EU overhauls payment rules with PSD3 and PSR to tighten security and open banking

Banks and fintechs face a seismic shift as the EU enforces high-performance APIs and tougher fraud rules. Will your transactions—and data—be safer now?

By Aarav Garg

The European Union's next major payments rulebook is moving closer to completion after lawmakers published final compromise texts for PSD3 and the Payment Services Regulation (PSR), bringing broad reforms for banks, FinTechs and payment providers a step nearer.

Publication of the final texts suggests political negotiations are now largely complete. The next steps are formal approval by the Council and the European Parliament, followed by publication in the EU Official Journal. The rules would then enter into force 20 days later.

Fraud prevention is one of the biggest areas of reform. The PSR introduces tougher transaction monitoring requirements, including real-time checks for instant payments. It also expands verification of payee rules, requiring firms to check that a recipient's name matches the account identifier before a transfer is sent, where other instant payment rules do not already apply.

Open banking rules are also being tightened. Banks and other account providers will generally need to maintain secure APIs for licensed third parties. Consumers are also set to receive clearer tools to manage, withdraw or restore consent for data sharing.

The package updates strong customer authentication rules as well, giving more clarity on when extra security checks are required, including for merchant-initiated payments. New accessibility measures are intended to ensure authentication methods do not depend only on smartphones and remain usable for vulnerable customers.

Under the new structure, PSD3 will cover licensing and supervision, while the PSR will contain conduct and operational rules that apply directly across EU member states. This is designed to reduce the national differences that developed under PSD2.

Existing payment institutions and e-money firms are expected to receive transition periods of up to 27 months, giving the sector time to update systems, controls and customer journeys.

Alexis Valdez, Head of Risk & Compliance at Mambu, commented, "What's really changing from PSD2 to PSD3 is the EU's tolerance for 'open banking in theory' where reliability and real-world usability were inconsistent. PSD3 is about operational resilience - performance, incident response, and accountability - and at that level, architecture matters. That's where PSD3 has real teeth: it forces the question of whether systems are built to work every time, safely, and at scale. Access alone hasn't delivered the consistent experience users expect. This gap won't close without infrastructure designed for operational resilience, not just connectivity. If PSD2 made open banking possible, PSD3 makes it enforceable. The industry has spent years celebrating access while quietly tolerating poor performance. That era is ending. Open finance won't be defined by who has an API; it will be defined by who can turn that API into a product people trust."