EU institutions negotiate revised payments legislation

Dubbed by many as an 'evolution' rather than a 'revolution', the reforms to the EU payments legislative framework have reached the trialogue negotiation stage, following the approval in June 2025 of the Council of the EU's position. We explore some of the provisions which are likely to feature prominently in the inter-institutional dialogue. 

Background

In June 2023, the EU Commission published its proposals for a revised Payment Services Directive (PSD3) and a new Payment Services Regulation (PSR). The package of measures aims to reduce payment fraud, foster technological innovation, improve consumer protection and increase transparency on fees it responds to the Commission's review of the Second Payment Services Directive (PSD2), which concluded that the payment services market has undergone a major transformation in recent years.

On 23 April 2024, the EU Parliament voted to adopt amended texts of PSD3 and PSR at first reading. The Council published the texts of compromise proposals of PSD3 and PSR on 13 June 2025. Coreper (member states' representatives) formally approved the Council's stance on 18 June 2025. Ahead of the commencement of trialogue negotiations, the Council published the following working documents:

• A comparison table comparing the negotiating positions taken by the Commission, the Council and the Parliament on PSD3.
• A comparison table comparing the negotiating positions taken by the Commission, the Council and the Parliament on PSR.

Fraud prevention

The Commission's proposed text of the PSR establishes for the first time in the EU a liability regime for payment service providers (PSP) for authorising transactions where the consumer was a victim of impersonation fraud (which would be considered a type of authorised push payment (APP) fraud in the United Kingdom). Parliament has widened the scope to impersonation by "any other relevant entity of a public or private nature." The Council does not follow this approach and includes in its proposal a positive obligation on the consumer to notify the PSP without "undue delay" once it is aware of the fraudulent transaction, requiring the consumer to provide all relevant information requested by the PSP "and that the consumer can reasonably be expected to have regarding the events leading up to the disputed payment transaction," and that the consumer reports the fraud to the police. Furthermore, the Council has extended the time limit for the PSP to determine the fraud from ten business days to 15 business days.

Electronic communication service providers

While both of the co-legislators have introduced provisions to address the role of electronic communications service providers (ECSPs) in mitigating the risk of fraud, each has taken a different approach. The Parliament's amendments focus on requiring ECSPs to:

• refund a PSP if they fail to remove fraudulent or illegal content having been informed of its existence
• educate and warn consumers about online scams and what steps can be taken to avoid becoming a victim of fraud as well as how to report fraud
• together with PSPs and digital platform service providers, have in place adequate fraud mitigation measures.

On the other hand, the Council's amendments are centred around building cross-sectoral co-operation. It seeks to achieve this by requiring ECSPs to:

• have in place measures to ensure effective cooperation with PSPs
• establish dedicated communication channels with PSPs, or participate in a system for effective communication, or in an information sharing mechanism, to allow for faster and more effective sharing of any information that could be useful in the prevention and detection of fraud
  In addition it calls on the Commission and the European Board of Digital Services to support the adoption of a voluntary code of conduct at Union level to promote prevention, enhance security as well as combat payment fraud and financial scams.

Interoperability

The Parliament's text addresses concerns regarding interoperability by including a substantive provision that requires mobile devices and ECSPs to allow providers of front-end payment services to store software on relevant mobile devices’ hardware in order to make transactions technically possible both online and offline. In contrast, the Council has not included such a provision, leaving this topic to one of the recitals.

Open banking

PSR transforms open banking, which was introduced by PSD2 and Commission Delegated Regulation (EU) 2018/389 on strong customer authentication and secure communication.

PSD2 created a regime for third party providers (TPP) to communicate with account servicing payment service providers (ASPSPs) (providers of payment accounts to customers) to:

• get access to or gather customer data (by becoming account information service providers)
• initiate a payment (by becoming payment initiation services providers).

Key to both accessing/gathering customer data and initiating payments are "dedicated interfaces." The PSR contains a number of proposed enhancements on the current regulations for such interfaces including exemptions for small ASPSPs from some of the obligations around dedicated interfaces.

While the Council's position largely tracks that of the Parliament's, there are a number of noteworthy differences.

Where a dedicated interface is unavailable, the Parliament (following the Commission) suggests a procedure for TPPs to notify their national competent authority (NCA) to request access to the interface provided by the ASPSPs for communication with its users until the dedicated interface is available. The Council has not included this procedure in its text but places more emphasis instead on the responsibility of an ASPSP "to ensure an optimal recovery time of the dedicated interface". It goes on to require that the dedicated interface must ensure availability and performance equivalent to the ASPSP's interface. To support this, it tasks the European Banking Authority (EBA) to develop regulatory technical standards:

• for the publication of quarterly statistics on the availability and performance of dedicated interfaces, such data to be published on the websites of ASPSPs
• establishing an optimal recovery time in case of unplanned unavailability of a dedicated interface, based on the severity of the incident.

