PSD3 news

The EU is replacing the Payment Services Directive 2 (PSD2) with a new two-part framework. Here’s what’s changing, why it matters, and what financial services firms need to do next.

Key Takeaways 

  • The EU is replacing PSD2 with a dual package: the Payment Services Regulation (PSR) and the Payment Services Directive 3 (PSD3). 
  • Strong Customer Authentication can now be satisfied with biometric checks alone 
  • Fraud prevention to become binding law 
  • Impersonation fraud liability to shift to Payment Service Providers (PSPs) 

Commonly known as the European Union’s payments rulebook, PSD2 introduced Strong Customer Authentication and laid the groundwork for open banking, but, as of June 2026, has ultimately served its purpose. 

Unfortunately, much like with each iteration of the Anti-Money Laundering Directive, EU Member States invariably transposed PSD2 requirements differently, leading to a fragmented landscape of SCA interpretations, inconsistent consumer protections, and uneven enforcement. 

Thankfully, that era is ending. 

The EU is replacing PSD2 with a dual package: the Payment Services Regulation (PSR) and PSD3. Publication in the Official Journal is expected by the end of Q2 2026. Member states will then have a maximum of 21 months to implement the changes into national laws. 

With the Compliance Clock already ticking for all manner of regulatory reasons, including eIDAS 2.0 and the Anti-Money Laundering Regulation (AMLR), financial services need to start preparing now. 

PSD3 News: What is the Difference Between PSR and PSD3?

The new package splits the framework into a regulation and a directive: 

  • PSR (Regulation) covers the operational rules, including SCA, fraud prevention, IBAN/name verification, open banking and transparency. As a regulation, it will apply to every Member State the moment it enters into force. No interpretations or divergence. 
  • PSD3 (Directive) covers the institutional framework, which means the licensing, authorisation, supervision and access to payment systems. Here, Member States will have the flexibility to integrate these provisions into their existing supervisory structures. 

PSD3’s Top 5 Changes for Financial Services.

1. SCA Gets Biometrics Exception 

While the main SCA rule will remain unchanged (authentication must use two elements from different categories, such as something you know, something you possess, something you are), PSR introduces one new exception. 

Now, payment service providers may satisfy SCA using two elements from the inherence category, in other words, biometrics alone. 

In practice, this could mean facial recognition combined with voice recognition, or facial recognition combined with behavioural biometrics. What it does not mean is two passwords or two devices. 

“The European Banking Authority (EBA) will develop guidelines within 18 months of the PSR entering into force to define the specifics, in particular what ‘independence of elements’ means in practice. But for financial services firms — and for their customers — the direction of travel is clear: biometric-only authentication is coming very soon.” 

Liudmyla Rabchynska, Director of Global and Regulatory Affairs at IDnow.

The EU Digital Identity Wallet also fits naturally within this framework. A wallet-held credential (possession) combined with a biometric unlock (inherence) satisfies the standard two-category requirement. 

2. The EUDI Wallet Becomes Mandatory for Payment Services

Under eIDAS 2.0, payment service providers are obliged to accept the EU Digital Identity Wallet to support SCA for online account login and transaction initiation. The PSR operationalises this obligation through EBA technical standards (Article 89) and confirms the cross-regulatory link in Recital 111. 

Sounds complicated, but what this means is simple: every payment services provider (PSP) in the EU must integrate EUDI Wallet acceptance into its authentication flows. Not as an option. Not as a nice-to-have but as a legal requirement. 

For consumers, this is transformative. The EUDI Wallet will allow them to authenticate securely across any payment service — in any Member State — using a single, trusted digital identity. For PSPs, the integration deadline will be set by the EBA’s RTS, but the obligation itself is not in doubt.

Check out our blog, ‘The EUDI Wallet Explained: Everything Banks Need to Know Before 2027.’

3. IBAN Name Verification Extends to all Credit Transfers 

Until now, the obligation to verify that a payee’s name matches their IBAN applied only to instant credit transfers in euros under the Instant Payments Regulation.

PSR Article 50 changes this fundamentally. The Verification of Payee obligation is extended to all credit transfers, including non-euro transfers and those falling outside the scope of the SEPA framework. 

The mechanics are the same as under the Instant Payments Regulation: before executing a credit transfer, the sending PSP must check the payee’s name against the name registered to the destination account. If there is a mismatch, the payer must be notified before the transaction proceeds. 

For consumers, this is straightforward and means fewer misdirected payments and fewer successful authorised push payment fraud attempts. For PSPs, however, it is a significant infrastructure project. 

4. Fraud Prevention Becomes Binding Law

Under PSD2, fraud prevention obligations were largely ‘soft law’, comprising EBA guidelines and general SCA requirements. The PSR hardens these into explicit, binding obligations with explicit liability consequences. 

For example, PSR Article 83 requires PSPs to implement transaction monitoring mechanisms before executing a payment and before making funds available to the payee. When a PSP does not carry out such monitoring and the payer incurs financial damage, the PSP shall bear liability. 

“This closes a significant liability gap in the current framework. The receiving PSP is now squarely in scope, not just the sender. The message is clear: fraud prevention is no longer a matter of industry best practice. It is a legal obligation with liability attached,” said Liudmyla. 

PSR also introduces mandatory fraud information sharing between PSPs through structured arrangements.  

5. Impersonation Fraud Liability Shifts to PSPs 

Perhaps the most consumer-protective change in the entire package is PSR Article 59, which introduces a ‘refund right’ for impersonation fraud. Europe’s fastest-growing fraud type occurs when a consumer is manipulated by a third party pretending to be their own PSP. Here, fraudsters use communication channels attributed to that PSP (spoofed phone numbers, email domains, SMS sender IDs), to receive a fraudulent authorised payment transaction.  

