The End of the Dual Licence: One Framework for All Non-Bank PSPs
Perhaps the most structurally significant change is the abolition of the standalone EMI licence. Under the current regime, PIs and EMIs operate under separate directives (PSD2 and EMD2), each with its own capital requirements, safeguarding rules, and authorisation criteria.
PSD3 eliminates this split. The issuance of electronic money is reclassified as a payment service (Annex I, Point 8), meaning every non-bank PSP, whether it provides payment services, issues e-money, or does both, must hold a single Payment Institution authorisation.
This resolves long-standing ambiguity around the boundary between payment services and e-money services, an area where some undertakings exploited grey zones to obtain a PI licence while effectively conducting e-money activities.
For existing EMIs, the implication is clear: you will need to transition to the new PI framework within 27 months of PSD3 entering into force, or face suspension.
2. Key Changes That Will Affect Your Operations
Mandatory Verification of Payee (VoP)
One of the most operationally demanding new requirements is the extension of Verification of Payee to all credit transfers, not just SEPA instant payments. PSPs must verify that the IBAN and payee name match before a transaction is authorised, notifying the payer of any discrepancy. For legal persons, verification may use fiscal numbers, LEIs, or other unambiguous identifiers. This service must be provided free of charge.
The VoP obligation kicks in 24 months after the PSR enters into force, but the technical infrastructure changes required are substantial and should be planned well in advance.
3. A Major Shift in Fraud Liability
The PSR fundamentally rebalances fraud liability. Where a consumer is defrauded by someone impersonating their PSP (spoofing the PSP’s domain name, email, phone number, website, or app), the PSP is liable for the full amount of the fraudulent transaction, unless the payer acted fraudulently or with gross negligence.
PSPs must also be able to delay suspicious transactions, enable customers to set their own transaction limits, and block payment instruments where fraud is suspected. Online platforms that fail to remove fraudulent content after notification may themselves face liability.
The message is unambiguous: PSPs that do not invest in transaction monitoring, behavioural analytics, and real-time intervention will absorb losses previously borne by customers.
4. Stronger SCA and Open Banking Rules
Strong Customer Authentication rules are refined and extended, with explicit provisions for digital wallets and mobile payment applications, clearer exemption frameworks, and the inclusion of microenterprises as consumer-equivalent for SCA purposes.
On open banking, ASPSPs must continue providing free API access for regulated data, but a new contractual framework allows premium or value-added data access arrangements (such as variable recurring payments) to be negotiated between parties.
5. Access to Banking and Payment Systems
Two persistent pain points under PSD2 are directly addressed. First, credit institutions must now provide PIs with access to payment accounts on a proportionate and non-discriminatory basis, with written justification for any refusal and a right of appeal. Second, PIs may now apply for direct participation in payment systems, with operators only permitted to reject applications on the basis of objectively assessed risk.
6. Harmonised Capital and Safeguarding
Capital requirements are adjusted for inflation, and safeguarding rules are unified across the PI framework. PIs must diversify safeguarding methods to manage concentration risk, and must disclose safeguarding arrangements to users. For e-money PIs specifically, funds must be safeguarded from the point of receipt, a tighter standard than under EMD2.
7. The Transitional Timeline: Key Deadlines
The timeline is tightly sequenced. PSD3 enters into force upon publication in the Official Journal. From that date:
- 18 months: Member States must transpose PSD3 into national law.
- 21 months: Most PSR conduct obligations become directly applicable.
- 24 months: The VoP obligation takes effect.
- 27 months: The grandfathering period for existing PIs and EMIs expires. Firms that have not demonstrated compliance will be suspended.
Existing PIs must submit information to their NCA demonstrating compliance with PSD3’s requirements: governance, ICT, safeguarding, security, and AML/CFT arrangements. Existing EMIs must do the same, but must also formally transition from their EMI licence to the new PI framework.
Those that comply are deemed authorised under PSD3 and entered into the new EBA register. Those that do not comply by the deadline face suspension.
What Should You Be Doing Right Now?
The regulatory text is settled. The question is no longer what is coming, but how prepared you are.
Firms should be taking concrete steps today:
- Conduct a gap analysis mapping existing governance, ICT, safeguarding, AML/CFT, and capital arrangements against PSD3 Article 3(3) requirements and DORA obligations.
- Begin preparing updated authorisation documentation, including DORA-compliant ICT frameworks, revised safeguarding policies, and updated capital assessments.
- Assess technical infrastructure for VoP compliance. System changes take time, and the 24-month window will move faster than expected.
- Review and upgrade fraud prevention capabilities. The liability shift under the PSR is commercially significant: inadequate monitoring systems will translate directly into financial losses.
- CASPs offering or planning payment-related services should map activities against both MiCA and PSD3/PSR and engage early with their NCA, taking advantage of the streamlined dual-authorisation process.
How MK Fintech Partners Can Help
At MK Fintech Partners, we advise payment institutions, EMIs, and crypto-asset service providers across the full spectrum of EU financial regulation, from licensing and compliance to ongoing regulatory engagement with the MFSA and other competent authorities.
We are already working with clients to prepare for PSD3 and PSR, including:
- PSD3 gap analysis and readiness assessments, identifying where your current arrangements fall short of the new requirements and building a remediation roadmap.
- Transitional compliance support for EMIs migrating to the unified PI framework.
- Authorisation documentation preparation aligned with PSD3 Article 3(3) and DORA.
- Safeguarding and capital structure advisory under the new harmonised regime.
- VoP and fraud prevention readiness reviews.
- Dual-authorisation advisory for CASPs navigating both MiCA and PSD3.
The 27-month grandfathering window is not as generous as it appears. Firms that begin their gap analysis and compliance planning now will be in the strongest position when their NCA begins assessments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.