• Digital Payments Boom and New Fraud Threats: The EU’s retail payments market has grown massively. Electronic payments in the EU reached €240 trillion in value in 2021 (up from €184 trillion in 2017). This surge, accelerated by COVID-19, brought new fintech players (e.g. open banking services) and more sophisticated fraud that undermines consumer trust.
  • Regulatory Response - PSD3 and PSR: In June 2023, the European Commission proposed an overhaul of PSD2 via a new Directive (PSD3) and a new Regulation (PSR). These aim to modernize payments rules for the digital age, enhancing consumer protection, competition, security, and innovation in electronic payments.
  • Scope – Who Is Affected: Payment service providers of all kinds (banks, fintech PSPs, payment gateways, acquirers, e-money issuers, etc.) offering services in the EU will be impacted. PSD3/PSR will apply across the EU single market, ensuring a more uniform rulebook for payments once in force.

Overview of PSD3 and PSR

  • Two-Part Framework: PSD3 is a Directive focusing on the licensing and supervision of payment institutions (including bringing electronic money institutions under its scope), while the PSR is a Regulation that contains most operational rules for providing payment services. This split means core conduct rules (fraud, transparency, SCA, open banking, etc.) will be directly applicable via the PSR, reducing inconsistent national interpretations. Meanwhile, PSD3 will require transposition into each EU country’s laws for prudential aspects like authorization and capital.
  • Key Goals: The PSD3/PSR package builds on PSD2’s foundations with a focus on:
    • Strengthening Consumer Protection: Tighter anti-fraud measures, improved redress rights, and greater transparency in fees.
    • Boosting Innovation & Competition: Updates to support open banking (and future open finance), leveling the playing field between banks and fintechs (e.g. non-bank PSPs’ access to payment systems), and clarifying rules for new business models.
    • Harmonization: By moving detailed rules into an EU Regulation, PSD3/PSR will standardize compliance requirements across member states, making it easier for payment firms to operate EU-wide under one rulebook.
  • Inclusion of E-Money Services: A notable change is the merging of the E-Money Directive (EMD2) into PSD3. Going forward, e-money institutions will be licensed as payment institutions, and payment institutions can issue e-money. This consolidation simplifies the regulatory landscape for fintech issuers of wallets, prepaid cards, etc., under one regime.

New Liability Rules for Payment Processors

  • Broader Liability for Fraud Losses: PSD3 proposes to expand the situations in which payment providers are held liable for fraudulent transactions. Payment service providers will face liability for fraud in a greater range of cases and cannot easily shift blame. Notably, if a provider fails to properly apply Strong Customer Authentication (SCA) when required, they (including intermediaries like gateways or technical service providers) will bear the fraud loss, a new liability shift designed to incentivize rigorous authentication. This means card schemes, wallet providers, payment gateways, etc., will be on the hook if they don’t enforce SCA, protecting customers from lapses in the security process.
  • Liability for Authorized Scams (APP Fraud): Importantly, regulators are addressing scams where customers are tricked into authorizing payments (Authorized Push Payment fraud). PSD3/PSR will make providers more responsible for impersonation and social engineering fraud cases. For example, the European Commission explicitly wants banks/PSPs to be liable for certain impersonation scams and to implement “Confirmation of Payee” name-check systems to prevent payments to fraudsters. The idea is that no participant in the payment chain should escape responsibility: if telecom networks or messaging platforms enabled a fraud (e.g. via number spoofing), authorities could hold them accountable too. Overall, the rules stress that consumers should not be left out-of-pocket from fraud: providers must refund victims unless there’s evidence of customer fraud or gross negligence. (Notably, the Council’s June 2025 position emphasized that consumers must not be disadvantaged by fraud, strengthening refund obligations on PSPs.)
  • Faster Resolution of Unauthorized Transactions: PSD3 looks to tighten timelines and procedures for handling unauthorized payment cases. Under PSD2, if a customer disputes an unauthorized charge, the PSP must refund promptly unless it suspects fraud by the payer. The new proposal mandates refunds within 14 business days after notification in cases of unauthorized transactions, as long as the payer isn’t at fault. This creates more certainty and urgency for PSPs to investigate and resolve fraud claims quickly, or else provide provisional refunds.
  • Delegated Authentication and Liability: A subtle but important change is that PSD3 explicitly allows delegated SCA, e.g. an acquirer or wallet can perform authentication on behalf of an issuer, provided certain conditions are met. With this change, the liability framework is also clarified: whichever party performs the authentication carries the liability if it’s done improperly. This opens the door for smoother checkout experiences (merchants or gateways may handle 3-D Secure flows, etc.), but those parties must meet security requirements because they will be liable for any fraud resulting from weak authentication.

Stronger Fraud Prevention Requirements

  • IBAN-Name Matching (“Confirmation of Payee”): To combat fraud, especially APP fraud, PSPs must verify payee identity on bank transfers. The proposals require an IBAN/name matching service for credit transfers: before money is sent, the payer’s PSP will query the beneficiary’s PSP to confirm that the account name matches the provided IBAN. If there’s a mismatch, the payer can be alerted, preventing common frauds where victims are tricked into sending money to an account under a scammer’s name. (Several EU countries have already introduced such confirmation services; PSD3 aims to make it standard across Europe.)
  • Enhanced Transaction Monitoring and Blocking: PSD2 already required fraud monitoring, but PSD3 goes further. PSPs must have more sophisticated real-time transaction monitoring systems to detect suspicious payments. Critically, under the new rules PSPs will have the explicit right to block or delay a payment when their systems have strong evidence of fraud in progress. This is a shift from today’s regime: it empowers providers to proactively pause transactions to prevent loss, rather than feeling obliged to execute every authorized payment instantly. Providers will need policies for when to intervene, and regulators/EBA may issue guidance on using this power appropriately.
  • Fraud Data Sharing Between Institutions: Recognizing that fraudsters often hop between banks and PSPs, PSD3/PSR will create a legal basis for PSPs to share fraud-related information with each other, in compliance with GDPR. This is a significant development: currently, privacy laws can make banks wary of sharing data about fraudulent payees or compromised accounts. The new regulation will explicitly allow PSPs to exchange data on confirmed fraud cases (e.g. details of mule accounts, scammer names or IDs, IBANs used in fraud, modus operandi patterns). By pooling this intelligence, the industry can more quickly flag accounts that are suspected in fraud and prevent them from receiving further payments. Data protection safeguards will be built in, but regulators see data-sharing as vital to fight cross-institution scams.
  • Customer Education Obligations: In addition to technical measures, PSPs will be required to educate customers (and their own staff) about fraud risks. PSD3 will mandate awareness programs so that users know how to spot phishing or spoofing attempts, understand SCA prompts, and where to report suspected fraud. Many banks already do fraud awareness, but this makes it a formal obligation. The goal is to reduce human vulnerabilities by making consumers more vigilant, an acknowledgment that technology alone isn’t enough if users are duped into giving away credentials or approving fake payments.
  • Inclusion of Telecom/Digital Actors in Fraud Prevention: Uniquely, the Council has pushed to bring electronic communication providers (telecoms, messaging services) into the fraud-fighting framework. For example, phone companies may need to cooperate more in preventing “SIM swap” or caller ID spoofing scams that lead to payment fraud. This cross-sector approach means payment regulators can require telecom or internet platforms to implement measures against fraud (since scammers often use phone/social media to socially engineer victims). It underscores that fraud prevention under PSD3 is not just a banking issue but a wider ecosystem responsibility.
  • Refining SCA Rules (Strong Customer Authentication): PSD3 will update SCA requirements to be both more flexible and more inclusive:
    • Accessibility: PSPs must offer alternative authentication methods for users who can’t use smartphones, e.g. allowing hardware token or smartcard options, and ensuring no user segment (elderly, disabled, rural with no internet) is left unable to do SCA. Also, SCA methods must be provided free of charge to customers.
    • Technical Clarifications: The definition of “two independent factors” is broadened: PSD3 will allow two biometrics in combination (like fingerprint + facial recognition) to count as SCA, which PSD2 left ambiguous. This could spur new biometric solutions.
    • SCA Exemptions and Friction: The law will clarify where SCA is not needed (e.g. certain low-risk transactions, merchant-initiated transactions, or MOTO – mail order/telephone order, which PSD3 explicitly exempts from SCA requirements to help sectors like travel). EBA is expected to update the Regulatory Technical Standards on SCA to refine exemption thresholds and require better fraud analytics for risk-based exemptions. The overall aim is to maintain security gains from SCA while minimizing unnecessary friction for consumers.
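
An added sketch of the IBAN/name check described in the “IBAN-Name Matching” item above (illustrative code, not taken from the PSD3/PSR text or any scheme rulebook): the payer’s PSP validates the IBAN, asks the beneficiary’s PSP for the registered account name, and classifies the result before funds move. The register contents, the close-match tier, the 0.80 threshold and the noise-token list are assumptions made for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed register standing in for the beneficiary PSP's account records.
# The IBANs are standard documentation examples, not real customer accounts.
BENEFICIARY_REGISTER = {
    "DE89370400440532013000": "Müller Bau GmbH",
    "NL91ABNA0417164300": "Jan de Vries",
}

CLOSE_THRESHOLD = 0.80  # assumed tuning value, not from the page
# Assumed list of titles and legal forms ignored when comparing names.
NOISE_TOKENS = {"mr", "mrs", "ms", "dr", "gmbh", "ltd", "limited", "bv", "sa", "ag"}


def clean_iban(iban: str) -> str:
    """Strip whitespace and upper-case so '  de89 3704 ...' compares equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos before any lookup is sent."""
    iban = clean_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    # Letters map to 10..35 (A=10, ..., Z=35); digits map to themselves.
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalize_name(name: str) -> str:
    """Fold case and diacritics, drop punctuation and noise tokens, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", no_marks.casefold())
    return " ".join(sorted(t for t in tokens if t not in NOISE_TOKENS))


def beneficiary_psp_lookup(iban: str):
    """Beneficiary PSP side: return the registered account name, or None."""
    return BENEFICIARY_REGISTER.get(clean_iban(iban))


def confirmation_of_payee(iban: str, entered_name: str):
    """Payer PSP side: return (verdict, name_hint) before the transfer is sent.

    Design choice of this sketch: the registered name is disclosed to the
    payer only on a close match, never on a clear mismatch.
    """
    if not iban_is_valid(iban):
        return ("INVALID_IBAN", None)
    registered = beneficiary_psp_lookup(iban)
    if registered is None:
        return ("ACCOUNT_NOT_FOUND", None)
    want, have = normalize_name(entered_name), normalize_name(registered)
    if want and want == have:
        return ("MATCH", None)
    if SequenceMatcher(None, want, have).ratio() >= CLOSE_THRESHOLD:
        return ("CLOSE_MATCH", registered)
    return ("NO_MATCH", None)


if __name__ == "__main__":
    # Constructed payment instructions as a payer might type them.
    samples = [
        ("DE89 3704 0044 0532 0130 00", "MULLER BAU GMBH"),
        ("DE89370400440532013000", "Mueller Bau"),
        ("NL91ABNA0417164300", "Vries, Jan de"),
        ("NL91ABNA0417164300", "Tax Refund Office"),
        ("DE88370400440532013000", "Müller Bau GmbH"),
        ("GB82WEST12345698765432", "Acme Trading Ltd"),
    ]
    for iban, name in samples:
        print(f"{iban!r:32} {name!r:22} -> {confirmation_of_payee(iban, name)}")
```

A NO_MATCH or CLOSE_MATCH verdict is the point at which the payer would be alerted before confirming the transfer.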

Key Differences from PSD2 for Payment Gateways, PSPs, and Acquirers

  • Uniform EU Regulation vs. National Divergences: Perhaps the biggest structural change is that the bulk of payment conduct rules (everything from fraud liability to open banking APIs) will now be in an EU Regulation (directly applicable). Under PSD2 (a directive) some rules were interpreted or enforced differently by each country. PSD3/PSR eliminates many of those gaps, meaning payment firms will deal with one unified set of rules across Europe. This benefits payment gateways and acquirers operating cross-border; compliance will be more streamlined without 27 variations. It also means regulators (like the EBA and national authorities) can enforce rules more consistently, using the regulation as a single source of truth.
  • Authorization & Supervision Changes: PSD3 introduces a new licensing regime for payment institutions. All existing PSD2-authorized Payment Institutions (and E-Money Institutions) will likely need to reapply or convert to a PSD3 license (though lawmakers aim to make this a simplified process). Requirements are being updated, e.g. firms must prepare wind-down plans as part of licensing, have stricter ICT/security resilience (aligned with the new DORA regulation on operational resilience), and demonstrate robust fraud data-sharing arrangements. Initial capital requirements for various services are also being raised to account for inflation and risk changes. For payment processors, this means engaging early with regulators to ensure a smooth transition to the new authorization standards once PSD3 is in force.
  • Payment Gateways and Technical Service Providers in Scope: Under PSD2, certain tech providers could argue they were just “technical service providers” not subject to regulation (if they didn’t hold funds). PSD3 blurs this line in cases where tech providers play a role in SCA or other critical functions. For example, if a gateway or wallet app manages customer authentication, it is effectively part of the regulated space now (with liability and compliance duties as discussed). Moreover, marketplace platforms that intermediate payments face a narrower “commercial agent” exemption: PSD3 further limits when marketplaces can avoid a license. Many online marketplaces that could operate under PSD2 exemptions will now need payment licenses or partnerships, because acting on behalf of both payer and payee or holding funds will trigger regulation. This change is highly relevant to e-commerce platforms and their payment providers, which must reassess their models or use compliant payment service arrangements (e.g. platform wallets, split payments via licensed PSPs).
  • Level Playing Field, Non-Banks vs Banks: PSD3/PSR include provisions to open up banking infrastructure to non-bank PSPs. Notably, non-bank payment institutions will gain the right to access all EU payment systems that banks use (e.g. card networks, SEPA clearing) under fair terms. Additionally, member states’ central banks may allow non-bank PSPs to open settlement accounts at the central bank, improving liquidity and risk management for fintechs. These measures reduce longstanding barriers where banks had competitive advantages in payments networks. For acquirers and payment processors, this means potentially more competition but also opportunities, e.g. fintech acquirers could participate in domestic payment schemes directly rather than needing a sponsor bank.
  • Open Banking 2.0: Building on PSD2’s open banking, the new rules will demand better API performance and reliability from banks:
    • Banks will be required to meet performance benchmarks for their open banking APIs (so that third-party providers (TPPs) get consistently fast and successful responses). Any “obstacles” to TPP access (delays, unnecessary hurdles) are explicitly prohibited.
    • The cumbersome “fallback interface” (a backup screen-scraping option if APIs failed) that PSD2 allowed is going away. PSD3 mandates dedicated APIs, but if those APIs go down, banks must offer contingency access (e.g. temporarily let TPPs use the customer online banking interface) and fix issues within a set deadline or face penalties. Regulators can impose fines if a bank doesn’t restore its API in time, and TPPs can even claim damages for lost business due to API downtime. This is a strong incentive for banks and processors to maintain high uptime.
    • Consumer Dashboards: Banks/ASPSPs will have to provide customers a dashboard to manage fintech data access, a single view where a user sees which TPPs have access to their account and can withdraw consents easily. This improves transparency and trust in open banking, indirectly benefiting TPPs and processors who rely on customer consent.
    • Beyond Payments to Open Finance: While not directly about PSD3, the parallel Financial Data Access (FIDA) Regulation was introduced to expand data sharing to other financial products. Payment processors should anticipate a future where data from loans, insurance, pensions, etc., could be integrated with payments, offering new business models but also requiring strong compliance with data protection and consent management.
  • Supervisory Harmonization and Enforcement: PSD3 will strengthen the European Banking Authority’s role in consistency. The EBA is tasked with drafting new Regulatory Technical Standards (e.g. on SCA, on incident reporting, on fraud data sharing) and issuing guidelines to harmonize interpretation (for example, clarifying the application of the commercial agent exemption across all countries). National regulators will also get new tools – for instance, as noted, they can penalize banks for failing API obligations, and they will oversee that payment institutions implement the new fraud measures and capital rules. The expectation is that regulatory scrutiny on payment firms’ fraud prevention and operational resilience will increase under PSD3/PSR. Payment processors need to be prepared for more frequent audits or requests for information from regulators, as the EU seeks to ensure the rules aren’t just on paper but actively enforced across the union.

Timeline for Regulatory Adoption and Compliance

  • Legislative Timeline: The PSD3 and PSR proposals were unveiled by the European Commission on 28 June 2023. The European Parliament adopted its first reading amendments in April 2024, and EU Member States (Council of the EU) agreed on a negotiating position by June 2025. The next step (as of mid-2025) is trialogue negotiations between the Parliament, Council, and Commission to finalize the text. It’s expected that the final PSD3 Directive and PSR Regulation will be formally adopted by late 2024 or (more likely) sometime in 2025. Once adopted, the Regulation (PSR) will enter into force on a set date, while the Directive (PSD3) will require transposition.
  • Effective Dates and Transition:
    • PSD3 (Directive): Member States will likely have 18–24 months to transpose it into national law. That suggests national laws around late 2026 or 2027, depending on the adoption date. After transposition, existing payment firms may be given a grace period (perhaps a year or more) to comply with new licensing and requirements. The Commission’s intent is to give 2-3 years for payment service providers to obtain new authorizations and comply after PSD3 is in force, roughly targeting 2026-2027 for full compliance deadlines.
    • PSR (Regulation): Regulations are directly applicable EU-wide. The PSR might specify an application date (for example, “18 months after entry into force” or a fixed date). If finalized in 2025, many PSR provisions could kick in by 2026 for all EU countries simultaneously. This means certain rules (like fraud info-sharing, liability changes, customer rights) will apply at the same time across the EU, without waiting for national legislation. Payment processors should keep an eye on the final Regulation’s timeline – some obligations might become law earlier than the PSD3 Directive obligations.
  • Jurisdictional Nuances: While the aim is a harmonized rollout, there may be slight variances:
    • Countries could move faster in transposing PSD3 (some regulators may encourage voluntary early compliance, especially on fraud measures).
    • The UK, no longer in the EU, is charting its own course (it has mandated broader APP fraud reimbursements starting 2024, for instance) but UK-based payment firms serving EU customers will still need to adapt to PSD3. Global PSPs should be ready for parallel but distinct regimes (EU’s PSD3 vs UK’s payments regime evolution), which Flagright and similar compliance partners can help navigate.
  • Compliance Preparation Timeline: Forward-thinking PSPs are already preparing. We do not expect the new rules to take effect before 2026, but 2025 will be a crucial year to adjust internal processes. Firms should target end of 2025 to have plans for compliance in place, so they can meet the deadlines once the law is final. Regulators (and the EBA) will likely publish draft technical standards or guidance throughout 2024-2025, which compliance teams should monitor closely. Early movers will have an advantage in adapting products (e.g. implementing name-check systems, upgrading fraud monitoring engines, planning license transitions) before the rush.

The Urgency of Compliance: Fraud Trends & Enforcement Signals (2023-2025)

  • Rising Fraud Rates Pressuring Regulators: Payment fraud has become a pressing concern across Europe. The Commission’s impact assessment noted that consumers still “lack confidence in payments” due to fraud risks under PSD2. Industry data underscores this: Global e-commerce fraud losses were projected to exceed $48 billion in 2023, up significantly in recent years. In particular, Authorised Push Payment (APP) scams have surged, growing roughly 10% year-on-year recently, as fraudsters trick people into sending money to accounts under their control. This trend has made APP fraud one of the fastest-growing threats in digital payments, fueling the regulatory drive to bolster fraud prevention in PSD3.
  • Stark Examples, APP Fraud Losses: The United Kingdom’s experience has been a cautionary tale: in 2022, UK banks reported customers lost over $505 million to APP scams, and less than 60% of those losses were reimbursed to victims. Even more striking, 98% of those scams involved instant transfers that gave victims little recourse. The scale and impact (hundreds of millions unrecovered) led UK regulators to intervene: from October 2024 the UK is enforcing a mandatory 50/50 reimbursement split between sending and receiving banks for many scam payments. EU authorities are keenly aware of these figures; they add urgency to implementing PSD3’s fraud liability reforms so consumers across the EU are better protected.
  • Enforcement Actions & Compliance Crackdowns: While PSD3 is being negotiated, regulators haven’t waited to act:
    • Several National Competent Authorities have been vigilant about PSD2 compliance; for example, some banks faced strict deadlines to fix faulty open banking APIs or risk penalties. The European Commission explicitly noted that under the new proposals, authorities will be empowered to set deadlines and issue fines if a bank’s dedicated interface for TPPs is not restored promptly after outages. This foreshadows tougher enforcement ahead: PSPs that don’t meet uptime or security requirements may incur regulatory sanctions or public orders to remediate.
    • Data protection regulators and financial regulators have also coordinated on issues like fraud data sharing. In anticipation of PSD3, there’s acknowledgment that GDPR allows fraud data processing under certain legal bases; we’ve seen early moves in 2023 towards clarifying this, giving PSPs more confidence to share fraud intel without breaching privacy laws. Not complying with the upcoming data-sharing frameworks (once in effect) could expose PSPs to both financial and reputational risk, especially if a failure to share information leads to preventable fraud at another institution.
    • Fines under PSD2: While major fines specifically for PSD2 breaches have been relatively rare so far, regulators did levy penalties for related infractions (e.g. banks delaying SCA implementation or failing to report incidents in a timely manner). For instance, a large French bank was reportedly fined in 2022 for deficiencies in handling unauthorized transactions claims (citing consumer protection rules akin to PSD2). The trend indicates that supervisors are increasingly willing to penalize non-compliance as digital payment usage grows. Under PSD3/PSR, the expectations will be even higher: any uptick in fraud or customer detriment could swiftly invite enforcement action using the stronger tools in the new framework.
  • Market Repercussions: Apart from regulatory fines, the cost of non-compliance can be measured in fraud losses and lost reputation. The period 2023–2025 has seen some payment processors and neo-banks suffer high-profile fraud incidents, resulting in customer churn and remediation costs far exceeding compliance investments. By contrast, firms with robust anti-fraud systems (often exceeding PSD2’s minimum requirements) have used that as a selling point. This climate makes it commercially risky to be a laggard. As PSD3’s enactment nears, industry leaders are publicizing their readiness; for example, some processors already introduced Confirmation of Payee checks and report significantly reduced fraud in pilot programs, citing alignment with the expected PSD3 mandate. Such statistics build a narrative that compliance is not just about avoiding fines, but about brand trust and competitive advantage in a fraud-conscious market.

Industry Feedback and Challenges to PSD3 Proposals

  • General Reception, Support with Caveats: By and large, payment industry players have welcomed PSD3/PSR’s objectives. Major industry associations like the European Banking Federation, Electronic Money Association, and European Fintech Association voiced support, seeing the proposals as a timely update to improve security and adapt regulation to innovation. Many firms agree with the focus on fraud reduction and consumer confidence. “PSD3 is an evolution, not a revolution,” as one payments association puts it; it fine-tunes PSD2’s framework rather than overhauling it. This evolutionary approach is appreciated because it builds on what the industry already invested in (like SCA) instead of introducing completely new paradigms.
  • Challenge, Implementation Cost and Complexity: A common concern, especially among payment service providers (PSPs) and merchants, is the cost of implementing new measures. The strong SCA requirements under PSD2 were expensive and sometimes painful to roll out for merchants (many saw increased cart abandonment initially). Now PSD3 adds more, from upgrading fraud monitoring systems to deploying IBAN/name check services and retooling APIs. Merchants worry that extra security steps could introduce friction and hurt conversions if not done smartly. They also recall the investment needed for PSD2 compliance and question whether PSD3’s additions will be more cost-effective. For smaller PSPs and fintech startups, the prospect of re-authorization and higher capital thresholds may strain resources. Industry feedback during consultations included calls for proportional implementation, e.g. longer lead times or support for small players to meet new rules without stifling innovation.
  • Liability Shift Concerns: Payment processors and card networks have raised questions about the new liability distribution. While they agree fraud should be curtailed, the practicality of holding a technical provider or a telecom operator partly liable for a fraud event is debatable. Some card schemes and gateways in their feedback noted that clear guidelines will be needed to determine fault in complex fraud cases. For instance, if a bank’s SCA was bypassed due to a SIM-swap (telecom issue) combined with poor user vigilance, how do we apportion liability? Industry stakeholders want clarity to avoid endless disputes between PSPs, banks, and telecoms when reimbursing victims. The European Banking Authority (EBA) is expected to develop guidelines on this, but until then, some uncertainty remains.
  • Data Sharing and Privacy: Another challenge brought up by industry/legal experts is balancing fraud data sharing with privacy. Banks and fintechs are broadly supportive of sharing fraud intelligence (it’s in everyone’s interest to stop serial fraudsters), but they seek reassurance that GDPR won’t come into conflict. The proposals explicitly allow it under GDPR’s fraud prevention clauses, yet PSPs call for standardized processes (possibly via the EBA) to share data in a secure, anonymized way when possible. The risk of breaches or misuse of shared data is a concern: any centralized fraud database could itself become a target. Industry groups like the EMA have suggested safeguards and liability protections for those sharing information in good faith. This dialogue indicates a need for detailed technical standards to implement the data sharing mandate smoothly.
  • Open Banking API Standards, Fragmentation vs. Harmonization: TPPs and some payment tech firms have given feedback that PSD3 should push further on API standardization. Currently, multiple standards (Berlin Group, STET, etc.) exist in Europe. PSD3 stops short of mandating one API spec, which some feel is a missed opportunity to truly harmonize open banking. Fintech developers note that while PSD3 sets performance goals, the lack of a single standard means they still have to build and maintain connections to many APIs. On the other hand, banks were resistant to a one-size-fits-all API rule, so the Commission chose a middle ground. This remains a point of discussion: will the market coalesce on its own or will regulators eventually enforce a unified API standard? For now, PSD3 leans on high-level rules and oversight (with the EBA monitoring API performance and uptime). Industry feedback suggests cautious optimism that these measures will at least eliminate the worst friction (like banks with unreliable APIs or lengthy onboarding for TPPs), even if full technical harmonization is deferred.
  • Marketplace and Fintech Business Models: Platforms and fintech firms operating under PSD2 exemptions (like the commercial agent exemption) have understandably pushed back on losing those loopholes. Some online marketplaces argued in consultations that requiring a full payment license for certain models could raise costs and compliance burden, potentially hindering small platforms. The regulators’ counter-argument is that money handling by platforms needs oversight to protect users (citing past incidents of funds mismanaged by unlicensed entities). Industry associations have largely accepted the tightening, with the expectation that payment-as-a-service providers (like Stripe, Adyen, etc.) will fill the gap by offering compliant solutions to marketplaces. Indeed, companies like Stripe have already positioned their products (e.g. Stripe Connect) to help platforms comply without themselves becoming licensed institutions. The challenge for the industry is ensuring a smooth migration: platforms currently relying on exemptions must secure partnerships or licenses in time, and regulators may need to provide transitional arrangements to avoid disrupting service for merchants using those platforms.
  • Timeline and Readiness: A final theme in industry feedback is concern about the ambitious timeline. Given the breadth of changes, stakeholders have urged regulators to provide sufficient lead time and phased implementation where possible. For example, rolling out the IBAN/name check across all of Europe’s banks is non-trivial: it requires inter-bank coordination and perhaps new infrastructure. PSPs have suggested a staged approach (as was done with SCA under PSD2, which had multiple compliance extensions). Additionally, re-authorizing potentially thousands of payment institutions across the EU is a heavy load for both firms and regulators, and there are calls for making that process streamlined (as Parliament has supported via a “simplified” re-authorization process). The good news is that most provisions won’t kick in overnight, and the authorities have signaled flexibility on practical matters. Nonetheless, payment processors clearly need to stay alert and start planning early; those that delay risk being caught in a crunch when the rules do take effect.

Conclusion: Preparing for PSD3 as a Payment Processor

  • Embrace a Proactive Compliance Strategy: The coming of PSD3/PSR marks a significant step in the evolution of Europe’s payments regulation, one that requires payment processors to elevate their compliance and anti-fraud capabilities. Firms should treat this not just as a legal obligation, but as an opportunity to strengthen trust with customers and partners. By investing in fraud prevention technology (advanced monitoring, customer verification tools, data-sharing frameworks) and updating internal policies now, payment processors can get ahead of the curve. Early alignment with PSD3’s requirements (such as building IBAN/name match services or refining SCA flows for better UX and security) will pay dividends by reducing fraud losses and demonstrating to regulators that your organization takes consumer protection seriously.
  • Key Action Items: Start with a gap analysis against the PSD3/PSR proposals:
    • Review liability scenarios and ensure your contracts and procedures reflect the new allocations (e.g. update terms with technical providers involved in authentication, and plan for reimbursing customers promptly when fraud occurs despite your controls).
    • Audit your fraud controls end-to-end. If there are weaknesses (say, no system for sharing fraud signals or blocking suspect transactions), begin implementing the solutions or find vendors who can help (for instance, real-time fraud scoring engines or consortium data networks).
    • Coordinate with your acquiring banks or scheme networks on SCA delegation and liability sharing. Processors that facilitate merchant payments should clarify roles with issuers under the new delegated auth model to avoid confusion later.
    • For open banking-oriented PSPs, work closely with banks and TPP aggregators to meet the new interface standards. Establish monitoring to track each partner bank’s API performance and have contingency plans if connections fail. Regulators will expect you to make use of the new rights (like requesting fallback access or reporting poor API behavior) to ensure service continuity for customers.
  • Leverage Industry Collaboration: The spirit of PSD3 is collaborative security: no entity can tackle fraud alone. Payment processors should actively participate in industry forums, pilot projects, or information-sharing alliances to refine how fraud data-sharing will work in practice. Engaging with associations or sandbox initiatives can also give you a voice in how technical standards (e.g. for confirmation of payee or secure data exchange) are developed, ensuring they are workable. Many leading PSPs and fintechs have already begun such collaborations, which can be a valuable source of intelligence and readiness.
  • Monitor Regulatory Guidance: Keep a close watch on outputs from the European Banking Authority and national regulators over 2024–2025. These will likely include draft Regulatory Technical Standards on SCA, guidelines on interpreting new rules (e.g. what counts as “strong evidence” to block a transaction), and perhaps FAQs or sandbox environments for new requirements. Early adoption of regulators’ guidance will smooth your compliance journey. It’s also wise to track enforcement trends – if certain types of non-compliance are drawing fines in the interim (for example, failure to report major incidents, or banks not providing basic open banking functionality), treat those as lessons to preemptively address similar issues within your operations.
  • Staying Ahead with Innovation: Lastly, don’t lose sight of the innovation angle. While PSD3 certainly tightens some screws, it also encourages new services (open finance, safer instant payments, etc.). Forward-thinking payment processors can turn compliance into a competitive edge: advertise your stronger fraud guarantees to customers, develop seamless authentication experiences leveraging the new delegation options, or introduce products that capitalize on open access to data (with user consent). Regulators have effectively raised the bar for trust in payments; meeting that bar can set you apart in a crowded market. By positioning your company as one that not only meets the PSD3/PSR requirements but also champions the underlying goals (customer security and convenience), you reinforce your brand’s credibility. In an era where both compliance and customer experience are paramount, being proactive on PSD3 will showcase your organization as a credible, forward-thinking leader in payment compliance, exactly the kind of partner merchants and banks will want to work with in the new regulatory landscape.