On 28 June 2023, the European Commission published proposals for a Third Payment Services Directive (“PSD3“) and an accompanying Payment Services Regulation (“PSR“), initiating the most significant reform of the EU retail payments framework since PSD2.
What are PSD3 and the PSR, and why do they matter?
On 28 June 2023, the European Commission published proposals for a Third Payment Services Directive (“PSD3“) and an accompanying Payment Services Regulation (“PSR“), initiating the most significant reform of the EU retail payments framework since PSD2. For Irish-authorised payment institutions, electronic money institutions and banks – many of which passport extensively across the Union – the package will have immediate and practical consequences: re-authorisation planning, tighter fraud and redress expectations, and a more prescriptive and enforceable open-banking regime.
The reforms respond to shortcomings that have become increasingly visible since PSD2 entered into application in 2018. Open banking has functioned, but unevenly. Payment fraud – particularly authorised push payment and impersonation scams – has increased materially. And directive-based implementation produced different outcomes across Member States, creating operational friction for firms operating on a cross-border basis and inconsistent supervisory expectations.
PSD3 and PSR address those issues by clearly separating who may provide payment services from how those services must be provided. PSD3 refreshes and consolidates the licensing, prudential and supervisory framework for payment institutions. The PSR, by contrast, moves the core conduct-of-business, transparency, fraud and market-access rules into a directly applicable Regulation. In practice, this materially reduces the scope for national divergence, raises minimum standards across the Union, and sharpens supervisory expectations around compliance and enforcement.
From an Irish perspective, the implications are particularly significant. Ireland is one of the EU’s principal authorisation hubs for payment institutions and electronic money institutions. A large cohort of firms regulated by the Central Bank of Ireland will be required to demonstrate compliance with a revised and more detailed framework within a defined re-authorisation window, whilst also adapting to regulation-based conduct rules that will apply uniformly across all Member States.
The PSD3 and PSR at a glance
| What they are | PSD3 and PSR — the most significant reform of the EU retail payments framework since PSD2 entered into application in 2018 |
| The legal instruments | PSD3 (a Directive requiring national transposition) and PSR (a Regulation, directly applicable across all Member States without national transposition) |
| Who it affects | Payment institutions, electronic money institutions, banks and account-servicing PSPs, consumers, and national competent authorities |
| Anticipated publication | Formal adoption and OJEU publication anticipated end Q2 2026 |
| Current stage | Final legal-linguistic review complete; Council ‘I’ Item Note issued 17 April 2026; formal adoption imminent |
| Application timeline | PSR applies 21 months after entry into force; PSD3 transposition deadline also 21 months after entry into force |
| Critical deadline | Firms authorised under PSD2 must submit re-authorisation information to their competent authority within 27 months of entry into force. Firms which remain non-compliant will be suspended from providing payment services until the competent authority has received and verified the necessary information. |
| Matheson key contacts | Joe Beashel and Ian O’Mara |
What problems is the PSD3/PSR package designed to solve?
The PSD3/PSR package is intended to address four specific shortcomings identified in the Commission’s review of PSD2:
| Problem identified under PSD2 | PSD3/PSR Response |
| Rising payment fraud — particularly authorised push payment and impersonation scams — and insufficient consumer protection | A higher bar for fraud prevention and consumer protection through enhanced monitoring obligations, stronger customer authentication measures, and changes to liability in impersonation and authorised push payment fraud scenarios; enhanced transparency around fees and charges; strengthened rights of redress for victims of unauthorised transactions |
| Uneven functioning of open banking, with obstacles to third-party access and inconsistent interface performance | A more workable open-banking framework by prohibiting defined categories of obstacle to third-party access, imposing performance standards on dedicated interfaces, and introducing consent dashboards allowing customers to manage and revoke data access |
| Supervisory fragmentation resulting from directive-based implementation producing divergent national outcomes | Reduced supervisory fragmentation by moving most conduct rules into a directly applicable Regulation rather than relying on national transposition |
| Unequal competitive conditions between banks and non-bank payment service providers | Competitive neutrality, ensuring equivalent payment services attract equivalent regulatory treatment regardless of provider type |
Where are PSD3 and the PSR in the Legislative Process?
The legislative file is now close to completion. Following the provisional political agreement reached between the European Parliament and the Council on 27 November 2025, the agreed texts have moved through legal-linguistic review and translation.
On 17 April 2026, the Council circulated an ‘I’ Item Note alongside final compromise texts for both PSD3 and the PSR, inviting approval at COREPER with a view to agreement at second reading. Formal adoption by both institutions, followed by publication in the Official Journal of the European Union (the “OJEU“), is generally anticipated towards the end of Q2 2026.
