The European Parliament and the Council have reached a political agreement on the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR)
On November 27, 2025, the European Parliament and the Council reached a political agreement on the “Payment Services Package,” which includes the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). This represents the most significant overhaul of the European payments framework since SEPA (Single Euro Payments Area) and signals a clear shift toward a Single Rulebook for payments in the EU and eventually the EEA. The Parliament and the Council need to formally approve PSD3 and PSR before they come into effect.
The Payment Services Package addresses both market fragmentation under PSD2 and a sharp increase in sophisticated payment fraud, especially Authorized Push Payment (APP) fraud. By splitting the framework into a Directive (covering authorization and supervision) and a directly applicable Regulation (covering market conduct, liability, and user rights), the EU aims to reduce national discretion and create a more unified, resilient payments ecosystem.
The Four Strategic Pillars of the Reform
The Payment Services Package is centered on four main pillars, each addressing specific market failures identified in the Commission’s 2023 impact assessment.
1. Fraud & Liability
Key innovations
Mandatory refunds for impersonation (“spoofing”) fraud, where scammers pretend to be your bank through fake calls or messages.
Shared liability across banks, electronic communications providers (ECPs), and large online platforms.
Verification of Payee (VoP) extended to all credit transfers, beyond the Instant Payments Regulation (IPR) and beyond euro payments.
Strategic implication
The financial burden of fraud shifts from individual consumers onto the infrastructure chain: banks, telecom providers and Big Tech. This is designed to encourage technical prevention measures rather than relying solely on user vigilance and education. The customer still needs to report the impersonation scam to the police and to their bank to obtain the refund.
2. Market Structure
Key innovations
Merger of the Payment Institution (PI) and E-Money Institution (EMI) frameworks.
Amendments to the Settlement Finality Directive (SFD) to allow non-bank PSPs direct access to designated payment systems.
Strategic implication
The EMI license is now integrated into a single PI regime, reducing regulatory arbitrage between e-money and payment services and decreasing fintechs’ reliance on incumbent banks for access to essential payment infrastructure.
3. Open Banking
Open banking allows you to securely share your bank data with other financial apps or services (like budgeting apps or payment apps) if you choose. However, until now it hasn’t worked as smoothly as hoped.
Key innovations
A shift from “access to account” to data permissions.
Mandatory permission dashboards for users – a user-friendly dashboard (within your banking app or website) where you can see which third-party services have access to your account and easily turn those permissions on or off.
Performance parity between bank APIs and banks’ own customer interfaces.
Strategic implication
Open Banking is reframed from a narrow compliance requirement into part of a broader, user-centric data economy, aligned with the forthcoming Financial Data Access (FIDA) framework. The goal is a functioning market based on high-quality APIs and meaningful user control over data sharing.
4. Consumer Protection
Key innovations
Greater transparency on currency conversion and ATM fees.
The possibility of cashback without a purchase.
Strengthened and more accessible Strong Customer Authentication (SCA).
Strategic implication
The reforms enhance price transparency in cross-border payments and support the continued availability of cash as a public good in increasingly digital payment environments. (You will be able to go into a store and withdraw cash at the checkout without having to buy something first. It’s a way to ensure access to cash even if bank branches or ATMs are scarce – for instance, in small towns or rural areas, shops can act as cash withdrawal points.)
From PSD2 Fragmentation to PSR Uniformity
PSD2 (Directive (EU) 2015/2366) was intended to harmonize payment services across the EU. In practice, relying on 27 different national transpositions (plus EEA EFTA states) produced significant divergence:
Gold-plating: Some countries added extra consumer protection rules, complicating cross-border acquiring and creating friction.
Supervisory arbitrage: Fintechs engaged in “forum shopping”, locating in Member States perceived as more lenient on SCA, conduct rules or capital requirements.
Timeline discrepancies: Implementation delays undermined the goal of a truly integrated Single Market.
The November 2025 agreement confirms the Commission’s decision to split the framework: PSR as a Regulation governing user rights and market conduct, and PSD3 as a Directive overseeing supervisory architecture. This is not a minor administrative change, but a fundamental re-engineering of the legal structure to reduce future fragmentation.
The Payment Services Regulation (PSR): A Single Rulebook
The PSR functions as the main market conduct rulebook, applicable directly in all Member States, and includes the following topics:
Transparency of terms and conditions.
Liability rules for authorized and unauthorized transactions.
SCA requirements and exemptions.
Open Banking access rules, including API requirements and performance obligations.
Because the PSR has Regulation status, its provisions apply uniformly once in force, without the need for national transposition and without scope for National Competent Authorities (NCAs) to significantly reinterpret user-facing rules.
The Third Payment Services Directive (PSD3): Supervision and Licensing
PSD3 retains the Directive format for elements that must integrate with national administrative systems and supervisory practices:
Licensing and authorization of payment institutions.
Supervisory powers, enforcement, and sanctions.
Capital requirements and safeguarding of client funds.
Re-designation of EMIs as PIs with e-money issuance permission.
This split model allows the EU to ensure consistent user rights through the PSR, while respecting national differences in how supervision and enforcement are organized under PSD3.
A New Liability Regime for Impersonation Fraud
One of the most politically sensitive elements of the deal is the recalibration of fraud liability, especially for APP fraud driven by impersonation and spoofing.
Under Article 59 PSR, a strict liability regime is introduced for impersonation fraud:
A PSP must refund the consumer in full if:
The consumer was manipulated by a third party impersonating an employee of the consumer’s PSP (for example, a “fraud department” call).
The fraudster misused the PSP’s name, email address or phone number (technical spoofing).
This manipulation led to an authorized transaction in favour of the fraudster.
The burden of proof shifts significantly. Under PSD2, banks generally argued that once SCA was properly implemented (e.g., via BankID), the payment was considered “authorized,” making the consumer liable. Under the PSR, if the consumer claims they were spoofed using the bank’s contact details, the PSP is initially liable unless it can demonstrate gross negligence or fraud on the part of the customer.
The agreement also limits what qualifies as gross negligence in spoofing scenarios. Falling victim to a convincing spoof, such as a call or SMS where the caller ID matches the bank’s verified number, is not automatically considered gross negligence. This significantly enhances consumer protection in the face of sophisticated social engineering tactics.
Extending Liability to “Enablers”: Telecommunication Companies and Platforms
For the first time in EU financial regulation, the “polluter pays” principle is extended to the digital infrastructure that enables fraud.
Electronic Communications Providers (ECPs)
The banking lobby successfully argued that banks cannot be the sole underwriters of fraud facilitated by insecure telecom protocols (SS7 vulnerabilities, lack of caller ID authentication).
Under the new rules:
Electronic communications providers (ECPs, i.e. telcos) can be liable to reimburse PSPs in specific cases where they fail to remove fraudulent content or to prevent spoofing when technical solutions exist.
A likely trigger is failure to implement protections such as SMS sender ID protection registries. If a bank has registered its sender ID (e.g., “DNB”) and a telecom still allows fraudsters to send SMS messages with that header, the telecom could be liable for the resulting losses.
This creates a direct financial incentive for operators to invest in anti-spoofing firewalls and other security measures previously viewed as cost centers rather than risk mitigants.
Online Platforms
Large platforms (e.g., Meta, Google) will also be subject to payment-linked liability.
They may be required to reimburse PSPs in cases where:
They are notified about fraudulent content, such as fake investment ads or phishing sites.
They fail to remove that content.
A consumer is then defrauded as a result of that specific content.
This effectively acts as a financial enforcement lever for the Digital Services Act (DSA), pushing platforms to verify the legitimacy of financial advertising (for example, checking against national FSA registers) or risk direct exposure for published scams.
Verification of Payee (VoP)
Verification of Payee (VoP), checking that the account name matches the account number (IBAN) before payment execution, is promoted from a useful add-on to a mandatory, liability-bearing service for all credit transfers:
The Instant Payments Regulation already mandated VoP for instant euro payments.
The PSR now extends VoP to all credit transfers, including standard SEPA and domestic non-euro transfers.
If a PSP:
Fails to provide VoP at all, or
Provides VoP but returns a false positive “match” for a fraudulent beneficiary,
then the PSP will be liable for the full amount of the loss. This effectively removes the traditional “execution only” defence, where banks claimed they were only responsible for processing the IBAN provided by the customer.
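To make the two failure modes above concrete, here is an added example of a payer-side VoP check (illustration only, not code from the article, from any PSP or from a VoP scheme). It assumes a simplified result vocabulary (“match”, “close_match”, “no_match”, “cannot_be_checked”), an assumed similarity threshold of 0.85, and a constructed account register standing in for the payee’s PSP. The names are invented; “NO93 8601 1117 947” is the published Norwegian example IBAN and “NO77 1111 2222 333” is synthetic but checksum-valid. The deliberately weak `lenient_first_token_match` shows how an over-lenient matcher produces the false-positive “match” for a fraudulent beneficiary that the PSR makes the PSP liable for.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed register of the payee's (responding) PSP: IBAN -> account holder.
# Hypothetical data for this example only.
PAYEE_REGISTER = {
    "NO9386011117947": "Kari Nordmann",  # the account the payer actually intends
    "NO7711112222333": "Kari Hansen",    # a mule account supplied by a fraudster
}

# Similarity at or above this is reported as "close_match" (assumed threshold).
CLOSE_MATCH_THRESHOLD = 0.85


def validate_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A-Z to 10-35, and the resulting integer must be 1 mod 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalize_name(name: str) -> str:
    """Casefold, drop accents that decompose (e.g. é -> e), strip punctuation
    and collapse whitespace, so cosmetic differences do not cause a mismatch."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^\w\s]", " ", no_marks).casefold()
    return " ".join(cleaned.split())


@dataclass(frozen=True)
class VopResult:
    status: str                           # match | close_match | no_match | cannot_be_checked
    name_on_record: Optional[str] = None  # disclosed only on a close match


def verify_payee(iban: str, entered_name: str, register: dict) -> VopResult:
    """Payer-side VoP check against the responding PSP's register (a dict here).
    Invalid or unknown IBANs are reported as 'cannot_be_checked', never as a match."""
    if not validate_iban(iban):
        return VopResult("cannot_be_checked")
    key = re.sub(r"\s+", "", iban).upper()
    on_record = register.get(key)
    if on_record is None:
        return VopResult("cannot_be_checked")
    entered, actual = normalize_name(entered_name), normalize_name(on_record)
    if entered == actual:
        return VopResult("match")
    ratio = SequenceMatcher(None, entered, actual).ratio()
    if ratio >= CLOSE_MATCH_THRESHOLD:
        return VopResult("close_match", on_record)  # payer sees the real name and confirms
    return VopResult("no_match")


def lenient_first_token_match(entered_name: str, on_record: str) -> bool:
    """Deliberately weak matcher that compares only the first name token.
    It reports 'Kari Nordmann' vs 'Kari Hansen' as a match: the false-positive
    'match' for a fraudulent beneficiary that leaves the PSP liable."""
    a, b = normalize_name(entered_name).split(), normalize_name(on_record).split()
    return bool(a) and bool(b) and a[0] == b[0]


if __name__ == "__main__":
    cases = [
        ("NO93 8601 1117 947", "Kari Nordmann"),  # exact match
        ("NO93 8601 1117 947", "Kari Nordman"),   # typo -> close match, name disclosed
        ("NO77 1111 2222 333", "Kari Nordmann"),  # mule account -> no match
        ("NO94 8601 1117 947", "Kari Nordmann"),  # bad check digits -> cannot be checked
    ]
    for iban, name in cases:
        print(f"{iban} / {name!r}: {verify_payee(iban, name, PAYEE_REGISTER)}")
    print("lenient matcher on mule account:",
          lenient_first_token_match("Kari Nordmann", "Kari Hansen"))
```

In a real deployment the register lookup is a request to the payee’s PSP rather than a local dict, and the close-match threshold would be tuned against real name data; the structural point stands regardless: a check that cannot be performed must surface as “cannot be checked” rather than silently passing, and a matcher loose enough to equate two different account holders is the liability-bearing false positive the regulation targets.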
Open Banking: From Access to Permissions
The PSR seeks to “reboot” Open Banking, recognizing that PSD2 granted the legal right to access data but failed to create a well-functioning market due to poor API quality and user-unfriendly consent processes.
Key elements include:
Dedicated interfaces (APIs): Account Servicing Payment Service Providers (ASPSPs, i.e. banks) must provide dedicated interfaces for Third Party Providers (TPPs).
Performance parity: These APIs must match the availability and performance of the bank’s own channels. Screen scraping remains as a fallback, but is intended to be phased out as APIs improve.
Removal of obstacles: The PSR explicitly prohibits “obstacles” to data access, such as more burdensome SCA processes for TPP access compared to the bank’s own customers (a recurring complaint under the 90-day re-consent rule).
Permission Dashboards and GDPR Alignment
A central innovation for user control is the Permission Dashboard:
Banks must offer a centralized dashboard in their online and mobile banking platforms where customers can view, manage, and revoke permissions granted to TPPs. In other words, a single overview (like a settings page) that allows customers to easily see which apps and services are connected to their account.
This ties payment regulation more closely to GDPR data portability rights, requiring banks – including Norwegian banks – to consolidate TPP consent information from multiple internal systems into a single, user-friendly view.
Timeline
The European Union’s Third Payment Services Directive (PSD3) and the new Payment Services Regulation (PSR) must be formally approved by both the European Parliament and the Council before they become law. The legislation is expected to be adopted in 2026, after which Member States will have 18 months to implement it. Based on this timeline, Norway and the other European Economic Area (EEA) countries are likely to adopt the new rules by 2027 or 2028.