-name matching requirement?

Assess Fraud Liability Exposure

Work with legal and product teams to model:

  • What share of transactions could fall under new APP fraud liability rules?
  • Do your current fraud detection systems meet the "reasonable measures" standard?
  • What changes to the user journey are needed to document authorisation intent?

Watch EBA Technical Standards

PSR mandates EBA to produce binding technical standards (BTS) for:

  • API specifications and dashboards
  • SCA risk-based exemption criteria
  • Fraud data sharing requirements

These BTS will be the actual implementation details. Subscribe to EBA consultation processes — the comment periods are where product architecture gets shaped.

Plan for IBAN-Name Matching

Confirmation of Payee will be mandatory. If you're a payment initiation service provider or process credit transfers:

  • Evaluate which vendors offer CoP infrastructure
  • Understand the EU-level scheme that will eventually replace bilateral arrangements
  • Build the UX for name-mismatch warnings into your product roadmap

The Competitive Opportunity

Compliance complexity creates moats. Fintech companies that invest in PSR/PSD3 readiness early will:

  • **Win enterprise contracts** from clients who need a compliant payment provider from day one
  • **Reduce operational risk** from fraud liability exposure
  • **Build better APIs** as API quality standards create new market expectations
  • **Expand into FIDA** as the open finance ecosystem matures

The companies treating PSR/PSD3 as a checkbox exercise will spend 2028 firefighting. The companies treating it as a product strategy opportunity will own the market.

Monitoring PSR/PSD3 with Regulatory Intelligence Tools

Tracking EU legislative developments manually is impractical. The Commission, Parliament, Council, and EBA produce thousands of pages of documents. Regulatory intelligence platforms that monitor official publications, extract obligation changes, and send targeted alerts are no longer a luxury for fintech compliance teams — they're infrastructure.

FinlexPro tracks PSR, PSD3, and related EBA technical standards in real time, mapping changes to your specific regulatory obligations.

---

*This article reflects the legislative status as of April 2026. PSR and PSD3 are still subject to final trilogue agreement and publication in the Official Journal.*
