PSD2 — Directive (EU) 2015/2366 — has been the foundational EU regulation for payment services since January 2018. It brought Strong Customer Authentication (SCA), open banking rights for PISPs and AISPs, and a layer of consumer protection. After seven years the Commission saw the limits: authorised push payment fraud grew sharply, the open banking API ecosystem fragmented, and the line between e-money and payment institutions blurred. On 28 June 2023 the Commission proposed PSD3 + PSR. This article reads the transition from the perspective of a working PSP, EMI or fintech: what changes and which areas merit early preparation today.
Why Two Instruments?
The Commission deliberately split the package into two:
- PSD3 — Directive. Requires Member State transposition. Contents: payment institution authorisation, cooperation between national competent authorities.
- PSR — Regulation. Directly applicable. Contents: user protection, SCA, open finance, fee transparency, integration of EMD2.
This split addresses the biggest complaint about PSD2: as a directive, it was transposed differently across Member States, and the "EU-wide single market" cracked in practice. PSR's direct applicability closes that fragmentation.
Trilogue Process and Expected Timeline
As of May 2026 the PSD3 + PSR proposal is in trilogue between the European Parliament and the Council. Expected timeline:
| Stage | Expected Date |
|---|---|
| Trilogue completion | Late 2026 - mid 2027 |
| Official Journal publication | 2027 |
| PSR application date | 2028-2029 (18-30 months after publication) |
| PSD3 transposition deadline | 2028-2029 |
These dates are not certain — European regulatory processes routinely slip. Even so, today's PSD3 proposal is structurally stable enough to predict the direction of change.
Key Changes
1. EMD2 Integration
PSD3 + PSR repeals EMD2 (Directive 2009/110/EC). EMIs become "payment institutions issuing e-money," consolidated under PI status. The important EMD2 substance is preserved:
- €350k minimum capital for e-money-issuing PIs.
- 100% safeguarding, segregation method preferred.
- EU passporting right.
Operational impact for EMIs: one application, one licence type. Existing EMIs are expected to be automatically converted (a grandfathering clause is envisaged). For a deeper EMD2 analysis see our EMD2 E-Money Directive Explained article.
2. Mandatory IBAN-Name Matching
PSR Article 50 (Verification of Payee, VoP) makes IBAN-name matching mandatory for SEPA payments. The rule arrived first via the SEPA Instant Credit Transfer Regulation (2024/886); PSR generalises it to all PSPs. Practical flow:
- User enters IBAN + beneficiary name.
- PSP queries the recipient bank for IBAN-name verification.
- Response: match, close match or no match.
- PSP informs the user — and obtains explicit consent before completing the payment in case of no match.
The rule directly targets authorised push payment fraud (the user being misled into paying a deceptively similar IBAN). PSR also partially shifts fraud reimbursement obligations onto PSPs.
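The flow above, sketched as an added example (not code from PSR, the SEPA Instant Regulation or Legichain): a responding-side name comparison that yields the three outcomes, and a payer-side gate that holds the payment until the informed payer confirms. The similarity threshold, the ignored-title list and all function names are assumptions of this example.

```python
import difflib
import re
import unicodedata
from enum import Enum

class VopResult(Enum):
    MATCH = "match"
    CLOSE_MATCH = "close match"
    NO_MATCH = "no match"

# Assumptions of this example, not values taken from PSR or Regulation 2024/886.
CLOSE_MATCH_THRESHOLD = 0.85
IGNORED_TOKENS = {"mr", "mrs", "ms", "dr", "prof"}

def normalise(name: str) -> str:
    """Fold case, strip accents, punctuation and titles, and ignore word order."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", unaccented.casefold())
    return " ".join(sorted(t for t in tokens if t not in IGNORED_TOKENS))

def verify_payee(entered_name: str, account_holder_name: str) -> VopResult:
    """Responding-PSP side: compare the payer's input with the name on the account."""
    entered, held = normalise(entered_name), normalise(account_holder_name)
    if not entered or not held:
        return VopResult.NO_MATCH  # never treat a missing name as a match
    if entered == held:
        return VopResult.MATCH
    similarity = difflib.SequenceMatcher(None, entered, held).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return VopResult.CLOSE_MATCH
    return VopResult.NO_MATCH

def may_execute(result: VopResult, payer_confirmed: bool = False) -> bool:
    """Payer-PSP side: hold the payment until the informed payer explicitly confirms."""
    # The article requires consent for "no match"; also holding on "close match"
    # is a conservative assumption of this example.
    return result is VopResult.MATCH or payer_confirmed

if __name__ == "__main__":
    # Constructed sample pairs: (name typed by the payer, name held by the payee's PSP).
    samples = [("Dr. José García", "GARCIA JOSE"), ("Jon Smith", "John Smith"),
               ("Acme Supplies Ltd", "Marta Kowalska")]
    for typed, held in samples:
        result = verify_payee(typed, held)
        print(f"{typed!r} vs {held!r}: {result.value}, execute={may_execute(result)}")
```

Log the returned outcome and the payer's confirmation alongside the payment: under the proposed reimbursement regime, that record is the evidence that the check was performed.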
3. Open Banking to Open Finance
PSR extends API access rights beyond payment accounts:
- Account Information Services (AIS): already in PSD2; tighter SLAs under PSR, with less reliance on "screen scraping fallback."
- Payment Initiation Services (PIS): already in PSD2; under PSR a "no premium API" rule applies: PSPs must provide free APIs.
- Open finance data access: pursued in parallel via the separate FIDA (Financial Data Access) Regulation proposal — covering credit, insurance, investment and pension data.
In practice FIDA + PSR together move the EU from "open banking to open finance." PSPs will need additional API investment and third-party data-sharing agreements.
4. SCA Updates
SCA was the centrepiece of PSD2; under PSR:
- Accessibility: SCA must offer biometric-free alternatives (for elderly and disabled users).
- Bias correction: ML models must demonstrate parity across age, race and gender.
- Wallet providers: Apple Pay, Google Pay and similar wallets get a clearer SCA delegation framework — the wallet may technically discharge the PSP's SCA obligation.
5. Fraud Reimbursement
The new regime introduces partial PSP liability for authorised push payment fraud: if the PSP failed to perform IBAN-name matching or applied weak SCA, it reimburses the user's loss. This is close to the UK Payment Systems Regulator (PSR-UK) model.
6. Open Banking Access for CASPs
A notable provision in the PSR draft: CASPs and authorised crypto entities may obtain PISP status — i.e. they can use open banking APIs for crypto buy/sell flows. This may be the first concrete result of the MiCA + PSR intersection.
PSD2 vs PSD3 Comparison
| Topic | PSD2 (current) | PSD3 + PSR (proposed) |
|---|---|---|
| Legislative type | Directive (MS transposition) | Directive (PSD3) + Regulation (PSR) |
| E-money integration | EMD2 separate | EMD2 absorbed into PSR |
| IBAN-name matching | None | Mandatory |
| Fraud reimbursement | Limited | Partial PSP liability |
| Open banking API fees | Ambiguous | Free access mandated |
| Open finance | None | Parallel via FIDA |
| SCA exceptions | RTS-based | Extended accessibility |
| Wallet provider SCA | Unclear | Delegation framework |
A Preparation Checklist for a PSP/EMI Today
- IBAN-name matching integration. Already mandatory for SEPA Instant (from October 2025 for PSPs, October 2027 for PIs). PSD3 generalises this obligation.
- De-premium open banking APIs. PSR mandates free access — revise the revenue model now.
- Fraud monitoring + transaction-level risk scoring. PSP liability is rising; better fraud detection means lower reimbursement cost.
- Open finance API readiness. FIDA + PSR together will create a wider API ecosystem. Early prep buys time.
- EMD2 grandfathering plan. If you are an EMI, estimate the operational lift of the PSR transition (licence updates, new reporting formats).
- AML/KYC integration overhaul. PSR + AMLR (2027) apply concurrently — meeting both obligations through a single compliance technology layer creates scale economies.
Frequently Asked Questions
When does PSD3 actually apply?
As of May 2026 the proposal is still in trilogue. Expected timeline: trilogue completion late 2026 - mid 2027, Official Journal publication in 2027, PSR application 18-30 months after publication (2028-2029). These dates may slip.
When is PSD2 repealed?
PSD2 is repealed once PSR is published. In the transition, PSD2-issued licences are automatically carried over into the new regime (grandfathering). Detail will be set out in PSR's transitional provisions.
Isn't IBAN-name matching already mandatory under SEPA Instant?
Yes — the SEPA Instant Credit Transfer Regulation (2024/886) requires PSP-to-PSP IBAN-name verification from October 2025. PSR generalises this — to all SEPA Credit Transfers (not just instant) and all PSP segments. So if you are already SEPA-Instant-ready, the PSR lift is relatively small.
Will EMIs become a separate licence type under PSR?
No — the EMI as a separate licence disappears. The category becomes "payment institution issuing e-money." Existing EMI licences are expected to be grandfathered. The €350k minimum capital and safeguarding obligations are preserved.
Are crypto-asset service providers (CASPs) in scope of PSD3?
Primarily no: CASPs are covered by MiCA. However, if a CASP offers fiat payment services (e.g. card-funded crypto purchase, fiat on-ramp), that part may also require payment institution authorisation. PSR's proposal to open PISP status to CASPs clarifies this intersection.
How Legichain Helps with PSD3 Readiness
The PSD2-to-PSD3 transition means deeper, continuous control layers for PSPs and EMIs — IBAN-name matching, fraud monitoring, open finance integration all require compliance technology to be embedded more tightly. The Legichain AML screening API is designed to satisfy AMLD5/6 + the forthcoming AMLR + PSR user protection obligations through a single integration. Our PSP solution combines sanctions screening, fraud risk scoring and transaction monitoring; our e-money solution supports EMIs with PSR-ready safeguarding reporting and customer onboarding.
