
PSD3 vs PSD2 Regulations: What New EU Directive Means for Payment Sector



Proposed back in 2015, PSD2 established ground rules for the payments industry. It introduced open banking and enabled third-party providers to collaborate effectively with traditional financial institutions. 

Nowadays, most everyday transaction processing, provision of banking services, and operation of fintech businesses in the EU and beyond its borders rely upon PSD2 concepts. However, in 2023, the European Commission was presented with a third payment services directive. Businesses now have to adapt to changes in the directive that will likely translate into actual laws in the near future.

In this article, you’ll discover more about the key changes of the newest payment directive, PSD3, compared to PSD2. You’ll also discover what to expect, as a banking or a non-bank business, from the upcoming legislation and what innovations to implement in the future to achieve PSD3 compliance.

What Is the PSD3 EU Directive?

PSD3 is a proposed update to the European Union’s second Payment Services Directive (PSD2) that provides rules for the authorization and supervision of non-bank payment service providers (PSPs) in the EU.

PSD3 aims to protect consumers’ rights and personal information while fostering healthy competitiveness in the digital payments sector. It’s expected to empower consumers to share their data and contribute to the development and distribution of financial products and services. Since PSD3 is a directive rather than a regulation, its rules need to be transposed into the national laws of the EU Member States, i.e., countries belonging to the European Union.

The list of key parties affected by the PSD3 proposal is shown in the infographic below:

As a banking or a non-banking business, you will be provided with additional opportunities as well as responsibilities and obligations under the legislation and toward your partners and your customers. The changes, modifications, and impacts that PSD3’s translation into laws will potentially bring are covered in the following sections:

PSD3 vs PSD2: Key Changes, Updates, and Impacts Expected

While PSD2 essentially transformed open banking, its implementation raised a number of issues. These include an inflexible open banking approach and a lack of regulation in customer data handling. Besides, traditional banks tended not to meet requirements to a full extent, often interfering with the provision of their banking services within third-party applications in the intended format, or simply not providing third-party access and refusing to participate in open banking operations.

PSD3 will cover a more extensive scope than PSD2. It aims to address issues with uneven rule implementation that encourage regulatory arbitrage. In general, PSD3 will concern all parties listed above and will be applicable to:

  • Transparency in the financial industry.
  • Liability of all parties involved in interactions within the payment landscape.
  • Open banking.
  • Strong Customer Authentication (SCA).
  • Operation of payment systems and data handling within them.
  • Handling of account information.

Because PSD3 provisions will be translated into the actual laws of every European country separately, the requirements set for all parties involved may vary.

PSD3 Directive in the Context of Open Banking

Open banking regulation, which emerged from PSD2, is expected to be modified by changes introduced by PSD3.

You can discover more about open banking integrations in another of our blog posts.

The major changes to European open banking regulation proposed by PSD3 include:

  • Removed obstacles to providing open banking services and increased uptime for banking and financial services.
  • Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will have the authorization to create personalized interfaces for connections with banking service providers.
  • Banks and other e-money institutions will be obligated to share more information about API performance by providing quarterly updates.
  • In case of financial institution downtime, banks need to allow PISPs and AISPs to use their own banking interfaces to prevent downtime.
  • Banks are required to provide customers with a permission dashboard to monitor and manage permissions granted to AISPs.
  • Non-bank PSPs will have access to all EU payment systems while implementing necessary safeguards and ensuring their right to hold bank accounts.
  • Granting consumers more control over their financial data access permissions.
  • Empowering national competent authorities with more robust enforcement powers and facilitating the implementation of clarified rules.

In essence, PSD3 is intended to make it easier for businesses aiming to integrate open banking to request, provide, and maintain related innovative services. It is also expected to grant customers more control over the data handled by the parties involved.

PSD3’s Impact on the Strong Customer Authentication (SCA) Requirements 

#1 Enhanced data sharing for monitoring

Businesses using open banking and banking APIs will be obligated to share additional data with API issuers, i.e., payment institutions they partner with. Data types include:

  • User location.
  • Transaction time.
  • Devices used.
  • Spending habits.
  • Transaction history.
  • Session data.
  • Device IP.

The information will be used for fraud prevention in regular and cross-border payments and for better determining which transactions to approve and which to decline. As a result, businesses will need to modify, both technologically and procedurally, the way they collaborate with financial institutions.

#2 Payment fraud liability shift

Under PSD3, schemes and technical third-party providers, such as companies offering digital wallets or digital infrastructure, will now be liable for fraud if they fail to apply SCA.

Additionally, issuers will be liable for payment fraud in cases where a criminal utilizes a bank’s employee to force a user to authenticate a payment or acts fraudulently in any other way.

#3 Flexible authentication categories

While PSD2 required two of three authentication factors to be used (knowledge, possession, or inherence), PSD3 allows the use of two factors from the same category. For example, users can now have two passwords for two-step authentication instead of being obligated to have a password and undergo either biometric, email, or phone number authentication.

#4 Exemptions from SCA

Merchant-initiated transactions (MITs) and card-based mail orders and telephone orders, also called MOTO transactions, are now exempt from SCA. It means that only the first transaction of, for example, a merchant-initiated subscription will have to be SCA authenticated, easing the procedure for authenticating recurring digital payments.

