The PSR and PSD3 move forward: What the EU's new payments framework means for regulated firms

EU RegCORE Client Alert | Banking Union

QuickTake

On 23 April 2026, the Council of the EU published an 'I' Item Note (dated 17 April 2026)Available here.Show Footnote inviting the Committee of Permanent Representatives (COREPER) to approve the final compromise texts of the draft Payment Services Regulation (PSR)Available here.Show Footnote and the Third Payment Services Directive (PSD3),Available here.Show Footnote paving the way for a second-reading agreement with the European Parliament. The headline points for regulated firms are summarised below in brief.

• What. The PSR and PSD3 will repeal and replace the (second) Payment Services Directive (Directive (EU) 2015/2366) (PSD2) and the (second) Electronic Money Directive (Directive 2009/110/EC) (EMD2), merging the regulatory regimes for payment services and electronic money into a single, directly applicable conduct-of-business regulation alongside a recast directive on authorisation, prudential supervision and safeguarding.
• When. Subject to formal adoption, both instruments will apply 21 months after entry into force, with the mandatory verification of payee (VoP)See coverage here.Show Footnote service applying from 27 months and existing EMIs benefitting from a 27-month transitional regime.
• Who. The framework will affect credit institutions, payment institutions (PIs), electronic money institutions (EMIs), account information service providers (AISPs), payment initiation service providers (PISPs), account servicing payment service providers (ASPSPs) and—for the first time—certain technical service providers, electronic communications providers, hosting service providers, mobile device manufacturers and operators of very large online platforms (VLOPs) and very large online search engines (VLOSEs).
• Three biggest changes. (i) a single, harmonised PI/EMI authorisation and safeguarding regime; (ii) a recalibrated fraud and liability framework, including a dedicated refund right for impersonation (“spoofing”) fraud, mandatory transaction monitoring on both payer and payee sides and the new VoP service and strict PSP liability for monitoring/VoP failures; (ii) a single, harmonised PI/EMI authorisation and safeguarding regime, eliminating the separate EMI track; and (iii) a deeper open banking regime with mandatory dedicated interfaces, data parity, a consent dashboard and a non-exhaustive list of prohibited obstacles.
• Immediate action. Firms should begin a structured gap analysis covering authorisation conditions, safeguarding arrangements, fraud controls, open banking interfaces, framework contracts and customer disclosures and should track the European Banking Authority (EBA)’s forthcoming regulatory and implementing technical standards (RTS and ITS)—most of which are due within 12 to 18 months of entry into force.

The PSR will be directly applicable in all Member States and will govern the conduct-of-business rules—including transparency, information requirements, the rights and obligations of payment service users (PSUs) and payment service providers (PSPs), open banking, fraud prevention, strong customer authentication (SCA) and enforcement. PSD3 will retain in directive form the rules on authorisation, prudential supervision, safeguarding (i.e. the protection of customer funds from the insolvency of the payment institution holding them) and passporting (i.e. the ability of a firm authorised in its home Member State to provide services across the EEA on the basis of that single licence), which by their nature require transposition into national law. Both instruments will apply 21 months after entry into force, with certain provisions, notably the VoP service, applying from 27 months and existing EMIs benefitting from a transitional regime of up to 27 months as mentioned above.

Together, the PSR and PSD3 will deliver the most far-reaching reform of the EU's payment services framework since PSD2 and EMD2, repealing and replacing both instruments and merging the regulatory regimes for payment services and electronic money into a single, unified framework. This Client Alert, which should be read in conjunction with our earlier alertAvailable here.Show Footnote as well as further coverage from PwC, analyses the Council’s final compromise texts of the PSR and PSD3, which remain subject to formal adoption and is current as at the date set out above. Non-EU firms offering in-scope payment services into the European Economic Area (EEA) will need to comply with the new framework once it applies.