PSD3 and PSR1 — What UK Payment Firms Should Know

The European Commission published its proposals for PSD3 and the Payment Services Regulation (PSR1) in June 2023, launching the most significant overhaul of EU payment services regulation since PSD2. While the UK is no longer bound by EU legislation, the proposals have significant implications for UK payment firms that operate in the EU, serve EU customers or compete with EU-authorised firms. This guide explains the key changes and why UK firms should pay attention.

Why Is the EU Replacing PSD2?

PSD2 has been in force since January 2018 and has driven significant innovation in the EU payment sector, particularly through open banking and strong customer authentication (SCA) requirements. However, the European Commission identified several shortcomings: inconsistent implementation across member states due to PSD2's status as a directive (requiring national transposition); gaps in fraud prevention and liability frameworks; uneven access to payment systems and bank accounts for payment institutions; and insufficient consumer protection in certain areas, including credit transfers and account information services.

The solution is a two-instrument approach: PSD3 as a directive (governing authorisation and supervision) and PSR1 as a directly applicable regulation (governing conduct rules, SCA, transparency and fraud liability). The regulation format for PSR1 means its rules will apply uniformly across all EU member states without the need for national transposition — eliminating much of the inconsistency that plagued PSD2.

Key Changes in PSD3

Merged licensing framework — PSD3 merges the Payment Services Directive and the Electronic Money Directive (EMD2) into a single framework. This means a single authorisation category for payment institutions and EMIs, with EMIs becoming a sub-category of payment institution. The distinction between authorised PIs and authorised EMIs is maintained for prudential purposes (different capital requirements), but the licensing process and supervisory framework are unified.

Enhanced safeguarding — PSD3 strengthens safeguarding requirements, building on lessons from firm failures. Safeguarded funds must be deposited in a segregated account within one business day. The directive also introduces new requirements for safeguarding fund insurance and for regulators to have powers to direct the return of funds to customers in insolvency scenarios.

Access to payment systems — PSD3 includes provisions to improve payment institutions' access to payment systems and bank accounts, addressing the 'de-risking' problem where banks have refused to provide accounts to payment firms.

Key Changes in PSR1

Stronger SCA framework — PSR1 refines the SCA requirements, including explicit provisions for SCA delegation (where the acquirer performs SCA on behalf of the issuer), updated exemption thresholds and new rules for SCA in open banking contexts. Fraud liability and prevention — PSR1 introduces new fraud prevention obligations, including a requirement for payment service providers to implement transaction monitoring systems and share fraud data. The liability framework is enhanced to better protect consumers from authorised push payment (APP) fraud. Open banking evolution — PSR1 updates the open banking framework, including requirements for dedicated data access interfaces (APIs), performance standards, and provisions to address the problem of 'screen scraping' that persisted under PSD2. Transparency — Enhanced transparency requirements for fees, charges and exchange rates, including pre-transaction disclosure of total costs for cross-border payments.

Implications for UK Firms

Although the UK is not directly affected by PSD3/PSR1, the proposals are significant for UK firms for several reasons:

UK firms with EU operations — Firms operating through EU-authorised subsidiaries or branches will be directly subject to the new framework. The merger of PI and EMI licensing may require firms to restructure their EU authorisations. Safeguarding changes will require operational adjustments. Competitive dynamics — PSD3/PSR1 will shape the competitive landscape in Europe. UK firms competing with EU-authorised firms should understand the new framework to identify competitive advantages and disadvantages. Regulatory divergence — The UK retained PSD2 and EMD2 in domestic law post-Brexit but is now developing its own reforms (including PS25/12 on safeguarding and the planned review of the Payment Services Regulations). PSD3/PSR1 creates a divergence trajectory — UK firms operating in both jurisdictions will need to comply with two evolving and potentially conflicting frameworks. Customer expectations — EU regulatory developments influence customer expectations globally. Enhanced fraud protection, improved transparency and better open banking services mandated by PSR1 may raise the bar for UK firms even in the domestic market.

Timeline and UK Response

PSD3 and PSR1 are expected to be finalised and adopted by 2025–2026, with an implementation period of 18–24 months. UK firms should: monitor the legislative process and final text; assess the impact on EU operations and competitive positioning; and engage with UK regulatory consultations to ensure that UK reforms remain workable alongside the evolving EU framework.

Regulatory Counsel advises UK payment institutions and EMIs on cross-border regulatory compliance, EU licensing and the implications of PSD3/PSR1. Contact us for a free initial consultation. See our PI licensing and EMI authorisation pages for more.