Payments Insights #6 – EU Legislative Drafting Status Of PSD3 And PSR

When the Second Payment Services Directive (‘PSD2’) replaced the First Payment Services Directive, the EU had solidified the regulatory architecture governing payment services across the single market; and this has served the ecosystem well for the past decade. On 18^th May 2026, the Chair of the European Parliament’s Committee on Economic and Monetary Affairs wrote to the EU Council Presidency to confirm that if the EU Council transmits its position on the Third Payment Services Directive (“Proposed PSD3”) and the Payment Services Regulation (“Proposed PSR”) in its current form, the Committee will recommend adoption at second reading without amendment.

The package now nearing approval confirms the split of that legal architecture in two. The Proposed PSD3 continues to govern authorisation, prudential supervision, and the licensing of payment institutions. Meanwhile, the bulk of the conduct of business rules, such as transparency, fraud prevention, strong customer authentication, and open banking access, migrate into the Proposed PSR. These conduct rules will sit in a directly applicable Regulation rather than a directive requiring transposition by each EU Member State. This eliminates the divergent national implementations that characterised the PSD2 era.

The Committee’s Chair urged accelerating the legal and linguistic finalisation so the EU Parliament can adopt the package by September 2026 at the latest. Analysed in context, this clearly indicates the legislative process has moved beyond substantive negotiation. For industry, this certainty is overdue. Euro-area providers have been subject to the Instant Payments Regulation since its entry into force, with the obligation to receive instant credit transfers applying from January 2025, as discussed in Payments Insights #4.

With the legislative text more predictable, attention turns to the statutory payment obligations governing day-to-day operations. The proposed PSD3 collapses the long-standing distinction between payment institutions and electronic money institutions into a single authorisation framework. Under the reformed framework, electronic money institutions sit as a sub-category of payment institutions, and the E-Money Directive is repealed. Existing payment institutions and electronic money institutions would be transitioned into the new regime, sparing them a fresh application, but they would be required to update their authorisation files and governance documentation to reflect the new legislation.

Intersection with crypto-asset regulation and open banking

The proposed framework clarifies the overlap with Regulation (EU) 2023/1114 on markets in crypto-assets (“MiCA”). Electronic money tokens (“EMTs”) that meet the definition of electronic money are subject to the PSD3 and PSR framework. In the previous payments insights it was seen that the digital asset sector continues grappling with the dual obligations arising from the overlap between crypto-asset service providers (“CASPs”) and payment service providers (“PSPs”). Regulatory clarity in traditional payments is arguably a precondition for crypto because electronic money tokens under MiCA are subject to the e-money framework, and CASPs providing transfer services for EMTs must hold payment services authorisation.

Certain payment transactions with EMTs used for investment or trading activities fall outside scope, including exchanges by crypto-asset service providers acting in their own name as buyer or seller. Transfer services provided by CASPs where EMTs are used to pay for goods or services, however, remain within scope. To reduce duplication, the proposed framework provides a notification-based equivalence mechanism allowing an already-authorised payment institution to offer specified EMT-related crypto-asset services.

The proposed PSR tightens the open banking regime in several respects. Account servicing payment service providers (“ASPSPs”) must rely on dedicated interfaces for third-party access as the default, with screen-scraping prohibited; a conditional derogation allows competent authorities to exempt ASPSPs from maintaining a dedicated interface in defined circumstances. Those interfaces must achieve performance parity with the customer-facing interface; the PSR presumes unavailability after five consecutive failed requests or 30-second timeouts, requires quarterly statistics, and tasks the EBA with setting optimal recovery time via regulatory technical standards. Unjustified downtime itself constitutes a supervisory breach. Third-party providers will enjoy the same data access as the ASPSP’s own customers using direct channels, finally addressing the data parity concerns that dogged PSD2.

Prudential foundations and NCA expertise

The proposed PSD3 aligns the safeguarding regimes inherited from PSD2 and the E-Money Directive. Customer funds must be diversified to avoid concentration risk where appropriate, with the EBA to specify the circumstances in regulatory technical standards. At the discretion of the national central bank, based on its organic law, payment institutions can safeguard directly at that central bank, potentially eliminating single-bank concentration risk in eligible jurisdictions. Reconciliation requirements, to be specified by the EBA in regulatory technical standards, are introduced together with documented evidence obligations for supervisors. Moreover, clearer insolvency ring-fencing provisions require safeguarded funds to be insulated in accordance with national law in the interest of payment service users against the claims of other creditors.

That reform is unmistakably centralising. By relocating conduct of business rules into a directly applicable regulation and elevating the role of the European Banking Authority in technical standard-setting and supervisory convergence, the package narrows the space in which national competent authorities (“NCAs”) have historically shaped the regulatory experience of payment institutions. Yet, centralisation at EU level increases the importance (rather than diminishing) of having a capable, responsive, and commercially literate NCA at the national level. The quality of local supervision becomes the determining factor in whether a Member State remains an attractive jurisdiction in which to authorise, scale, and operate payment and electronic money institutions.

It is on precisely this measure that the Malta Financial Services Authority (“MFSA”) continues to distinguish itself. The MFSA’s sustained expertise in its FinTech and Payments supervisory functions, its accessibility during the authorisation process, its principled but pragmatic application of EU-derived requirements, and its willingness to engage substantively with novel business models have made Malta a credible home for payment institutions, electronic money institutions, and crypto-asset service providers seeking a serious EU foothold. As the Proposed PSD3 and the Proposed PSR push the regulatory centre of gravity towards the European Commission, the European Central Bank (“ECB”), the EBA and the European Securities and Markets Authority (“ESMA”), one might hypothetically argue that the legal amendments will bring more centralisation to financial regulatory supervision.

Nevertheless, rather than ESMA, ECB, EBA and the EU Commission, the regulatory supervisor that will matter most to payment institutions and electronic money issuers will be national competent authorities, like the MFSA, that combine technical rigour with genuine on-the-ground market understanding. If the proposed law is approved, the operational phase begins at the host member state, and for financial institutions operating from Malta, the MFSA’s continued excellence as an NCA remains a decisive competitive advantage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.