The European Council’s response on the revised payment services legislation, known as PSD3, is keenly awaited as it will trigger the formal adoption of the new framework. The changes to the current PSD2 come in the form of a new Directive and a new Regulation[1] and would likely take effect in 2027. Whilst there’s a lot to absorb and discuss in the new drafts, here are 10 things which, pending finalisation of the legal text, will help you understand the regulatory compliance challenge you may face.

1.      The focus is on consumers

The Regulation includes a number of consumer-friendly changes including to the liability of payment service providers, entitlement to refunds and reimbursements, the provision of information on items such as charges and expected payment times, and access to dispute resolution. Additionally, there are enhanced security and anti-fraud provisions, including in relation to strong customer authentication and impersonation fraud, and enhanced data protection provisions, such as in relation to transfers of data between banks and non-banks. There are also limits being placed on unilateral changes to terms of service.

Provisions on safeguarding of consumer funds retained at the end of day are strengthened with a requirement on payment institutions and electronic money institutions to spread their deposits across credit institutions or even use an account with a Member State’s central bank. Electronic money institutions which previously enjoyed a five-day window after the issuance of electronic money to arrange safeguarding will need to adjust to a new one-day limit.

2.      PSD3 reflects changes in the industry since PSD2, and looks to the future 

The Regulation notes that “the retail payment services market underwent significant changes largely related to the increasing use of cards and digital means of payment, the decreasing use of cash and the growing presence of new players and services, including digital wallets and contactless payments.” At the same time the European Union is encouraging innovation, such as in relation to open banking, and driving competition by creating a level playing field for payment services and removing obstacles which reviews have identified. These include data sharing and consent requirements, and the updated regulations included alignment with GDPR, the Data Act and the proposed Regulation on Financial Data Access[2]. Non-discriminatory access to payment systems continues to be an issue which the EU is focused on, and here it extends access for payment institutions to payment systems designated under the Settlement Finality Directive.

3.      Much of PSD2 is staying the same…

Part of the challenge of understanding the new rules is the format of the amendments.  The Directive is mostly concerned with authorisation and on-going supervision whereas the Regulation contains the specific rules which such as information to users, user rights, charges, data, liability and payment processes. A regulation is typically used by the EU where the goal is harmonisation of rules across all member states, and it is used here as PSD2 implementation has been fragmented, allowing regulatory arbitrage. However, on a closer read the current text of the Regulation retains a number of existing Member State discretions. The new texts will require close reading to understand exactly what is changing.

A useful approach to managing this complex text is to think about these categories:

·       Alignment: where the aim is to align existing regulations such as incorporating electronic money institutions into the payment regime, but also provisions which align with regulations more recently passed such as MICA, GDPR and DORA.

·       Enhancements: where existing concepts such as strong customer authentication and open banking are being enhanced.

·       New provisions: where, for example, PSD2 is being updated to reflect changing technology and practices.

4.      … but there is devil in the detail

Lawyers will note changes in terminology in the new texts, some of which are semantic but others more significant, such as the interpretation of ‘explicit consent’ and its interaction with ‘permission’ in the context of data protection or the impact of the new definition of ‘authorisation’[3].  Many of the changes between the old and new text are blended into existing provisions. What this means is that implementation requires a close reading and analysis of the drafts.

Interpretation of the new rules is not straight forward, and we will also have to absorb further guidelines from the European Banking Authority during the implementation period. Close attention should be paid, for example, to data provisions, their interaction with GDPR and the new EU Data Act and note should also be taken of the incorporation of recent EU legislation including the Digital Operational Resilience Act and Markets Crypto-Assets Regulation, as well as the revised Settlement Finality Directive. Also noteworthy is the expanded grounds for withdrawal of authorisation in the Directive, which now includes a breach of money laundering obligations.

5.      The separate category of Electronic Money Institutions is being removed

Electronic Money Institutions will be incorporated into the wider category of payment service providers whereas they were formally a separate entity: the current Electronic Money Directive[4], introduced in 2009, is being repealed by PSD3. The reason is that there is already strong alignment between the regulations applying to electronic money institutions and payment institutions and that the two regimes have allowed regulatory arbitrage and an uneven playing field. A consequence of this is that electronic money institutions will now be subject to authorisation and supervision requirements which apply to payment institutions.