The Council has also limited the planned unavailability of the dedicated interface to between midnight and 06:00. It also requires that ASPSPs ensure that the dedicated interface provides an availability and performance equivalent to the ASPSP's interface with its users.

Outsourcing

Where technical service providers carry out and verify the elements of strong customer authentication for a PSP, the Commission's text requires that the PSP enters into an outsourcing agreement with the technical service provider. The Parliament has proposed to delete this obligation; the Council does not follow this approach. 

Payments and crypto overlap

Under the EU Market in Crypto-Assets Regulation (MiCA), e-money tokens (cryptoassets that purport to maintain a stable value by referencing the value of one official currency) are subject to regulation under MiCA but may also qualify as 'funds' for PSD2. This has led to the question as to whether cryptoasset service providers (CASPs) handling e-money tokens need additional payment services licences under PSD2.

This regulatory ambiguity prompted the European Banking Authority (EBA) to issue a "no-action" letter on 10 June 2025, providing temporary guidance while calling for legislative clarification through either amendments to MiCA or the upcoming PSD3/PSR framework.

The Council has sought to clarify the boundaries through payment services regulation. It has proposed that the following services are excluded from PSD/PSR:

• Exchange services where parties act in their own name.
• Operation of trading platforms.
• Reception, transmission and execution of orders for cryptoassets.
• Direct payment transactions with e-money tokens without intermediaries (including transfers between self-hosted addresses).

The following services would remain within the scope of payment services regulation:

• Transfer services using e-money tokens for purchasing goods/services
• Peer-to-peer payment transactions with e-money tokens
• Payment transactions between accounts held by the same person.

The Council also proposes allowing existing payment service providers to offer equivalent cryptoasset services with e-money tokens under their current licences, suggesting corresponding amendments to MiCA.

For the Parliament (whose position pre-dates the no-action letter), the starting point is that cryptoasset services should be governed in the large part by MiCA rather than payment services legislation. It has proposed exempting from the scope of PSR payment transactions used for trading and settlement services with e-money tokens where the PSP has already been authorised as a CASP under MiCA, proposing a similar carve-out from licensing under PSD3 as an optional exemption for member states. 

Authorisation and perimeter issues

Both the Parliament and Council adopt similar stances on the authorisation process and exemptions for payment institutions. There are however some important additions in the Council's proposals:

• As well as crypto-related exclusions (see above), the Council is proposing an exclusion for the professional physical transportation of banknotes and coins, including their collection, processing and delivery as well as cash-to-cash currency exchange operations where the funds are not held on a payment account.
• In relation to the commercial agent exemption, the Council stipulates that the agent must have a "real scope" to negotiate with the payer or payee (as opposed to the Commission and Parliament's text, which frames this in terms of the payer or payee having "real margin" to negotiate with the commercial agent). Further, the Council has rejected the approach of both the Commission and Parliament to define an agent by reference to the definition in Directive 86/653/EC (the EU Commercial Agents Directive) and while the Commission and the Parliament preserve the current position in PSD2, which disregards whether or not the commercial agent is in the "possession of client’s funds", the Council has struck this text out. 
• The Council has widened the scope of the limited network exemption (LNE) by clarifying that premises includes online stores. It is also proposing that the current requirement under the LNE for providers to notify NCAs where the value of payments is greater than €1 million shall be at the discretion of each member state.

Supervision and enforcement

In PSD3, the Council proposes significantly broadening the supervisory powers of NCAs. Powers cover financial, operational as well as governance controls and include the ability to:

• require payment institutions to hold additional own funds 
• order changes to strategies and processes
• restrict or limit businesses, operations or networks or request the divestment of activities that pose excessive risks to the financial soundness of a payment institution
• require the reduction of risk in activities, products and systems of a payment institution, including outsourced activities
• restrict profit distributions
• require a payment institution to remove managers. 

In PSR, the Council proposes a far stronger range of investigative and enforcement powers, including:

Asset and business controls

• Seizing items, documents or data.
• Requesting the freezing or sequestration of assets (or both).
• Referring matters for criminal investigations.
• Prohibiting payment services.
• Prohibiting offerings to the public.
• Suspending or prohibiting marketing communications.

Digital enforcement

• Removing content or restricting access to online interfaces or ordering that a warning is explicitly displayed to customers when they access an online interface.
• Ordering a hosting service provider to remove, disable or restrict access to an online interface.
• Deleting domain names.
• Accessing data traffic records held by telecommunications operators.

Information gathering

• Interviewing natural persons regardless of their consent to be interviewed
• Requiring anyone involved in initiating, concluding or processing payment services (regardless of negligence or knowledge of involvement) to provide information or documents.

