The EU has for some time been working on updating its regulation of the payments sector, planning to issue a revised directive and to introduce a bloc-wide payment services regulation.
The plan is for the Payments Services Regulation (PSR) and the updated Payments Services Directive (PSD3) to operate in lockstep and build on the existing framework.
The broad goals of the updated regime are to modernise and strengthen existing provisions, and in particular to increase consumer protection and more effectively enable open banking in the bloc.
The changes could massively affect the ways banks and non-bank payment service providers (PSPs) operate in the EU, particularly in key areas such as safeguarding of client funds, strong customer authentication (SCA), and rights and obligations.
Progress has been somewhat slow, and the precise timeline remains unclear.
However, in June 2025, as covered by Vixio, the member states agreed their position on the updates to the payment services regime, paving the way for negotiations with the European Parliament and marking a significant step on the path to implementation.
A final version of the framework is expected to be adopted and published by the end of 2025, unless unforeseen delays arise, and from that point, member states will have 18 months to transpose PSD3 into national law.
The bigger picture
The European Commission originally issued a legislative package aimed at modernising and streamlining the EU’s retail payments framework in June 2023.
PSD2 came into force in 2018 and was reviewed in 2021, so was due for an update, and the combination of an updated PSD and a new PSR represents a restructured format for the regime.
The addition of the regulation is intended to reduce fragmentation, given that, unlike directives, regulations are directly applicable in all EU countries without the need for national transposition.
The new European regime has similar objectives to the UK’s post-Brexit revisions of its own payments services regulations, which also build upon the existing PSD2 framework, but seek to reinforce certain areas.
For example, the UK Payment Systems Regulator’s rules on authorised push payment (APP) fraud reimbursement, introduced in October 2024, go well beyond what was previously in place.
They include a cap on reimbursement of £85,000, split 50/50 between the sending and receiving PSPs.
The proposals for the EU’s new framework have a narrower scope, limiting mandatory reimbursement to impersonation scams, but they nevertheless aim to provide more expansive anti-fraud protections for consumers making payments in the bloc.
On open banking, meanwhile, the UK is shifting oversight from the Open Banking Implementation Entity (OBIE) to a Future Entity, which will involve stronger governance.
The goal is to extend open banking into open finance, which is a similar objective to what the EU is trying to achieve with PSD3.
Another area of overlap is that both jurisdictions seem to be interested in bringing social media and telecommunications firms within their fraud regimes.
The European Parliament favours making such organisations accountable for fraud originating on their platforms, and earlier this year a UK legislator warned that unless social media companies take fraudulent payments more seriously, they face being regulated.
Why should you care?
The updated regulatory framework for the payment services industry in the EU will have a significant impact on firms operating in this space.
The aims of implementing fresh approaches to tackling fraud, promoting open banking and ensuring financial inclusion will require organisations to change their approaches in a number of respects.
In addition, the goal of levelling the playing field for banks and fintechs by giving non-bank financial institutions greater access to existing payments systems should accelerate the digital transition, which will have a substantial impact on both incumbents and challengers.
Finally, the creation of the PSR should promote a more standardised environment across the EU. By removing the need for national transposition, the regulation will increase harmonisation and make working in multiple jurisdictions more straightforward.
Firms may find that they need to adapt their practices in the following areas:
- Safeguarding of funds – Firms could have to diversify their safeguarding methods to reduce concentration risk, as well as enhance reconciliation, segregation and risk management frameworks.
- Calculation of own funds – Payment institutions should prepare for Method B (calculating own funds based on a percentage of monthly payment volume) to be the default, unless regulators specify otherwise.
- SCA – PSPs should expect to be required to tighten their SCA protocols, focusing more on consumer outcomes in a similar way to the Consumer Duty in the UK.
- Limited network exemption – Firms relying on the exclusion must prepare to prove compliance or otherwise risk additional regulatory burdens.
- Commercial agent exclusion – Online marketplaces that process payments between buyers and merchants may no longer qualify for the exclusion, so would need a payment institution or electronic money licence, increasing their compliance costs and regulatory obligations.
- Open banking interfaces – PSPs will need to upgrade their dedicated access interfaces to meet stricter security, performance and availability standards.
- Rights and obligations – PSPs will have to enhance their APIs to ensure seamless, secure communication with third-party providers (TPPs), and banks will need to implement real-time dashboards for user data control, establish clear fraud reporting mechanisms and eliminate barriers to data access.
- Competent authorities – Compliance teams at banks should be wary, as enforcement related to open banking, which has been rare outside the UK, could become more regular.
- Electronic Money Directive (EMD)/PSD merger – E-money firms based in the EU should assess their regulatory status, as they will be reclassified as payment institutions with specific e-money permissions unless changes come out of the trilogues.
PSPs should continue to monitor the progress of the negotiations between the EU institutions, as the final version of the new regime may be agreed during the second half of 2025.
Whatever shape that final version takes, it will profoundly affect the way regulated entities operate, and they should consider beginning their preparations now to avoid being overwhelmed by requirements as the implementation deadline, once set, approaches.