6.      Competition and innovation are being encouraged

The EU Commission explicitly calls out a lack of competition in the payments sector linked to imperfections such as different national applications of existing rules which favour payment services providers in their home member states over those providing cross border services. It has also highlighted continue challenges in non-bank service providers opening and maintaining accounts with credit institutions. Other changes driven by competition concerns include the transparent pricing, standardisation of termination fees, ending surcharging and transparency of charges by ATM providers. In the midst of technological innovation, the package also looks to improve the availability of cash.

Innovation is being supported particularly for open banking; for example, the principle that access to data should not be subject to a charge has been identified as important for both innovation and competition. Anti-fraud measures such as strong customer authorisation require continued innovation against changing threats, whilst the developments of tokenisation and payments through personalised devices has prompted the need to identify which of them are ‘payment instruments’ in scope for PSD3 and which are ‘payment applications’, namely the underlying technology.

7.      An application for reauthorisation will be required

Existing PSD2 payment institutions and electronic money institutions will need to apply for reauthorisation under Articles 44 and 45 of the Directive (unless they can already demonstrate compliance to competent authorities for automatic authorisation). There is some leeway given on the time to do this: those who have been authorised for at least 18 months as at the entry into force of the Directive will have 24 months after the date of entry into force to submit the application[5]. All information that enables the national competent authority to assess compliance with Title II (Licensing and Supervision) of the Directive will need to be submitted[6]. A new requirement is the presentation of a winding-up plan for each institution seeking authorisation.

Payment institutions benefiting from an existing exemption under Article 32 of PSD2 may be able to retain that benefit during the transition period, as may electronic money institutions benefitting from exemptions under Article 9 of the Electronic Money Directive.

8.      How will the UK respond to the EU’s changes?

The UK post-Brexit payment services regulations currently align to PSD2. Payment services changes are being considered in the UK government’s Payment Services Regulation Review and in 2024 the National Payments Vision was issued by HM Treasury, where the Chancellor signalled regulatory simplification, infrastructure modernisation and innovation[7]. The UK is aiming for a world leading and competitive payment system. It now falls to the Financial Conduct Authority and the Payment Services Regulator to present the detail behind the high-level aims, which will in turn show payment market participants areas of difference between the UK and the EU regimes. EU market participants might anticipate increased divergence between the two regimes, and in implementing PDS3 will need to keep a close eye on progress in the UK.

9.      What needs to be done?

As a first step, those in-scope need to understand the changes being made by the EU, albeit that we await the final text and the output of the European Banking Authority on technical details. However, there is sufficient material for an impact assessment to begin. The changes are legal, operational, technical and process related, prompting engagement with multiple stakeholders and generating a challenging to-do list.

The requirement to obtain a revised authorisation needs advanced planning, information gathering and anticipation of the regulator’s responses in a fixed time frame. Additionally, there will be changes to legal terms and conditions and contracts, data protection, technology, operations and security, including procedures and protocols. Finally, there may be commercial decisions to be made, as well as opportunities which arise from the new framework.

10. How can Temple Consulting help?

Temple Consulting is a consultancy of experts in EU and UK law and regulation. Our depth of knowledge and experience is such that we understand not only how our clients work but also their commercial objectives and imperatives, which invariably are budget and time sensitive. This is why each mandate necessarily is costed according both to the nature of the work to be undertaken, and your desired outcome as well as the time frame and budget within which delivery is required. We provide an experienced and trusted talent pool from which they select the best fit for each project. In relation to our talent pool, we partner with bankers, accountants and lawyers - only those with whom we have worked previously and successfully.

Keith Blizzard

Temple Consulting

Keith Blizzard has over 20 years’ experience in financial services and specialises in EU and UK law and regulation and has worked on many regulatory projects, helping clients finding the simplest route to compliance.

This article is not intended as, and should not be read as, legal advice.

Temple Consulting © 2025 Temple Consulting Limited

[1] PSD2 (2015/2366/EC) is being replaced by a combination of a new Payment Services Regulation (Proposal COD (2023) 0210) and a 3rd Payment Services Directive (Proposal COD (2023) 0209), which we refer to as the ‘Regulation’ and the ‘Directive’ respectively. The Electronic Money Directive (2009/110/EC) will also be repealed and the Settlement Finality Directive (98/26/EC) will be amended.

[2] 2023/0205 (COD) ‘FIDAR’. 

[3] “‘authorisation’ means a permission granted in a procedure where the payment service user authenticates a given transaction freely and with full knowledge of all relevant facts”, as added by the European Parliament.

[4] 2009/110/EC

[5] Or 30 months in total, allowing a further 6 months for the processing of the application.

[6] See Article 3 of the Directive.

[7] National Payments Vision - GOV.UK