The Maturity of Money: A New PSD3 Deal Redefines European Payments

Last week, negotiators from the European Parliament and the Council of the EU struck a provisional political agreement that promises to reshape the financial topography of the continent.

The deal on the new Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3) is a pivot in how Europe handles money. If the Second Payment Services Directive (PSD2) was the "revolution" that democratised opportunity for startups, this new package is the "constitution" that brings order, safety, and maturity to the resulting digital landscape.

For nearly a decade, Europe’s payment sector has operated under PSD2, a framework that successfully ignited the fintech boom and introduced "Open Banking." However, it also coincided with a sophisticated industrialization of fraud and a fragmentation of rules that left consumers vulnerable and fintechs frustrated.

A New Era for Fraud Prevention

The most headline-grabbing aspect of the agreement is the aggressive stance on fraud. Under PSD2, security was largely defined by Strong Customer Authentication (SCA), the two-factor checks we perform to log in. While SCA successfully reduced technical hacks, it did little to stop "social engineering" or Authorized Push Payment (APP) fraud, where a consumer is manipulated into voluntarily sending money to a scammer.

The new PSR fundamentally alters the liability landscape. For the first time, EU regulation will mandate that payment service providers (PSPs) reimburse victims of "impersonation fraud" (spoofing). This covers the increasingly common scenario where a fraudster poses as a bank employee to trick a victim into moving funds.

As EU Commissioner Mairead McGuinness noted during the proposal stages, the goal is to restore eroded confidence:

"We are strengthening protection against payment fraud... ensuring customers and businesses benefit from more innovative payment options, whilst being confident that these are offered in a safe way."

To support this liability shift, the "Verification of Payee" (VoP) system will become mandatory for all credit transfers in the Eurozone. This system checks if the recipient’s IBAN matches the name on the account before the money leaves the sender's wallet. Historically, banks argued that privacy laws prevented this; the new deal clarifies that fraud prevention overrides these concerns. If a bank fails to provide this check, and a customer pays the wrong person, the bank is now liable.

Furthermore, the legislation introduces a groundbreaking "network liability" that extends beyond banks. In a move that aligns financial regulation with the Digital Services Act, large online platforms (such as social media giants) can now be held liable for payment fraud if they fail to remove fraudulent content after being notified. This closes a critical loop, acknowledging that financial crimes often begin on social media, not in banking apps.

Transparency and the End of "Drip Pricing"

For consumers, the agreement promises an end to the opacity of transaction fees. The "hidden fee" model (where a transfer looks cheap until the exchange rate markup is applied) is explicitly targeted. The new rules require that the total cost of a transaction, including currency conversion margins and ATM surcharges, be displayed before the user initiates the payment.

This transparency extends to the physical world. In a victory for financial inclusion, the deal protects cash access. Retailers will be permitted to offer "cash-back" services (up to €100 or €150, depending on the final technical text) without the customer needing to make a purchase. This is a lifeline for rural communities where ATMs are disappearing, ensuring that the digital transition does not disenfranchise the elderly or the unbanked.

Perhaps the most human-centric provision, however, is the "anti-chatbot" rule. The legislation mandates that all payment service users must have access to competent human customer support. As neobanks and fintechs have scaled, many have relied entirely on automated support to cut costs, leaving distressed victims of fraud in "chat loops." The EU has drawn a hard line: if you hold people's money, you must have people available to talk to them.

Leveling the Playing Field

While consumers gain protection, the fintech industry gains legitimacy. Under the previous regime, non-bank Payment Institutions (PIs) and E-Money Institutions (EMIs) were often second-class citizens. They frequently had to rely on commercial banks to access payment settlement systems (like SEPA). This "correspondent banking" model added cost, delay, and existential risk: if a partner bank "de-risked" and closed the fintech's account, the fintech effectively died.

The new deal grants non-bank PSPs direct access to all EU payment systems, provided they meet capital and risk requirements. This cuts out the middleman, theoretically allowing a small payment app in Lisbon to settle transactions as quickly and cheaply as a major bank in Frankfurt.

By allowing fintechs to settle their own payments, the EU hopes to foster a generation of "European Champions" that can compete with American and Asian giants, reducing the bloc's reliance on foreign payment rails.

Fintechs Face a Reality Check

Despite the "level playing field" victory, the reception from the fintech industry has been mixed, with undercurrents of significant concern regarding the operational and financial burdens the new rules impose.

1. The "Human Touch" Cost Explosion

The requirement to provide "competent human support" strikes at the heart of the neobank business model. Many digital challengers operate on razor-thin margins, achieved precisely by eliminating call centers and branches. Industry insiders argue that mandating human support for every dispute or fraud query will force a restructuring of their cost bases, potentially ending the era of "free" accounts.

