An overview of PSD3 and the Payment Services Regulation, covering IBAN fraud checks, open banking changes, and new liability rules.
The European Commission published its proposals for PSD3 and the accompanying Payment Services Regulation (PSR) in June 2023. Together, they represent a significant rework of the payment services framework. Unlike PSD2, which was entirely a directive (requiring national transposition), PSR will be a directly applicable regulation across all EU member states. This means consistent rules everywhere, with no room for local interpretation.
If you operate a payment platform in Europe, you need to understand what is changing and start preparing.
PSD2 was a directive. Each EU member state transposed it into national law, creating 27 slightly different implementations. This caused headaches for payment platforms operating across borders: different licensing requirements, different interpretations of SCA exemptions, and inconsistent enforcement.
PSR changes this. The core payment rules will be a regulation, directly applicable in all member states. PSD3 remains a directive but covers only the licensing and authorization framework for payment institutions. The practical result: one set of rules for payment operations, one licensing framework that still allows national nuance.
One of the most impactful changes is mandatory IBAN-name verification for credit transfers. Before processing a transfer, the sending PSP must verify that the payee's name matches the IBAN. If there is a mismatch, the payer must be notified before the payment proceeds.
Implementation impact:
The SEPA Instant Credit Transfer Regulation (which runs in parallel) will make instant payments the default, and IBAN verification will apply to those too.
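A sketch of the pre-execution check described above, as an added example that is not taken from the regulation or from any PSP's API. The directory lookup, the outcome labels, the 0.85 similarity threshold and the payer-confirmation flag are assumptions of this example; the IBAN check is the standard ISO 13616 mod-97 test.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed directory standing in for the payee PSP's account records (assumption).
DIRECTORY = {
    "DE89370400440532013000": "Müller Maschinenbau GmbH",
    "GB82WEST12345698765432": "Jane Doe",
}
LEGAL_FORMS = {"gmbh", "ltd", "bv", "sa", "sarl", "ag"}

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97: move the first 4 chars to the end, map letters to 10..35."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def normalise(name: str) -> str:
    """Fold case and diacritics, drop punctuation and legal-form suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = "".join(c if c.isalnum() else " " for c in folded.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_FORMS)

def verify_payee(iban: str, entered_name: str, close_threshold: float = 0.85) -> str:
    """Return MATCH, CLOSE_MATCH, NO_MATCH or INVALID_IBAN (labels are this example's)."""
    key = iban.replace(" ", "").upper()
    if not iban_is_valid(key):
        return "INVALID_IBAN"
    holder = DIRECTORY.get(key)
    if holder is None:
        return "NO_MATCH"
    a, b = normalise(entered_name), normalise(holder)
    if a == b:
        return "MATCH"
    close = SequenceMatcher(None, a, b).ratio() >= close_threshold
    return "CLOSE_MATCH" if close else "NO_MATCH"

def submit_transfer(iban: str, name: str, payer_confirmed: bool = False) -> str:
    """Synchronous gate: anything but MATCH is held until the payer is told and confirms."""
    result = verify_payee(iban, name)
    if result == "INVALID_IBAN":
        return "REJECTED"
    if result != "MATCH" and not payer_confirmed:
        return f"HELD:{result}"
    return "EXECUTED"
```

The gate sits before execution so that a held transfer never reaches the clearing step; log the verification result with the payment so the decision can be evidenced later.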
PSD3/PSR strengthens the open banking framework in several ways:
Dedicated interface requirements. Banks must provide a dedicated API interface for third-party access. The option to fall back to screen scraping through customer-facing interfaces is being removed. This means better API quality, but also means AISPs and PISPs can no longer rely on screen scraping as a backup.
Dashboard for consent management. Banks will be required to provide customers with a dashboard showing which third parties have access to their account data, with the ability to revoke access. Your platform needs to handle revocation callbacks cleanly.
Permission granularity. Access permissions become more granular. Instead of blanket account access, customers can authorize specific accounts, specific data types, and specific time periods.
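One way a third-party provider could model granular consent and handle a bank's revocation callback, as an added example rather than any bank's actual API. The `Consent` fields, the callback payload keys (`event_id`, `consent_id`, `revoked_at`) and the return labels are hypothetical, and the callback is assumed to have been authenticated before it reaches this code.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Consent:
    consent_id: str
    tpp_id: str
    accounts: frozenset      # specific accounts the customer authorised
    data_types: frozenset    # e.g. {"balances", "transactions"}
    valid_from: datetime     # authorised time period
    valid_until: datetime
    revoked_at: Optional[datetime] = None

class ConsentStore:
    def __init__(self):
        self._consents = {}
        self._seen_events = set()   # processed callback ids, for idempotency

    def grant(self, consent: Consent) -> None:
        self._consents[consent.consent_id] = consent

    def is_allowed(self, consent_id, tpp_id, account, data_type, at) -> bool:
        """Deny by default: every dimension of the grant must cover the request."""
        c = self._consents.get(consent_id)
        return bool(
            c and c.tpp_id == tpp_id and c.revoked_at is None
            and account in c.accounts and data_type in c.data_types
            and c.valid_from <= at < c.valid_until
        )

    def handle_revocation(self, event: dict) -> str:
        """Apply a revocation callback once; retries and replays are no-ops."""
        if event["event_id"] in self._seen_events:
            return "duplicate"
        c = self._consents.get(event["consent_id"])
        if c is None:
            # Not recorded as seen, so a later retry is processed once the consent exists.
            return "unknown_consent"
        if c.revoked_at is None:
            c.revoked_at = event["revoked_at"]
        self._seen_events.add(event["event_id"])
        return "revoked"
```

Calling `is_allowed` on every data fetch, rather than once at token issue, is what makes a revocation take effect immediately.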
Extended liability for PSPs. If a PSP fails to apply IBAN-name verification and the customer falls victim to fraud, the PSP is liable. This creates a strong incentive to implement verification correctly.
Spoofing protection. PSR introduces specific provisions for impersonation fraud (where criminals pretend to be the bank). If a customer is tricked by spoofing that exploits the PSP's systems (e.g., caller ID spoofing from the bank's number), the PSP bears more responsibility.
Transaction monitoring requirements. PSPs must implement transaction monitoring systems that detect anomalous patterns and flag potential fraud before execution.
SCA requirements remain but with adjustments:
The legislative process is ongoing. Realistic timeline:
This gives payment platforms roughly 2-3 years to prepare, but some changes (like IBAN verification) may arrive sooner through parallel regulations.
Audit your open banking integrations. If you rely on screen scraping or fallback interfaces, plan your migration to dedicated APIs. This is the most urgent preparation item.
Design for IBAN verification. Map where credit transfers originate in your system and identify integration points for name verification services. Your SEPA processing pipeline needs a synchronous verification step.
Review your fraud monitoring. Assess whether your current transaction monitoring meets the emerging requirements. You will need to demonstrate that your systems detect and flag anomalous patterns.
Update your consent management. Build or extend your consent tracking to support granular permissions and revocation callbacks.
Watch the legislative timeline. The final text may differ from the current proposals. Follow the European Banking Authority (EBA) for technical standards that will specify implementation details.
Not everything changes. The fundamental PSD2 concepts remain:
The core architecture of your payment system likely does not need a rewrite. But the details of fraud prevention, open banking integration, and SEPA processing will need updates.
PSD3/PSR modernizes the European payment framework based on five years of PSD2 experience. The move from directive to regulation simplifies cross-border operations. Start preparing now for IBAN verification and open banking API migration, as these are the changes with the most technical impact.