PSD3 and PSR on the home stretch: now is the time to prepare

With the Payment Services Directive 3 (PSD3) and the new Payment Services Regulation (PSR), European payment transactions are facing a comprehensive regulatory realignment. With the agreement reached in the political trilogue at the end of last year, the regulations are now in the final stages. For banks and payment service providers, this marks the beginning of a phase in which, for the first time, reliable assumptions can be made for operational preparations.

Parliament and Council reach provisional agreement on PSD3 and PSR

The political agreement reached between the European Parliament and the Council on November 27, 2025 marked a significant milestone in the legislative process: the trilogue negotiations on the new Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3) have been concluded.

The conclusion of the trilogue negotiations marks the end of the fundamental political discussions. This lays the foundation for the final drafting and formal adoption of the legal acts. For payment service providers, this step means significantly greater planning security. It also allows concrete assumptions to be made for impact analysis and preparation for implementation.

Following our last blog post on the regulatory disputes between the legislative bodies, this post focuses on the current status of the legislative process, the expected final regulations, and the challenges they pose for banks.

Where we currently stand in the legislative process

Both legislative acts are currently undergoing technical finalization and legal-linguistic review. Here, the decisions and compromises reached in the trilogue are being incorporated into a final legislative text (which is consistent in all 24 official languages).

This will be followed by formal adoption by Parliament and Council and publication in the EU Official Journal. On the 20th day after publication, the PSR will enter into force immediately as a regulation, while a national implementation period is planned for PSD3.

Looking back at PSD2, the process between the conclusion of the trilogue negotiations and publication in the Official Journal took around seven months. The time between agreement in the trilogue and final publication varies depending on the legislative complexity. For PSD3 and PSR, we consider publication in summer 2026 to be realistic.

[Figure: Expected timeline of the legislative process]

What to expect in the final text

The European Parliament’s press release clearly outlines the expected regulatory requirements for banks and payment service providers (PSPs). Both pieces of legislation aim to achieve greater harmonization of European payment transactions, increased protection against fraud, and a level playing field in the market.

The PSR is intended to cover a broad scope of application. In addition to banks and payment service providers, technical service providers and, in certain constellations, telecommunications providers and online platforms will also be included. This means that key requirements will be regulated uniformly across the EU for the first time.

Fraud prevention mechanisms

The PSR will impose significantly stricter requirements with regard to fraud prevention. A key element of the final regulatory framework is the extended responsibility of payment service providers. In future, PSPs will be held increasingly liable if insufficient protection mechanisms have been implemented. In practical terms, these new obligations can be divided into three core areas:

1. Internal prevention: monitoring, verification of payee, and investigation

A key protective mechanism for fraud prevention is the rejection or freezing of transactions. This places an obligation on payment service providers on both the payer side and the recipient side. In future, a payer's payment service provider must reject suspicious payments. If an institution fails to do so despite an objectively justified suspicion of fraud, it is directly liable for the damage incurred. In addition, payment service providers on the recipient side must not make the amount of a suspicious payment available to the beneficiary if there is reasonable suspicion.

In addition to extending verification of payee to transfers in all EU currencies, the PSR obliges banks to set up comprehensive, risk-based transaction monitoring. Banks must be able to detect fraud patterns in real time, taking into account a variety of specific criteria.

This includes, for example, comparison with known fraud scenarios and compromised or stolen authentication elements. If the bank provides the access device or software itself, complete logging of usage and detection of anomalous usage behavior is also required to prevent unauthorized access at an early stage.

In addition to technical monitoring, the focus is shifting to education and prevention: In the future, banks must proactively inform their customers about new fraud schemes and implement technical protective measures against identity fraud. Internally, annual training will also be mandatory for all relevant employees to ensure that they have up-to-date knowledge of current fraud risks.

2. Collaborative fraud prevention

The PSR also establishes a new standard for collaborative fraud prevention between PSPs. In the future, payment service providers must share fraud-related information with each other via a dedicated platform. However, information from other institutions must not lead to negative consequences, such as the termination of business relationships, without being verified. Before institutions participate in data exchange, a data protection impact assessment (DPIA) must be carried out. In addition, the storage of this shared data is strictly limited to a maximum of five years after the incident.

A new feature is the integration of large online platforms into the liability structure. In future, these platforms will be liable to banks if they fail to remove content that promotes fraud despite being notified, thereby triggering reimbursement payments to payment service providers.

3. Customer interface: limits, blocking functions, and new intervention rights

The third pillar of PSR fraud prevention focuses on the direct interface with the customer and intervenes in limit control.

In order to reduce and prevent fraud risks, PSPs must in future provide their customers with comprehensive functions for independently managing payment and spending limits, as well as immediate blocking and suspension options. These limits should be individually definable by the user depending on the payment method or time period.

This represents a significant shift in authority. While customers are allowed to adjust their limits at any time, payment service providers are prohibited from unilaterally changing limits once they have been set in the framework agreement. However, in addition to these customer rights, institutions are granted the express right to proactively stop payments under certain conditions.

Transparency in payment transactions: Information requirements and operational requirements

In order to protect customers from hidden costs, the PSR tightens transparency requirements both at the contractual level and in day-to-day operations.

In future, payment service providers will have to provide detailed information on fees for domestic cash withdrawals in their framework agreements, differentiating between their own ATMs, partner networks, and third-party operators. For cross-border payments outside the EU, there is also an obligation to indicate the estimated transfer time.

