PSD3: What you need to know

PSD3 is an EU Directive that provides rules for the authorisation and supervision of non-bank payment service providers (PSPs) in the EU. The PSD3 aims to protect consumers’ rights and personal information while improving competition in the payments industry. This will empower consumers to securely share their data and contribute to a broader range of innovative financial products and services. Since it’s a directive, the PSD3 rules need to be transposed into the national laws of the various EU Member States.

What is PSR?

PSR is an EU Regulation that directly applies to the EU Member States once adopted and entered into force. The PSR will be directly applicable without the need for transposition by member states at a national level. This contributes to a uniform and consistent implementation across the entire EU. The PSR aims to improve consumer protection, an area in which consistency of rules is crucial.

PSD3 will cover a more extensive scope than PSD2. This makes it more suitable for today’s payments landscape given the uneven implementation of rules that could encourage regulatory arbitrage. It covers most parts of PSD2, such as transparency, liability, and open banking. However, PSD3 sets out more extensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payments systems and account information compared to PSD2. This plays a pivotal role in safeguarding payment transactions and counteracting payments fraud. 

Learn more about how PSD2 and SCA have been interacting up until now.

The changes regarding Strong Customer Authentication (SCA) and access to payment systems and account information will affect the payments industry. Let's look at these changes and how they will make a difference.

Strong Customer Authentication

The PSD3 changes regarding SCA will contribute to safer buying experiences. There will be new rules around data sharing, fraud prevention, authentication, transactions, and accessibility.

Data Businesses will need to share more data with issuers, allowing them to monitor environmental and behavioural characteristics such as user location, transaction time, devices used, spending habits, transaction history, session data, and device IP. As a result, they can increase approval rates by better determining which transactions to approve and which to decline.  Payment schemes and PSPs will also be allowed to process personal data for fraud prevention without explicit user consent under the General Data Protection Regulation (GDPR). This only applies if they use the data to prevent fraud. 

Fraud The new proposals also suggest a liability shift in terms of fraud. Schemes, technical service providers (such as wallet providers), and payment gateways will be liable for fraud if they fail to apply SCA. This protects payers from technical malfunctions and encourages providers to maintain a high quality of service. 

Issuers will also be liable when spoofing fraud occurs. This is when a fraudster impersonates a bank’s employee to make the user authenticate the payment. If the payer acts fraudulently or with gross negligence, they will remain liable.

Authentication PSD2 required SCA factors to belong to two categories out of the following three: knowledge, possession, and inherence. With PSD3, using two of the same categories, like token and SMS OTP or even two passwords, is possible. 

SCA delegation by issuers to third parties, such as Apple Pay, is now qualified as outsourcing and needs to comply with outsourcing rules to authenticate the cardholder. Adyen anticipated that outsourcing would be regulated and created a Delegated Authentication solution that allows us not to outsource to a third party but instead do the authentication ourselves. So issuers can delegate SCA to us.

Exemptions Merchant-initiated transactions (MIT), such as subscriptions, are now excluded from SCA. Only the first transaction requires SCA. MITs will have the same 8-week unconditional refund right (‘no question asked’) that you find in SEPA Direct Debits. 

Similarly, card-based mail orders and telephone orders, also called MOTO transactions, don’t need to be authenticated with SCA. This exemption will greatly benefit sectors such as the travel industry. 

Regarding tokenisation, SCA is only required if the cardholder initiates the transaction, for instance, during a card-on-file transaction or when a cardholder initially enrolls their card in a digital wallet. 

Accessibility  SCA must now be accessible for vulnerable customers such as the elderly, people with disabilities, and non-digitally savvy consumers by providing authentication methods that don’t rely solely on smartphones. 

Access to payment systems and account information

The PSR will introduce changes to the existing Open Banking framework that will remove obstacles to providing open banking services and ultimately increase uptime for banking and financial services.

Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will be allowed to build custom interfaces that connect to banks and other financial institutions. 

Banks and financial institutions will have to share more information about their API performance by publishing quarterly statistics on interface availability and performance, creating a higher level of transparency. This gives businesses more accurate insights into the payment systems, helping them to make informed decisions about which partner they want to choose for their payment processing needs.

In case of bank downtime or disruptions, banks need to allow third parties (AISPs and PISPs) to use their own banking interfaces, leading to more efficient payment processes for digital businesses and their customers. Following applicable civil law, businesses also retain the right to claim damages for losses incurred.

Banks are required to provide customers with a permission dashboard. This dashboard allows customers to continuously monitor and manage permissions granted to AISPs conveniently.

The PSD3 and PSR proposals ensure consumers can continue safely and securely making electronic payments and transactions in the EU, domestically or cross-border, in euro and non-euro. It aims to provide a greater choice of payment service providers while safeguarding customers. 

At Adyen, we're working with regulators and card schemes to ensure everything is ready for PSD3. At the moment, there are no further actions required. We'll keep you up to date on the latest developments of the regulations via email and system messages to ensure an optimal experience. 

There is yet to be a clear timeline for implementing PSD3 and PSR. The European Parliament and European Council will review the proposed changes. The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2026. If you want to find more details, visit the official documents here.

Learn more about how to balance convenience with security through better authentication here.

Under PSD2, many platforms and marketplaces rely on the Commercial Agent Exemption to offer financial services without needing a license.

The Commercial Agent Exemption applies when the platform or marketplace only acts on behalf of the payer or the payee, but not both. If acting for both, a platform can only avoid a licensing requirement if it relies on a licensed payment service provider like Adyen. 

The draft of PSR published by the European Commission significantly narrowed the Commercial Agent Exemption, meaning many platforms and marketplaces would no longer be able to rely on it. 

However, in the latest draft of PSR proposed by the European Council, the Commercial Agent Exemption is reverted closer to its original position under PSD2. 

As a result, the continued availability of the commercial agent exemption to marketplace platforms under PSR is currently uncertain and will be known only when the final text of PSR is agreed by the EU institutions. This is expected to be published during the first half of 2026.

PSR also seeks to implement a more consistent approach to the commercial agent exemption across the EU by mandating the European Banking Authority to develop guidelines for national regulators on the application of the exemption.

PSD3 and PSR were proposed by the European Commission in June 2024. They have since been reviewed by the European Parliament and European Council, with each party proposing a draft of the texts. The three institutions now seek to find political agreement and a final version is expected in Q1 or Q2 of 2026. 

The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2027 or early 2028.

Platforms and marketplaces should begin to think about how this legislation change could impact their business set-up. Adyen is closely monitoring the legislative progress of PSD3 and PSR and will help you remain fully compliant.

Whether you want to get your own payment license or use Adyen for Platforms, we’re here to help. 

Adyen for Platforms lets you embed payments directly into your platform or marketplace, so your users can sign up, sell, and get paid through one simple integration, all while staying compliant with PSD3 and PSR. 

Our unified platform lets you manage payments and finance in one place, through a single integration. This makes it easy to scale your businesses by easily expanding and launching new products across multiple markets. 

Since Adyen is a licensed credit institution, you are compliant no matter where your business grows. This also means we don’t rely on third parties, eliminating third-party delays and enabling instant processing and payouts.

Owning our entire tech stack also gives you full control and flexibility to white-label, localise, and deliver the customer experience you want.

Want to offer financial services and comply with PSD3/PSR? Learn more about Adyen for Platforms.