From PSD2 to PSD3: A Guide for Banks and Financial Institutions

The payment services industry faces significant change with the upcoming introduction of the Payment Services Directive 3 (PSD3). As the successor to PSD2, PSD3 will further drive the harmonisation of payment services within the EU, bringing both new challenges and opportunities for banks and financial institutions.

A brief overview of the most important new features of PSD3

• Stronger fight against fraud: PSD3 tightens the requirements for Strong Customer Authentication (SCA) and introduces a requirement for IBAN name verification for credit transfers.
• A standardised legal framework has been created for payment and e-money institutions. This simplification will facilitate regulation and monitoring.
• Improvement of Open Banking: The Payment Services Regulation (PSR) as part of PSD3 will facilitate access for third-party providers and harmonise API standards.
• Enhanced consumer rights: Customers will receive clearer information on fees and better solutions for blocked funds.

Preparations for the transition

PSD3, which is expected to come into force in the first half of 2026, is the result of a lengthy process. Several important bodies were and are involved in this process: The European Commission presented the proposals for PSD3 and the PSR in June 2023. The European Payments Council (EPC), which brings together European banks, also plays a central role in shaping the new directive. Other important protagonists are standardisation bodies such as the Berlin Group, STET and PolishAPI, which develop the specifications for relevant APIs. At a national level, the German SEPA Committee, consisting of representatives of the German banking industry and the Deutsche Bundesbank, is coordinating the implementation of the SIngle Euro Payments Area, while the European Central Bank (ECB) is also involved in shaping the European Payments landscape.
Banks and financial institutions can therefore not claim to have been taken by surprise by the new regulation. However, this means that they have a responsibility to initiate the necessary adjustments and changes in a timely manner.

Technological adjustments for the change from PSD2 to PSD3

Review and update your IT systems to meet the new requirements, especially in the area of Strong Customer Authentication (SCO) and IBAN name verification.

Checklist of technological adjustments:

• Improved security measures: Implement advanced authentication technologies that go beyond existing Strong Customer Authentication (SCA). This could include biometric authentication or the use of tokens.
• IBAN name verification: Introduction of an automated plausibility check between IBAN and account holder, also known as ‘Payment Account Verification’ (PAV). This check must be integrated into the payment process.
• API standardisation: Adapt the API infrastructure to new, harmonised standards for improved data exchange with third-party providers.
• Real-time processing: Optimise systems for faster processing of instant payments, including processing the recipient bank’s response within 10 seconds.
• Consent management system: Develop a ‘permission dashboard’ that allows customers to control the sharing of their data with third-party providers.
• Fraud detection and prevention: Implementation of advanced fraud detection and prevention systems.
• Digital wallet: Possible integration of a digital wallet for consumers modelled on the Swedish BankID.

Development of an open banking strategy

PSD3 and PSR share the goal of improving open banking in the EU financial area, facilitating access for third-party providers and harmonising API standards. Banks should now develop a strategy to benefit from these improved Open Banking opportunities and adapt their APIs accordingly.

Checklist for an open banking strategy:

• API optimisation and standardisation:
  • Adaptation of the API infrastructure to new, harmonised standards for improved data exchange with third-party providers
  • Ensuring API availability for third-party providers with the same service level agreements (SLAs) and development expertise as for internal systems
• Data management and security
  • Implementation of a ‘permission dashboard’ for customers to control their data transfer to third-party providers
  • Compliance with the principle of data minimisation in accordance with the GDPR when processing personal customer data
  • Strengthening security measures and combating fraud
• Promoting innovation and partnerships
  • Development of innovative financial products and services based on extended data access rights
  • Building strategic partnerships with FinTechs and other third-party providers to create a dynamic ecosystem
• Customer-centric approach
  • Focus on seamless and personalised customer experiences
  • Customisation of services to local preferences and needs
• Regulatory compliance
  • Preparation for extended consumer rights and transparency requirements
  • Implementation of clear liability rules and dispute resolution mechanisms
• Transformation of the business model
  • Reviewing and adapting the business model to the new opportunities and challenges of Open Banking
  • Positioning as a modern service provider that goes beyond pure financial services

Employee training

The human factor must not be forgotten: banks and financial institutions should ensure that their employees are familiar with the new regulations and can implement them correctly.

Employee training checklist:

• Development of training programmes to communicate the new regulatory requirements to employees.
• Focus on regulatory changes: Training should focus on what’s new in PSD3, PSR and IPR, including tightened security requirements and expanded consumer rights.
• Practice-orientated approaches: It is advisable to incorporate practical case studies and examples into training courses to illustrate how the new regulations apply to everyday working life.
• Regular updates: Given the ever-changing regulatory landscape, training should be regularly updated and repeated.
• Cross-departmental training: It is important to train employees from different departments (e.g. IT, compliance, customer service) to ensure a holistic understanding of the new regulations.
• Focus on customer education: Training should also aim to enable employees to educate customers about the new rights and security measures

Seizing Opportunities

PSD3 offers banks and financial institutions the opportunity to improve their services and explore new business areas. Take advantage of this opportunity to:

• Develop innovative payment solutions
• Strengthen partnerships with fintechs and other third-party providers
• Increase customer trust through enhanced security measures

Conclusion

The transition from PSD2 to PSD3 presents new challenges for the financial world, but also offers opportunities for growth and innovation. The new PSD3 directive opens up diverse possibilities for banks and financial institutions to create new revenue streams by improving access to customer data and enabling the development of innovative financial products and personalised services. By utilising Open Banking and Open Finance, financial institutions can thus not only develop new business models and offer value-added services, but also increase their efficiency and reduce costs, ultimately leading to an expansion of their customer base and strengthening their competitive position.

Stay informed about the latest developments and work closely with regulatory authorities and technology partners to ensure a smooth transition. With the right preparation, you can use PSD3 as a catalyst for positive changes in your organisation.

PSD3, PSR & IPR Compliance – Future-proof with our PS-Star solution!
Learn more about the PS-Star solution from Qwist.