
PSD3 and PSR on the home stretch


Authors: Birgit Meisinger and Leonie Müller

On November 27th, 2025, the European Parliament and the Council reached a fundamental political agreement on the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3). The regulations cover the entire operational spectrum of payment transactions – from fraud prevention through Open Banking to cash supply – and represent a further development and refinement of the existing framework. The publication of the two legal acts is expected in the coming months.

Key innovations

The currently proposed drafts follow a clear division of responsibilities: As an EU regulation, the PSR governs the substantive rules of conduct and obligations for all payment service providers – that is, all operational requirements regarding fraud prevention, transparency, Open Banking, and customer protection. The PSD3, by contrast, governs the institutional side as a directive – in particular, the licensing and supervision of payment institutions.

Subject to the review of the final texts, essential aspects can already be gleaned from the Commission’s proposal for the PSR and PSD3 as well as the respective responses from the Parliament or the press releases of the Council:

1. Enhanced fraud prevention and consumer protection

The PSR introduces a comprehensive system of obligations for combating fraud, which goes significantly beyond the previous requirements of PSD2:

  • Expanded transaction monitoring: Payment service providers must implement risk-based real-time transaction monitoring, based on the analysis of previous payment transactions, including checks against known fraud scenarios, compromised authentication elements, and anomalous usage behavior. Additionally, the European Banking Authority (EBA) is tasked with setting up a dedicated IT platform for the exchange of fraud-related information among payment service providers.
  • Verification of payee: Before each transfer, the consistency of the payee’s name and IBAN must be checked (similar to what is already provided by the Instant Payment Regulation). In the event of discrepancies, the payment must be rejected and the payer informed.
  • Spoofing reimbursement: In cases of identity fraud (spoofing), where a fraudster impersonates an employee of a payment service provider, the provider must reimburse the full amount, provided the customer reports the fraud to the police and informs their payment service provider. An exception exists in cases of gross negligence by the customer, with the burden of proof lying with the payment service provider.
  • Limits and blocking functions: Payment service providers must offer their customers spending limits and blocking features, which the customer can adjust individually.
  • Liability of online platforms: Large online platforms are liable to payment service providers for reimbursed damages if they were informed of fraudulent content and failed to remove it – building on the obligations under the Digital Services Act.
  • Human customer support: Users must have access to human customer support – chatbots alone do not meet the requirements.

2. Greater transparency and improved access to cash

  • Fee transparency at ATMs: Customers must be fully informed of all applicable fees and exchange rates (as well as any associated surcharges) before each transaction.
  • Cash withdrawals without purchase: Retailers may voluntarily offer cash withdrawals of up to EUR 150 even without a purchase to improve access to cash, particularly in rural areas.

3. Open banking and competition

  • Dashboard: Account-holding payment service providers must provide an integrated dashboard on the user interface through which customers can monitor, manage, and revoke the access permissions they have granted for their data free of charge.
  • Non-discriminatory account access: Banks must grant payment institutions access to payment accounts on a non-discriminatory basis. A list of prohibited barriers to data access will be enshrined in law.
  • FRAND access to mobile devices: Mobile device manufacturers must enable front-end service providers to store and transmit data for payment transactions on fair, reasonable, and non-discriminatory (FRAND) terms.

4. Simplified authorization

  • The authorization procedure for payment institutions will be simplified; the initial capital will be risk-adjusted and linked to the type of payment services provided. Crypto-asset service providers that are already authorized under the MiCA Regulation will undergo a simplified procedure.

Sanctions

The PSR provides for a stricter sanctions regime:

  • Member states must provide for effective, proportionate, and dissuasive administrative sanctions and measures for breaches of the PSR. For specific core violations – particularly those related to account access, secure data access arrangements, fraud prevention mechanisms including strong customer authentication, and ATM fee transparency – severe sanctions are envisaged. For legal entities, administrative fines of at least 7.5%–10% of annual turnover or at least twice the profit generated by the violation are under consideration. In addition, public notices, cease and desist orders, and temporary bans on conducting business for executives may be imposed.
  • Furthermore, competent authorities may impose periodic penalty payments for ongoing violations (up to six months).
  • The publication of all sanction decisions on the websites of the competent authorities is planned and is intended to have an additional deterrent effect.

Next steps

The final details are currently being worked out. The legislative acts are expected to be adopted by the European Parliament and the Council and subsequently published in the coming months. After that, those affected will likely have 18 months (this period is still under discussion) to implement the changes: The PSR is expected to apply as an EU regulation from the end of 2027 or beginning of 2028, while the PSD3 (as a directive) will need to be implemented nationally by that time. Existing authorizations under PSD2 will provisionally continue, likely for up to 30 months after entry into force; however, within this period, a timely application for reauthorization must be submitted.

It is therefore already advisable to use the year 2026 as a preparation phase to review the regulatory requirements in detail and identify areas for action.

Disclaimer

This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.

Authors:

Birgit Meisinger

Attorney-at-Law

Leonie Müller

Attorney-at-Law

29 April 2026