PSD3 & PSR 2027: Roadmap for Credit and Payment institutions

Practical analyses, checklists and whitepapers for banks, payment institutions and FinTechs


PSD3 and PSR revolutionise European payments for all payment institutions, e-money institutions and banks from 2027 onwards. The European payments landscape is once again at a turning point. With the Payment Services Directive 2 (PSD2), key foundations such as Open Banking and Strong Customer Authentication (SCA) were introduced in 2018. In practice, however, implementation proved inconsistent:

Symbol für unterschiedliche rechtliche UmsetzungSymbol für technische SchnittstellenproblemeSymbol für steigende BetrugsrisikenSymbol für regulatorische Lücken bei neuen Technologien
  • Divergent interpretations across Member States
  • Technical issues with interfaces
  • Rising fraud cases despite SCA
  • Legal gaps in handling new technologies and business models

Against this backdrop, the European Commission has proposed the Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR). Unlike before, parts of the framework will now apply directly and uniformly as a Regulation across all Member States.

Symbol für VerbraucherschutzSymbol für BetrugspräventionSymbol für einheitliche StandardsSymbol für fairen Wettbewerb zwischen Banken und FinTechs
  • Enhanced consumer protection
  • Stronger fraud prevention
  • Harmonised standards for all institutions
  • Fair competition between banks and non-banks

PSD3 and PSR now establish a uniform legal framework that will shape the payments landscape until 2027 – institutions should start preparing early.

PSD3 and PSR: The New Foundation for Payment Institutions and Banks

Illustration eines klassischen Gebäudes mit zwei Säulen, die PSD3 und PSR darstellen, und einem EU-Symbol im Giebeldreieck – Sinnbild für den neuen europäischen Zahlungsverkehrsrahmen

With the third Payment Services Directive 3 (PSD3) and the new Payment Services Regulation (PSR), the European Union aims to place the European payments market on a future-proof foundation. Unlike PSD2, the EU is now adopting a dual structure:

  1. PSD3 is a Directive that primarily governs the licensing and supervision of payment and e-money institutions and must be transposed into national law.
  2. PSR is a directly applicable Regulation that sets operational rules such as technical requirements, transparency and security standards, uniformly across all Member States.

This marks a decisive step forward: national deviations and so-called “gold-plating” will largely be eliminated. Instead, a harmonised EU-wide framework will apply, creating fairer competition, fostering innovation and ensuring legal certainty.The reform package is not merely a response to the shortcomings of PSD2, but a fundamental realignment of the European payments market.

It clearly separates responsibilities between structure (Directive) and application (Regulation) – thereby strengthening the integrity of the Single Market.

Stronger consumer protection
Improved fraud prevention
New licensing requirements
Fair competition
Starke Kundenauthentifizierung für sichere Zahlungen

Stronger consumer protection (SCA & Transparency)

With PSD3 and PSR, the EU is tightening requirements on security and transparency in payments. The goal is to strengthen consumer trust and make digital payments even more secure.

Explanation:
Strong Customer Authentication (SCA) will be further expanded and refined. Specific exemptions will be more clearly regulated, and requirements for accessible authentication procedures will increase. In addition, payment service providers will be required to provide more detailed information – for example on fees, currency conversions or payees.Stricter rules will also apply to pre-authorisations, such as at petrol stations or hotels, where blocked amounts will now be subject to clearer release requirements.

Action Required:

  • Review SCA processes and exemption rules
  • Adapt information obligations in customer communication and contracts
  • Implement monitoring of release processes for pre-authorisations
Betrugsprävention durch Prüfung und Warnhinweise

Improved fraud prevention

PSD3 addresses modern fraud schemes such as spoofing and social engineering much more rigorously. Institutions must implement new control mechanisms and collaborate more closely.

Explanation:
A central element is the mandatory verification of IBAN and beneficiary name in transfers to prevent manipulation. Institutions will also be required to enhance transaction monitoring and report anomalies at an early stage.The exchange of fraud data between payment service providers will be reinforced by regulation. In parallel, institutions will face greater obligations for customer education and staff training in fraud awareness.

Action Required:

  • Integrate IBAN name checks into payment processes
  • Expand real-time fraud detection systems
  • Establish customer and employee awareness programmes on fraud prevention
Neulizenzierung nach PSD3 für Zahlungsinstitute“

New licensing requirements

A key element of PSD3 is the restructuring of the licensing regime. All payment institutions and e-money institutions will be required to renew their authorisation.

Explanation:
With PSD3, the previous E-Money Directive will be repealed and integrated into the new framework. Existing licences will no longer be valid. Institutions must undergo a new licensing process, which sets stricter requirements on governance, capital resources, outsourcing and IT security.The transition periods are tight – those who start early will gain a decisive time advantage.

Action Required:

  • Conduct a gap analysis on governance, risk and IT
  • Update documentation, policies and manuals
  • Prepare and submit licence applications at an early stage
llustration zweier Hände im Handschlag, links mit Bankgebäude-Symbol und rechts mit Cloud-Symbol, umgeben von EU-Sternen – symbolisiert fairen Wettbewerb zwischen Banken und FinTechs.

Fair competition

PSD3 promotes greater competition by giving non-bank payment service providers easier access to essential banking services and payment systems.

