How Europe Is Rewriting the Rules of Payments: A Case Study for International Regulators
Every major payments market is grappling with the same core problems right now: fraud that outpaces consumer protection rules, fintechs locked out of bank-controlled infrastructure, and a patchwork of national approaches that frustrates cross-border commerce. The EU’s answer – the Third Payment Services Directive (PSD3) and its companion Payment Services Regulation (PSR) – is now close enough to finalisation to serve as a real-world test case. For regulators in the Americas, UK, APAC, and beyond, the design choices are worth studying closely, both for what they get right and for the friction they might expose.
A two-instrument architecture to close the arbitrage gap
The most instructive design decision in the EU’s approach isn’t any single rule – it’s a legal architecture. The EU split its reform into two instruments rather than one. PSD3, a directive, governs licensing and supervision and requires each of the 27 member states to transpose it into national law. The PSR, a regulation, governs the conduct-of-business rules – fraud liability, authentication, open banking access, transparency – and applies directly and identically across every member state the day it takes effect, with no national discretion.
This is a deliberate fix for PSD2’s central flaw. Under PSD2, member states transposed the same directive differently enough that firms could shop jurisdictions for lighter enforcement, and conduct rules ended up inconsistent across a supposedly single market. By moving the operational rules into a directly-applicable regulation, the EU is attempting to harmonise outcomes while still preserving member states’ ability to control which firms get licensed to operate within their borders. For any regulator weighing whether to legislate through a single national rulebook versus a multi-jurisdictional framework, this directive/regulation split is a concrete example of how to decouple “who gets to operate” from “what the rules are” – and a reminder that the latter is where regulatory arbitrage actually resides.
Where the EU is placing the line on fraud liability
Under PSD3/PSR, payment service providers that have not implemented adequate fraud controls will bear liability when customers are defrauded through impersonation scams, including a new reimbursement right where a fraudster poses as a trusted authority. This is backed by two concrete obligations: payee name-to-account verification before transfers complete, and mandatory fraud-data sharing between PSPs via a dedicated platform.
This is a materially different stance from jurisdictions that leave fraud-loss allocation to private contract or consumer-protection litigation. The EU is treating fraud prevention as a baseline supervisory expectation, not an optional feature. Regulators elsewhere debating mandatory reimbursement regimes – the UK has already moved in this direction on its faster payments rail – can use PSD3/PSR as a live reference point for a verification-plus-liability model applied at single-market scale.
Making open banking access enforceable, not just guaranteed
PSD2 guaranteed third-party providers bank API access in principle; in practice, banks could decline with little consequence. PSD3/PSR closes that gap by requiring banks to give documented reasons for declining access and by giving national regulators explicit penalty powers over API performance failures. The lesson for other regulators building or refining open banking regimes: a legal right of access without an enforcement mechanism behind it tends to function as a right in name only. The EU’s correction – turning a principle into a supervisable, penalisable obligation – is a useful template for any jurisdiction (the US among them, as it works through its own open banking rulemaking) currently deciding how much enforcement teeth to attach to data-access mandates.
Safeguarding: from good practice to evidenced requirement
PSD3/PSR also tightens fund safeguarding in a way that’s broadly applicable beyond Europe. Concentration risk at a single safeguarding bank is no longer treated as acceptable above a threshold; firms must diversify across multiple credit institutions or, where available, safeguard directly at the central bank. Daily reconciliation, already common practice, becomes a formally evidenced requirement, after supervisors found that firms were performing reconciliation without retaining proof of having done so. This is a small but telling detail: it shows a regulator moving from trusting good practice to requiring demonstrable evidence of it – a shift other supervisors auditing nonbank payment institutions or stablecoin issuers may find directly applicable.
The tradeoffs of harmonising at scale
The timeline reflects the cost of 27-country alignment: publication expected mid-2026, full compliance potentially not until early 2028 once transposition and grandfathering periods run their course. Single-jurisdiction regulators don’t face this drag, but any multilateral body pursuing harmonised payments rules should expect it.
It’s also worth noting where the EU’s approach is creating new friction rather than resolving it. UK divergence from PSD3/PSR means cross-border firms are now building toward two distinct compliance regimes rather than one, even as both jurisdictions pursue broadly similar policy goals around fraud and open banking. For regulators in regions with deep payments interoperability with the EU, this is an early signal of the compliance cost that comes with choosing not to align, even where substantive policy goals overlap.
The takeaway
PSD3/PSR is not a finished experiment – full compliance is still roughly 18 months to two years out – but it already demonstrates a coherent regulatory philosophy: separate licensing from conduct rules to control arbitrage, attach liability directly to the absence of fraud controls rather than relying on litigation after the fact, convert access guarantees into enforceable obligations, and require evidence rather than assurance for core safeguarding practices. Whether or not other jurisdictions adopt the same instruments, the underlying design choices are transferable, and worth tracking as the EU moves from legislative text to live supervision over the next two years.
