PSD3 and PSR – Innovations in Payment Transactions
Regulatory package brings changes
With the planned third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR), the EU is preparing another reform of European payment transactions. The package builds on PSD2 and aims to adapt the legal framework to developments in digital payments.
PSD2 introduced important changes, such as access to payment accounts by third-party providers (“Open Banking”) and strong customer authentication (SCA). Since then, the market, technologies, and fraud patterns have evolved significantly: digital payments have continued to increase, new players such as FinTechs, platforms, and marketplaces are more involved in payment processes, and fraud risks (e.g., social engineering/impersonation) have changed.
Goals: Consumer protection, competition, and harmonization
With PSD3 and PSR, the EU primarily pursues three goals: (1) Strengthening consumer protection, particularly through better fraud prevention and clearer liability rules, (2) promoting competition and innovation, and (3) stronger harmonization of rules within the internal market.
Importantly, the initiative is not intended to “regulate everything anew” but to address the weaknesses and implementation differences of PSD2 and to classify new market structures cleanly in regulatory terms.
PSR applies directly in all EU member states
Unlike a directive, a regulation generally applies directly. The PSR therefore complements PSD3: while PSD3, as a directive, still needs to be transposed into national law by the member states, central obligations are to be regulated uniformly in the PSR and apply directly EU-wide.
This should reduce the current fragmentation. In practice, this means fewer national deviations on central points such as transparency obligations, security requirements, fraud prevention, and liability issues – and thus more consistency in the internal market.
Combating fraud and security requirements
One focus of the package is combating payment fraud. More intensive forms of data exchange between payment service providers and improved risk-based controls during transactions are planned. Additionally, liability rules could be tightened in favor of consumers.
Strong customer authentication remains a fundamental principle but is intended to be adapted and further developed to current fraud scenarios. The goal is more security without unnecessarily complicating digital payments.
Inclusion of new market participants
PSD3/PSR address new market roles more strongly – such as platforms, digital marketplaces, or technical service providers that integrate payment functions into their offerings. This is intended to close regulatory gaps that could previously arise depending on the business model and national interpretation.
In parallel, access to payment data should be further standardized. This is intended to promote innovations and enable a step towards more extensive data-based financial services (“Open Finance”) – but with attention to data protection, IT security, and clear responsibilities.
Practical impacts: What changes for market participants
Even though PSD3 and PSR build on existing foundations, the practical impacts on the market are significant. Established institutions, new providers, and technical service providers are all affected.
Banks and payment service providers
Banks and payment service providers will likely need to further adjust compliance, IT, and risk management processes. In particular, enhanced requirements for fraud prevention, monitoring, data exchange, and uniform information obligations may require technical investments and organizational changes.
Stronger harmonization can facilitate cross-border business models in the internal market. At the same time, the requirements for a consistent EU-wide regulatory and control system are increasing, as uniform rules can also be enforced more uniformly.
FinTechs, platforms, and marketplaces
For FinTechs and platforms, clearer guidelines and standardized interfaces can bring advantages, such as access to account infrastructures and more predictable requirements in cross-border offerings.
At the same time, a stricter classification of certain business models is to be expected. Depending on the specific design, this may mean that additional permits become necessary or that existing processes need to be adjusted to new obligations (e.g., security, information, and governance requirements).
Strengthening consumer protection
For consumers, security and transparency are the priority. Future regulations aim to make information about fees, execution times, and responsibilities more understandable and accessible.
Additionally, fraud risks should decrease and rights in the event of unauthorized or abusive payment transactions should be strengthened – especially where previous regulations have left practical gaps or points of contention.
Legal context: Relationship to PSD2, national law, and data protection
For implementation in Germany, PSD3 – like PSD2 before it – will have to be transposed into national law (including through amendments to the Payment Services Supervision Act – ZAG). In contrast, the PSR applies directly, reducing the need for national alternatives.
In addition, the data protection framework (especially the GDPR) remains relevant. In the context of expanded data exchange and standardized access to account data, purpose limitation, data minimization, legal bases, as well as IT security requirements must still be strictly observed. Companies should therefore examine early on how payment data processing, security concepts, and consent/authorization models fit together effectively.
Adapting early to changes
PSD3 and PSR are designed as an advancement of payment services law. The focus is on reducing fragmentation, responding to new fraud patterns, and regulating new market structures. In practice, this means more uniformity – but also higher and more detailed requirements.
Final adoption is currently expected during the year 2026. Affected companies – credit institutions, payment and e-money institutions, technical service providers, and platforms with payment functions – should already start creating project plans for governance, IT, interfaces, fraud prevention, customer communication, and documentation. As things currently stand, existing licenses are expected to remain valid; nevertheless, adjustments to new obligations and reporting/evidence requirements may become necessary.
Note: This article serves solely for general information and does not constitute individual legal advice. An individual case review is required for the assessment of specific business models and implementation issues.
MTR Legal Attorneys advise in Banking Law.