EU Payment Services Directive (PSD2/PSD3)
EU framework for payment services, open banking, and consumer protection in digital payments.
The Payment Services Directive (PSD2), in force since January 2018, transformed the European payments landscape by opening up access to payment accounts, introducing new categories of payment service providers, and mandating strong customer authentication (SCA) for electronic payments. PSD2 enabled the emergence of open banking by requiring banks to give licensed third-party providers, specifically Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), access to customer account data through secure APIs, subject to the customer's explicit consent.
PSD2 applies to all payment service providers operating in the EU, including banks, electronic money institutions, payment institutions, and the new category of third-party providers. It also affects merchants, e-commerce platforms, and technology companies that facilitate or initiate payments. The directive introduced consumer protection measures, including reduced liability for unauthorised transactions, faster complaint handling, and a ban on surcharging for most electronic payment methods. Strong customer authentication, requiring at least two of three authentication factors (knowledge, possession, and inherence), became mandatory for electronic payment transactions, with limited exemptions for low-risk or low-value transactions.
The European Commission proposed PSD3 and the accompanying Payment Services Regulation (PSR) in June 2023, aiming to address shortcomings identified in PSD2's implementation. Key proposed changes include converting core requirements into a directly applicable regulation to eliminate divergent national transpositions, enhancing open banking by improving API performance standards and expanding data access, strengthening fraud prevention measures, and merging the licensing frameworks for payment institutions and electronic money institutions. PSD3/PSR is expected to be finalised in 2025 and become applicable around 2027.
The payment services framework interacts with DORA, which imposes ICT risk management requirements on payment service providers alongside their PSD2/PSD3 obligations. AML directives also apply to payment institutions, requiring customer due diligence and suspicious transaction reporting. The broader financial services regulatory framework, including licensing, capital requirements, and supervisory arrangements, creates an overlapping set of obligations that payment service providers must navigate.
For businesses in the payments ecosystem, PSD2 has already reshaped competitive dynamics by enabling new entrants and business models. The transition to PSD3 and PSR will further harmonise requirements, improve consumer protection, and expand open finance opportunities. Companies should monitor the legislative timeline closely and begin preparing for enhanced API obligations, updated authentication requirements, and the consolidated regulatory framework that will define European payments regulation for the next decade.
Assess your PSD2 API infrastructure against proposed PSD3/PSR requirements and plan for enhanced performance and functionality standards