#5 SCA accessibility enhancement

SCA methods must now include ways of authenticating that don’t rely solely on smartphone access, for vulnerable customers such as the elderly or people with disabilities.

Basically, the new SCA provisions are focused on reducing the boundaries and inflexibilities that users currently experience when making purchases online. They are also focused on open banking PSD compliance and embedded finance facilitation. Allowing customers to use the modified authentication methods will require additional mobile app development updates.

Summing Up: PSD2 vs PSD3 Key Legislation Changes Applicable to Businesses

For banking service providers, the changes introduced by PSD3 compared to PSD2 result in the following:

  1. Liability to receive additional customer data from non-banking businesses in your API network in a secure way to enhance transaction processing by improving approval rates and minimizing fraud.
  2. Liability to provide PISPs and AISPs in your API network with means to create their custom API data access interfaces to rely on in case of your API downtime.
  3. Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
  4. Liability to tighten access to payment systems and account information.
  5. Fraud liability if your employees or other resources and mechanisms are used to force a user to authenticate a payment.

In turn, for startups and non-finance organizations, the changes introduced by PSD3 compared to PSD2 result in the following:

  1. Required modification of authentication methods offered by your digital applications so they can support flexible SCA.
  2. Possibility and the right to create your custom open banking API and banking API interfaces. 
  3. Liability to maintain your custom API interface and use it in case of your banking service provider’s API interface downtime.
  4. Required provision of customer financial data to your banking service provider.
  5. When setting up recurring methods like subscriptions, you now have to authenticate only the first transaction. 

These are the key changes as of 2024, which will likely take effect in one form or another in two to three years. To be able to respond to these changes, both banking and non-banking businesses, as well as startups and providers of digital infrastructure, will need to make software updates to their digital products and modify procedures and protocols. 

When Will PSD3 Become a Law and What to Expect In 2024 and Beyond?

Considering that it took PSD2 three years to become active as a law back in 2018, after its proposal in 2015, we can expect PSD3, proposed in June 2023, to be released approximately in 2026. Basically, it means that companies have about two years to prepare to comply with the EU laws that emerge from PSD3.

Quick reminder: penalties for non-compliance with PSD2 regulations can amount to up to 4% of annual returns. The same will probably apply to PSD3 non-compliance cases.

Aside from the technical and procedural modifications detailed above, changes in the regulatory landscape that businesses should expect once PSD3 is transposed into actual legislation are:

  1. Stricter data security regulations and requirements toward more open sharing of banking information.
  2. Stricter requirements for authentication technologies in place.
  3. Tighter collaboration of electronic money institutions with fintech companies and other providers aiming to adopt banking services in their software solutions.
  4. Enhancement of cross-border payment partnerships and related efficient payment processes.
  5. Additional security measures focused on financial fraud detection and prevention.

One of the key ways to prepare for PSD3 is to start strategizing for the development of fintech software or updating your existing digital product so it will meet upcoming regulatory standards and requirements. 

Final Take

Basically, PSD3 came out as an extension to PSD2. It broadens the rights of customers to control their data sharing and authenticate in their preferred ways, empowers businesses to create and use their custom API interfaces, and obligates banks to use additional information about customers to provide them with better banking services. Besides, PSD3 introduced stricter provisions about customer data security and authentication protocols to make the digital environment safer for end users.

If you strategize for future PSD3 compliance, you’ll need a fintech service provider to back you up from the technical perspective. Don’t hesitate to contact expert business analysts and engineers from DashDevs. We are ready, willing, and able to help you meet ever-evolving demands in the payment services industry. 

What is PSD3?
PSD3 refers to the third iteration of the Payment Services Directive, a regulatory framework for payment services in the European Union. It provides additional requirements for businesses and financial institutions towards open banking, customer data handling, authentication, and transaction processing security.
Does PSD3 apply to the UK?
Since the UK has left the European Union, it is no longer directly bound by EU regulations, including PSD3. However, considering the international nature of the legislation, the UK, as well as other countries that are not part of the EU, will highly likely implement PSD3 provisions, as they did with PSD2, resulting in their local law called Payment Services Regulation (PSR). Besides, UK businesses serving citizens of EU countries will still be bound by PSD3 regulation as they have to comply with the norms and standards of the region their customers are from.
What is the difference between PSD2 and PSD3?
The difference between PSD2 and PSD3 lies in their regulatory scope and features, with PSD3 offering updated rules focused on open banking, collaboration of non-banking businesses and payment institutions, and enhanced consumer data protection.
What to expect from PSD3?
As a business, you should have higher expectations towards digital payment security, tighter regulations on emerging financial services in the EU, and higher involvement of business in open banking integrations.
What is the PSD3 in Europe?
PSD3 in Europe is a legislative proposal aimed at further regulating payment services, improving upon the existing PSD2 framework for better financial security and innovation.
Will PSD3 affect international money transfers?
PSD3 may influence international money transfers by imposing stricter regulatory controls and transparency requirements on cross-border transactions.
How does PSD3 impact online banking in the EU?
PSD3 will likely introduce stricter security protocols and more user-friendly processes for online banking in the European Union. Details on actual laws applicable in that regard will be available once they are accepted by every EU member state.
When will PSD3 become effective?
Considering that it took PSD2 about three years from a proposal to actual legislation, provisions of PSD3 will be translated into regulations, requirements, and standards closer to 2026.