Authors: Gaby Zammit, Lara Savona - WH Partners
On 24 April 2026, the Council of the EU published final compromise texts of the legislative proposals for a Third Payment Services Directive (PSD3) and Payment Services Regulation (PSR). The release of the final texts provides much-needed clarity on the future EU payments framework marking a major step toward a more harmonised, transparent and crypto-‑aware regime for payment services.
The package centres on the proposed PSD3, which is intended to repeal and replace the current Payment Services Directive (PSD2), together with linked adjustments to PSR provisions. It moves many conduct-of-business rules into a directly applicable Regulation, aligns electronic‑money and payment conduct rules, narrows scope exclusions, and introduces new measures on cash access, currency-conversion disclosure, strong customer authentication, fraud liability, and crypto-related payment activities.
What changes and why it matters
The compromise seeks to address long-standing fragmentation in EU payments law that arose under PSD2, where varying national transpositions of Directive-level rules undermined the single market’s consistency. PSD3 is designed to repeal PSD2 in its entirety rather than merely amend it, reflecting the legislature’s view that incremental reform is insufficient. By migrating many conduct rules into the directly applicable PSR, the Council aims to eliminate interpretation gaps and enforce a consistent baseline of consumer protections and transparency across Member States. Meanwhile, authorisation, prudential requirements and supervisory structures will remain subject to Directive-format measures so that Member States retain flexibility on institutional and structural rules.
The text also recognises the blurring of lines between traditional payment services and electronic money activities. To reflect market realities and close regulatory loopholes, the compromise aligns conduct obligations for electronic money institutions and payment institutions while preserving their distinct licensing and capital regimes.
Key provisions: Practical and Legal effects
Aligning e‑money and payment rules
Recognising the operational convergence between electronic money services and traditional payment services, the compromise text brings conduct obligations for e‑money institutions closer to PSD3’s framework where relevant. Electronic money concepts, including electronic‑money tokens, are expressly referenced when they intersect with consumer-facing conduct rules. The approach aims to close regulatory arbitrage while preserving separate licensing and capital regimes for e‑money issuers.
Tighter scope exclusions and European Banking Authority (EBA) guidance
The compromise text narrows and clarifies exclusions that previously allowed some providers to operate outside the payment rulebook. The commercial‑agent exclusion is tightened to prevent platforms and intermediaries from evading PSP obligations. The ‘specific‑purpose instrument’ exemption is constrained to prevent large-scale or consumer-facing services from sidestepping protections. The EBA is tasked with issuing guidance to promote consistent interpretation across the Single Market.
Cash access, ATMs and retail cash‑in
Improving access to cash is an EU-wide priority reflected in the compromise text. Retailers may provide voluntary cash‑in and cash‑out services without full payment-service authorisation if they meet transparency obligations, notably disclosing any fees to consumers before the transaction. The regulatory treatment of ATM deployers has been clarified: some categories will be subject to registration rather than full authorisation, with mandatory upfront disclosure when third parties or deployers charge withdrawal fees. The changes aim to preserve consumer access to cash while avoiding undue licensing burdens for merchants.
Crypto‑assets and e‑money tokens
The compromise text expressly addresses how crypto-related transfers and e‑money tokens fit within the payment rulebook. Transfers involving e-money tokens and certain crypto-related payment activities may fall under PSD3 if they serve a payment function. Payment institutions will be permitted to offer crypto‑asset services linked to e‑money tokens under specified conditions and notification procedures. Importantly, the text seeks to avoid duplicative or disproportionate obligations for crypto firms already regulated under EU crypto rules (MiCA), envisaging coordination to prevent overlap while ensuring that core consumer protections apply to crypto-linked payment services.
Transparency, currency conversion and virtual IBANs
Consumer transparency is a key focus. The compromise text strengthens currency conversion disclosure: providers must state conversion costs both as a monetary amount and as a percentage mark-up over an aggregated mid-market rate, improving comparability for cross-border transactions. The PSR also recognises virtual IBANs as valid payment account identifiers for transfers and reconciliation, facilitating modern banking operations while imposing safeguards to reduce misuse.
Operational and notification duties
Operational resilience, security and reporting obligations are preserved and sharpened. Providers will face enhanced record-keeping, incident reporting, and notification duties, including specific notifications tied to crypto-related services involving e-money tokens. The EBA will develop technical standards and guidelines to harmonise the implementation of these operational provisions.
Open banking and third-party provider access
The compromise text refines the framework for third-party provider access, one of PSD2’s most consequential innovations. Account information service providers (AISPs) and payment initiation service providers (PISPs) retain their right to access payment accounts held by other providers, but the text introduces clearer technical and contractual parameters governing that access. Account-servicing payment service providers (ASPSPs) are subject to more specific obligations regarding the quality and reliability of dedicated interfaces, and the EBA is mandated to develop technical standards on interface performance, uptime and fallback mechanisms. The aim is to move beyond the friction that characterised PSD2’s open banking implementation and to establish a more predictable operating environment for both incumbents and challengers.
