
PSD3 – what the new payment services directive means for compliance and fraud prevention

Written by Partisia | 2025.11.09

The Payment Services Directive 3 (PSD3) and its accompanying Payment Services Regulation (PSR) mark a major update to Europe’s digital payments framework.

Building on PSD2, PSD3 strengthens fraud prevention, consumer protection, and supervisory oversight across all payment providers — including banks, fintechs, and new entrants in the open banking ecosystem.

The aim is clear: ensure secure, transparent, and competitive digital finance across the EU, while keeping compliance consistent under evolving frameworks like DORA and FATF.


Why PSD3 matters now

PSD3 arrives at a critical point. Fraud and cyber risk continue to grow faster than transaction volumes, and regulators have concluded that PSD2’s technical standards need refinement.

PSD3 introduces:

  • Unified supervision – closing regulatory gaps between banks and non-bank PSPs.
  • Stronger rules for Strong Customer Authentication (SCA) – more consistent enforcement across channels.
  • Updated Transaction Risk Analysis (TRA) thresholds – aligned with new EBA standards.
  • Direct integration with DORA – ensuring payment systems are operationally resilient.
  • Enhanced consumer redress mechanisms – standardizing liability for fraud losses.

The European Commission describes PSD3 and PSR as the foundation for “safer, fairer, and more innovation-ready payments.”


Key regulatory changes from PSD2 to PSD3

While PSD2 established the framework for open banking, PSD3 aims to refine it — closing loopholes and clarifying the rules for both institutions and regulators.

The most significant updates include:

  • Expanded scope: applies to all types of PSPs, including technical service providers and data aggregators.
  • Data-sharing oversight: mandates stricter security for open banking APIs.
  • Fraud liability clarity: defines responsibility between merchants, acquirers, and issuers.
  • Enhanced authentication: ensures SCA and TRA exemptions are used only under provable low-risk conditions.
  • Regulatory consistency: PSD3 converts many PSD2 guidelines into directly enforceable regulations under PSR.

These refinements reflect five years of practical lessons learned since PSD2 went live in 2018.


The link between PSD3, DORA, and fraud prevention

DORA (Digital Operational Resilience Act) operates alongside PSD3 to ensure that payment systems remain secure, resilient, and verifiable.
Together, the two frameworks address both sides of the compliance equation: fraud prevention and operational continuity.

PSD3 mandates real-time monitoring and response capabilities for payment service providers, while DORA sets requirements for incident reporting, ICT risk management, and third-party oversight.

In practical terms, this alignment signals a move toward integrated compliance — where risk management, fraud detection, and operational security are treated as a single discipline.


Privacy and data governance under PSD3

Open banking depends on data sharing — but that same openness increases privacy risk. PSD3 places stronger obligations on PSPs to protect personal and transaction data across all systems.

Key privacy updates include:

  • Explicit consent verification for all data-sharing actions.
  • Auditable logs for access requests and API use.
  • Encryption and pseudonymization for transaction-level data.
  • Stricter interoperability requirements for API communication.

Institutions must now demonstrate not only that data is protected, but that privacy-preserving mechanisms are built into the system by design.
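As an added illustration of two of the controls listed above (this is example code written for this page, not Partisia's platform code and not part of the original post): transaction-level data is pseudonymized with a keyed HMAC before it leaves the institution, and every data-sharing request is checked against a consent registry and written to an audit log whether it is granted or denied. The key, the consent registry, the third-party identifiers and the sample transactions are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a real deployment the pseudonymization key is
# held in an HSM or KMS and rotated under the institution's key policy.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(account_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym for an account identifier (HMAC-SHA256).

    A secret key, rather than a plain hash, is what makes the token
    non-reversible: without the key nobody can recompute pseudonyms for
    candidate IBANs and match them against the shared data. Normalizing
    spacing and case first keeps the pseudonym stable for one account,
    so shared fraud analytics can still link its transactions.
    """
    normalized = account_id.replace(" ", "").upper()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


class ConsentRegistry:
    """Records which third party may access which data scope, and until when."""

    def __init__(self):
        self._grants = {}

    def grant(self, customer_id, third_party_id, scope, expires_at):
        self._grants[(customer_id, third_party_id, scope)] = expires_at

    def is_valid(self, customer_id, third_party_id, scope, now):
        expires_at = self._grants.get((customer_id, third_party_id, scope))
        return expires_at is not None and now < expires_at


class AuditLog:
    """Append-only, machine-readable record of every data-sharing request."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        self.entries.append(json.dumps(fields, sort_keys=True))

    def decisions(self):
        return [json.loads(entry)["decision"] for entry in self.entries]


def share_transactions(consents, audit, customer_id, third_party_id,
                       scope, transactions, now):
    """Serve a data-sharing request: verify consent, log the decision,
    and return only pseudonymized records (never raw account numbers)."""
    allowed = consents.is_valid(customer_id, third_party_id, scope, now)
    audit.record(
        timestamp=now.isoformat(),
        customer_id=customer_id,
        third_party_id=third_party_id,
        scope=scope,
        decision="granted" if allowed else "denied",
        records=len(transactions) if allowed else 0,
    )
    if not allowed:
        return []
    return [
        {
            "account": pseudonymize(txn["account"]),
            "counterparty": pseudonymize(txn["counterparty"]),
            "amount": txn["amount"],
            "currency": txn["currency"],
        }
        for txn in transactions
    ]


if __name__ == "__main__":
    # Constructed sample: one customer, one consented aggregator, one not.
    now = datetime(2025, 11, 9, tzinfo=timezone.utc)
    consents = ConsentRegistry()
    consents.grant("cust-1", "tpp-A", "transactions:read", now + timedelta(days=30))
    audit = AuditLog()
    sample = [
        {"account": "DE89 3704 0044 0532 0130 00", "counterparty": "GB29 NWBK 6016 1331 9268 19",
         "amount": "120.00", "currency": "EUR"},
    ]
    print(share_transactions(consents, audit, "cust-1", "tpp-A", "transactions:read", sample, now))
    print(share_transactions(consents, audit, "cust-1", "tpp-B", "transactions:read", sample, now))
    print("\n".join(audit.entries))
```

The denied request still produces an audit entry; a log that only records successful access cannot show a supervisor that refused or expired consents were actually enforced.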


Implementation challenges

Transitioning from PSD2 to PSD3 will not be simple. Institutions face several operational and strategic challenges:

  • Upgrading authentication systems to meet new SCA standards.
  • Rebuilding API frameworks for consistent data access and security.
  • Realigning TRA thresholds and fraud models to EBA’s new performance metrics.
  • Integrating DORA’s operational testing into payment system governance.
  • Ensuring privacy compliance under both PSD3 and GDPR simultaneously.

The EBA’s PSD3 Technical Roadmap (2025–2027) expects full implementation by late 2026, with regulatory testing starting in early 2025.

“PSD3 doesn’t just close gaps in PSD2 — it forces institutions to prove that their systems are both secure and interoperable. Compliance will now depend as much on how data is protected as on how payments are processed.”
– Mark Medum Bundgaard, CPO, Partisia

This captures the regulator’s message: trust in digital payments depends on visible, verifiable controls.

Partisia’s perspective

As payments become more interconnected, compliance increasingly depends on secure data collaboration between multiple parties. Partisia’s privacy-preserving data collaboration platform enables payment providers to comply with PSD3’s demands for transparency, resilience, and data protection.

Using Multi-Party Computation (MPC) and Confidential Computing, institutions can:

  • Conduct shared fraud risk analysis across PSPs without exposing customer data.
  • Enable real-time transaction monitoring that meets PSD3 and DORA performance standards.
  • Maintain full GDPR and FATF compliance through encrypted analytics.
  • Strengthen authentication and TRA models using privacy-protected intelligence.

Partisia provides the technical foundation for the future of payments compliance — privacy-first, interoperable, and regulator-ready.