PSD3 is not just an update, but the evolution of trust in digital finance. Continuing the progress made by PSD2, the new regulation aims to further boost competition and consumer protection in electronic payments. It is also designed to empower consumers to securely share their data while gaining access to a wider range of affordable and innovative financial products and services.

The European Union estimates that electronic payments in the EU increased by over 30% between 2017 and 2021 (from €184.2 trillion to €240 trillion). COVID-19, along with new players within the payments market, such as open banking providers, has accelerated this growth by driving digital adoption and increasing demand for more flexible, secure, and convenient payment solutions.
In 2023, the EU unveiled its proposed framework for PSD3. What will change from PSD2 and how will this affect financial institutions? Let’s explore the changes the regulation will bring.


What is the PSD3 regulation?

PSD3, or the Payment Services Directive 3, is the latest update to the European Union's regulatory framework governing electronic payments. Building on its predecessors, PSD1 and PSD2, PSD3 aims to enhance the security, competition, and innovation within the EU’s payment services market.

The directive focuses on improving consumer protection by addressing emerging payment risks, ensuring stronger authentication mechanisms, and setting new standards for transparency in payment transactions.

A key component of PSD3 is its emphasis on the evolving role of third-party payment providers, such as fintech companies and open banking platforms. By enabling safer and more efficient data sharing between financial institutions, PSD3 aims to unlock greater access to affordable and innovative financial products and services for consumers.
The regulation also seeks to create a more competitive market by fostering collaboration between traditional banks and new entrants, thereby encouraging innovation while safeguarding security and trust in digital payments.


What is the difference between PSD2 and PSD3?

PSD3 introduces several key advancements over PSD2:

| PSD2 | PSD3 |
| --- | --- |
| Focused mainly on improving payment security, promoting innovation (especially through open banking), and enhancing consumer protection. | Expands on the foundations laid by PSD2, focusing not only on security and innovation but also on streamlining the regulatory framework. It aims to provide a more unified approach, particularly around data sharing, security, and consumer protection. |
| Introduced the concept of open banking, which allowed third-party providers to access consumer payment data with their consent to offer more tailored financial services. | Strengthens and expands the open banking framework. It focuses on giving consumers greater control over their data and ensures that third-party providers can access this data more seamlessly. |
| Introduced strong customer authentication (SCA) to reduce fraud and improve security in digital payments. | Builds on PSD2's security measures, introducing even stricter requirements for securing digital payments and reducing fraud. |
| PSD2 introduced complexities and inconsistencies in the regulatory environment, particularly in terms of enforcement across different EU Member States. | Aims to simplify and harmonize the regulatory environment by providing clearer guidelines for implementation and enforcement. It seeks to create a more consistent approach across all EU countries. |


What are the key changes of the PSD3 directive?

The 5 key changes of PSD3:

Enhanced Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a security protocol that requires consumers to provide at least two forms of identification from different categories—something they know, have, or are—during payment transactions to reduce fraud. The European Commission found it to be one of the most successful components of PSD2.

The new regulation expands on the old requirements by:

  • Providing clearer guidelines on when transactions may be exempt from SCA

  • Mandating SCA for mobile wallet registrations

  • Ensuring that payment service providers offer SCA options that incorporate multiple technologies, improving accessibility for all users, including elderly and low-income individuals.

Spoofing Prevention

Spoofing is a fraud tactic in which a person or system disguises itself as a trusted source to gain unauthorized access to data, systems, or communications.

As PSD2 did not include strong enough protection against spoofing, PSD3 will:

  • Mandate that banks confirm the consistency between the recipient’s name and their IBAN for every credit transfer

  • Enhance systems that track transactions to detect suspicious or irregular payment behavior

  • Establish legal guidelines that allow payment providers to exchange information related to fraud and active scam operations

  • Oblige payment providers to deliver comprehensive fraud awareness training to both employees and customers

Fair Competition

The absence of robust regulations ensuring fair competition often restricted the ability of non-bank payment service providers (such as e-money institutions) to access essential banking services and key payment infrastructure.

