
PSD3 and the Coming Reconfiguration of European Payment Compliance

I. The Legislative Architecture: PSD3 and PSR Together

Unlike PSD2, which was a single directive, the new framework consists of two instruments: a revised Payment Services Directive (PSD3), which member states will transpose into national law, and a directly applicable Payment Services Regulation (PSR), which will apply uniformly across the EU without the variation that characterised PSD2 transposition.¹³

This structural change is significant. The inconsistencies in how PSD2 was implemented across the 27 member states created a fragmented compliance environment that imposed material costs on cross-border payment operators. The PSR's direct applicability removes this variation — but also removes the flexibility that some national competent authorities used to accommodate local market characteristics. Payment firms will need to recalibrate their compliance frameworks against the PSR's uniform requirements, not their incumbent national transposition.

PSD3 does not replace PSD2 — it substantially revises it. The key changes span five domains.

II. The Five Structural Changes

1. Expanded Fraud Liability

PSD3 materially expands the circumstances under which payment service providers bear liability for authorised push payment (APP) fraud. The directive requires PSPs to demonstrate that they have implemented fraud monitoring capable of detecting anomalous payment instructions, including those manipulated through social engineering.¹⁴ The IBAN name verification requirement — already operational in the Netherlands and being piloted across several member states — becomes pan-European, requiring PSPs to verify the payee name against the IBAN before executing credit transfers.

The liability implications are direct: payment firms without transaction-level fraud intelligence may find themselves exposed in circumstances where a customer's payment instruction was manipulated but the firm lacked the monitoring infrastructure to detect the manipulation. This creates a strong commercial incentive to invest in AI-driven fraud detection ahead of enforcement.

2. Open Banking Reform

PSD2's open banking framework significantly underdelivered relative to regulatory expectations. API availability was inconsistent, response times were often degraded, and access restrictions imposed by banks frustrated AISPs and PISPs. PSD3 addresses this through more prescriptive API quality standards, mandatory fallback mechanisms, and enhanced legal rights for third-party providers seeking access.¹³ For fintech firms building on open banking infrastructure, the PSD3 framework represents a material improvement in the reliability and commercial value of data access rights.

3. Licence Rationalisation

PSD3 consolidates the current licensing categories — small payment institution, authorised payment institution, and e-money institution under EMD2 — into a unified framework.¹³ ¹⁵ Existing licence holders will need to assess whether their current permissions map correctly to the new structure and, where they do not, initiate a transition process with their national competent authority. The window for this analysis should begin well ahead of the application date.

4. DORA Integration

PSD3 explicitly references the Digital Operational Resilience Act as the applicable ICT risk management framework for payment service providers. DORA applied from 17 January 2025.¹⁶ Payment firms that have not yet established a compliant DORA ICT risk management programme are simultaneously in scope of DORA enforcement and behind the curve on PSD3 preparation. Treating these as separate compliance workstreams creates unnecessary duplication of effort and cost — a unified operational resilience platform addresses both.

5. Strong Customer Authentication Evolution

PSD3 refines the SCA framework established under PSD2, adjusting exemption thresholds and expanding the circumstances under which transaction risk analysis (TRA) can replace full SCA. For payment firms that have invested in AI-powered transaction risk scoring, this represents a commercial opportunity — higher TRA exemption rates translate directly into lower customer friction and higher conversion, particularly for recurring and low-value payments.

DORA's ICT incident classification requirements apply to payment institutions from January 2025. The European Systemic Risk Board estimates that 60% of material ICT incidents at EU financial institutions remain unreported under existing frameworks — a compliance gap that PSD3 supervisors will be examining.¹⁶

Source: ESRB, 2024; EBA DORA Guidelines 2024¹⁶

III. The FINREP/COREP Dimension

For EU-licensed credit institutions and payment groups that hold a banking licence, FINREP and COREP reporting obligations to the ECB and EBA represent a significant ongoing compliance burden, with reporting templates subject to regular revision.¹⁷ Payment institutions operating under standalone PI licences face lighter direct reporting obligations, though PSD3 progressively strengthens the supervisory data requirements applicable to all PSPs.

The intersection of PSD3, DORA, FINREP, and COREP creates a regulatory data management challenge that is increasingly difficult to address with disconnected compliance tools. Firms investing in unified regulatory reporting infrastructure now — where a single data model feeds multiple regulatory outputs — will find each successive regulatory change significantly less disruptive than firms managing each framework separately.

IV. The First-Mover Commercial Case

In most regulated markets, compliance is framed as a cost of operation. In the EU payments market, it has become a competitive differentiator. Enterprise clients — particularly those with treasury, procurement, and HR system integration requirements — are selecting payment platform partners partly on the basis of regulatory credibility. A firm that can demonstrate PSD3 compliance readiness ahead of enforcement dates is differentiated in procurement processes, more attractive to institutional investors, and exposed to lower legal and operational risk than competitors still reactive to regulatory change.

360 Fintech AI's European compliance module is being developed in parallel with PSD3 finalisation. The platform already generates FINREP and COREP data outputs directly from operational data, monitors DORA ICT risk indicators in real time, and will incorporate a PSD3 compliance framework module aligned with the final text upon enactment.

For a PSD3 readiness gap analysis, contact europe@360fintech.ai.
