A guide to understanding PSD3

PSD3 is an EU Directive that provides rules for the authorisation and supervision of non-bank payment service providers (PSPs) in the EU. 

The PSD3 aims to protect consumers’ rights and personal information while improving competition in the payments industry. 

This will empower consumers to securely share their data and contribute to a broader range of innovative financial products and services. 

Since it’s a directive, the PSD3 rules need to be transposed into the national laws of the various EU Member States.

What is PSR? 

While PSD3 is a directive, PSR is an EU regulation that directly applies to the EU Member States once adopted and entered into force. 

The PSR will be applicable without the need for transposition at a national level; thus, contributing to more consistent implementation across the EU.

This is particularly important as the PSR aims to improve consumer protection — an area in which rule consistency is crucial.

PSD3 will cover a bigger scope than PSD2, making it more suitable for today’s payments landscape.

It covers most parts of PSD2, such as transparency, liability, and open banking. However, PSD3 sets out more extensive SCA regulations and stricter rules on access to payment systems and account information (which we’ll cover further below). 

This will play a pivotal role in safeguarding payment transactions and counteracting fraud. 

Here’s how the upcoming changes will make a difference within the payments industry: 

Strong Customer Authentication

The PSD3 changes regarding SCA will contribute to safer buying experiences. 

There will be new rules around data sharing, fraud prevention, authentication, transactions, and accessibility.

Data:

Businesses will need to share more data with issuers, allowing them to monitor environmental and behavioural characteristics such as:

• User location

• Transaction time

• Devices used

• Spending habits

• Transaction history

• Session data

• Device IP 

As a result, they can increase approval rates by better determining which transactions to approve and which to decline. 

Fraud: 

The new proposals suggest a liability shift in terms of fraud. Schemes, technical service providers (such as wallet providers), and payment gateways will be liable for fraud if they fail to apply SCA. 

Issuers will also be liable when spoofing fraud occurs — such as when a fraudster impersonates a bank’s employee to make the user authenticate the payment. 

Authentication:

PSD2 required SCA factors to belong to two out of three categories: knowledge, possession, and inherence. 

With PSD3, using two of the same categories, like token and SMS OTP, or even two passwords, is possible. 

SCA delegation by issuers to third parties, such as Apple Pay, is now qualified as outsourcing and needs to comply with outsourcing rules to authenticate the cardholder. 

Adyen anticipated that outsourcing would be regulated and created a delegated authentication solution that lets us do the authentication. So issuers can delegate SCA to us.

Exemptions:

Merchant-initiated transactions (MIT), such as subscriptions, are now excluded from SCA. Only the first transaction requires SCA. MITs will have the same 8-week unconditional refund right (‘no question asked’) that you find in SEPA Direct Debits. 

Similarly, card-based mail orders and telephone orders, also called MOTO transactions, don’t need to be authenticated with SCA. This exemption will greatly benefit industries like travel. 

Regarding tokenisation, SCA is only required if the cardholder initiates the transaction, for instance, during a card-on-file transaction or when a cardholder initially enrolls their card in a digital wallet. 

Accessibility:

SCA must now be accessible for vulnerable customers such as the elderly, people with disabilities, and non-digitally savvy consumers by providing authentication methods that don’t rely solely on smartphones. 

Access to payment systems and account information

• The PSR will introduce changes to the existing Open Banking framework that will remove obstacles to providing open banking services and ultimately increase uptime for banking and financial services.

• Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will be allowed to build custom interfaces that connect to banks and other financial institutions. 

• Banks and financial institutions will have to share more information about their API performance by publishing quarterly statistics on interface availability and performance, creating a higher level of transparency.

• In case of bank downtime or disruptions, banks need to allow third parties (AISPs and PISPs) to use their own banking interfaces, creating more efficient processes for digital businesses and their customers. Following applicable civil law, businesses also retain the right to claim damages for losses incurred.

• Banks are required to provide customers with a permission dashboard. This dashboard allows customers to continuously monitor and manage permissions granted to AISPs conveniently.

The PSD3 and PSR proposals ensure consumers can continue making secure electronic payments and transactions in the EU — domestically or cross-border. 

It aims to provide a greater choice of payment service providers while safeguarding customers. 

At Adyen, we're working with regulators and card schemes to ensure everything is ready for PSD3. 

The member states usually receive an 18-month transition period, suggesting that PSD3 could take effect around 2026.

At the moment, there are no further actions required. We'll keep you up-to-date on the latest developments of the regulations via email and system messages to ensure an optimal experience.

Subscribe to our newsletter to stay in-the-know about all things payments and industry news.

Under PSD2, many platforms and marketplaces rely on the Commercial Agent Exemption to offer financial services without needing a license.

The Commercial Agent Exemption applies when the platform or marketplace only acts on behalf of the payer or the payee, but not both. If acting for both, a platform can only avoid a licensing requirement if it relies on a licensed payment service provider like Adyen. 

The draft of PSR published by the European Commission significantly narrowed the Commercial Agent Exemption, meaning many platforms and marketplaces would no longer be able to rely on it. 

However, in the latest draft of PSR proposed by the European Council, the Commercial Agent Exemption is reverted closer to its original position under PSD2. 

As a result, the continued availability of the commercial agent exemption to marketplace platforms under PSR is currently uncertain and will be known only when the final text of PSR is agreed by the EU institutions. This is expected to be published during the first half of 2026.

PSR also seeks to implement a more consistent approach to the commercial agent exemption across the EU by mandating the European Banking Authority to develop guidelines for national regulators on the application of the exemption.

PSD3 and PSR were proposed by the European Commission in June 2024. They have since been reviewed by the European Parliament and European Council, with each party proposing a draft of the texts. The three institutions now seek to find political agreement and a final version is expected in Q1 or Q2 of 2026. 

The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2027 or early 2028.

Platforms and marketplaces should begin to think about how this legislation change could impact their business set-up. Adyen is closely monitoring the legislative progress of PSD3 and PSR and will help you remain fully compliant.

Whether you want to get your own payment license or use Adyen for Platforms, we’re here to help. 

Adyen for Platforms lets you embed payments directly into your platform or marketplace, so your users can sign up, sell, and get paid through one simple integration, all while staying compliant with PSD3 and PSR. 

Our unified platform lets you manage payments and finance in one place, through a single integration. This makes it easy to scale your businesses by easily expanding and launching new products across multiple markets. 

Since Adyen is a licensed credit institution, you are compliant no matter where your business grows. This also means we don’t rely on third parties, eliminating third-party delays and enabling instant processing and payouts.

Owning our entire tech stack also gives you full control and flexibility to white-label, localise, and deliver the customer experience you want.

Want to offer financial services and comply with PSD3/PSR? Learn more about Adyen for Platforms.