2. The Burden of Liability

While the European Fintech Association (EFA) publicly welcomed the agreement as an "important step forward," their statement contained a note of caution, emphasizing that the effectiveness of the rules "will depend on how these responsibilities are defined in the final text."

Privately, many fintech founders worry about the "moral hazard" of the new refund rights. By making reimbursement for impersonation fraud mandatory, critics argue the regulation might inadvertently make consumers less vigilant. If a user knows they will be refunded even if they authorize a payment to a scammer (provided they didn't act with "gross negligence"), the incentive to double-check details diminishes. For smaller fintechs with limited balance sheets, absorbing these fraud costs could be existential.

“Giving those affected by fraud a guarantee that they will be compensated will have perverse effects and creates a ‘moral hazard’. It would encourage users to be less cautious and prudent, which would counteract initiatives to increase consumer awareness and vigilance about fraud. Worse, it would increase incentives to participate in fraud. Guaranteed reimbursement gives fraudsters incentives to pose as ‘victims’ in order to collect compensation – which can be as simple as falsely claiming that a product has not been delivered.”

- Zach Meyers, Assistant Director, Centre for European Reform

3. The Compliance "Army"

The merging of EMI and PI licenses, while simplifying the legal structure, comes with stricter capital and liquidity rules. As noted in analysis by Global Government Fintech, the cumulative weight of PSD3, along with the Digital Operational Resilience Act (DORA) and Markets in Crypto-Assets (MiCA) regulation, means even small crypto or payment startups now need an "army of compliance people" just to open their doors. This raises barriers to entry, potentially protecting incumbents rather than fostering the startups the EU claims to support.

“The company, which could be managed by [just] 10 or 12 people – they have to hire an army of compliance people in order to be compliant to the MiCA regulation, to the payment service directive regulation, to DORA regulation; [and] if they’re using AI, the AI [Act]. Who will pay for [this]? Only customers.”

- Marine Krasovska, head of the fintech supervision department at Latvijas Banka

4. Implementation Friction

There is also criticism regarding the "Verification of Payee" (VoP) system. While banks accept it as necessary, payment processors warn that adding an extra check before every transaction adds "friction." In the world of e-commerce, friction leads to cart abandonment. Payment service providers are now scrambling to implement these checks without slowing down the user experience—a technical challenge that will likely delay product roadmaps for the next 18 months.

From Access to Control

PSD2 gave birth to Open Banking: the ability to share your bank data with third-party apps (like budgeting tools or loan providers). However, the experience has been plagued by poor API performance and clunky re-authentication processes (the "90-day re-consent" rule) that caused users to drop off.

The PSD3 deal attempts to fix the plumbing. It mandates "parity" between the performance of a bank's dedicated API and its own customer interface. If the bank’s app works, the API must work.

More importantly, it shifts the focus to user autonomy via "Permission Dashboards." Banks and PSPs will be required to provide users with a centralized view of exactly who has access to their data and for what purpose, with a "kill switch" to revoke permissions instantly. This addresses the "consent fatigue" of the PSD2 era, where users often lost track of which apps were scraping their accounts.

The European consumer organization BEUC has long advocated for this, arguing that trust in Open Banking relies on control. In their reaction to the legislative process, they noted:

"Consumers should remain in full control of their data and should not be refused a good or service when they decide not to share their data."

Implementation and Impact

While the political handshake has happened, the operational reality is just beginning. The industry now faces a daunting implementation timeline, likely spanning 18 to 24 months once the text is formally adopted.

For traditional banks, the cost of compliance will be high. Building "Verification of Payee" systems that work across borders in real-time, upgrading APIs, and staffing up human support centers will require significant investment. We can expect industry bodies to push for realistic deadlines. Legal experts from firms like Hogan Lovells and Freshfields have already flagged that while the regulation is an "evolution," the operational projects required are substantial.

For fintechs, the "direct access" provision is a golden ticket, but it comes with higher scrutiny. With direct access comes direct responsibility for anti-money laundering (AML) and liquidity management. The "regulatory moat" protecting banks is gone, but so are the excuses for fintechs who fail to manage risk.

Conclusion

Similar to the recent developments for consumer credit via CCD2, the "PSD3/PSR deal" is a signal that European payments have grown up. The focus has shifted from innovation at all costs to the creation of a resilient, fair, and transparent ecosystem.

By forcing banks to share data better, forcing fintechs to mature their operations, and forcing everyone to take responsibility for fraud, the EU is attempting to engineer a market where safety and innovation are not mutually exclusive. The message to the industry is clear: The "move fast and break things" era is over. The new mandate is to move smart, keep it safe, and pick up the phone when the customer calls.
