Internal Audit

From PSD2 to PSD3: Strengthening Europe’s Payments Framework

February 11, 2026
|
3 minute read

The EU is preparing to introduce the Third Payment Services Directive (PSD3), marking the next major evolution in how payment services are regulated across the Single Market. Together with the accompanying Payment Services Regulation (PSR), PSD3 is intended to modernise Europe’s payments rulebook, reflecting both rapid technological change and a number of gaps that became apparent under the current PSD2 framework. A final political agreement is expected in early 2026, after which Member States will begin transposing the directive into national law. In practice, full compliance for banks, fintechs, and payment service providers is likely to stretch into 2027 or possibly beyond, depending on the final timelines and transition periods agreed at EU level.

When PSD2 was first introduced, it was widely seen as a landmark reform. It opened up access to banking data through APIs, strengthened consumer protections, and introduced Strong Customer Authentication (SCA) to help combat fraud. Over time, however, the payments landscape evolved faster than the regulation. Differences in how PSD2 was implemented across Member States led to fragmentation, fraud techniques became more sophisticated, and open banking adoption proved slower and more uneven than originally expected.

PSD3 is designed to tackle these challenges head-on. Its implementation focuses on improving consumer protection, encouraging greater competition, and harmonising rules across the EU. Key changes include:

  • Enhanced fraud prevention measures (most notably mandatory verification of payee checks for credit transfers);
  • Improved transparency for cross-border payments, and
  • Clearer, more consistent cybersecurity requirements.

The new framework also aims to give open banking a further boost by clarifying data access and consent rules, while allowing non-bank payment institutions better access to core payment systems traditionally reserved for banks. In addition, bringing e-money institutions and payment institutions under a single licensing framework should help reduce regulatory arbitrage and simplify compliance.

Overall, PSD3 represents a forward-looking attempt to future-proof Europe’s payments ecosystem, striking a balance between innovation, competition, and security in an increasingly digital economy. For licensed entities, this will mean seeking re-authorisation under the new regime, which is expected to be a complex and resource-intensive process that will require significant investment from both firms and regulators alike.

Our Authors

Mark Wirth
Partner
Mark Wirth
Partner

Continue Reading

Internal Audit
Articles
Jan 6, 2026
|
4 minute read
One year of MiCA: The Evolving Landscape of EU Crypto-Asset Regulation
On 30 December 2024, the Markets in Crypto-Assets Regulation (MiCA) entered into full force across the European Union, marking a pivotal moment for the crypto-asset industry and ushering in a new era of regulatory harmonisation.
by
Internal Audit
Articles
Jul 21, 2025
|
3 minutes read
The Four Eyes Principle in Sanctions Monitoring: An Internal Audit Perspective
In a complex regulatory landscape, companies must remain vigilant in preventing transactions and relations with sanctioned individuals, suppliers, entities or jurisdictions. A weakness or failure in this area can lead to severe consequences, including fines, regulatory penalties, breach in compliance, revocation of licenses, and reputational harm.
by

Register for From Funds to FinTech: The VAT Implications of Evolving Financial Services Models