
TL;DR:
- The new EU payment rules, PSD3 and PSR, unify regulations and eliminate national discrepancies across member states. They demand real-time verification of payees, 24/7 instant payments, and expanded oversight for all payment providers, including EMIs reauthorizing as Payment Institutions. Firms must prioritize data quality, upgrade operational infrastructure, and engage regulators early to maintain compliance and competitiveness.
EU payment regulations are the unified legal framework governing payment services across the European Union, anchored by the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). These two instruments replace PSD2 and the Electronic Money Directive (EMD2), and together they form the most significant overhaul of EU payment laws in over a decade. For business owners and financial professionals managing cross-border transactions, this overview of EU payment regulations is not optional reading. PSD3 and PSR affect every payment institution (PI), electronic money institution (EMI), account information service provider (AISP), and payment initiation service provider (PISP) operating in the EU. The core goals are clear: stronger consumer protection, tighter fraud liability, and uniform conduct rules across all member states.
What are PSD3 and PSR, and how do they reshape EU payment law?
PSD3 and PSR divide regulatory responsibilities into two distinct instruments, each with a different legal form. PSD3 is a directive, meaning each EU member state must transpose it into national law. It governs authorization, supervision, and licensing of payment service providers. PSR is a regulation, meaning it applies directly across all member states without national transposition. That distinction matters enormously. PSR sets the conduct-of-business rules, fraud liability standards, and transparency requirements that every payment service provider must follow, with no room for national variation.

The shift from directive to regulation is the structural change that ends years of fragmented compliance. Under PSD2, national regulators applied their own interpretations, creating uneven standards across the EU. PSD3 and PSR eliminate that divergence, replacing it with a Single Rulebook that sets a uniform, EU-wide baseline for conduct, transparency, and fraud liability. Firms that previously calibrated compliance to their home regulator now face a higher, non-negotiable standard.
The licensing structure also changes significantly. EMIs will no longer exist as a separate license category. Instead, EMIs must reauthorize as Payment Institutions under PSD3, with a transitional regime of up to 27 months. During that window, firms face dual reporting obligations and heightened audit scrutiny. The new framework also expands the regulatory perimeter, bringing new categories of service providers under supervision.
Key structural changes under PSD3 and PSR include:
- Single licensing regime: EMIs merge into the PI category, simplifying the license landscape but requiring reauthorization.
- Direct applicability of PSR: Conduct rules apply uniformly across all EU member states from day one.
- Expanded regulatory scope: New types of payment service providers fall under supervision for the first time.
- Mandatory Verification of Payee (VoP): Required within 27 months of the framework’s entry into force.
- Enhanced Open Banking rules: PSD3 introduces more prescriptive API performance and uptime requirements for third-party access.
Pro Tip: If your firm holds an EMI license, begin your reauthorization planning now. The 27-month transitional window sounds generous, but dual reporting and regulator engagement take longer than most firms expect.
How do the new EU payment rules impact fraud prevention and VoP requirements?

Fraud liability under PSR is the area where the new EU payment rules bite hardest. The regulation mandates Verification of Payee as a core operational requirement, not a best practice. VoP requires real-time API integration to match a payee’s name against their IBAN before a payment executes. When a mismatch occurs, the payment service provider must alert the payer immediately. If the PSP fails to flag the discrepancy and fraud results, PSPs must fully reimburse payers for unauthorized transfers. That liability shift is a direct financial consequence of non-compliance.
Authorized push payment (APP) fraud, where a payer is tricked into sending money to a fraudster’s account, is the primary target of these rules. The reimbursement obligation for APP fraud expands consumer rights significantly. For payment service providers, this means fraud monitoring can no longer be a back-office function. It must be automated, real-time, and integrated into the payment flow itself.
The operational steps required to meet VoP and fraud prevention obligations are:
- Deploy real-time VoP APIs. Your systems must query payee name and IBAN data before every credit transfer, not just instant payments.
- Build early-warning alerts. When a name-IBAN mismatch is detected, the payer must receive a clear, immediate notification before confirming the transaction.
