PSD3: Advancing payment security and innovation.
Seven years after the Payment Services Directive 2 (PSD2) transformed Ireland's payment landscape, the European Union is poised to introduce PSD3 and the Payment Services Regulation (PSR) in 2026. This new framework aims to tackle emerging fraud challenges and propel the EU's payment agenda forward. PSD3 will support initiatives like real-time payment authentication (SEPA Instant) and phase out manual card entry, while aligning with recent regulations such as GDPR, DORA, MiCA, and the EU AI Act. As the payments sector evolves, PSD3 promises to strike a balance between enhanced security and continued innovation, addressing stakeholder concerns and paving the way for a more robust, integrated European payment ecosystem and in this first part of our two-part PSD3 series, we delve into these topics and more.
The PSD3 imperative
PSD2 has undeniably transformed the European payments landscape, creating a safer, more competitive and innovative ecosystem. Key achievements include:
1. Third-party provider (TPP) growth
The number of licensed TPPs has surged to over 500 across the EU by 2023, fostering competition and driving innovation in the financial sector.
2. Open banking expansion
Open banking has flourished, with countries like Germany, Sweden and the Netherlands experiencing significant growth in adoption. This surge is propelled by regulatory support and increasing consumer demand for innovative financial solutions.
3. Enhanced security measures
The introduction of Strong Customer Authentication (SCA) has yielded tangible results in fraud reduction. The European Central Bank reported a 17% drop in card fraud within the first year of SCA implementation.
4. Strengthened consumer protection
PSD2 bolstered consumer confidence by clarifying liability regimes and improving dispute resolution mechanisms, resulting in a more secure and trustworthy payments environment.
5. Market integration
The directive played a crucial role in integrating the EU payments market, streamlining cross-border transactions. Since PSD2's implementation, the average cost of cross-border payments within the EU has decreased by 20%.
These achievements underscore PSD2's success in laying the groundwork for a more integrated, secure and innovative European payment ecosystem. As the financial landscape continues to evolve, PSD3 emerges as a necessary next step to address new challenges and further enhance the payments sector.
Despite its successes, PSD2's implementation also introduced new challenges to the payments sector:
Complexity and compliance costs
The directive brought significant compliance costs and complexity for banks and payment service providers. Implementing requirements like SCA has been resource-intensive, particularly for smaller institutions.
Emerging security and fraud risks
While PSD2 aimed to enhance security, the increased connectivity and data sharing between banks and third-party providers introduced new vulnerabilities. Ensuring robust security measures and protecting customer data have become ongoing challenges, requiring constant vigilance and adaptation.
Market fragmentation and inconsistencies
Despite PSD2's goal of creating a unified payments market, inconsistencies in implementation across EU member states have led to fragmentation. This has resulted in regulatory arbitrage, where companies exploit differences in regulations across countries, potentially undermining the directive's harmonisation objectives.
User experience friction
The implementation of SCA, while improving security, has sometimes led to increased friction in the user experience, particularly for online transactions. Balancing security requirements with seamless customer experiences remains a challenge.
Limited scope for certain innovations
Some argue that PSD2's regulatory framework has not kept pace with rapid technological advancements, potentially limiting certain innovative payment solutions that fall outside its scope.
These challenges underscore the necessity for PSD3, which aims to build upon PSD2's foundations while addressing its shortcomings. The new directive places increased emphasis on electronic payments, reflecting their exponential growth since PSD2's introduction and the acceleration driven by the COVID-19 pandemic. To provide a comprehensive overview, we have analysed PSD3's components across four key areas: new aspects, growth and enhancement aspects, merging and streamlining aspects, and phasing out aspects. This structured approach allows for a clear understanding of how PSD3 intends to shape the future of European payments.
