Blog · May 21, 2026

PSD3 and PSR Explained: What Changes for Fintechs and PSPs

The EU's PSD3 and Payment Services Regulation overhaul fraud liability, SCA, IBAN-name verification, and data sharing. Here's what changed versus PSD2 and what it means operationally.

By Didit

The EU's Second Payment Services Directive (PSD2) reshaped European payments. PSD3 — and its companion regulation, the Payment Services Regulation (PSR) — goes further: it shifts fraud liability more squarely onto payment service providers (PSPs), tightens Strong Customer Authentication (SCA), mandates IBAN-name verification, and formalizes cross-industry fraud data sharing. For fintechs, neobanks, and PSPs, it is both a compliance burden and a competitive moat.

PSD3 is a directive (member states transpose it); the PSR is a regulation (directly applicable across the EU). Together they replace PSD2 and create a more uniform legal floor — most operational rules sit in the PSR, which applies directly once it enters into force, while member states get a transposition period for PSD3. Treat timelines as indicative and track them via official EU sources.

What actually changes

1. Fraud liability — APP fraud and the payee PSP

A significant structural change is extending liability to the payee's PSP (the institution receiving the fraudulent payment) in authorised push payment (APP) fraud cases. Under PSD2 the focus was almost entirely on the payer's PSP; the new framework introduces liability-sharing: where the payee's PSP failed to act on signals that the receiving account was being used for fraud, it bears a share of the loss. PSPs on both sides now need better fraud signals, not just authentication on the payer side.

2. Strong Customer Authentication — cleaner rules, tighter scope

PSD2's SCA rules were correct in principle but messy in practice. PSD3/PSR clarifies:

  • Authentication delegation: a PSP can delegate SCA to a third party more cleanly — important for merchant-embedded flows and wallet providers.
  • Exemption framework: transaction-risk-analysis (TRA) exemptions and low-value thresholds are tightened — exemptions require documented risk models, and blanket low-friction approaches face scrutiny.
  • Corporate accounts: large corporates using dedicated payment protocols get a more defined exemption path.
  • SCA for account access: the 90-day silent re-authentication requirement that frustrated PSD2 open banking flows is rationalised.

The technical definition is unchanged; what changes is who is liable when SCA fails or is incorrectly exempted.

3. Verification of Payee — IBAN-name mandated

Verification of Payee requires the payer's PSP to check that the name attached to a payment instruction matches the name registered to the destination IBAN before execution. On a mismatch, the PSP must warn the payer; if the payer proceeds anyway, liability shifts to them. The PSR moves VoP from national opt-in to a cross-EU requirement with standardised APIs and response codes — so a payer's PSP in Spain can verify a payee IBAN in Poland. For PSPs, this means a real-time payee-name lookup before execution.
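As an added illustration (not Didit's code and not any scheme's reference implementation), the following Python sketches the blocking VoP gate described above: normalise both names, classify the comparison, and warn the payer on anything short of an exact match, executing only if the payer confirms, at which point liability shifts to them. The in-memory registry, the placeholder IBANs, the MATCH/CLOSE_MATCH/NO_MATCH labels and the 0.85 close-match threshold are all assumptions for this example, not values from the PSR or EBA standards.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed stand-in for the cross-EU lookup API; the IBANs are placeholders, not real accounts.
PAYEE_REGISTRY = {
    "ES00-PLACEHOLDER-0001": "José García López",
    "PL00-PLACEHOLDER-0002": "Jan Kowalski Sp. z o.o.",
}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed for this example, not a figure from the PSR or any VoP scheme


def normalise_name(name: str) -> str:
    """Strip diacritics, case, punctuation and repeated whitespace before comparing."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    letters = re.sub(r"[^a-z0-9 ]", " ", no_marks.lower())
    return " ".join(letters.split())


def verify_payee(instructed_name: str, iban: str) -> str:
    """Look up the name registered to the IBAN and classify the comparison.
    The labels MATCH / CLOSE_MATCH / NO_MATCH are assumed here, not a scheme's response codes."""
    registered = PAYEE_REGISTRY.get(iban)
    if registered is None:
        return "NO_MATCH"  # unknown IBAN: treat as a mismatch, never as a pass
    a, b = normalise_name(instructed_name), normalise_name(registered)
    if a == b:
        return "MATCH"
    ratio = SequenceMatcher(None, a, b).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


@dataclass(frozen=True)
class ExecutionDecision:
    execute: bool
    warn_payer: bool
    liability_on_payer: bool


def decide_execution(vop_result: str, payer_confirmed_after_warning: bool = False) -> ExecutionDecision:
    """Blocking gate run before the payment leaves the payer's PSP.
    Exact match: execute silently. Otherwise warn the payer and execute only if they
    confirm, in which case liability for a misdirected payment shifts to the payer."""
    if vop_result == "MATCH":
        return ExecutionDecision(execute=True, warn_payer=False, liability_on_payer=False)
    if payer_confirmed_after_warning:
        return ExecutionDecision(execute=True, warn_payer=True, liability_on_payer=True)
    return ExecutionDecision(execute=False, warn_payer=True, liability_on_payer=False)
```

A production gate would call the real VoP API with its own response codes and time-box the lookup so a slow registry cannot silently fall through to execution.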

4. Fraud data sharing — mandatory interoperability

Under PSD3, PSPs will be required to participate in fraud-intelligence sharing frameworks. Voluntary bilateral arrangements are replaced with a regulated interoperability requirement: institutions must be able to receive and act on fraud signals from other PSPs. EBA technical standards will fill in the detail.

5. Open banking access — fewer obstacles for TPPs

PSD2 created the legal right for third-party providers (TPPs) to access payment accounts via APIs; PSD3 extends and enforces it. Dedicated interfaces must meet performance standards (uptime, latency, data completeness), screen-scraping fallback is eliminated for compliant interfaces, and TPPs get cleaner consent flows.

What PSD3 means operationally for fintechs and PSPs

The provisions translate into concrete requirements across the lifecycle. At onboarding, weak identity checks weaken the receiving PSP's liability position; robust KYC is the first line of defence. At authentication, a four-digit PIN with an SMS OTP is compliant but increasingly risky; biometric face-match provides higher assurance. At payment execution, VoP means a name-matching API call before sending — blocking, not post-hoc. In continuous monitoring, the payee-PSP provisions make inbound monitoring as important as outbound — real-time pattern matching, not batch reviews.

How Didit helps

Didit is infrastructure for identity and fraud — one API covering authentication, verification, and monitoring. The modules that map to PSD3/PSR requirements are already live.

SCA-grade biometric authentication

SCA requires "inherence" as one factor. Didit's Biometric Authentication module ($0.10) delivers face-match liveness against the original KYC biometric, not just a face against itself. Combined with device-binding, it satisfies inherence at a level passive PIN-based SCA does not. The same stack is available as Active Liveness ($0.15) or Passive Liveness ($0.10).

Identity verification at onboarding

The KYC core flow — ID Verification + Passive Liveness + Face Match + IP/Device Analysis — runs at $0.33 per check, covers 14,000+ document types across 220+ countries, and completes in under 2 seconds. It gives you a verified identity to anchor re-authentication against, plus an audit record of due diligence. Didit is the only identity provider formally attested by an EU member-state government — Spain's Tesoro, Banco de España (BdE), and SEPBLAC — as safer than in-person verification, which matters when demonstrating compliance to supervisors. NFC Reading ($0.15) adds chip verification for NFC-enabled documents — the highest assurance tier.

AML screening

PSD3 sharpens the consequences of onboarding customers or businesses linked to financial crime. Didit's AML Screening ($0.20) runs against 1,300+ sanctions, PEP, and adverse-media lists in real time. Ongoing AML Monitoring ($0.07/user/year) re-screens the enrolled population continuously — if a risk profile changes post-onboarding, you know before the next transaction.

Transaction Monitoring

The payee-PSP provisions make continuous monitoring on inbound flows a PSD3 requirement in all but name. Didit's Transaction Monitoring ($0.02 per transaction) runs a real-time rule engine — 11 seeded rule bundles covering velocity, amount anomalies, geography, and behavioral patterns — with case management, SAR workflow, and an AWAITING_USER auto-remediation loop that requests additional identity evidence without manual intervention. AML Screening on flagged transactions is billed at $0.20 when triggered, keeping the base cost low for clean flows.

Device & IP Analysis

APP fraud and account takeover rely on spoofed device contexts. Didit's Device & IP Analysis ($0.03) runs automatically in every verification session, returning device fingerprint, duplicate-device signals, VPN/proxy/Tor detection, and geo-document mismatch warnings — a behavioral signal that complements the identity credential check.

Use cases

Neobank onboarding. Run the KYC core flow at signup — document + liveness + face match + device analysis — for a verified identity, biometric reference, and device binding before the account opens. The enrolled biometric becomes the SCA inherence factor for later authentication.

APP fraud prevention — payee-side PSP. Run a Transaction Monitoring rule bundle on inbound payments above a threshold; accounts receiving multiple transfers from different senders in a short window are surfaced for review, with Linked KYB adding entity AML context on business accounts.
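The rule in this use case, written out as an added Python example (not Didit's rule engine or seeded bundle code): a sliding-window fan-in check over inbound transfers that surfaces accounts receiving above-threshold payments from several distinct senders within a short window. The amount threshold, window length, sender count and the sample transfers are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters assumed for this example; they are not Didit's seeded bundle values.
MIN_AMOUNT_EUR = 500.0
WINDOW = timedelta(hours=1)
MIN_DISTINCT_SENDERS = 3


def flag_inbound_fan_in(transfers):
    """Surface receiving accounts that took transfers >= MIN_AMOUNT_EUR from at least
    MIN_DISTINCT_SENDERS different payers inside any WINDOW-long sliding window.
    Each transfer is a dict with keys ts (datetime), payer, payee and amount.
    Returns {payee_account: payers seen in the first window that tripped the rule}."""
    by_payee = defaultdict(list)
    for t in transfers:
        if t["amount"] >= MIN_AMOUNT_EUR:
            by_payee[t["payee"]].append(t)
    flagged = {}
    for payee, items in by_payee.items():
        items.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(items)):
            # Advance the window start until the window spans at most WINDOW of time
            while items[end]["ts"] - items[start]["ts"] > WINDOW:
                start += 1
            senders = {t["payer"] for t in items[start:end + 1]}
            if len(senders) >= MIN_DISTINCT_SENDERS:
                flagged[payee] = senders
                break  # one hit is enough to open a review case
    return flagged


def _at(hhmm):
    """Helper for the constructed sample below (all timestamps on one day)."""
    hour, minute = hhmm.split(":")
    return datetime(2026, 5, 21, int(hour), int(minute))


# Constructed sample: three unrelated payers funding ACCT-1 within 45 minutes (the mule
# pattern) beside an ordinary account, ACCT-2, that must not trip the rule.
SAMPLE_TRANSFERS = [
    {"ts": _at("09:00"), "payer": "PAYER-A", "payee": "ACCT-1", "amount": 900.0},
    {"ts": _at("09:20"), "payer": "PAYER-B", "payee": "ACCT-1", "amount": 1200.0},
    {"ts": _at("09:45"), "payer": "PAYER-C", "payee": "ACCT-1", "amount": 700.0},
    {"ts": _at("09:10"), "payer": "PAYER-D", "payee": "ACCT-2", "amount": 2000.0},
    {"ts": _at("09:15"), "payer": "PAYER-D", "payee": "ACCT-2", "amount": 2000.0},
    {"ts": _at("09:30"), "payer": "PAYER-E", "payee": "ACCT-2", "amount": 50.0},
    {"ts": _at("14:00"), "payer": "PAYER-F", "payee": "ACCT-2", "amount": 800.0},
]
```

The same sender repeating, a sub-threshold payment and a payment hours later all fall outside the rule, so only the fan-in account is surfaced.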

SCA step-up for high-value payments. When TRA flags a payment for step-up, trigger a Biometric Authentication check — face match against the enrolled identity — instead of an SMS OTP, for higher assurance and an audit log. The same flow re-verifies dormant accounts before reactivation, matched against the original onboarding biometric.

Frequently asked questions

When does PSD3 apply?

PSD3 is a directive — member states must transpose it into national law within a defined period after formal adoption. The PSR, as a regulation, applies directly once it enters into force. The process is still moving through EU institutions as of mid-2026; check the European Commission's and EBA's official publications for current timelines rather than secondary sources.

What is the difference between PSD3 and the PSR?

PSD3 is a directive that sets the framework — licensing, passporting, access rights — and requires member states to enact national legislation. The PSR is a regulation that applies directly and uniformly without transposition, and carries most of the operational rules (SCA, fraud liability, VoP, data sharing).

Does PSD3 apply to crypto PSPs?

Payment services involving cryptoassets are within scope where the transaction involves fiat conversion or a regulated payment account. Pure crypto-to-crypto transfers that don't touch regulated payment accounts sit under MiCA (Markets in Crypto-Assets Regulation). Businesses that straddle both must assess obligations under both.

What counts as SCA under PSD3?

SCA requires at least two independent factors from different categories: knowledge (PIN, password), possession (device, token), and inherence (biometric). A face scan confirms inherence; a device-bound token confirms possession. A PIN and a memorised password are both knowledge — that is not SCA.

Do we need to implement Verification of Payee before PSD3 enters into force?

For Instant Credit Transfers under the EU Instant Payments Regulation, IBAN-name verification requirements already apply ahead of the full PSD3/PSR timeline. If you process instant credit transfers to EU beneficiaries, VoP obligations may already be live — check your national competent authority guidance.

Ready to get started?

PSD3 compliance is layered — identity at onboarding, biometric authentication at step-up, AML and transaction monitoring post-approval. Didit covers the whole stack from a single API, with public pricing and no minimums.