- Automate fraud monitoring. Manual review processes cannot meet the speed requirements of real-time payment flows. Automated transaction monitoring is required.
- Document liability decisions. When a payer proceeds despite a mismatch warning, document the decision trail. This affects reimbursement eligibility.
- Review outsourcing arrangements. Under PSD3, PSPs face expanded liability for fraud or failures caused by third-party technical service providers.
Pro Tip: VoP sounds like a technical integration project, but it is a legal liability question first. Brief your legal and risk teams before your engineering team. The reimbursement exposure defines the business case for the investment.
What operational changes are required for instant payments and sanctions screening?
The Instant Payments Regulation is the third pillar of the new EU payment compliance framework, and its operational demands are the most immediate. The regulation requires payment service providers to execute instant credit transfers within seconds, around the clock, every day of the year. Batch processing and manual workflow delays are no longer acceptable for credit transfers in scope. That is a fundamental change to how many payment operations teams currently work.
Sanctions screening is where the operational complexity peaks. PSPs must run 24/7 automated sanctions screening on every instant payment, with no manual intervention in the processing chain. Traditional batch-based screening tools cannot meet this requirement. The regulation also amends the SEPA Regulation, meaning VoP applies to all credit transfers, not just instant ones. That broadens the compliance surface area significantly.
The timeline varies by institution type:
- Eurozone PSPs: Earlier compliance deadlines apply for instant payment processing obligations.
- Non-Eurozone PSPs and traditional banks: Must meet instant payment requirements by january 9, 2027.
- All PSPs: VoP obligations apply within 27 months of the framework’s entry into force.
- Third-party technical providers: Face increased scrutiny under expanded outsourcing liability rules.
For cross-border payment operations, the combination of instant execution, real-time sanctions screening, and VoP creates a technology stack that most legacy systems cannot support without significant upgrades. Understanding cross-border payment processing requirements is the starting point for any gap analysis.
What compliance steps should businesses take to prepare for PSD3 and PSR?
Compliance with PSD3 and PSR is an operational system, not a one-time project. Missing or inconsistent transaction fields are the primary triggers for non-compliance under the new framework. That means data quality sits at the center of every compliance program. A payment that fails validation because of an incomplete field is a regulatory breach, not just a technical error.
The compliance preparation framework for businesses and payment service providers breaks down into six areas:
- Gap analysis: Map your current licensing, safeguarding, fraud controls, and open banking capabilities against PSD3 and PSR requirements. Identify where your existing controls fall short.
- System upgrades: Upgrade transaction monitoring, API performance, and VoP integration. National regulators must act promptly against substandard interfaces under PSD3.
- Data quality: Audit transaction data completeness across all payment flows. Incomplete fields trigger downgrades and penalties.
- EMI reauthorization planning: If your firm holds an EMI license, engage your regulator early. The reauthorization process involves dual reporting and increased audit scrutiny during the transitional period.
- Level 2 measures tracking: The European Banking Authority (EBA) will publish technical standards and guidelines under PSD3 and PSR. Track these closely, as they define the operational detail behind the high-level rules.
- Third-party risk management: Review all outsourcing and contractor arrangements. Expanded liability for third-party failures means your vendor contracts need compliance clauses.
The importance of compliance in payments has never been more directly tied to operational performance. Firms that treat compliance as a governance checkbox will find themselves exposed when the new rules take effect.
Pro Tip: Build your compliance program around data quality first. A payment that executes correctly but carries incomplete transaction fields is still a regulatory problem. Fix the data pipeline before you fix the reporting layer.