Explanation:
In the past, banks often denied third-party providers access to accounts or payment systems. Under PSD3, banks will be required to clearly justify such decisions. Payment institutions will also have the right to appeal.This will reduce market entry barriers and foster innovation – particularly benefitting FinTechs and smaller providers.

Action Required:

  • Revise policies governing access to banking services
  • Introduce standardised onboarding processes for third-party providers
  • Review and adapt contractual terms and documentation

Timeline to 2027: When Institutions Need to Act

The implementation of PSD3 and PSR follows a multi-stage roadmap. Even though the final texts are still under negotiation, a clear timeline is emerging:

2025

Conclusion of EU trilogue negotiation

2026

Publication in the Official Journal, PSR enters into force directly as a regulation (6 months after publication) and Member States transpose PSD3 into national law (typically 18–24 months deadline).

2027

All payment and e-money institutions must comply with the new requirements and, where applicable, undergo re-licensing.

Every institution faces its own challenges. Let’s work together to determine how you can implement PSD3 & PSR in the best possible way

The coming years will be decisive for payment and e-money institutions. Those who prepare early will gain a competitive advantage.

To support you, we have compiled in-depth analyses, practice-oriented whitepapers and up-to-date articles on PSD3 and PSR.

Illustration of a crossroads: the left path represents ‘Registration’ (simple), the right path represents ‘Licensing’ (complex). Colour scheme in dark blue, teal and gold.

Registration vs. Licensing under PSD3 and PSR – What Financial Institutions Need to Know Now

Blog

PSD3 and PSR introduce clearer rules for payment institutions and FinTechs. But when is a simple registration sufficient – and when is a full licensing procedure required? In our latest expert article, we explain the key differences, the risks of misinterpretation, and how to align your business model with regulatory requirements in time.

More information
Image of a european map in blue colors and with yellow nodes and lines to illustrate the connection between the EU Member Countries. Payment Services Directive 3 Whitepaper Cover

Whitepaper: PSD3 & PSR – Practical Guidance for Banks and Payment Institutions

Whitepaper

The new requirements under PSD3 and PSR are fundamentally changing European payment transactions – with direct consequences for banks, payment institutions and e-money institutions. Our white paper provides a concise overview of the changes that are now imminent, the opportunities they present and how you can prepare your institution in good time.

More information

Every institution faces its own challenges. Together, we will identify how to implement PSD3 & PSR in the most effective way

Let’s review together how you can put regulatory requirements into practice – efficiently and effectively

30 minutes for more clarity – book your appointment

Free & non-binding · 30 minutes · Remote

Frequently Asked Questions (FAQ)

What you need to know now about PSD3 and PSR

What is the difference between PSD3 and PSR?

Erweiterung

PSD3 (Payment Services Directive 3) is an EU directive that must be transposed into national law by member states. It primarily regulates licensing, supervision and institutional requirements for payment and e-money institutions. PSR (Payment Services Regulation) is an EU regulation that applies directly and uniformly in all Member States – without national implementation. It sets operational standards such as technical requirements, strong customer authentication (SCA), transparency obligations and fraud prevention. This dual structure prevents national deviations and creates genuine EU-wide harmonisation in payment transactions for the first time.

By when must PSD3 be implemented?

Erweiterung

The expected timeline: A breakthrough was achieved in the EU trilogue negotiations in 2025. The PSD3/PSR are now expected to be published in the EU Official Journal in early 2026 and to enter into force in 2026 as well. The PSR, as a regulation, will enter into force directly, while Member States will have to transpose PSD3 into national law within 18-24 months, i.e. by around 2027. From 2027 onwards, all payment and e-money institutions will have to comply with the new requirements and renew their licences. Institutions should start preparing by 2025 at the latest, as re-licensing takes 8-14 months.

Does every payment institution and electronic money institution have to apply for a new licence?

Erweiterung

Yes. PSD3 repeals the previous E-Money Directive (EMD2) and integrates it fully into the new PSD3 framework. This means that all existing licences – both for payment institutions and e-money institutions – are no longer valid. All institutions must undergo a new licensing procedure with the competent national supervisory authority (in Germany: BaFin). The new requirements are significantly stricter: tighter governance, higher capital requirements, more comprehensive IT security, more detailed outsourcing documentation. There are transition periods (grandfathering), but no automatic extension.

What is grandfathering and how long does it apply?

Erweiterung

Grandfathering refers to transitional arrangements that allow existing institutions to continue operating despite new requirements. Under PSD3, institutions with existing licences can generally continue to operate, but must apply for a new licence in accordance with PSD3 standards within the transition period. Typical deadlines: 18-24 months after national entry into force (i.e. approximately until 2028/2029). Important: Grandfathering is NOT a free pass – institutions must demonstrate that they are actively working on compliance. Those who miss the deadline will lose their licence. Recommendation: Start early (2025) with gap analysis and preparation.

Which institutions are affected by PSD3?

Erweiterung

All payment service providers within the scope of the PSD are affected: payment institutions under PSD3, e-money institutions (previously EMD2, now integrated into PSD3), account information service providers (AISPs), payment initiation service providers (PISPs), credit institutions (banks) involved in payment transactions, fintechs offering payment services, and providers of wallet and payment solutions. Also indirectly affected: IT service providers, cloud providers and outsourcing partners of these institutions, as stricter requirements apply to third-party relationships.

Got questions?

We are happy to offer you a free initial consultation

Contact us