What PSD3 means for banks, fintechs, and small businesses

The third installment of the EU’s Payment Services Directive is fast approaching, expected to come into force in the next 18 months.

Described as “an evolution, not a revolution,” the newest version promises to build on existing regulations— generally viewed as successful. Nevertheless, it’s a critical consideration for banks and financial services providers, who need to be ready. 

Likely changes include: 

• Further emphasis on open banking and financial data sharing
• More protections for consumers, particularly around fraud
• Initiatives to promote competitiveness between banks and non-banks

This article details the most likely new rules, the history of PSD regulations, and what this all means for banks and fintechs, especially.

What is PSD3?

PSD3 stands for Payment Services Directive 3, a set of rules governing payment service providers in the EU. It protects consumers’ data and rights, and enables the open banking environment in which payments and financial services operate in Europe. 

Alongside PSD3, the EU is also due to introduce the Payment Services Regulation (PSR). PSR is essentially PSD2. The previous directive was seen as successful, and the EU has chosen to make it law across the Union. 

Directive vs regulation

The EU has two broad formats for legislative change: 

• Directives are guidelines for member states to follow when they create their own laws and regulations.
  
  
• Regulations are enforceable laws that automatically apply to all member states once passed. 

PSD3 is a directive. This set of guidelines isn’t automatically law at the state level, but members will be expected to follow it when setting their own rules. This lets member states test the new rules domestically and report back, before they’re made law at the EU level. 

A brief history of PSD directives

PSD1 (2009)

The first Payment Services Directive aimed to create a single retail payments market across Europe, to make cross-border payments easier and more secure. Sending payments between member states became as simple as executing payments within them. 

Crucially, PSD1 created a new category of service providers called “payment institutions” also known as “payment services providers” (PSPs). This designation formally allowed non-bank institutions to provide payment services, and set out the conditions in which they could do this. 

Before this point, companies and consumers were largely limited to the products banks provided. New entrants could now join the market, and specialized services began to appear.

PSD1 introduced two other important changes: 

• Service providers had to be more transparent about their fees, exchange rates, and the time certain actions would take.
  
  
• The SEPA infrastructure was accelerated, making intra-European payments faster. 

This laid the groundwork for payment innovation in the EU, and birthed a range of new fintechs. 

PSD2 (2018)

PSD2 updated and consolidated PSD1, with additional focus on more open data sharing and third party actions. It did this by introducing two new classes of service providers: 

• Account Information Service Provider (AISP): These third parties can consolidate and communicate bank account data in a read-only way. This could include business intelligence tools or budgeting software, for example.
  
  
• Payment Initiation Service Providers (PISP): PISPs can initiate payments to and from bank accounts on behalf of a person or business. An example might be a payroll software you use to pay employees. The funds live in your business bank account, but you can schedule payments directly through this HR tool. 

Because financial data would now be open and shared more widely, PSD2 also mandated increased security and strong customer authentication

These key changes essentially created “open banking” in Europe. Private and corporate users can now complete a range of banking tasks without actually logging into or visiting their bank.

And we’ve seen an extraordinary number of promising and successful fintech businesses innovate in this space. 

PSD3 & PSR (2026?)

PSD3 builds on the already successful elements of PSD2, with a few key focal points for this iteration: 

• Fraud protections: PSPs will need to verify that IBANs match the identified user for credit transfers across Europe.
  
  
• Easier access to bank services for PSPs: Banks will have to give clear reasons if they decline to give PSPs access to their services. This essentially makes banking more open, and creates additional connections between all forms of providers.
  
  
• More refund opportunities for consumers. Customers who fall victim to scams or who are inaccurately flagged as risky may be entitled to refunds. 

As noted above, PSR will codify most of the existing PSD2 directive into regulation, meaning that these rules will now be EU law. 

PSD3 and PSR are expected to be finalized in 2025, and likely take effect in 2026.

PSD3 for banks: even more open banking

The biggest impacts of PSD3 will likely come from increased data access and sharing. Many of the regulatory changes fall on banks, to encourage them to let new fintech players in. 

These changes include: 

• PISPs and AISPs will be allowed to build and connect their own interfaces to banks and other financial institutions.
  
  
• Banks will need to provide additional information about their APIs and performance, so that third parties can easily choose which institutions to partner with.
  