For SMEs managing cross-border payments, the international payment compliance checklist covers the practical steps most relevant to smaller operations navigating these requirements.
| Compliance area | Priority action |
|---|---|
| Licensing | Confirm PI or EMI status and begin reauthorization if required |
| Fraud controls | Deploy real-time VoP API and automated monitoring |
| Data quality | Audit all transaction fields for completeness and accuracy |
| Instant payments | Assess infrastructure for 24/7 execution and sanctions screening |
| Third-party risk | Review outsourcing contracts for expanded liability clauses |
Key Takeaways
EU payment compliance under PSD3 and PSR requires real-time fraud controls, uniform data quality, and proactive licensing decisions across every payment service provider operating in the EU.
| Point | Details |
|---|---|
| PSD3 and PSR replace PSD2 and EMD2 | The new framework creates a Single Rulebook with no room for national regulatory variation. |
| VoP is a legal liability requirement | PSPs that fail real-time payee checks must reimburse payers for resulting fraud losses. |
| Instant payments demand 24/7 infrastructure | Non-Eurozone PSPs must meet instant payment and sanctions screening requirements by january 9, 2027. |
| EMIs face mandatory reauthorization | The 27-month transitional period involves dual reporting and heightened regulator scrutiny. |
| Data quality drives compliance | Missing transaction fields are the primary trigger for regulatory breaches under the new rules. |
Why compliance strategy is the real competitive divide
The firms that will struggle most under PSD3 and PSR are not the ones with the weakest technology. They are the ones that still treat compliance as a periodic audit exercise rather than a continuous operational function. I have seen this pattern repeatedly in financial services: a firm invests heavily in its payment infrastructure, then treats the compliance layer as something to bolt on before a regulatory deadline. That approach fails under a framework where compliance is now operational and linked directly to data quality and real-time transaction validation.
The end of national regulatory discretion is actually good news for well-prepared firms. Under PSD2, a competitor in a more permissive jurisdiction could undercut you on compliance costs. The Single Rulebook eliminates that arbitrage. Every firm operating in the EU now faces the same baseline. That levels the field, but only for firms that have already built to that standard.
The area I watch most closely is the EMI reauthorization process. Smaller fintechs and EMIs face the same rigorous requirements as traditional banks under PSD3, including ICT risk management and incident handling. That is a genuine operational burden for lean teams. The firms that engage their regulators early, document their transition plans, and build compliance into their product roadmap will come out of this period stronger. The ones that wait for final EBA technical standards before acting will find themselves scrambling.
The opportunity here is real. Firms that automate VoP, build clean transaction data pipelines, and maintain 24/7 payment infrastructure are not just compliant. They are faster, more reliable, and more trusted by their banking partners. Compliance and competitive advantage are the same thing under this framework.
— dd
How Demivolt supports EU payment compliance
Accurate IBAN data is the foundation of VoP compliance, and errors at the data entry stage create liability before a payment even executes.

Demivolt’s free IBAN validator checks IBAN format and structure against the ISO 13616 standard instantly, helping businesses catch errors before they trigger a mismatch alert or reimbursement obligation. For teams managing SEPA credit transfers, Demivolt’s SEPA payment tools support compliant cross-border payment processing aligned with the Instant Payments Regulation requirements. Demivolt operates as a regulated European fintech platform with dedicated IBAN accounts, segregated client funds, and built-in compliance infrastructure. For business owners building payment operations that need to hold up under PSD3 and PSR scrutiny, Demivolt provides the financial infrastructure to do it correctly from the start.
FAQ
What is the difference between PSD3 and PSR?
PSD3 is a directive governing licensing and supervision, transposed into national law by each EU member state. PSR is a regulation that applies directly across all member states, setting uniform conduct, fraud liability, and transparency rules.
When do PSD3 and PSR take effect?
The new framework applies 21 months after entry into force, with Verification of Payee requirements mandatory within 27 months. EMIs have up to 27 months to complete reauthorization as Payment Institutions.
What is Verification of Payee and why does it matter?
Verification of Payee (VoP) is a real-time check that matches a payee’s name against their IBAN before a payment executes. PSPs that fail to implement VoP correctly face full reimbursement liability for resulting fraud losses.
Do instant payment rules apply to non-Eurozone banks?
Traditional bank PSPs outside the Eurozone must meet instant payment and 24/7 automated sanctions screening requirements by january 9, 2027, under the Instant Payments Regulation.
What happens to EMI licenses under PSD3?
EMIs must reauthorize as Payment Institutions under PSD3. The transitional regime lasts up to 27 months and involves dual reporting obligations and increased regulatory scrutiny during the changeover period.