PSR and PSD3 – An Overview of the Implications

Author

Romano Ramanti

Published

5 September 2024

Reading time

minutes

Required knowledge

  • Basic understanding of payment ­transactions
  • Knowledge of the PSD2 Directive and its objectives

In 2015, the EU Commission adopted and introduced the second Payment Services Directive EU 2015/2366 (PSD2). The aim was to regulate technical innovations in the retail payments market, the increasing number of electronic and mobile payments, and new payment services. 

Revision

As part of the 2020 work program, the Commission has presented a package of measures as the third priority under the title “An economy that works for people”.

This includes the revision of the existing PSD2 regulation. In its analysis, the Commission identified four fundamental problems in the market:

  • Customers are vulnerable to fraud and lack trust in payments.
  • The open banking sector functions incompletely.
  • The supervisory authorities of the EU member states have different powers and duties.
  •  There are unequal competitive conditions between banks and payment service providers outside the banking sector.

The following actions, among others, can help address the issues identified:   

  • Improving the use of strong customer authentication
  • Creating a legal basis for fraud information sharing
  • Mandatory fraud reporting to customers
  • Conditional waiver of liability for fraud on authorized push payments
  • Requiring payment service providers to improve strong customer authentication for people with disabilities
  • Requiring account-holding payment service providers to provide a dedicated data access interface
  • Introducing a “permissions dashboard” to allow users to manage the open banking access permissions granted to them
  • Transposing most of PSD2 into a directly applicable regulation to clarify unclear aspects of PSD
  • Integrating licensing regimes for payment and e-money institutions
  • Strengthening the rights of payment and e-money institutions to a bank account
  • Allowing payment and e-money institutions to participate directly in all payment systems, including those set up by member states under the Settlement Finality Directive (SFD).

This resulted in two proposals to revise the PSD2 Directive, which the Commission published on 28 June 2023: the Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). In a directive, the European Council specifies certain results to be achieved. It is up to the member states to decide how to transpose the directive into national law with regard to the results. A regulation, on the other hand, is directly applicable in the EU member states. This ensures harmonized implementation throughout the EU.

EEA states, such as Liechtenstein, must incorporate directives and regulations into the EEA Agreement. This is done via the EEA adoption procedure. The EEA Joint Committee, which consists of representatives of the EU and the EEA/EFTA states of Norway, Iceland, and Liechtenstein, examines the legal acts to be incorporated. Formal adoption takes place through the inclusion of the acts in the list of protocols and annexes to the EEA Agreement. After incorporation into the Agreement, the EEA/EFTA state concerned must implement the act into national law in accordance with national provisions. This is a formal process that only allows for technical adjustments. In Liechtenstein, this is the responsibility of the EEA Unit. In cooperation with experts from the Liechtenstein national administration and the ministries, the EEA Unit prepares biennial EEA Working Lists, which the government adopts in a government decree, together with the implementing measures and implementation schedules specified therein.

The development of the PSD Directive

Key Changes

Even before the revised PSD2, different EU member states had national regulations for payment and e-money institutions. However, these were not always consistent, leading to fragmentation and differing requirements. PSD3 aims to create a single legal framework. With PSD3, e-money institutions will be able to obtain authorization as payment service providers (PSPs) throughout the EU, making the Electronic Money Directive (EMD2) redundant. In addition, third parties will be able to overcome existing barriers to accessing customers’ bank accounts.

An important innovation is the verification of the IBAN and the name of the beneficiary for non-immediate transfers: The payer’s PSP must offer its customers a service to verify that the IBAN matches the beneficiary’s name as provided by the payer. The PSP may request this verification free of charge from the beneficiary’s PSP. If the IBAN and the name do not match, the PSP must inform the payer of the discrepancy. Instant payments are explicitly excluded from the verification of the beneficiary in PSD3, as this is already included in the new Instant Payment Regulation (IPR).

In order to strengthen customer confidence, the Commission has tightened the liability rules. If a PSP denies having authorized an executed payment transaction, the use of a payment instrument recorded by the PSP (e.g., a bank) alone is not sufficient to prove that the payer authorized the transaction or acted fraudulently or with gross negligence in breach of one or more of his obligations. The onus is on the PSP to prove that the payment service user acted fraudulently or with gross negligence. If they are unable to do so, they must refund the amount of the unauthorized payment transaction to the payer no later than 14 days after notification of the transaction. In addition, the Commission has extended the payer’s right to a refund in cases of fraud. Suppose someone pretends to be an employee of a PSP, using the employee’s name, e-mail address, or phone number, and induces the payer to authorize a fraudulent transaction. In this case, the PSP must compensate the loss in full, provided that the payer immediately reports the fraud to the police and notifies the PSP.

An electronic communications service provider is obliged to cooperate closely with PSPs. They must immediately take appropriate organizational and technical measures to ensure the security and confidentiality of communications. This also applies to the transmission of phone numbers and e-mail addresses. If the service provider does not remove the fraudulent or illegal content after becoming aware of it, they must reimburse the PSP for the full amount of the fraudulently authorized payment transaction, provided that the payer has immediately reported the fraud to the police.

PSPs may exchange the IBANs of their beneficiaries with each other if they have sufficient evidence of fraudulent payment transactions.

Schedule

On 23 April 2024, the European Parliament adopted the EU Commission’s proposals for PSD3 and the related PSR Regulation at the first reading.

Following the Council’s decision, expected this summer, the final versions could be available by the end of 2024. Member states will be granted a transitional period of 18 months, meaning that the regulation could come into force in 2026.

 

Romano Ramanti
Certified Ethical Hacker, Zürcher Kantonalbank

Find Out More

Artificial Intelligence: Payment Data that Makes the Difference

Focus

Artificial Intelligence: Payment Data that Makes the Difference

AI has become indispensable in everyday banking. High-quality payment data is critical for personalized experiences and efficient AI applications. Payment enrichment improves data quality and optimizes key processes.

8 July 2026

5 minutes
Dynamic Security for Card Data Protection

Experts

Dynamic Security for Card Data Protection

The PCI DSS 4.0 standard protects credit card data with enhanced security measures such as multi-factor authentication and risk-based approaches. These measures increase the security and transparency of payment transactions.

8 July 2026

4 minutes
Service Bureaus: Little-Known Key Players in Swiss Payments

Experts

Service Bureaus: Little-Known Key Players in Swiss Payments

Service bureaus have been central players in Swiss payments since the 1990s. They transmit payment orders and ensure data integrity. The SNB has published formal requirements to ensure security and efficiency.

8 July 2026

6 minutes
CBDC and Instant Payments: A Combination with Pitfalls

Panorama

CBDC and Instant Payments: A Combination with Pitfalls

Only one country operates both a CBDC and an instant payment system to increase financial inclusion and efficiency. However, different standards and technologies make interoperability difficult. Some countries are considering wholesale CBDCs instead.

8 July 2026

4 minutes
“Machine Beats Man” – True for Chess and Payments

Talk

“Machine Beats Man” – True for Chess and Payments

Helge Kraas, PPI AG, talks about artificial intelligence in payments. The focus will be on fraud detection, instant payments, e-invoices, Request to Pay, personalized financial services, regulation, financial crime and judicious AI decisions.

8 July 2026

9 minutes
"Security Is the Be-All and End-All"

Talk

"Security Is the Be-All and End-All"

Professor Thomas Ankenbrand of the Lucerne University emphasizes the importance of security in payment solutions. In a study, his team shows that eBill scores well in all eleven criteria examined. The closed system of eBill avoids media breaks and thus makes fraud more difficult.

5 December 2024

4 minutes