PSD3
and the PSR
The Payment Services Directive 3 (PSD3) aims to harmonise the authorisation framework for Payment Institutions (PIs), which now also includes Electronic Money Institutions (EMIs). In parallel, the Payment Services Regulation (PSR) governs the rights and obligations of providers and users, while redefining transparency requirements regarding the information made available to service users.
Key Challenges
PSD3 builds on the foundations of PSD2 by focusing specifically on Payment Institutions (PIs) and Electronic Money Institutions (EMIs), raising requirements in terms of authorisation and supervisory standards, including:
-Mandatory authorisation to provide payment services (potentially through licences or registration);
-Verification of compliance and operational soundness of PIs and EMIs.
The PSR seeks to:
-Modernise and secure payment services (encouraging greater use of Open Banking for innovation and new services; combating fraud through enhanced data-sharing between payment service providers);
-Strengthen transparency, user rights, and access to personal data (aligning more closely with GDPR standards);
-Harmonise rules and practices (clarifying responsibilities and standardising sanctions);
-Improve the user experience while ensuring strong customer authentication (SCA), integrating authentication more smoothly into the purchasing journey and leveraging environmental and behavioural characteristics of the buyer;
-Guarantee access to strong customer authentication for specific groups (such as people with disabilities or elderly users), while introducing flexibility for certain transactions;
-Enhance market fairness by ensuring equal competitive conditions (improving access to EU payment systems) and encouraging data holders to provide high-quality interfaces.
Key Dates
The texts were published by the European Commission on 28 June 2023 and adopted by the European Parliament on 23 April 2024 .
-For PSD3, application will only take effect once the directive has been transposed into the national laws of EU Member States, expected around 2026–2027 .
-For the PSR, being a regulation, no transposition is required. Its implementation is defined directly within the text itself and is scheduled to apply 21 to 27 months (depending on the article) after its entry into force, broadly aligning with the PSD3 timeline.
Implications for Our Clients
Organisations will need to invest in upgrading and adapting their information systems in order to:
-Implement stricter authentication standards for most payments, while ensuring accessibility for all users;
-Strengthen user data protection and improve transparency;
-Enhance fraud prevention mechanisms (through stronger verification processes and inter-PSP communication);
-Facilitate access of non-bank PSPs to bank accounts, advancing Open Banking and granting customers greater control over their payment data.
The principal benefit for banks is the expected significant reduction in fraud. In France, during the first half of 2024, fraud accounted for €584.6 million (-1% vs 2023) across 3.9 million transactions (+12% vs 2023). Fraud is therefore increasing in volume, but less so in value, with card payments and, more recently, credit transfers being the most affected.
It is worth noting that since the introduction of strong customer authentication, **fraud by manipulation** has increased, representing around 30% of the total fraud value, although recent data suggests a downward trend. This improvement is attributed to progress in PSP scoring systems, clearer user journeys, and greater public awareness.
PSD3 and the PSR are therefore expected to further consolidate this positive trend.