  
• Banks will also need to ensure (and prove) that their services remain available. In some cases, businesses will be able to recoup damages caused by bank failures.
  
  
• If banks choose not to grant access to their services, the onus is on them to explain this decision. 

Some of the further changes will have a more limited impact on banks. It’s the newer players expanding their financial services and accessing more data who’ll have to adapt. 

PSD3 for fintechs and marketplaces: more diligence around fraud

As access to the financial system increases, so too do the potential fraud risks. Banks are already highly regulated and have robust systems in place to combat fraud. But new obligations will exist for PSPs and third parties to make sure they’re verifying identities adequately and onboarding trustworthy clients. 

In short, more parties will have to implement Strong Customer Authentication (SCA) practices. Providers will also need to educate clients on fraud risks, particularly where users are tricked into making unwanted or illegal payments. This education is already common for banks, and will soon need to be undertaken by a wider group of providers.

Perhaps most significantly, PSPs will be liable for failing to take actions against fraud.

Who this applies to

This includes those fintech platforms that partly fulfill banking roles: cash and spend management tools for example.

It will also apply to marketplaces that were previously able to claim to be mere “commercial agents”—facilitating payments without actually providing them. PSD3 has tightened the definition here and now marketplaces and the payments providers they’re built on will be covered. 

How banks should prepare for PSD3

As noted above, PSD3 is an incremental change and not a wholesale rewrite of the existing rules. So banks shouldn’t brace themselves for huge upheaval. 

But the current PSD3 proposals are a clear signifier of what European regulators want to see from the sector: 

1. Continued emphasis on consumer protections; and
2. More innovation, more competition, and more collaboration

Banks already take fraud and phishing incredibly seriously, and the new changes are unlikely to cause disruption. But banks should look closely at the third parties they’ll increasingly work with. Choosing regulated fintech partners helps guard against reputational impacts that could come if and when third parties get into trouble. 

This leads to the second, more significant point: if they’re not already, banks must be prepared to partner with fintech companies. Consumers are calling for an easier banking experience, and regulators are forcing banks to provide it. 

As CEO of Societé Generale Factoring ‍Aurélien Viry writes, “technology is fuelling increasing consumer expectations. Banks now need to integrate with so many systems and external references, and this is a significant investment.

“The new possibilities lie in open architecture—Banking-as-a-Service. Banks can focus solely on distribution and let fintechs and new players be the producers. Banks can then cross sell these new services to their clients very efficiently, irrespective of the fact that they’ve been created and processed by others.” 

Embrace open banking

The EU is fully committed to its open banking bank push. On top of PSD3, legislators are also working on Instant Payments Regulation (IPR) and the Financial Data Access (FIDA) proposal. Together, the goal is “financial data sharing and promoting open finance beyond open banking, driving more competition in financial services.”

While some banks may secretly wish they could keep all data under lock and key, that’s not going to be possible. Regulations are here to create open data flows. 

And resisting open banking misses a critical point: it’s great for business. Providing financial services will only get cheaper, easier, and better targeted.

“Open banking is incredibly exciting,” says Patrick Brett of Citi. “It’s creating data sets that were previously only accessible to one bank at a time. Now, borrowers can give access to accounts and data sources that banks can use to underwrite much more efficiently. And that access to and use of data changes everything.”

Innovate through collaboration

The EU has been clear that its aim is to “further level the playing field between banks and non-banks,” and is essentially forcing banks to open their arms to the wider sector. The best way to prepare for this new regulation is to welcome it. 

“There’s always a temptation for banks to try to build things on their own,” says Patrick. “But in many cases lending-as-a-service partners are already there, and can often work better than the tools banks would build. 

“These services can have a much lower cost, and do it in a really client-friendly way.”

More bank-fintech collaboration is coming

PSD3 is a welcome invitation to banks to build lasting partnerships with fintechs. Banks have the big data and deep pockets that fintech companies can’t possibly match, while the latter have the freedom to innovate and build niche products tailored to specific use cases. 

Defacto is a great example. We partner with fintech companies to embed lending into accounting and financial management tools. But we also partner with banks to speed up the SMB lending experience. 

By working with Defacto, banks can focus on their bread and butter business, whether that’s startup loans or major M&A funding. And Defacto ensures your small business clients are taken care of quickly and efficiently—just the way they like it. 

See how Defacto changes SMB lending for banks.