On administrative fines, the positions of the co-legislators are as follows:

Safeguarding

The Commission and Parliament's proposed changes in PSD3 to the safeguarding requirements in PSD2 are largely in lockstep and include the ability to deposit client funds at a central bank and avoiding concentration risk by not using the same segregation method for all customer funds. The Council develops this in a number of ways including:

• requiring that the payment service user is always made aware under what member state’s insolvency laws and courts a claim should be raised if the payment institution becomes insolvent
• where the payment institution has been granted direct access to designated payment systems (such access is set out in the Settlement Finality Directive (Directive 98/26/EC) as amended), permitting the funds of payment service users to be held in a settlement account of the designated payment system provided the funds are not commingled with the funds of any natural or legal person other than the payment service users, and the funds are insulated in accordance with national laws of the member state so that payment service users are protected against the claims of other creditors of the payment institution. To support the use of settlement accounts, the Council proposes that the EBA draft regulatory technical standards that will specify the approach for segregation and reconciliation of payment service user funds held in settlement accounts. If payment institutions are given the ability to hold funds in settlement accounts, this will make payment institutions less reliant on banks. 

Fees and transparency

On the regulation of fees and measures to promote transparency, the Parliament and the Council significantly diverge in their approach. 

The Commission proposed a limited extension in the scope of the current surcharge ban, which at the moment applies to transactions covered by the SEPA Regulation and those covered by the Interchange Fee Regulation, to include all direct debits and credit transfers in the EU. The Council accepts this proposal whereas the Parliament would like to broaden the prohibition to cover any payment instrument.

To help business payment service users to understand their card-based payment transaction acceptance costs better, the Council has put forward a new set of transparency provisions:

• payment card schemes and processing entities will be required to disclose the rules and fees imposed on payment service providers that extend acquiring services in a transparent and consistent way allowing comparability of billing categories between schemes and processing entities. The operators of such payment card schemes and processing entities will also be required to communicate changes in scheme and processing rules as well as fees to payment service providers at least six months prior to their implementation
• payment service providers that supply acquiring services will be required to disclose transparently merchant services charges applied to their business payments services users of the payment card scheme consistently with their obligations under the Interchange Fee Regulation.
  Under the proposal, working closely with the ECB, the EBA will develop regulatory technical standards setting out the criteria for determining what amounts to a "transparent and consistent" disclosure of fees and rules by payment card schemes and processing entities.

Strong customer authentication

On strong customer authentication (SCA), compared to the Parliament, the Council generally expands SCA requirements while providing more flexibility in implementation, particularly regarding accessibility.

The Council proposes expanding SCA application to include:

• Accessing payment account information online.
• Ordering creation or replacement of payment instrument tokens through remote channels.
• Remote increases of agreed spending limits.
• Activating mobile applications on new devices for payment transactions.

While both of the co-legislators agree that SCA should not apply to payment transactions triggered by the payee, including refunds, the Council opts for a dedicated new article on merchant-initiated credit transfers exempt from SCA, with conditions to be specified through EBA regulatory technical standards, rather than relying on Parliament's clarification (tracking the Commission's text) that the exemption covers certain payment orders placed by the payee based on a mandate given by the payer. Importantly, the Council proposes that PSPs should retain the right to decide that strong customer authentication is necessary ie, the exemptions from the application of the SCA are not mandatory.

In relation to the two or more elements on which SCA is based (knowledge, possession and inherence), the Council proposes that these must belong to different categories, whereas both the Parliament and Commission allow these to belong to the same category.

When it comes to making SCA accessible, the Parliament and the Council once again differ in their positions. The Parliament has proposed that PSPs develop more than one means for the application of SCA to cater for the characteristics of all their customers specifically those with disabilities, few digital skills, older persons and those who do not have access to digital channels or payment instruments. On the other hand, the Council's approach is to require that PSPs ensure that payment service users are adequately informed about the different means available to them to perform SCA. The Council's approach to the use of a smartphone is also worth noting. It agrees with the Commission and the Parliament that PSPs should not make the performance of SCA dependent on a smartphone but qualifies this by recognising that this would not apply if the business model or payment account package selected by the payment service user consists in providing services exclusively through a smartphone.

Next steps

The timing of the final versions of the PSD3 and PSR has slipped somewhat from what was contemplated when the Commission published its original proposals in 2023. It is hoped that the trialogue negotiations will be concluded during the Danish presidency of the Council, which runs until the end of December 2025. This means that it may not be until 2027 that the new regime is in effect.

Notwithstanding, now is the time to be undertaking a gap analysis of the current PSD2 regime and the proposals, focusing in particular on those requirements that are likely to need significant resource such as operational and technical challenges with fraud protection, SCA and Open Banking, along with identifying what adjustments need to be made to contractual arrangements with third parties. 

This article has been published in www.compliancemonitor.com and www.i-law.com.