PSD3/PSR: What the EU's new payments rules mean for your business

The most fundamental change is architectural. PSD2 was designed as a Directive, requiring transposition into national law across all Member States – a process that generated divergence in the rules applicable in different jurisdictions. The new framework separates the subject matter into two legal instruments: 

• PSD3 which, as a Directive, governs especially organisational rules centred around the authorisation, governance, capital, safeguarding, and supervision of payment institutions.
• PSR, which focuses, among others, on conduct of business rules, including customer information, authorisation and execution of payment transactions, strong customer authentication, liability, and open banking. Critically, the PSR takes the form of a Regulation and will therefore apply directly and uniformly across all Member States without the need for national transposition. 

For firms operating on a cross-border basis, this represents a significant step towards a genuinely harmonised single market in payment services.

• PSD3 merges the e-money institution regime, previously governed by the separate E-Money Directive (Directive 2009/110/EC), into a single payment institution framework. Payment institutions can be authorised for the service of e-money issuance, in which case specific rules apply.
• A new registration category is introduced for ATM deployers operating without payment accounts.
• Account information service providers (AISPs), currently required only to register, will benefit from passporting rights, enabling cross-border provision of services on the basis of a single home-state registration.
• The overlap with crypto-asset regulation is addressed: issuers of e-money tokens under MiCA (Regulation (EU) 2023/1114) will be not required to obtain separate PSD3 authorisation if already authorised as crypto-asset service providers, unless they also provide payment services. Streamlined application procedures apply for MiCA-authorised entities applying for payment services authorisation. The provision of ‘payment services’ may include services in relation to e-money tokens, whose dual nature as crypto-assets and funds may result in certain services being considered as both, a crypto-asset service under MiCA and a payment service under PSR (see our previous blog post for further details). 

Several of the exclusions from the scope of PSD2 have been clarified or narrowed. 

• Most notably, the commercial agent exclusion, which exempts agents acting on behalf of payers or payees from payment services regulation, is now expressly limited to agents acting for one side of the transaction only. Commercial agents must be given a real scope to negotiate with the payer or payee or conclude the sale or purchase of goods or services. E-commerce platforms that act as agents for both buyers and sellers are explicitly excluded from relying on this exception, closing a gap that had been applied inconsistently across Member States.
• The limited network exclusion for specific-purpose instruments (such as fuel cards, meal vouchers, and store cards) is retained but clarified, with the geographical location and number of the points of acceptance to be considered.
• The telecom micro-payment exclusion is similarly retained but restricted to operators with a direct contractual relationship with the subscriber, subject to per-transaction and cumulative limits.
• Buy Now Pay Later arrangements are expressly confirmed as consumer credit products due to their lending nature rather than payment services. However, providers remain subject to PSD3/PSR if they offer (additionally) any payment services.
• Cash from shops gets a clearer framework. Retailers can provide cash to customers even in the absence of a purchase by a customer, without having to apply for a payment institution license, subject to certain customer information and authentication requirements and withdrawal limits. 

The PSR introduces several materially new liability provisions, the most significant of which concern fraud.

• The refund obligation for unauthorised transactions is retained, with a modified procedure permitting the payer’s payment service provider (PSP) to defer refund for up to 15 business days where there are objectively justified suspicions of payer fraud, subject to a written explanation and subsequent investigation.
• Impersonation fraud is addressed for the first time. Where a consumer is manipulated into authorising a payment by a fraudster impersonating the consumer’s PSP through the PSP's own communication channels, the PSP is now required to refund the consumer in full, provided the consumer notifies the PSP and police authorities without undue delay. The burden of proof rests on the PSP to demonstrate consumer fraud or gross negligence, which excludes liability.
• Payee name verification is introduced as a mandatory obligation for all credit transfers. PSPs must verify that the payee's name matches the payment account identifier supplied by the payer before executing a credit transfer. Failure to do so, where it results in a misdirected payment, triggers a direct refund obligation.
• A new direct liability regime applies to operators of payment schemes and technical service providers that either provide services to the payee or to a PSP, for example, in delivering strong customer authentication (SCA) (see below) and other technical functions. Where their failure causes direct financial damage, they may be held liable with certain limitations. 

Specific liability rules for significant market players providing technical services were discussed in the trilogues but ultimately not introduced, except for a right of recourse for PSPs against hosting service providers where they store illegal content and this gives rise to unauthorised or fraudulently authorised payment transactions (in which case the hosting provider must compensate the PSP for losses).

However, the PSR will introduce specific conduct obligations for very large online platforms (VLOP) and very large online search engines (VLOSE) (as defined under the Digital Services Act) and electronic communication service providers where they are involved in the presentation, distribution or provision of payment services or payment instruments. Further, VLOP and VLOSE will be subject to direct supervision and enforcement by the European Commission also in respect of their obligations under the PSR, a notable extension of the Digital Services Act’s supervisory architecture to reflect the growing role of such players in the payment ecosystem.

Cross-sectoral cooperation and information sharing arrangements with PSPs will also be required. 

The scope of SCA is clarified and expanded, with the list of triggers now expressly including actions such as the creation or replacement of tokenised payment instruments, changes to spending limits, and amendments to contact details. The core exemptions available under PSD2, including low-value transactions, merchant-initiated transactions, and risk-based transaction monitoring, are retained and refined, with the EBA continuing to develop the relevant regulatory technical standards.

Two notable additions deserve attention. 

• First, the PSR permits SCA based on two inherence elements (for example, two biometric factors) in place of the standard requirement for elements drawn from two separate categories, provided the independence of those elements can be demonstrated to the satisfaction of the competent authority.
• Second, and of particular significance from a consumer protection standpoint, PSPs are now required to offer multiple SCA means free of charge, adapted to the needs of consumers with disabilities, limited digital skills, or no access to a smartphone. No SCA method may be made dependent on a single device or technology unless agreed by the user. This represents a noteworthy extension of the accessibility obligations applicable under PSD2.

The architecture of PSD2's open banking regime, requiring account-servicing payment service providers (ASPSPs) to offer a dedicated interface for PISPs and AISPs, is broadly retained. 

• PSR provides clearer rules on what constitutes account information services and payment initiation services. This builds on PSD2's definitions but provides greater operational clarity.
• The rules governing data access are clarified, including a requirement that AISPs re-authenticate consumers every 180 days to keep consent current.
• Banks that seek to restrict third-party access to payment accounts must provide specific, documented justification – a stricter standard than applied in practice under PSD2.