One technical focus is on currency conversion: before each transaction, the estimated fee amount and the percentage surcharge compared to a reference rate must be disclosed to the user. This reference rate must be based on an “aggregated mid-market exchange rate” from an IOSCO-compliant administrator and must be no more than 10 minutes old.

Challenges also arise from the new requirement to provide receipts at ATMs. The regulation stipulates that fees must not only be displayed on the screen in future, but also issued on a durable medium – usually a paper receipt. In Germany, the majority of ATMs do not have a print function, which has led to a debate about technical feasibility and economic viability. In addition to the high retrofitting costs, sustainability aspects and potential security risks posed by receipts left behind can also be cited as critical factors.

Open banking and dashboard

As already known from PSD2, the PSR specifies the requirements for account-holding payment service providers in the context of open banking. Payment service providers that offer an online payment account are still required to provide at least one dedicated interface for data exchange with account information and payment initiation services free of charge. This makes the dedicated interface the sole access point for open banking services.

In addition, the PSR strengthens payment service users’ control over their data access. Account-holding payment service providers are required to provide their customers with online access to their payment account with a dashboard integrated into the user interface, which can be used to monitor and control access authorizations granted to account information and payment initiation services. The dashboard must provide customers with a clear overview of existing authorizations at all times—including for recurring or multiple payments—and enable them to revoke individual or all data access free of charge.

Challenges

With the upcoming legislation, the regulatory requirements go well beyond selective adjustments. The new requirements have a profound impact on existing IT architectures, processes, organizational structures, and business models, and affect payment transactions across the entire operational spectrum. The following points outline some of the challenges that arise from the expected final regulations.

[Figure: Challenges regarding PSD3 and PSR]

Limitation of liability, risk transfer, and time pressure

Despite the limitation of liability for identity fraud agreed in the trilogue, the distinction remains challenging in individual cases. Banks must be able to assess with legal certainty whether a case of fraud falls under the liability rule or whether the customer can be accused of gross negligence, which in turn must be proven by the PSP.

At the same time, there is a risk of a structural shift in risk from the customer to the PSP, which could lead to an “all-risk insurance” mentality on the part of customers. Banks must bear a risk that they can hardly control and that lies outside their area of responsibility.

This situation is exacerbated by the time factor: many of the regulatory requirements are subject to ambitious implementation deadlines. The time pressure thus becomes a central risk for consistent and economically viable implementation.

IT architecture under real-time pressure

PSR combines various real-time requirements that can pose challenges for existing core banking systems. In the future, banks will have to update exchange rates based on external reference data, such as IOSCO-compliant exchange rates, at defined intervals and make them available consistently across all channels. At the same time, transaction monitoring, verification of payee, and intervention decisions must be made within the shortest possible time.

For many institutions, this means that historically grown system landscapes may reach their technical limits. In order to reliably comply with regulatory latency requirements, modernization of the IT architecture will be necessary, for example at the interfaces between payment transactions, fraud systems, and front ends.

Transparency requirements vs. operational realities

The expanded transparency requirements pose challenges in practical implementation in terms of the interaction between system architecture, processes, and output channels.

In addition to external reference data, physical and digital output channels must also be secured by regulatory measures in order to avoid discrepancies in cost information.

The conflict is particularly evident in the cash infrastructure: the new requirement to provide receipts at ATMs could prove to be a critical factor for the future of individual locations. Many ATMs in Germany do not yet have the necessary hardware, meaning that costly retrofitting will be necessary. If these investments exceed the economic returns of individual branches or locations, there is a risk of a further reduction in cash supply – an effect that runs counter to the PSD3’s objectives of strengthening access to cash.

Conflict of objectives between customer experience and security

With extended limits, blocking, and intervention rights, PSR is shifting security mechanisms more toward the customer side. While this increases protection against social engineering attacks, it comes at the expense of convenience and speed.

Banks must actively manage this conflict of objectives: on the one hand, customers are given more control, but on the other hand, the payment service provider remains liable if protective mechanisms are deemed insufficient. Processes and user interfaces thus become a factor relevant to security and liability.

Procedural and data protection complexity in open banking

The introduction of the mandatory dashboard for data access significantly increases procedural complexity. A planned recovery period after data withdrawal, which is currently under discussion in the trilogue, requires close synchronization between the account-holding bank and third-party providers so that the data flow can be resumed without renewed authentication, which is burdensome for customers.

At the same time, the PSR establishes new forms of collaborative fraud prevention through the exchange of fraud-related information between payment service providers. This data exchange sits in tension with data protection law and requires governance, audit, and documentation processes to avoid misjudgments and inadmissible follow-up decisions.

Conclusion

Whether PSD3 and PSR actually draw the right lessons from PSD2 will only become clear once they have been implemented in practice. Although PSR does not represent a revolution, it does require complex adjustments in some areas of banks’ system and process landscapes.

If the scope for economic control, market-oriented remuneration models, and practical design remains limited, there is a risk that regulatory goals will be formally achieved, but efficiency and innovation potential will once again remain untapped, thus failing to meet one of the main objectives of the new legislation.

Even though final adoption is still pending, now is the time to analyze the impact on your own institution. The year 2026 should be used to understand regulatory requirements in detail, identify areas for action, determine the need for adjustments, and thus start implementation by the beginning of 2027 at the latest.

Karl Illing

provides msg for banking customers with comprehensive advice on payments and open finance, is responsible for the Consumer Payments division, and heads the cross-industry FIDA task force.