New in PSD3
| Verification of payee (VoP) | PSD3 introduces VoP functionality to verify the payee's name and account details before processing payments. This enhancement aims to reduce fraud and misdirected payments, improving overall transaction security. |
| Advanced data sharing and consent management | The directive implements real-time consent management requirements, empowering customers to control their data access more effectively. This feature enhances transparency and gives users greater autonomy over their financial information. |
| Payment Services Regulation (PSR) | Accompanying PSD3 is a new PSR, directly applicable to all EU member states. This ensures uniform implementation across the EU, addressing the inconsistencies experienced under PSD2. Unlike its predecessor, which required individual states to interpret and transpose directives into national laws, the PSR will provide a standardised framework, reducing fragmentation and regulatory arbitrage. |
Merging and streamlining in PSD3
Scope of directives
|
PSD3 consolidates and clarifies the regulatory scope, ensuring consistent application across all EU member states. This harmonisation addresses the fragmentation issues experienced under PSD2, creating a more unified European payments landscape. The directive also aligns with other relevant EU regulations such as GDPR, DORA, and MiCA, reducing regulatory overlap and potential conflicts. |
| Operational resilience | PSD3 introduces comprehensive requirements for operational resilience, ensuring PSPs have robust systems to handle disruptions. This includes mandating detailed business continuity plans, regular stress testing and enhanced cybersecurity measures. By streamlining these requirements, PSD3 aims to create a more resilient and secure payment ecosystem across the EU. |
Enhanced in PSD3
| Strong Customer Authentication (SCA) | PSD3 expands SCA beyond two-factor authentication to include biometric authentication, particularly for contactless payments. The directive provides more detailed guidelines on implementation, ensuring a balance between security and user experience. This enhancement aims to further reduce fraud while minimising transaction friction. |
| Open banking | PSD3 improves the accessibility and adoption of open banking by addressing data sharing challenges and enhancing the regulatory framework. It allows TPPs direct access to account information and payment initiation services, fostering innovation and competition. The directive also introduces standardised APIs and improved consent mechanisms to streamline the open banking ecosystem. |
| Consumer protection | PSD3 further strengthens consumer protection measures with stricter liability rules for unauthorised transactions and improved transparency in cross-border payments. It introduces clearer dispute resolution processes and enhances information requirements for payment service providers, ensuring consumers are better informed and protected throughout the payment journey. |
Phasing out in PSD3
| No more fragmentation | PSD3 addresses the regulatory fragmentation that existed under PSD2, where payment services were regulated by PSD2 and e-money services by the 2009 Electronic Money Directive (EMD). This distinction created a complex regulatory environment for providers offering both types of services. By consolidating these regulations, PSD3 simplifies the regulatory landscape, making it easier for service providers to navigate and comply with a single, comprehensive framework. |
| Unified licensing | Under PSD3, payment institutions and e-money institutions will be subject to a single set of licensing requirements. This unification eliminates the need for separate licenses for payment services and e-money services. The streamlined approach reduces administrative burdens, simplifies operations, and promotes a more efficient and competitive market. This unified licensing system also facilitates easier entry for new players into the payment services ecosystem, potentially fostering greater innovation and consumer choice. |
PSD3 aims to future-proof payments innovation and security by promoting the adoption of cutting-edge technologies, including real-time payments and advanced authentication methods. It also seeks to consolidate future payment agendas in the EU, aligning with card schemes' plans to phase out card numbers in favour of tokenisation and biometric authentication by 2030. This initiative focuses on safeguarding consumers against fraud and unauthorised transactions by eliminating card numbers and implementing robust authentication methods, thereby significantly reducing the risk of data breaches and identity theft.
Furthermore, PSD3 will interconnect and harmonise with other recent regulations such as the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Markets in Crypto Assets (MiCA), and the EU AI Act as they pertain to the payment ecosystem. This alignment ensures a cohesive regulatory framework that addresses the multifaceted challenges of the modern payment landscape.
Key actions businesses can take today
The forthcoming PSD3 is expected to have a broad and far-reaching impact on all stakeholders — financial institutions, PSPs, fintechs, TPPs, merchants, consumers and national regulators. Many anticipate that PSD3 will energise the payment ecosystem and further democratise payment acceptance in the EU. As merchants prioritise cost-effective methods like A2A payments, card payment volumes are likely to decrease significantly.
Across the payments value chain, ecosystem players and consumers should expect transformative impacts, including:
Banks and financial institutions: must adapt and update legacy systems for better data sharing and security. In addition, the ongoing effort to implement SEPA instant [See our last publication on SEPA for more] by October this year will provide further impetus for change in the payments space.
Non-bank payment service providers: gain better access to payment systems but face stricter regulations and enhanced supervision.
Consumers: benefit from hyper-dynamic payment methods, enhanced fraud prevention, expanded rights and improved transparency.
Retailers: more competitive payment acceptance options leveraging A2A, QR Codes, Payment tokens etc. as well as improved offering of cash services to consumers without requiring purchases.
As the anticipated release timeline for the PSD3 directive approaches, stakeholders can take the following immediate actions in preparation:
- Stay informed: keep up to date with the latest drafts and updates on PSD3 to understand the evolving regulatory landscape.
- Enhance security measures: review and strengthen security protocols to ensure compliance with enhanced security requirements.
- Audit data handling practices: evaluate and improve how customer data is managed and protected.
- Engage with regulators: maintain open communication with regulatory bodies to ensure alignment with compliance expectations.
Other actions to consider as you prepare for PSD3 include:
Invest in technology: potential upgrade of legacy systems to support new regulatory requirements (e.g. high-quality APIs for open banking).
Training and education: provide ongoing training for staff to ensure they understand and can implement and operationalise the PSD3 requirements effectively.
Collaborate with industry peers: engage in industry forums and working groups to share best practices and stay ahead of regulatory changes.
Develop a compliance roadmap: create a strategic plan outlining steps to achieve compliance, including timelines and resource allocation.
We’re here to help you
At PwC, we offer a unique set of skills and support, from regulatory advice provided by our dedicated payments team to full-scale technology solutions developed with our strategic alliance partners and technology practitioners. As you prepare for PSD3, we're here to support you every step of the way. Contact our team to discover how we can help you strategise and implement effective solutions for this new regulatory era.
Banking and Capital Markets
Keep pace with change and sustain your business.
Contact us
