Safer, more competitive and more innovative: the European payments market is on the brink of a significant update to its regulatory framework. On 27 November 2025, the Council of the European Union and the European Parliament reached a provisional agreement on the two-part successor to the key retail payments directive PSD2: the new Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3).
Although the final texts have not yet been published, a press release already offers a preview: the EU is focusing on further reducing fraud, increasing transparency, strengthening consumer protection and stimulating innovation.
This agreement signals upcoming changes and opportunities for banks, payment service providers, large online platforms and consumers alike. What should the market be preparing for?
The new regulation (PSR) focuses on tackling common emerging forms of fraud, in particular payment fraud where the victim authorises the payment to the fraudster themselves, also known as authorised push payment (APP) fraud. The press release explicitly mentions spoofing—where the fraudster impersonates a payment service provider (for example, posing as a bank helpdesk employee)—as a key area of concern.
Payment service providers can expect new obligations and responsibilities, particularly in relation to fraud prevention and compensation. Under the current legislation (PSD2), payment service providers are not obliged to reimburse victims of APP fraud. In the Netherlands, however, a goodwill scheme has been in place since 2021 under which the four major Dutch banks fully compensate victims of bank helpdesk fraud, subject to certain conditions. According to the latest draft proposals for the PSR, damage suffered by consumers as a result of spoofing must be reimbursed within fifteen (15) working days, unless the payment service provider can demonstrate that the consumer acted with gross negligence or was themselves involved in the fraud. Once the final text is published, it will become clear whether this protection will indeed apply and whether it will also extend to non-bank payment service providers.
From a prevention perspective, the IBAN name–number check (Verification of the Payee, VoP), which has already been mandatory for SEPA instant payments in euros since October 2025 under the Instant Payments Regulation, will be extended to other types of transfers (such as SEPA credit transfers). In addition, payment service providers will be required to share information on fraud with one another. Where a payment service provider has failed to implement these preventive measures, or has done so inadequately, it will be liable for the damage suffered by the consumer.
The press release also introduces new obligations for a notable group of non-payment service providers: very large online platforms and search engines such as Google will no longer be permitted to display advertisements for payment providers operating in countries where they offer payment services without a licence or exemption. Remarkably, this obligation did not appear in earlier proposals for PSD3 and PSR. A payment service provider (or its advertiser) wishing to promote its services via such a platform will need to demonstrate that it holds a licence, exemption or exception. How this will be implemented in practice remains to be seen in the official texts. It does, however, suggest that it will become more difficult for payment providers without local authorisation to achieve prominent sponsored placement in search results.
Consumers must be better informed about costs prior to completing a transaction at a payment terminal or cash machine. Information on, for example, withdrawal fees or currency conversion costs must be clearly displayed before the transaction is authorised.
The press release also indicates that access to cash must be improved in non-urban areas. As part of this, PSD3 and PSR encourage retailers—without making it mandatory—to offer consumers the option to withdraw cash at the till without making a purchase, up to a maximum of €150 and a minimum of €100. To combat fraud, a combination of a payment card and PIN will be required, ensuring that withdrawals cannot be made contactlessly without entering a PIN.
Retailers will also be required to ensure that the name appearing on bank statements matches the trade name they use, in order to avoid confusion among consumers.
The negotiators have agreed to lower market barriers for open banking services (account information services and payment initiation services) and to prevent account-servicing payment service providers (usually banks) from discriminating against them. Licensed open banking providers should gain improved access to payment account data. The PSR proposals include a list of prohibited obstacles to data access imposed by ASPSPs. In practice, open banking providers still face many unnecessary technical barriers to accessing banks’ payment data, such as non-uniform API connections, cumbersome authentication procedures and poor data formats. These issues hinder the smooth provision of services to customers who have authorised open banking providers to retrieve their payment data or initiate payments on their behalf. The proposals aim to remove such obstacles, enabling open banking providers to compete more effectively with banks.
Naturally, not all topics from the earlier draft proposals for PSD3 and PSR are mentioned in the press release. However, several notable issues are absent from the announcement, some of which were previously presented as key priorities. For example, there is no mention of improving payment institutions’ ability to open safeguarding accounts for third-party funds, further restricting exemptions that allow payment services to be provided without a licence, or implementing more accessible strong customer authentication procedures for people with disabilities. This does not necessarily mean that these topics will not reappear in the final text. It is likely that the European Commission has chosen to focus this press release more on the impact of the new legislation on European consumers. Meanwhile, payment companies—licensed or otherwise—are eagerly awaiting clarity on what the final texts will mean for their opportunities and obligations. Although the outcome is not yet certain, this wait will likely be rewarded in Q1 2026, when the adopted texts are expected to be published in the Official Journal of the European Union.
Curious about the impact of PSD3 and PSR on your payment business? Call or email us for an informal introductory discussion. Of course, we will also keep you informed of the latest developments via our newsletter