Once published:
- the PSR will apply 21 months after entry into force (with certain obligations applying after a further 6 months, including payee name verification and liability for incorrect application of the verification service), and
- Member States will have 21 months to transpose PSD3 into national law.
For firms authorised in Ireland, the period between formal adoption and active supervisory engagement on re-authorisation and compliance readiness is therefore likely to be short.
Frequently Asked Questions
Payment Institutions and Electronic Money Institutions
Re-authorisation is mandatory and time-limited — firms cannot assume continuity. Firms authorised under PSD2 or EMD2 at the time of the PSD3 transposition deadline may avail of six-month transitional provisions in Articles 44 and 45 of PSD3 and continue operating under their existing authorisations. However, by six months after PSD3 is transposed, firms must have submitted to their competent authority all information necessary to assess their compliance with PSD3’s revised authorisation requirements under Title II of PSD3. Firms that remain non-compliant by that deadline will be suspended from providing payment services until the competent authority has received and verified the necessary information.
Compliance determines whether re-authorisation is automatic or conditional. Firms considered compliant with Title II of PSD3 by their competent authority will be deemed re-authorised under PSD3 automatically. Those not considered fully compliant may be granted further time to achieve compliance but will be suspended from providing payment services until they are judged compliant.
Delays in processing by the competent authority do not excuse firms from the process. In exceptional circumstances, competent authorities may delay imposing a suspension on transitioning firms by up to three months — but only where the firm has provided the information needed for the re-authorisation process and the competent authority has not been able to process it within the applicable deadline.
Electronic money institutions face structural integration into a new licensing framework. Electronic money institutions are integrated into a consolidated payment-institution licensing framework, requiring careful assessment of permissions, prudential treatment and business models.
Banks and Account-Servicing PSPs
Fraud liability has shifted materially in the direction of the PSP. Fraud detection frameworks, dispute handling procedures and reimbursement outcomes will need to be reassessed in light of a liability regime that places materially greater responsibility on PSPs in impersonation and authorised push payment fraud scenarios.
Open-banking interfaces are now subject to explicit performance standards and new prohibitions. Open-banking interfaces will be subject to clearer performance and availability standards, with explicit prohibitions on practices that have restricted access in the PSD2 period.
Consumers
Enhanced pre-contractual disclosures — including around currency conversion charges and ATM withdrawal fees — will apply.
The revised liability framework shifts greater responsibility onto PSPs in circumstances where fraud prevention measures fail.
National Competent Authorities
- Supervisory frameworks will need to adapt to reflect the move from directive-based conduct rules to a directly applicable Regulation.
- Authorities will face increased demands in relation to monitoring API performance, assessing fraud controls, processing incident reports and managing re-authorisation volumes.
Date |
Event |
| 28 June 2023 | Commission publishes PSD3 and PSR proposals |
| 27 November 2025 | Provisional political agreement reached |
| 17 April 2026 | Council issues ‘I’ Item Note and final compromise texts |
| End Q2 2026 (anticipated) | Formal adoption and OJEU publication; entry into force 20 days following OJEU publication |
| 21 months after entry into force | PSR applies; PSD3 transposition deadline |
| 27 months after entry into force | Payee-name verification obligation applies; deadline for PSD2-authorised firms to submit re-authorisation information to their competent authority |
For Ireland, the scale of impact is amplified by the number of payment institutions and electronic money institutions authorised by the Central Bank of Ireland and passporting across the Union.
The re-authorisation process alone will require the Central Bank to process a significant volume of applications from approximately 60 firms in the sector whilst simultaneously supervising new, directly applicable PSR obligations.
Irish-authorised firms should not assume that existing authorisations will carry forward without material compliance work. Early and well-documented gap analysis, clear internal ownership of PSD3/PSR workstreams, and proactive engagement with the Central Bank of Ireland will be critical to navigating the transition smoothly.
SD3 and PSR form part of a broader EU payments and open-finance agenda.
The proposed Financial Data Access (“FIDA”) Regulation – still in trilogue – will extend data-sharing principles beyond payment accounts to a wider range of financial products. In parallel, the Digital Operational Resilience Act (“DORA”) applies to many entities in scope of the revised payments framework.
These instruments should not be assessed in isolation. Governance, ICT risk management and third-party arrangements should be considered with all three instruments in mind. Firms preparing for PSD3/PSR compliance will need to consider their obligations under DORA in respect of ICT risk management, incident reporting and third-party arrangements, and to monitor the progression of FIDA for developments that may extend open-finance obligations beyond the payment account perimeter.
Contractual arrangements with technology providers and data access policies should be reviewed across all three instruments together, as the interaction between them is a high-priority area for in-house legal and compliance teams.