PSD3 will require financial institutions to provide strong justification for refusing services to non-bank payment providers. This will be done by:

  • Granting non-bank PSPs the right to appeal service refusals or account closures to their national regulatory authority

  • Introducing greater oversight to ensure that denial of access is not arbitrary or anti-competitive

  • Creating mechanisms that promote transparency and accountability in decisions made by banks regarding service provision

  • Supporting a more balanced financial ecosystem by enabling non-bank PSPs to compete fairly with traditional banking institutions

Cash Withdrawals

Through PSD3, the European Commission aims to expand consumer access to cash by simplifying the process for both retailers and ATM operators to offer withdrawal services. PSD2 permits some ATM operators, specifically those not managing payment accounts, to function without obtaining a license. As this exemption remains relatively unknown within the industry, PSD3 aims to clarify these rules to boost the presence of ATMs across the EU, especially in underserved or remote regions with limited cash access.
PSD3 will require payment service providers to clearly inform users about the fees applied by all ATM operators within their respective Member States. PSD3 also plans to revise the cash-back rules, allowing shops to offer cash withdrawals independently of any sale.

This means customers will be able to walk in and withdraw money using their payment card or digital wallet without having to buy anything. To ensure balance with ATM services and protect merchants’ available cash, limitations—such as a €50 maximum per transaction—will still apply.

Open Banking

Building on the foundation laid by PSD2, PSD3 will further develop the concept of “open banking,” allowing third-party providers to access a customer’s banking and payment account data with their consent. This will enable the delivery of services like spending insights, budgeting assistance, and personalized financial product offerings.

PSD3 is set to implement the following key updates to open banking requirements:

  • Eliminating the need for banks to operate two separate data access interfaces, making the “fallback” interface unnecessary.

  • Mandating that banks and payment account providers offer a consumer dashboard, enabling users to view which companies have access to their data and easily manage or revoke permissions when desired.










How can financial institutions prepare for PSD3?

Once PSD3 is finalized and enacted, financial institutions will need to start aligning their operations with the new requirements.

Below are five ways they can do this:

  1. Conduct impact assessments: perform a thorough analysis to identify how PSD3 will impact operations, services, and customer experience, and use the insights to adjust strategies for offering new products and services.

  2. Review and update compliance frameworks: ensure that internal policies and procedures align with PSD3’s new requirements, such as enhanced data sharing, stronger customer authentication, and clearer fee disclosures.

  3. Collaborate with third-party providers: strengthen partnerships with third-party service providers (TPPs) and ensure their services comply with PSD3's updated data-sharing and security requirements.

  4. Focus on consumer transparency: implement tools that allow customers to easily view and manage their data access, as well as provide clear information on fees and exchange rates for cross-border transactions.

  5. Hire consultants: engaging with consultants who specialize in regulatory compliance can help financial institutions navigate the complexities of the new regulations, ensuring a smoother transition and minimizing the risk of non-compliance.



When will PSD3 come into effect?

PSD3 is currently in draft form, but once adopted, it will take effect 20 days after publication, with EU Member States given 18 months to implement the directive into their national laws.
This schedule indicates that PSD3 may be implemented by 2026. However, these dates are provisional and may be adjusted during the legislative process.
Financial institutions and stakeholders should monitor official EU updates and industry announcements to ensure they remain compliant with the upcoming regulations.
At Pideeco, our team of seasoned consultants combines legal insight with hands-on industry experience to help financial institutions align with PSD3 requirements efficiently and effectively. Whether it’s conducting gap analyses, optimizing compliance frameworks, or implementing robust risk controls, we provide tailored solutions that turn regulatory challenges into strategic advantages. Don't hesitate to get in touch!
Stefano Siggia, Senior Consultant, Pideeco Network Partner