The Payment Services Directive 2 (PSD2) came into force in January 2018 and introduced two transformative concepts to European payments regulation: strong customer authentication (SCA) and open banking, the latter through provisions requiring banks to provide third-party payment service providers with standardised access to payment accounts. Seven years on, the Commission has acknowledged that PSD2’s open banking framework underperformed its potential, and the proposed PSD3 and accompanying Payment Services Regulation (PSR) — currently under legislative review — represent a significant recalibration. Understanding what PSD2 achieved, where it fell short, and what PSD3 intends to fix is essential for banks, fintechs, and corporate treasurers operating in the European payments market.
What PSD2 Delivered and Where It Fell Short
PSD2 created the legal framework for two categories of third-party provider. Account information service providers (AISPs) are licensed to access payment account data, with the account holder’s consent, to provide consolidated account information services. Payment initiation service providers (PISPs) are licensed to initiate payments directly from a customer’s payment account without requiring the customer to use the bank’s own interface. Both categories of provider access bank account data and payment infrastructure through APIs that banks are required to make available under PSD2.
The Commission’s review of PSD2’s implementation identified several persistent problems. The quality and reliability of bank APIs varied enormously across institutions and member states, with many banks offering APIs that were technically compliant but practically difficult to use, frequently unavailable, or throttled in ways that disadvantaged third-party providers. The absence of a mandatory technical standard for API interfaces — PSD2 delegated this to the European Banking Authority through Regulatory Technical Standards, which specified authentication requirements but not interface architecture — resulted in fragmentation across hundreds of different API implementations. Third-party providers, particularly smaller fintechs, faced significant integration costs to connect with multiple banks across multiple member states.
Consumer adoption of open banking services also grew more slowly than anticipated. The strong customer authentication requirements, while necessary for fraud prevention, added friction to the customer authentication journey that reduced conversion rates in payment initiation flows. The liability framework for fraudulent transactions under PSD2 was also perceived by some market participants as inadequately protecting consumers in certain social engineering scenarios, creating reputational risk for open banking payment products.
PSD3 and the Payment Services Regulation: The Structural Approach
The Commission’s June 2023 legislative package proposes a split approach: a revised directive (PSD3) addressing authorisation, supervision, and enforcement of payment service providers, and a new directly applicable regulation (PSR) containing the harmonised rules for payment services. The Regulation format is significant because it eliminates the member state implementation discretion that created fragmentation under PSD2, producing uniform rules across the EU without national transposition variation.
On open banking specifically, PSD3 and the PSR introduce a dashboard mechanism that requires banks to provide account holders with a clear, accessible tool to manage which third-party providers have access to their accounts and what data they can access. This transparency requirement addresses consumer trust concerns that partly explain the slow adoption of open banking services. The package also proposes to strengthen the API quality requirements by requiring banks to maintain performance standards for third-party API access that are no less favourable than those for their own customer-facing interfaces, with supervisory authorities empowered to impose remedies where API quality falls below the required standard.
From Open Banking to Open Finance
Perhaps the most strategically significant element of the Commission’s payment regulation reform is its connection to the broader Financial Data Access (FIDA) Regulation, also proposed in June 2023. While PSD3 and PSR modernise open banking for payment accounts, FIDA proposes to extend the data-sharing logic to a much broader universe of financial products: investment accounts, insurance policies, pension products, mortgage and consumer credit data, and certain savings products. This extension — sometimes called open finance — represents a fundamental shift in the competitive dynamics of European retail financial services.
Under FIDA, financial institutions holding customer data would be required to make that data available to authorised third-party data users — including fintechs, insurance comparison platforms, wealth management services, and other financial firms — when the customer consents. The data would be shared through standardised interfaces maintained through financial data sharing schemes, which would be industry-developed but subject to regulatory oversight. Unlike PSD2’s API framework, which was implemented without adequate standardisation, FIDA explicitly requires standardisation through these schemes as a precondition for its data access obligations to apply.
The competitive implications of open finance are significant. A fintech or neobank that can access a customer’s full financial data profile — including their mortgage position, investment portfolio, insurance coverage, and pension savings — can offer personalised financial advice, optimised product recommendations, and integrated financial management tools that incumbent institutions find difficult to replicate. Incumbents, for their part, can use the same open finance infrastructure to access data held by competitors, enabling competitive intelligence and personalised retention offers. The net effect is an acceleration of competition in retail financial services that will reward data-driven product development and penalise institutions that rely on data captivity for customer retention.
Strong Customer Authentication: Calibration and Fraud Liability
PSD3 revisits the strong customer authentication framework with two objectives: reducing friction while maintaining security, and clarifying the liability framework for fraud. On friction reduction, the PSR introduces a more risk-based approach that allows payment service providers to apply simplified authentication for low-risk transactions defined by reference to transaction value, merchant type, payer behaviour, and fraud rate. The existing SCA exemptions under PSD2 — transaction risk analysis, recurring transactions, low-value transactions — are maintained and clarified.
The fraud liability provisions in PSD3 address a specific concern about APP (Authorised Push Payment) fraud, in which consumers are manipulated into authorising payments to fraudsters. Under PSD2, the fact that the customer authorised the payment meant the bank bore no liability in many such cases, even where the manipulation was sophisticated. PSD3 proposes to require payment service providers to implement technical measures to detect and prevent APP fraud, including verification of the payee account holder’s name against the payment instruction (a verification service already mandatory in the Netherlands and being rolled out in the UK). Where a bank fails to implement required fraud prevention measures and a consumer suffers APP fraud loss, liability attaches to the payment service provider.
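As an added illustration, not part of the original article or of any real scheme's matching rules, the following Python sketch shows the kind of payee-name check the text describes: the name the payer typed is normalised and compared with the name the payee's bank holds for the account, and the payer is warned before authorising when the names do not match. The suffix list, normalisation steps and similarity threshold are assumptions.

```python
"""Simplified payee-name verification check (constructed example)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Assumption: legal-form suffixes that should not affect matching.
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "gmbh", "bv", "sa", "sarl", "llc", "inc"}
# Assumption: similarity ratio at or above this counts as a close match.
CLOSE_MATCH_THRESHOLD = 0.85


def normalise(name: str) -> str:
    """Strip accents and punctuation, case-fold, drop legal-form suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", folded.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def verify_payee(entered_name: str, account_holder_name: str) -> str:
    """Return MATCH, CLOSE_MATCH or NO_MATCH for the payer-entered name."""
    entered, held = normalise(entered_name), normalise(account_holder_name)
    if not entered or not held:
        return "NO_MATCH"
    if entered == held:
        return "MATCH"
    # Same words in a different order ("Smith John" vs "John Smith").
    if sorted(entered.split()) == sorted(held.split()):
        return "CLOSE_MATCH"
    ratio = SequenceMatcher(None, entered, held).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


def payer_prompt(entered_name: str, account_holder_name: str) -> tuple[str, bool]:
    """Message to show before authorisation, and whether a warning is required."""
    result = verify_payee(entered_name, account_holder_name)
    if result == "MATCH":
        return "Payee name matches the account holder.", False
    if result == "CLOSE_MATCH":
        return "Payee name is similar but not identical; check before authorising.", True
    return "Payee name does not match the account holder; do not proceed unless sure.", True


if __name__ == "__main__":
    for entered, held in [("Acme Trading Ltd", "ACME TRADING LIMITED"),
                          ("Jon Smith", "John Smith"),
                          ("Fraudster Holdings", "John Smith")]:
        print(entered, "->", verify_payee(entered, held))
```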
Non-Bank Payment Institutions: Supervision and Consumer Protection
PSD3 addresses persistent concerns about the supervision of non-bank payment institutions, including e-money institutions and payment institutions. These entities are authorised under PSD2 but supervised by national financial authorities with varying degrees of rigour. Several high-profile failures of e-money institutions — including Wirecard’s spectacular collapse in 2020 and the subsequent difficulties of institutions that depended on Wirecard’s infrastructure — highlighted the risks of insufficient supervision and inadequate safeguarding of client funds.
PSD3 strengthens the safeguarding requirements for client funds held by payment institutions, tightens the fit and proper requirements for management, and provides for more harmonised supervisory standards across member states through enhanced coordination between the EBA and national supervisors. The passporting regime — which allows a payment institution authorised in one member state to provide services throughout the EU — is also tightened, with requirements for the passporting institution to have genuine substance in its home member state and with enhanced supervisory cooperation obligations for the host member state where the institution conducts significant activity.
Implications for Fintechs, Banks, and Corporates
For fintech companies building on open banking data, PSD3 and PSR offer the prospect of better API quality and more standardised access, reducing integration costs. The FIDA extension to open finance creates a dramatically larger data universe on which to build financial services products. The liability clarifications around APP fraud create both risk management obligations and, where implemented well, a competitive advantage for providers that can demonstrate lower fraud rates.
For incumbent banks, the PSD3 package accelerates competitive pressure from third-party providers with access to previously captive customer data. The transition to open finance will require banks to invest in the API infrastructure and data governance necessary to comply with FIDA data sharing obligations while simultaneously building their own data-driven product capabilities to retain customers in a more competitive environment. Banks that treat PSD3 compliance as a minimum obligation risk strategic disadvantage relative to those that treat it as a platform for building new data partnerships and revenue streams.
For corporate treasurers, the improvements to payment initiation services and the extension of account information to corporate accounts could simplify treasury operations, reduce dependence on proprietary bank connectivity solutions, and provide greater real-time visibility into cash positions across multiple banking relationships. The uptake of open banking in corporate treasury has been slower than in retail, partly because corporate payment flows involve higher values and more complex authorisation requirements, but the regulatory improvements in PSD3 should gradually reduce these barriers.
Conclusion
PSD3, the PSR, and FIDA together represent the second generation of Europe’s open finance strategy, addressing the documented shortcomings of PSD2 while extending the data-sharing logic to the full breadth of retail financial products. The shift to a directly applicable Regulation eliminates fragmentation, the API quality requirements address the persistent underperformance of bank open banking interfaces, and the open finance extension creates a competitive environment that will structurally benefit data-driven financial services providers. For all participants in the European financial services market, understanding the direction of travel is as important as managing compliance with the current rules.
