- within Tax topic(s)
On 24 April 2026, the Council of the EU published final compromise texts for the proposed Third Payment Services Directive (PSD3) and Payment Services Regulation (PSR). The release of the final texts gives the market greater clarity on the future EU payments framework and marks a major step toward a more harmonised, transparent and crypto-aware regime for payment services.
The package centres on PSD3, which is intended to repeal and replace PSD2, together with linked changes under the PSR. In practical terms, it moves many conduct-of-business rules into a directly applicable Regulation, aligns electronic-money and payment conduct rules, narrows scope exclusions, and introduces new measures on cash access, currency-conversion disclosure, strong customer authentication, fraud liability and crypto-related payment activities.
What changes and why it matters
The compromise seeks to address the fragmentation that emerged under PSD2, where differing national transpositions of Directive-level rules weakened consistency across the Single Market. PSD3 is designed to repeal PSD2 in full rather than merely amend it, reflecting the view that incremental reform is no longer enough. By shifting many conduct rules into the directly applicable PSR, the Council is aiming to reduce interpretation gaps and create a more consistent baseline of consumer protection and transparency across Member States, while leaving authorisation, prudential requirements and supervisory structures within a Directive-format framework.
The text also reflects the increasingly blurred lines between traditional payment services and electronic-money activities. To better match market reality and close regulatory loopholes, the compromise aligns conduct obligations for electronic money institutions and payment institutions while preserving their separate licensing and capital regimes.
Key provisions: practical and legal effects
Aligning e-money and payment rules
Recognising the operational convergence between electronic money services and traditional payment services, the compromise text brings conduct obligations for electronic money institutions closer to PSD3 where relevant. Electronic-money concepts, including electronic-money tokens, are expressly referenced when they intersect with consumer-facing conduct rules. The aim is to reduce regulatory arbitrage while preserving separate licensing and capital frameworks for e-money issuers.
Tighter scope exclusions and EBA guidance
The compromise narrows and clarifies exclusions that previously allowed some providers to operate outside the payments rulebook. The commercial-agent exclusion is tightened to prevent platforms and intermediaries from sidestepping PSP obligations, while the specific-purpose instrument exemption is constrained to stop large-scale or consumer-facing services from avoiding core protections. The European Banking Authority is tasked with issuing guidance to support more consistent interpretation across the Single Market.
Cash access, ATMs and retail cash-in
Improving access to cash remains an EU priority. Retailers may be allowed to offer voluntary cash-in and cash-out services without full payment-service authorisation if they comply with transparency requirements, especially the need to disclose fees before the transaction. The regulatory treatment of ATM deployers is also clarified, with some categories subject to registration rather than full authorisation, alongside mandatory upfront disclosure where withdrawal fees are charged.
Crypto-assets and e-money tokens
The compromise expressly addresses how crypto-related transfers and e-money tokens interact with the payments framework. Transfers involving e-money tokens and certain crypto-related payment activities may fall within PSD3 where they serve a payment function. Payment institutions may also be permitted to offer crypto-asset services linked to e-money tokens under specified conditions and notification procedures, while the text seeks to avoid unnecessary overlap with MiCA for already regulated firms.
Transparency, currency conversion and virtual IBANs
Consumer transparency is a central theme. The compromise strengthens currency-conversion disclosure by requiring providers to state conversion costs both as a monetary amount and as a percentage mark-up over an aggregated mid-market rate. The PSR also recognises virtual IBANs as valid payment account identifiers for transfers and reconciliation, while introducing safeguards to reduce misuse.
Operational and notification duties
Operational resilience, security and reporting obligations are retained and sharpened. Providers will face enhanced record-keeping, incident-reporting and notification duties, including specific notifications tied to crypto-related services involving e-money tokens. The EBA is expected to develop further technical standards and guidelines to harmonise implementation.
Open banking and third-party provider access
The compromise refines one of PSD2's most significant areas: third-party provider access. AISPs and PISPs retain their right to access payment accounts held by other providers, but the text introduces clearer technical and contractual parameters governing that access. ASPSPs will face more specific obligations on the quality and reliability of dedicated interfaces, with the EBA mandated to develop technical standards on performance, uptime and fallback mechanisms.
Strong customer authentication
The strong customer authentication framework is preserved but clarified. The core multi-factor authentication requirement remains, while the compromise gives greater detail on how exemptions such as transaction-risk analysis, trusted beneficiaries and low-value payments should apply. Delegated authentication arrangements are given a clearer legal basis, subject to contractual and liability safeguards, and the EBA is tasked with updating its technical standards to reflect new authentication technologies.
Liability for unauthorised transactions and fraud
The compromise also addresses unauthorised transactions and fraud, including growing concern around authorised push payment fraud and social-engineering scams. The existing liability framework is broadly retained, but providers will be required to implement real-time fraud-detection measures and warn consumers of suspected fraud before execution. Where a payee's provider has failed to apply adequate fraud-prevention controls, the text contemplates a liability-sharing mechanism between the payer's and payee's providers.
Supervision, enforcement and penalties
National competent authorities would receive stronger investigatory and sanctioning powers, including the ability to impose administrative fines calibrated to the seriousness and duration of an infringement. The compromise also pushes for greater harmonisation of penalties and a stronger EBA role in supervisory convergence, peer reviews and common supervisory methodologies, together with updated cross-border cooperation mechanisms.
Interaction with the Instant Payments Regulation
The compromise must also be read alongside the Instant Payments Regulation, which requires EU payment service providers to offer instant euro credit transfers at charges no higher than standard transfers. The two regimes are complementary: the Instant Payments Regulation deals with availability and pricing, while PSD3 and PSR shape the broader conduct, transparency and authorisation framework within which those transfers operate. Providers will need integrated compliance programmes, particularly where fraud-screening duties must be performed in real time without delaying instant execution windows.
Market impact and next steps
Banks and established PSPs are likely to face more consistent conduct rules across the Single Market, but also higher standards on disclosures, contracts, fraud prevention, strong customer authentication and operational resilience. Fintech operators and third-party providers will benefit from clearer perimeter rules and more structured open banking access standards, while those offering crypto-linked payment services gain a more defined regulated pathway subject to core consumer-protection obligations. Merchants may gain clearer routes to offer in-store cash services, but only with the relevant fee-disclosure and registration safeguards in place.
The Council's final compromise text is a major milestone, but it is not the final word. The proposals will now move into trilogue negotiations with the European Parliament, where further debate is expected on APP fraud liability, the calibration of SCA exemptions, the scope of open banking access rights, and the treatment of crypto-asset service providers. One practical question that remains is how EU-licensed providers will interact with non-EU-licensed providers. If adopted in its current direction, the PSR would apply directly across Member States after a transitional period, while PSD3's Directive-level provisions would still require national transposition, a process that may once again create implementation divergence if not carefully managed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]