A new framework for payments in Europe

PSD3 & PSR

The Payment Services Directive: why the overhaul matters for your business

Since the first Payment Services Directive (PSD) (Directive 2007/64/EC), the EU has maintained a single regulatory framework governing who may provide payment services, on what terms, and with what liability. PSD2 (Directive (EU) 2015/2366) updated the framework without fixing its underlying gaps. PSD3 and the Payment Services Regulation (PSR), proposed in June 2023 and agreed in November 2025, are expected to be adopted in 2026 and applied from around 2027-2028, providing a broader and more stringent framework, with the PSR applying directly across all Member States and leaving no room for national variation.

If your business touches payments — as a bank, a fintech, or a corporate — this directly changes how you operate, what you must prove, and who bears the cost when things go wrong.

PwC Payments and Regulation Team

Five things to understand about PSD3 & PSR

Stronger fraud liability and faster dispute resolution
Banks and payment firms must act faster on disputed transactions and share fraud intelligence with other institutions, with direct liability consequences when they fail to do so. 

Stronger authentication requirements (SCA)
Your authentication processes will face a high compliance bar and closer supervisory scrutiny. Gaps in your current setup will be harder to justify.

Open banking gets a real upgrade
Third-party providers will access your customers’ account data through standardised interfaces held to higher quality and availability standards, closing the gaps that PSD2 left open across Member States. 

One rulebook, directly applicable across all Member States
The PSR will apply the same requirements to your business in every EU Member State, at the same time. PSD3 will still require national transposition, but the room for divergence that PSD2 left open is significantly reduced. 

Banks and fintechs compete – and comply – on equal terms
Non-bank payment providers get fairer access to infrastructure. Equal access comes with equal accountability. 

Three business consequences you cannot ignore

This is not a compliance checkbox. It reshapes how you operate, what you owe customers, and what you must be able to prove to the supervisor. 

1. Liability shifts – fast 

If fraud lands at your door and authentication controls fall short, the financial and reputational cost is yours to bear. The burden of proof sits with you. 

2. Your payment infrastructure is in scope 

APIs, authentication flows, data access controls: every layer of your payment infrastructure will be tested against new standards.

3. Your supervisor is aligned and watching

The PSR creates one standard across all EU Member States. Softer national interpretation is no longer an option.

PSD3 and the PSR don't stand alone

PSD3 + PSR FIDA FRIDA NIS2 DORA MiCA AI Act

Six EU frameworks intersect directly with payments. Compliance programmes that ignore the overlaps will create critical gaps, and the supervisor will find them.

Treating PSD3 as a standalone exercise is the single most common mistake we see. The frameworks are designed to interlock, and your programme must too.

PwC Payments and Regulation Team

What we hear from clients

Five challenges that consistently surface; none of them can wait until the final legislative text is published. 

Most organisations haven’t mapped their processes, contracts, or technology against new requirements. 

Legacy flows create friction for customers and control gaps for your supervisor. Both carry a cost.

Compliance, IT, and operations each hold a piece of the picture. Without a consolidated view, gaps go unnoticed until they are flagged externally.

Open banking requires robust oversight of who accesses what, when, and under which conditions.

Good controls are only half the job. Being able to evidence them clearly is what your supervisor will look for.

How we can help

We work alongside your teams, from first assessment through to ongoing supervision of readiness. Our approach follows three integrated practice areas:

Understand where you stand before the deadline moves: 

  • PSD3/PSR gap analysis against your current operating model
  • Cross-framework mapping: DORA, NIS2, FIDA and AI Act
  • Licensing and authorisation review
  • Board-level readiness briefing

Address identified gaps efficiently and at scale:

  • SCA design, testing and exemption strategy
  • Open banking API controls and third-party governance 
  • Fraud detection framework and data-sharing setup
  • Contract and policy updates across the value chain

Prove readiness to your supervisor and maintain it over time:

  • Supervisory readiness and mock inspection preparation
  • Compliance monitoring framework and KPI dashboard
  • Penetration testing and SCA assurance reviews
  • Training for first- and second-line teams

Contact us

Isabelle Melcion-Richard

Advisory Partner, Regulatory & Compliance, PwC Luxembourg

Tel: +352 49 48 48 2469