Strong Customer Authentication
The compromise text updates the Strong Customer Authentication (SCA) framework that has been one of the most operationally significant, and contested, elements of PSD2. The core requirement for multi-factor authentication is preserved, but the text provides greater clarity on the application of exemptions, including transaction-risk analysis, trusted beneficiary listings and low-value payment thresholds. Delegated authentication arrangements, whereby a merchant or third-party provider applies SCA on behalf of the issuer, are given an express legal basis subject to contractual and liability safeguards. The EBA is tasked with updating its regulatory technical standards on SCA to reflect technological developments, including biometric and device-based authentication methods, and to promote a more consistent application of exemptions across the Single Market.
Liability for unauthorised transactions and fraud
The compromise text addresses liability allocation for unauthorised and fraudulent transactions, an area of growing policy concern given the rise of authorised push payment (APP) fraud and social-engineering scams. The existing liability framework, under which the payer’s provider generally bears the loss for unauthorised transactions unless the payer acted with gross negligence or fraud, is retained in substance but supplemented with new provisions. Providers are required to implement real-time fraud-detection mechanisms and to warn consumers of suspected fraud before execution. Where a payee’s provider has failed to apply adequate fraud-prevention measures, the compromise contemplates a liability-sharing mechanism between the payer’s and the payee’s providers, reflecting the principle that both sides of a transaction bear responsibility for fraud prevention. The detailed calibration of these provisions is expected to be a focal point in trilogue negotiations.
Supervision, enforcement and penalties
The compromise text strengthens the supervisory and enforcement architecture underpinning the payments framework. National competent authorities are granted enhanced investigatory and sanctioning powers, including the ability to impose administrative fines calibrated to the seriousness and duration of the infringement. The text introduces minimum harmonisation of penalty levels to reduce the enforcement disparities that emerged under PSD2, where sanctions varied significantly across Member States. The EBA’s coordination role is reinforced, with new mandates for supervisory convergence, peer reviews and the development of common supervisory methodologies. Cross-border cooperation mechanisms are updated to facilitate information sharing between home and host supervisors, particularly for payment institutions operating under passporting arrangements.
Interaction with the Instant Payments Regulation
The compromise text must be read alongside the recently adopted Instant Payments Regulation, which amends the SEPA Regulation to require all EU payment service providers to offer instant credit transfers in euro at charges no higher than those for standard transfers. The PSD3/PSR package and the Instant Payments Regulation are complementary: the latter mandates the availability and pricing of instant transfers, while the former governs the broader conduct, transparency and authorisation framework within which those transfers take place. Providers will need to ensure that their compliance programmes address both instruments in an integrated manner, particularly with respect to fraud-screening obligations, which must be performed in real time without delaying the ten-second execution window mandated for instant transfers.
Market impact
Banks and established PSPs will encounter more consistent conduct rules across the Single Market, requiring updates to disclosures, contracts, and internal processes. Harmonisation should reduce legal uncertainty but raise compliance standards for transparency and operational resilience. Fintech operators and third‑party providers face clearer perimeter rules for open banking and reduced scope for evasive interpretations of exclusions. Those offering crypto-linked payment services gain a regulated pathway but must meet consumer protection obligations. Merchants gain clearer options to provide in‑store cash services, but must comply with fee‑disclosure and registration requirements where applicable.
Next steps and implications
Banks and established PSPs will encounter more consistent conduct rules across the Single Market, requiring updates to disclosures, contracts, SCA implementations, and internal processes. Harmonisation should reduce legal uncertainty but raises compliance standards on transparency, fraud prevention and operational resilience. The new liability-sharing provisions for APP fraud will require payee-side providers to invest in fraud-detection capabilities, a significant operational shift. Of course, one question that remains is, what will happen when EU-licensed providers interact with non-EU-licensed providers?
Fintech operators and third-party providers face clearer perimeter rules for open banking, improved interface access standards, and reduced scope for evasive interpretations of exclusions, but must also adapt to updated SCA delegation requirements. Those offering crypto-linked payment services gain a regulated pathway but must meet consumer-protection obligations and navigate the interface between PSD3 and MiCA. Merchants gain clearer options for providing in-store cash services but must comply with fee disclosure and registration requirements where applicable. All providers must account for the parallel obligations under the Instant Payments Regulation when designing compliance frameworks.
The Council’s final compromise text is a significant milestone, but not the final step. The text will enter trilogue negotiations with the European Parliament, which is expected to push for stronger consumer protections, particularly on APP fraud liability allocation, SCA exemption thresholds, and the scope of open banking access rights. Parliament may also seek to tighten the conditions under which crypto-asset service providers can offer payment services, and to expand the EBA’s supervisory coordination mandate. If adopted, the PSR will apply directly across all Member States following a transitional period, while PSD3’s Directive-level provisions on authorisation, prudential requirements and supervisory powers will require national transposition, a process that, based on PSD2 experience, risks renewed divergence in implementation. Key elements to watch include the EBA’s development of technical standards on SCA, interface access and fraud prevention; the practical interaction between PSD3/PSR and MiCA for dual-regulated entities; the alignment of fraud-screening obligations with the Instant Payments Regulation’s real-time execution requirements; and the timeline for Member State transposition, which is unlikely to be completed before 2028 at the earliest.