PSD3 and PSR: Redefining trust, liability, and open banking in Europe’s new payments era

Nebo Djurdjevic | Categories: Business Insights | Date: 16-Mar-2026 | 8-minute read

As the regulatory framework moves toward finalisation, banks are beginning to translate PSD3/PSR requirements into concrete implementation and investment plans.


    PSD3 and the Payment Services Regulation introduce a series of changes that go beyond regulatory technicalities. They signal a structural shift in how payment ecosystems are governed.

    Three developments stand out.

    First, fraud liability is moving upstream, placing greater emphasis on institutions’ ability to prevent manipulation and social engineering before funds leave the system.

    Second, open banking is evolving from API availability to enforceable infrastructure, requiring institutions to demonstrate that access is fair, usable, and reliable in practice.

    Third, payments trust is becoming core banking infrastructure, integrating fraud monitoring, authentication orchestration, consent management, and dispute processes into a coherent control layer.

    This article explores how these developments reshape the payments landscape and what strategic implications they create for banks. It also considers how institutions should think about the architecture required to support the next phase of digital payments.

    While the reforms originate in the EU, similar policy themes are emerging in the UK’s evolving regulatory framework, making cross-border coordination increasingly relevant for banking groups operating across both markets.

    Fraud prevention moves closer to the payment execution layer

    One of the most significant shifts introduced by PSD3/PSR concerns how fraud accountability is distributed across the payments ecosystem.

    Under PSD2, fraud controls were largely concentrated around authentication. Strong customer authentication focused on verifying that the person initiating a transaction was legitimate.
    However, the rapid growth of authorised push payment fraud demonstrated the limits of this model. Criminals increasingly manipulate customers themselves through impersonation, social engineering, and psychological pressure.

    As a result, fraud prevention is increasingly expected to occur before funds leave the system, rather than relying primarily on authentication or post-incident recovery.
    In practice, this means institutions must strengthen their ability to detect:

    • impersonation and social engineering patterns
    • behavioural anomalies in payment initiation
    • account takeover indicators
    • suspicious payee relationships

    Fraud prevention, therefore, becomes a transactional and behavioural risk control problem that must operate directly within the payment execution layer.

    Open banking becomes an enforceable infrastructure

    PSD2 introduced open banking by requiring banks to provide access to accounts through APIs. While this successfully enabled a wave of fintech innovation, practical implementation often proved uneven.

    Access could technically exist while still being difficult to use in practice.

    PSD3/PSR therefore places greater emphasis on ensuring that access works fairly and reliably in practice.

    The regulatory focus moves from a technical question: “Are APIs available?” to a governance question: “Can the institution demonstrate that access is fair, usable, and non-discriminatory in practice?”

    Supervisory discussions are therefore likely to focus increasingly on:

    • API performance and reliability
    • consistency of access conditions
    • transparency of data-sharing permissions
    • effective customer control over consent

    Open banking becomes less about enabling access and more about ensuring that access functions as trusted infrastructure.


    Platform and ecosystem accountability expands

    Another notable shift concerns how fraud and payments risk are conceptualised.

    Traditionally, payment fraud was viewed primarily as a bilateral issue between a bank and its customer. Increasingly, however, fraud originates outside the banking system.

    Scams frequently begin on digital platforms, messaging channels, or impersonation schemes before the payment interaction reaches the bank.

    This reality expands the regulatory lens toward the broader digital ecosystem in which payments operate. Institutions are expected to strengthen monitoring, data-sharing, and escalation mechanisms across multiple actors in the digital environment. Payments risk is increasingly treated as ecosystem risk, rather than a problem confined to the banking system alone.

    Supervisory harmonisation increases

    The introduction of a directly applicable Payment Services Regulation alongside the revised directive also aims to reduce national divergence in how rules are interpreted and enforced.

    For banks operating across multiple EU markets, this may bring greater consistency in supervisory expectations. At the same time, it also increases the importance of scalable internal governance frameworks capable of supporting cross-border operations.

    Institutions that rely heavily on localised adaptations may find it more difficult to justify divergent approaches.

    EU-UK divergence and convergence in policy direction

    Although PSD3 and PSR are EU initiatives, the broader policy themes extend beyond the EU.

    The UK is simultaneously reshaping its payments regulatory framework through its own legislative and supervisory processes. While the legal architecture differs, many of the underlying objectives are similar.

    Both jurisdictions are increasingly focused on:

    • strengthening fraud prevention capabilities
    • improving transparency in digital payments
    • reinforcing consumer protection
    • ensuring that open banking infrastructure functions reliably

    For banks operating across both jurisdictions, this creates a practical coordination challenge. Parallel regulatory tracks may lead to overlapping change programmes unless institutions deliberately align their architectural responses.

    The result is that cross-border banking groups must increasingly think about how payments control capabilities are designed once and adapted across jurisdictions, rather than implemented independently in each market.


    The strategic implication: Build a unified payments trust layer

    Taken together, these developments point toward the emergence of what can be described as a payments trust layer.

    This layer represents the set of capabilities through which institutions engineer trust in digital payments.
    Rather than existing as isolated controls, these capabilities increasingly need to operate as a coherent infrastructure spanning multiple payment channels, products and regulatory environments.

    A payments trust layer typically integrates:

    • payee verification
    • authentication orchestration
    • consent and permission management
    • real-time fraud monitoring
    • risk-based payment controls
    • dispute and reimbursement workflows
    • auditability and regulatory reporting

    Institutions that treat these capabilities as fragmented compliance functions risk increasing operational complexity and regulatory friction over time. By contrast, banks that design a coherent trust architecture can reduce duplication, improve resilience, and create a more scalable foundation for innovation.

    Strategic questions for banking leadership

    For senior banking leaders, the implications of PSD3/PSR extend well beyond regulatory implementation.

    Key questions increasingly concern operating models and infrastructure design.

    • Do we have a coherent payments trust architecture across channels and payment types?
    • Are fraud prevention capabilities embedded directly within payment execution flows?
    • Can we demonstrate fair and reliable open banking access in practice?
    • How are regulatory developments across different jurisdictions coordinated internally?
    • Are trust capabilities treated as strategic infrastructure in our technology and investment planning?

    These questions move the discussion from regulatory compliance toward long-term architecture and governance.

    Conclusions

    European payments regulation has evolved through several distinct stages.

    The first phase focused on market integration.

    The second phase focused on openness and innovation.

    The next phase focuses on accountability and engineered trust in digital payments.

    PSD3 and the Payment Services Regulation formalise this shift. Digital payments must not only be efficient and innovative, but also demonstrably secure, transparent, and resilient.

    For banks, the challenge is not simply implementing new rules. It is ensuring that the infrastructure underpinning digital payments can support innovation while maintaining measurable trust.

    Nebojsa Djurdjevic Author
    Nebo Djurdjevic Partner & Chief Strategy and Innovation Officer

    Entrepreneur and executive leader with over 25 years of global fintech experience and passion for partnerships that unlock growth and create value.
