As the European Union moves forward with its proposed Payment Services Directive 3 (PSD3), financial institutions across Europe – and likely the UK – must prepare for a new wave of regulatory transformation. Building on the foundations laid by PSD2, PSD3 aims to further harmonise payment services, enhance consumer protection and strengthen both fraud prevention and operational resilience. For organisations operating in the payments ecosystem, this presents both a challenge and an opportunity to improve services, build trust and gain competitive advantage.
From PSD2 to PSD3: a regulatory evolution
PSD2 was a landmark directive that reshaped the European payments landscape. By removing barriers to entry and encouraging innovation, it enabled a broader range of financial service providers to offer payment solutions. It also introduced Strong Customer Authentication (SCA), improved consumer protection and laid the groundwork for open banking.
The UK’s adoption of PSD2 through the Payment Services Regulation Act 2017 positioned it as a leader in payments innovation. Organisations that embraced PSD2 benefited from increased market share, improved payment efficiency, enhanced security and reduced fraud risk. In turn, consumers gained greater choice and confidence in the resilience of payment services.
Now, PSD3 seeks to build on this momentum with a more comprehensive and harmonised regulatory framework.
Key objectives of PSD3
The proposed PSD3 directive, announced in June 2023, introduces several significant changes:
- Regulatory harmonisation: PSD3 separates rules on the conduct of payment services from those governing authorisation and supervision. This aims to level the playing field across jurisdictions and prevent regulatory arbitrage, where organisations might seek to take advantage of differences in regulatory approaches.
- Enhanced Strong Customer Authentication (SCA): the directive seeks to clarify the scope of SCA, improve its application, especially for vulnerable users, and refine transaction monitoring and exemptions.
- Fraud liability shift: PSD3 proposes a shift in fraud liability from consumers to payment service providers (PSPs). PSPs will bear greater responsibility for proving fraud or gross negligence, thereby encouraging more robust fraud detection and incident management systems.
- Operational resilience: in an increasingly digital financial environment, PSD3 emphasises the need for stronger operational resilience to counter cyber threats and service disruptions.
- Data sharing framework: the directive introduces provisions for financial entities to share fraud-related data, personal customer information and cyber threat intelligence. This requires organisations to have mature data governance and protection frameworks in place.
Implications of PSD3 for financial institutions
Although PSD3 is still under development, with implementation expected in 2026, organisations should begin preparing now. The directive will likely be adopted into UK regulation, continuing the trend of alignment with EU standards.
Financial firms should focus on the following key areas:
- Technology and infrastructure readiness: organisations must assess their current payments infrastructure and identify gaps in compliance and security.
- Governance and risk management: firms will need to update governance structures and control frameworks to meet PSD3’s requirements, particularly around fraud liability and operational resilience.
- Regulatory reporting: enhanced reporting obligations, such as REP018, will require accurate documentation and timely submission of fraud statistics and SCA exemption methodologies.
- Data protection and sharing: compliance with new data sharing rules will demand robust data governance, privacy controls and secure exchange mechanisms.
Operational expectations under PSD3: balancing fraud and consumer trust
PSD3 challenges firms to strike a delicate balance between consumer trust, security and user experience. As fraud liability shifts to PSPs, the effectiveness of fraud risk engines and incident management processes becomes critical. At the same time, SCA must be accessible and user-friendly, especially for vulnerable consumers.
Operational resilience is another cornerstone of PSD3. Financial institutions must ensure their systems can withstand disruptions and cyber threats, while maintaining service continuity and regulatory compliance.
How we can support your PSD3 journey
RSM’s Technology Risk Assurance team brings deep expertise in payments regulation, technology assurance, operational resilience and cyber risk. We work with a wide range of financial institutions – including banks, building societies, electronic money institutions, and fintechs – to support them in navigating regulatory change and strengthening their risk and control environments.
We can help you protect your business and prepare for regulatory changes with:
- PSD2 and PSD3 compliance assessments: evaluating your current frameworks for SCA, Transaction Risk Analysis (TRA) and exemptions.
- Operational resilience advisory: assessing your readiness for regulatory compliance, including alignment with the Digital Operational Resilience Act (DORA).
- Data governance and protection: guidance for developing data sharing frameworks and privacy controls.
- Regulatory reporting readiness: ensuring accurate documentation and reporting processes for fraud statistics and TRA methodologies.
- Training and simulation workshops: preparing your teams for regulatory change through targeted education and scenario planning.
With our extensive experience in regulatory assurance and advisory services, we are well-positioned to help your organisation prepare for PSD3 and maintain a competitive edge in the evolving payments landscape.
Please get in contact with Riza Unal for more on how we can help.