PSD3 and the UK: Two Payments Regimes, One Direction of Travel

Bratby Law | PAYMENTS REGULATION

The European Parliament and Council reached provisional agreement on PSD3 and the Payment Services Regulation (PSR) on 27 November 2025, completing the most substantial overhaul of EU payments legislation since PSD2 came into force in 2018. The UK is not bound by either instrument. But for UK payment institutions, e-money firms and fintechs with EU-facing operations, the reforms matter. They also provide the clearest signal yet of where UK payments regulation is heading, even if it gets there by a different route.

What PSD3 and the PSR do

The EU has split its payments framework into two instruments. The PSR is a directly applicable regulation containing the operational rules for providing payment services: fraud liability, strong customer authentication (SCA), open banking access, transparency and fees. Because it is a regulation, it applies uniformly across all member states without transposition, eliminating the divergent national implementations that plagued PSD2. PSD3 is a directive dealing with licensing and prudential supervision, including the merger of the E-Money Directive (EMD2) into the payment institution framework. E-money institutions will be licensed as payment institutions going forward, and payment institutions will be able to issue e-money.

The key operational changes are in four areas.

First, fraud prevention and liability. Payment service providers must implement verification that the payee’s name matches the unique identifier (IBAN) before executing a transfer. Liability for authorised push payment (APP) fraud is formalised: PSPs that fail to implement adequate fraud prevention mechanisms, including scam warning systems, will be liable for covering customers’ losses. The PSR also creates a legal basis for PSPs to share fraud-related information with each other, including details of mule accounts and modus operandi patterns, within a GDPR-compliant framework.

Second, open banking. Account-servicing PSPs must provide dedicated, high-performing data access interfaces for authorised open banking providers. Discrimination against account information and payment initiation services is explicitly prohibited. Consumers will get a permissions dashboard to monitor and manage third-party access to their payment account data. These are the provisions that PSD2 promised but never fully delivered.

Third, SCA flexibility. The rigid SCA requirements under PSD2 are relaxed to allow risk-based approaches for low-value and low-risk transactions. The contactless payment exemption thresholds are updated. PSPs will have more discretion to apply transaction risk analysis to determine when SCA is required, provided they meet specified fraud rate benchmarks.

Fourth, cash access and payment system participation. Retailers can offer cash provision services without requiring a purchase. Payment institutions gain the right to access EU payment systems directly, with appropriate safeguards, reducing their dependency on banks for clearing and settlement.

The UK parallel

The UK retained its on-shored version of PSD2 (the Payment Services Regulations 2017 and Electronic Money Regulations 2011) after Brexit and is conducting its own review. The Payments Forward Plan, published in February 2026 by HM Treasury, the FCA, the Payment Systems Regulator (the UK’s PSR, not to be confused with the EU Payment Services Regulation) and the Bank of England, sets out a 2026-2028 regulatory roadmap that covers much of the same ground as PSD3, though the legislative mechanism is different.

On fraud liability, the UK is ahead. The Payment Systems Regulator’s APP fraud reimbursement requirement has been in force since October 2024, with 88% of in-scope losses returned to victims. The FCA has made clear that firms will be in breach of the Consumer Duty where consumers fall victim to APP fraud because of inadequate detection or warning systems. PSD3 is catching up to where the UK already is.

On open banking, the UK is taking a commercial rather than legislative approach. The first live commercial variable recurring payments (cVRPs) under the UK Payments Initiative scheme are expected in Q1 2026, with a statutory instrument for open banking anticipated in Q4 2026. The FCA will consult on a long-term regulatory framework in parallel. The EU’s approach under PSD3 is more prescriptive on interface quality and anti-discrimination, but the UK model, if it works, may prove more adaptable.

On safeguarding, the UK has moved first. The FCA’s supplementary safeguarding regime (PS25/12) takes effect on 7 May 2026, introducing a named senior manager, daily reconciliations, annual audits and monthly FCA returns. Once HM Treasury revokes the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs), a statutory trust framework will replace the current safeguarding model. PSD3 maintains a safeguarding regime closer to the existing EU model.

On institutional structure, the UK is consolidating the Payment Systems Regulator into the FCA. The Treasury consultation response is expected in Q1 2026, with primary legislation required to implement. This is a domestic choice with no EU equivalent, driven by the government’s objective to reduce regulatory duplication.

What this means for firms

Firms operating across both jurisdictions face the practical reality of two regimes heading in the same direction at different speeds and through different legislative instruments. The substantive standards on fraud liability, SCA flexibility and open banking access are converging. The structural and procedural differences, including licensing categories, prudential requirements and supervisory architecture, are diverging.

For UK-authorised payment institutions and e-money firms with EU clients or operations, PSD3’s merger of the PI and EMI licensing frameworks will require re-authorisation in the relevant member state. The 18-month implementation period from publication in the Official Journal (expected Q2 2026) gives firms until late 2027 to comply. UK firms relying on passporting alternatives or agent arrangements in the EU should assess their position now.

For fintechs building products across both markets, the convergence on fraud prevention, open banking and SCA creates opportunities for common compliance frameworks, but the regulatory detail will differ. Product teams will need jurisdiction-specific legal advice, not generic “payments compliance” guidance.

Viewpoint

PSD3 is not a revolution. It is a necessary repair of PSD2’s shortcomings, particularly on fraud liability and open banking delivery. The more interesting development, from a UK perspective, is the extent to which the Payments Forward Plan and PSD3 are converging on the same policy objectives through different legislative routes. I see this convergence playing out in real time: the cVRP framework, the safeguarding reforms and the APP fraud reimbursement regime all address the same challenges that PSD3 is designed to solve in the EU. The question for firms is not whether the rules will align, but how to manage compliance across two frameworks that are similar enough to create false confidence and different enough to create real risk.

Links

European Parliament: Payment services deal announcement

Council of the EU: Payment services agreement, 27 November 2025

Payment Services Regulations 2017

Electronic Money Regulations 2011