With PSR, PSPs must now refund the consumer in full, if: 

  • The consumer was manipulated by someone impersonating their PSP 
  • The manipulation used communication channels attributed to the PSP 
  • The consumer notified their PSP without undue delay and reported the fraud to the police 
  • Refund must be made within 15 business days 

Crucially, the burden of proof now sits with the PSP, not the consumer, to demonstrate fraud or gross negligence if it wishes to withhold a refund. 

PSPs must also ensure they have “adequate prevention and robust technical safeguards in place” to prevent fraudsters replicating their communication channels in the first place.

PSR and PSD3 Timeline.

  • End of Q2 2026: Expected publication in the Official Journal 
  • Q4 2027 / Q1 2028: PSR applies (18 months after entry into force) 
  • Q2 / Q3 2028: PSD3 transposition deadline (24 months after entry into force) 
  • Q3 2028 / Q1 2029: VoP provisions apply (27 months after entry into force) 

Eighteen months from publication to application is not a long runway for the scale of infrastructure changes required. Firms that wait for the EBA’s RTS before beginning preparation will find themselves severely behind.

What PSD3 and PSR Mean for Financial Services.

For consumers, PSD3 and PSR will usher in a wave of changes to the user experience. For example, biometric-only authentication promises a frictionless payment experience and EUDI Wallet integration means a single, secure digital identity can be used across every payment service in Europe. What’s more, mandatory payee verification reduces the risk of misdirected or fraudulent payments, and the new impersonation fraud refund right provides meaningful protection against the fastest-growing fraud type in Europe.  

For banks, payment institutions, fintechs and neobanks, the Compliance Clock is ticking with each day that passes: SCA upgrades, EUDI Wallet integration, IBAN/name verification across all credit transfers, binding fraud monitoring with liability attached and mandatory fraud data sharing with GDPR-compliant governance. 

PSR and PSD3 represent the most comprehensive reform of European payment services law since PSD2 was adopted in 2015. 

Interested in how IDnow can support your PSR and PSD3 compliance journey? Contact our team.  

FAQs about PSD3

What is the difference between PSR and PSD3?

The EU’s new payments framework is split into two instruments. The Payment Services Regulation (PSR) is directly applicable across all EU Member States the moment it enters into force — covering operational rules such as Strong Customer Authentication, fraud prevention, IBAN/name verification, and open banking. PSD3 (the Directive) covers institutional matters — licensing, authorisation, and supervision — and gives Member States flexibility in how they transpose it into national law. Together, they replace PSD2. 

When does PSD3 come into force?

Publication in the EU’s Official Journal is expected by the end of Q2 2026. From that point, PSR will apply approximately 18 months later (Q4 2027 / Q1 2028), PSD3 must be transposed by Member States within 24 months (Q2/Q3 2028), and Verification of Payee provisions will apply 27 months after entry into force (Q3 2028 / Q1 2029).

What are the main changes to Strong Customer Authentication (SCA) under PSR?

The core SCA rule — requiring two elements from different categories (something you know, something you have, something you are) — remains unchanged. However, PSR introduces one significant new exception: payment service providers can now satisfy SCA using two elements from the inherence category alone, meaning biometrics-only authentication (e.g. facial recognition combined with voice recognition or behavioural biometrics) will be permitted. The EBA will publish guidelines within 18 months of PSR entering into force to define the specifics.

Will payment service providers be required to accept the EU Digital Identity Wallet?

Yes. Under PSR (operationalising eIDAS 2.0), every payment service provider in the EU will be legally required to accept the EUDI Wallet for Strong Customer Authentication — covering both online account login and transaction initiation. This is a mandatory obligation, not an optional integration. The EBA will set the precise technical standards and integration deadline via Regulatory Technical Standards.

What is Verification of Payee (VoP) and who does it apply to under PSR?

Verification of Payee (VoP) requires a sending payment service provider to check that a payee’s name matches the name registered to the destination IBAN before executing a credit transfer. If there is a mismatch, the payer must be notified before the transaction proceeds. Under PSR Article 50, this obligation — previously limited to instant euro credit transfers — is extended to all credit transfers, including non-euro and non-SEPA transactions.

Who is liable for impersonation fraud under the new rules?

Under PSR Article 59, if a consumer is manipulated by a fraudster impersonating their payment service provider — using spoofed phone numbers, email domains, or SMS sender IDs — the PSP must refund the consumer in full within 15 business days. The burden of proof shifts to the PSP: it must demonstrate fraud or gross negligence on the consumer’s part if it wishes to withhold a refund. PSPs must also have technical safeguards in place to prevent fraudsters replicating their communication channels.

What are PSPs’ fraud prevention obligations under PSR?

PSR hardens fraud prevention from soft-law guidelines into binding legal obligations. Under Article 83, PSPs are required to implement transaction monitoring mechanisms before executing a payment and before making funds available to the payee. Where a PSP fails to conduct such monitoring and a payer suffers financial loss, the PSP bears direct liability. PSR also mandates that PSPs share fraud data with one another through structured, GDPR-compliant arrangements.

How is PSD3 different from PSD2? 

PSD2 left significant room for inconsistent national transposition, creating a fragmented landscape of SCA interpretations and uneven consumer protections across the EU. PSD3 and PSR address this by: making key operational rules directly applicable (via the PSR regulation); introducing biometric-only SCA; mandating EUDI Wallet acceptance; extending Verification of Payee to all credit transfers; and creating binding fraud prevention obligations with explicit liability consequences — a significant upgrade on PSD2’s largely guidance-based approach. 

By Jody Houton
Senior PR & Content Manager at IDnow